Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How to capture packets on a EX8200 Virtual Chassis setup when the ports are across different members of a 8200 chassis

0

0

Article ID: KB23238 KB Last Updated: 08 Mar 2012Version: 1.0
Summary:
An EX8200 Virtual Chassis is multiple Juniper Networks EX8200 Ethernet Switches connected together, which operate as a single network entity. The advantages of connecting multiple EX8200 switches into a Virtual Chassis include, better-managed bandwidth at a network layer, simplified configuration, and maintenance; as multiple devices can be managed as a single device and a simplified Layer 2 network topology that minimizes or eliminates the need for loop prevention protocols, such as Spanning Tree Protocol (STP).
Symptoms:
The issue discussed in this article deals with configuring port mirroring on an EX8200 Virtual Chassis on ports, which are distributed across the different member chassis of the VC. Port mirroring is a traffic monitoring tool, available in EX series switches, for identifying sources of problems on the network by locating abnormal or heavy bandwidth usage from particular stations or applications.


Port mirroring copies packets to either a local interface for local monitoring or VLAN for remote monitoring. You can use port mirroring to copy the following packets:

  • Packets entering or exiting a port.

  • Packets entering a VLAN on Juniper Networks EX2200, EX3200, EX4200, or EX4500 Ethernet Switches.

  • Packets exiting a VLAN on Juniper Networks EX8200 Ethernet Switch.


Port mirroring can also be used in a EX8200 Virtual chassis to capture traffic on ports. A limitation exists in mirroring traffic on ports in EX8200 VC; the ports are located in different EX8200s, which are individual members of the virtual chassis. The limitations are:

  • A port-based analyzer does not work, if the interfaces configured in the input and output definitions exist across members of an EX8200 Virtual Chassis.

  • The analyzer also does not work, If a link aggregation group (LAG) is defined in the input definition of a port-based analyzer and the LAG contains interfaces across members of an EX8200 Virtual Chassis.

The procedure provided in the solution section, enables the user to configure port mirroring, in such a way that traffic can be captured on ports, which belong to different members of the EX8200 VC.
Cause:

Solution:
The limitation in port mirroring on a EX8200 Virtual Chassis can be addressed by configuring multiple port mirroring sessions for each member EX8200 of the Virtual Chassis setup. To explain the process, the following setup is used:

Setup:

  • EX8200 VC with two members of EX8208.

  • An aggregated link (ae0) is configured with two ports; the ge-0/0/0 port from member0 of the Virtual Chassis and ge-16/0/0 port from member1 of the Virtual Chassis:

    root@8200-VC# run show interfaces terse | match ae0
    ge-0/0/0.0 up up aenet --> ae0.0
    ge-16/0/0.0 up up aenet --> ae0.0
    ae0 up up
    ae0.0 up up eth-switch

The requirement is to capture traffic flowing on both ge-0/0/0 and ge-16/0/0 in ingress direction. The requirement cannot be implemented with one analyzer session, as the member links of ae0 are across two EX8200 member chassis.

The workaround is to configure:

  1. Port based analyzer - analyzer-one to capture traffic coming into ge-0/0/0 and mirror it to ge-1/0/30.

  2.  Firewall based analyzer - analyzer-two to capture all traffic coming into ge-16/0/0 and mirror it to ge-17/0/30.


In both step 1 and 2, the mirrored port and the mirroring port are located on the same member chassis, that is ge-0/0/0. ge-1/0/30 belongs to member0 and ge-16/0/0/ ge-17/0/30 belong to member1 of the EX8200 Virtual Chassis.

So, this implementation overcomes the limitation and enables the user to capture traffic on ports across multiple members of the EX8200 Virtual Chassis.

The configuration is:
  1. Two analyzers - analyzer-one to capture traffic on ge-0/0/0 and analyzer-two for the firewall based analyzer are configured:

    root@8200-VC# show ethernet-switching-options
    analyzer analyzer-one { < captures port ge-0/0/0 on ge-1/0/30
    input {
    ingress {
    interface ge-0/0/0.0;
    }
    }
    output {
    interface {
    ge-1/0/30.0;
    }
    }
    }
    analyzer analyzer-two  { < captures traffic into ge-17/0/30
    output {
    interface {
    ge-17/0/30.0;
    }
    }
    }

  2.   A firewall filter is configured to redirect the traffic captured on ge-16/0/0 towards analyzer-two:
     
    root@8200-VC# show firewall
    family ethernet-switching {
    filter fw-capture { < redirects traffic on  port 16/0/0 to analyzer-two.
    term 1 {
    from {
    interface ge-16/0/0.0;
    }
    then {
    accept;
    analyzer analyzer-two;
    }
    }
    term 2 {
    then accept;
    }
    }
    }

  3. The fw-capture filter is now applied in the input direction of the ae0 interface:

    root@8200-VC# show interfaces ae0
    aggregated-ether-options {
    lacp {
    active;
    }
    }
    unit 0 {
    family ethernet-switching {
    port-mode trunk;
    vlan {
    members v555;
    }
    filter {
    input fw-capture;
    }
    }
    }

The above configuration will enable the user to capture the traffic, which is ingressing to ge-0/0/0 on ge-1/0/30 by using analyzer-one, capture traffic to ge-16/0/0 on ge-17/0/30 by using analyzer-two, and overcomes the limitation in EX8200 Virtual Chassis.


Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search