Routing
Routing

MX port-mirror for egress taffic doubling output traffic and congesting link.

‎04-30-2019 02:48 AM

Hi All,

I had setup port mirror on one Gig interface to mirror egress traffic to remote analyzer (wireshark PC connected to remote MX via GRE tunnel.) 

 

the mirroring works and i can see the traffic on the PC but i have noticed that once the mirroring starts, the output traffic leaving the interface doubles or even tripples and congests the whole 1G bandwidth of the interface. 

 

before port mirroring, output traffic is around 300mbps. when i enable port mirror i noticed output traffic reached almost 950mbps and congested the while interface. had to disable mirroring to resume traffic. 

I have input filter on the same interface that is sampling traffic also. could this be the issue ? i have also noticed that when i do port mirror on other interfaces, like ingress mirror of all traffic arriving at the interface, ICMP ping arriving at this interface show DUP! flag.. is that expected/normal ?

 

 

Am i doing something wrong in my setup? below is my setup mirroring MX.

re0# show forwarding-options port-mirroring
input {
    rate 1;
    run-length 1;
}
family inet {
    output {
        interface gr-0/1/10.5;
    }
}

re0# show interfaces gr-0/1/10
unit 5 {
    tunnel {
        source 6.6.6.6; 
        destination 7.7.7.7;
    }
    family inet {
        address 172.27.27.6/30;
    }
}
re0# show firewall family inet filter PORT-MIRROR
term 1 {
    then {
        port-mirror;
        accept;
    }
}

-re0# show interfaces ge-0/1/9
description "upstream provider";
mtu 9192;
unit 0 {
    bandwidth 450m;
    family inet {
        mtu 1500;
        filter {
            input IRP-SAMPLE; ( SAMPLING FILTER)
            output PORT-MIRROR;
        }
        policer {
            arp PER-INTERFACE-ARP-LIMITER;
        }
        address 1.1.1.1/30;
    }
re0# show chassis fpc 0
pic 1 {
    tunnel-services {
        bandwidth 1g;
    }
}

On the remote MX where analyzer PC is connected, i have this setup: 

-re0# show interfaces gr-1/0/10.5
tunnel {
    source 7.7.7.7;
    destination 6.6.6.6;
}
family inet {
    filter {
        input PORT-MIRROR;
    }
    address 172.27.27.5/30;
}

re0# show forwarding-options port-mirroring
input {
    rate 1;
    run-length 1;
}
family inet {
    output {
        interface ge-1/0/9.1023 {
            next-hop 10.10.10.2;
        }
    }
}

i have attached graph showing traffic spiking immediately i enable egress port-mirror.

 

Regards,
Lish
FON
2 REPLIES 2
Routing

Re: MX port-mirror for egress taffic doubling output traffic and congesting link.

‎04-30-2019 03:41 AM

Why you apply PORT-MIRROR filter on input of gr interface ? 

You should change next hop for all incoming traffic or if you port-mirror this traffic again you should drop it. With this configuration i do not understand where original packet forwarded after comming in on gr interface

Routing

Re: MX port-mirror for egress taffic doubling output traffic and congesting link.

‎04-30-2019 03:53 AM

Hi,

 

The gr interface with input port mirror is on the remote MX .. after the traffic arrives on the tunnel interface, i am mirroring it to local interface. i could be doing wrong but i consider the remote GR interface to be where the mirrored traffic arrives and i want to send it to local port now where the analyser is connected. this is all on the remote MX. 

 

once the traffic arrives on the other end of the tunnel interface, how best can i send this traffic to the analyser without applying input filter.  

Regards,
Lish
FON