
[EX] How to create many-to-many port mirroring sessions on EX2200, EX3200, EX3300 and EX4200 switches


Article ID: KB25660 KB Last Updated: 04 Mar 2017Version: 2.0
Summary:
This article provides information on how to create many-to-many port mirroring sessions on EX2200, EX3200, EX3300 and EX4200 switches.
Symptoms:
  • On an EX2200, EX3200, or EX4200 switch, only one analyzer (port mirroring configuration) can be enabled. Junos allows you to configure several analyzers concurrently, but only one of them can be active at a time.

  • There are 10 hosts connected to the EX switch, with the IP range being 10.10.10.1 - 10.10.10.10.

  • The requirement is to have two port mirroring sessions: one mirrors all IP traffic from the first 5 hosts to one monitoring station, and the other mirrors all IP traffic from the last 5 hosts to a second monitoring station.

  • This can be achieved with a physical loopback cable, a separately created VLAN with MAC learning disabled so that it floods the mirrored traffic to multiple ports, and a firewall filter that segregates traffic between the monitoring stations by evaluating the source and destination IP addresses.
Cause:

Solution:

Topology:

  • In the above topology, the hosts are connected to ports ge-0/0/1 through ge-0/0/10. All the hosts are part of the vl1 VLAN.

  • ge-0/0/11 is physically looped with ge-0/0/12.

  • The analyzer is configured to mirror IP traffic ingressing and egressing the ge-0/0/1 - ge-0/0/10 interfaces.

  • The output interface of the analyzer is ge-0/0/11.

  • RSTP is disabled on ge-0/0/12, ge-0/0/13, and ge-0/0/14.
  • ge-0/0/12, ge-0/0/13, and ge-0/0/14 are configured as members of a separate Mirror VLAN.

  • No-mac-learning is configured on the Mirror VLAN.

  • Monitoring stations are connected on ge-0/0/13 and ge-0/0/14.

  • A firewall filter is applied in the output direction on ge-0/0/13 and ge-0/0/14 to allow only the intended mirrored traffic, based on the source and destination IP addresses.

  1. The ge-0/0/1 - ge-0/0/10 access ports are part of the vl1 VLAN:
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/5 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/6 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/7 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/8 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vl1
    set interfaces ge-0/0/10 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vl1
  2. ge-0/0/11 is the output interface of the analyzer that mirrors traffic for all the host ports:
    set interfaces ge-0/0/11 unit 0 family ethernet-switching
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/1.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/2.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/3.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/4.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/5.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/6.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/7.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/8.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/9.0
    set ethernet-switching-options analyzer Multi-Session input ingress interface ge-0/0/10.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/1.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/2.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/3.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/4.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/5.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/6.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/7.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/8.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/9.0
    set ethernet-switching-options analyzer Multi-Session input egress interface ge-0/0/10.0
    set ethernet-switching-options analyzer Multi-Session output interface ge-0/0/11.0
    
  3. ge-0/0/11 is connected to ge-0/0/12 with an Ethernet cable to form a physical loop. RSTP is disabled on ge-0/0/12 - ge-0/0/14.

  4. The ge-0/0/12, ge-0/0/13, and ge-0/0/14 ports are members of the Mirror VLAN.

  5. MAC learning is disabled for the Mirror VLAN so that the switch acts like a hub for it and floods all received mirror traffic to ge-0/0/13 and ge-0/0/14:
    set protocols rstp interface ge-0/0/12.0 disable
    set protocols rstp interface ge-0/0/13.0 disable
    set protocols rstp interface ge-0/0/14.0 disable
    
    set vlans Mirror vlan-id 100
    set vlans Mirror no-mac-learning
    set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members Mirror
    set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members Mirror
    set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members Mirror
    
  6. The ge-0/0/13 port is connected to the first monitoring station, which listens to the mirrored traffic for the first five hosts. To receive the traffic of only the first five hosts, you have to create and apply an outgoing firewall filter on this port:
    set firewall family ethernet-switching filter First-5-FF term 10 from source-address 10.0.0.1/32
    set firewall family ethernet-switching filter First-5-FF term 10 from source-address 10.0.0.2/32
    set firewall family ethernet-switching filter First-5-FF term 10 from source-address 10.0.0.3/32
    set firewall family ethernet-switching filter First-5-FF term 10 from source-address 10.0.0.4/32
    set firewall family ethernet-switching filter First-5-FF term 10 from source-address 10.0.0.5/32
    set firewall family ethernet-switching filter First-5-FF term 10 then accept
    set firewall family ethernet-switching filter First-5-FF term 20 from destination-address 10.0.0.1/32
    set firewall family ethernet-switching filter First-5-FF term 20 from destination-address 10.0.0.2/32
    set firewall family ethernet-switching filter First-5-FF term 20 from destination-address 10.0.0.3/32
    set firewall family ethernet-switching filter First-5-FF term 20 from destination-address 10.0.0.4/32
    set firewall family ethernet-switching filter First-5-FF term 20 from destination-address 10.0.0.5/32
    set firewall family ethernet-switching filter First-5-FF term 20 then accept
    set firewall family ethernet-switching filter First-5-FF term default then discard
    set interfaces ge-0/0/13 unit 0 family ethernet-switching filter output First-5-FF
    
  7. The ge-0/0/14 port is connected to the second monitoring station, which listens to the mirrored traffic for the last five hosts. To receive only the traffic of the last five hosts, you have to create and apply an outgoing firewall filter on this port:
    set firewall family ethernet-switching filter Last-5-FF term 10 from source-address 10.0.0.6/32
    set firewall family ethernet-switching filter Last-5-FF term 10 from source-address 10.0.0.7/32
    set firewall family ethernet-switching filter Last-5-FF term 10 from source-address 10.0.0.8/32
    set firewall family ethernet-switching filter Last-5-FF term 10 from source-address 10.0.0.9/32
    set firewall family ethernet-switching filter Last-5-FF term 10 from source-address 10.0.0.10/32
    set firewall family ethernet-switching filter Last-5-FF term 10 then accept
    set firewall family ethernet-switching filter Last-5-FF term 20 from destination-address 10.0.0.6/32
    set firewall family ethernet-switching filter Last-5-FF term 20 from destination-address 10.0.0.7/32
    set firewall family ethernet-switching filter Last-5-FF term 20 from destination-address 10.0.0.8/32
    set firewall family ethernet-switching filter Last-5-FF term 20 from destination-address 10.0.0.9/32
    set firewall family ethernet-switching filter Last-5-FF term 20 from destination-address 10.0.0.10/32
    set firewall family ethernet-switching filter Last-5-FF term 20 then accept
    set firewall family ethernet-switching filter Last-5-FF term default then discard
    set interfaces ge-0/0/14 unit 0 family ethernet-switching filter output Last-5-FF
    
Note: The above example illustrates the mirroring of IP traffic of different hosts to different ports.
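As an added illustration that is not part of the KB article, the following Python models how the two output filters above decide which monitoring station receives a mirrored packet once the Mirror VLAN has flooded it to both ge-0/0/13 and ge-0/0/14. It uses the 10.0.0.x addresses from the filter configuration and Junos first-match term evaluation, and it shows the overlap case the article does not spell out: a packet between a host in each group matches term 10 on one filter and term 20 on the other, so both stations receive it.

```python
import ipaddress

# Constructed to match the filter configuration in steps 6 and 7:
# first five hosts -> station on ge-0/0/13, last five -> station on ge-0/0/14.
FIRST_5 = [f"10.0.0.{i}" for i in range(1, 6)]
LAST_5 = [f"10.0.0.{i}" for i in range(6, 11)]


def build_filter(name, hosts):
    """Model of the article's filter: term 10 matches source-address,
    term 20 matches destination-address, term default discards."""
    nets = [ipaddress.ip_network(h + "/32") for h in hosts]
    return {
        "name": name,
        "terms": [
            ("10", "source-address", nets, "accept"),
            ("20", "destination-address", nets, "accept"),
            ("default", None, None, "discard"),
        ],
    }


def evaluate(filt, src, dst):
    """Junos-style first-match evaluation: returns (term, action)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term, field, nets, action in filt["terms"]:
        if field is None:          # term with no 'from' clause matches everything
            return term, action
        ip = src_ip if field == "source-address" else dst_ip
        if any(ip in n for n in nets):
            return term, action
    return "default", "discard"    # not reached: the default term always matches


# Output filters per monitoring port, as applied in the article.
FILTERS = {
    "ge-0/0/13": build_filter("First-5-FF", FIRST_5),
    "ge-0/0/14": build_filter("Last-5-FF", LAST_5),
}


def stations_receiving(src, dst):
    """Ports that forward a mirrored packet src->dst to their monitoring
    station after the no-mac-learning Mirror VLAN has flooded it to both."""
    return sorted(port for port, f in FILTERS.items()
                  if evaluate(f, src, dst)[1] == "accept")


if __name__ == "__main__":
    for src, dst in [("10.0.0.1", "192.0.2.10"), ("10.0.0.3", "10.0.0.7")]:
        print(src, "->", dst, "seen on", stations_receiving(src, dst))
```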