EX8200 Standalone Switch: Junos OS 11.4R2: Ensure egressing frames don't carry output VLAN tag (while Inner Tag is retained) on Analyzer configuration with output interface as VLAN

Article ID: KB29203   KB Last Updated: 04 Mar 2017   Version: 2.0
Summary:

This article describes what happens when the VLAN is configured as output for an analyzer on the EX8200 standalone switch.

Symptoms:

When the VLAN is configured as output for an analyzer on the EX8200 standalone switch:

  • The traffic egresses out of all VLAN member interfaces as dual-tagged frames (the inner tag is the one the frame carries as it ingresses/egresses the input interfaces, and the outer tag is the analyzer VLAN).

  • Due to this behavior, the packets are not captured on a PC/laptop that uses Ethereal/Wireshark; the PC is unable to capture the double-tagged frames.

This situation is illustrated below.

ge-0/0/16: port mode trunk VLAN members 10,20

ge-0/0/17: port mode trunk VLAN members 10,30

ge-0/0/41 - ge-0/0/42: port mode access VLAN member 300

All traffic ingressing and egressing on ge-0/0/16 and ge-0/0/17 should be mirrored to ports ge-0/0/41 and ge-0/0/42.

The only feasible option is to add these links to a VLAN and make that VLAN the analyzer output. When the VLAN is used as the analyzer output, packets properly egress on all the mirror ports, as seen after the monitor interface traffic command is executed. However, attempts to capture this traffic with Wireshark on a PC do not capture the frames.

Cause:

When the frames described in the Symptoms section (above) are captured with a traffic analyzer (such as IXIA/SPIRENT/AGILENT) instead of a PC, the incoming traffic is seen as double-tagged frames, as shown below:

INNER TAG: Ingressing/egressing traffic on input interfaces.
OUTER TAG: Analyzer VLAN, in this case vlan300.

In addition, the following warning message is encountered during the commit operation:

root@RE1-TITAN# commit check
[edit ethernet-switching-options]
'analyzer'
warning: Vlan vlan300 which is configured as output vlan for analyzer session vlananalyzer contains untagged interface.The mirrored frames shall go out as vlan tagged frames
[edit ethernet-switching-options]
'analyzer'
warning: Vlan vlan300 which is configured as output vlan for analyzer session vlananalyzer contains untagged interface.The mirrored frames shall go out as vlan tagged frames
configuration check succeeds

Solution:

Use the no-tag knob, introduced in Junos OS 11.4R2 and available in later releases, by executing the command below:

set ethernet-switching-options analyzer <analyzer name> output vlan <analyzer vlan> no-tag <- KNOB

set version 11.4R2.14
set interfaces ge-0/0/16 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/16 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/16 unit 0 family ethernet-switching vlan members 20
set interfaces ge-0/0/17 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/17 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/17 unit 0 family ethernet-switching vlan members 30
set interfaces ge-0/0/41 unit 0 family ethernet-switching vlan members 300
set interfaces ge-0/0/42 unit 0 family ethernet-switching vlan members 300

Then, configure the analyzer:

set ethernet-switching-options analyzer vlananalyzer input ingress interface ge-0/0/16.0
set ethernet-switching-options analyzer vlananalyzer input ingress interface ge-0/0/17.0
set ethernet-switching-options analyzer vlananalyzer input egress interface ge-0/0/16.0
set ethernet-switching-options analyzer vlananalyzer input egress interface ge-0/0/17.0
set ethernet-switching-options analyzer vlananalyzer output vlan vlan300 no-tag
set ethernet-switching-options storm-control interface all
set vlans vlan10 vlan-id 10
set vlans vlan20 vlan-id 20
set vlans vlan30 vlan-id 30
set vlans vlan300 vlan-id 300

However, when the above configuration is committed, the same warning messages are received:

root@RE1-TITAN# commit check
[edit ethernet-switching-options]
'analyzer'
warning: Vlan vlan300 which is configured as output vlan for analyzer session vlananalyzer contains untagged interface.The mirrored frames shall go out as vlan tagged frames
[edit ethernet-switching-options]
'analyzer'
warning: Vlan vlan300 which is configured as output vlan for analyzer session vlananalyzer contains untagged interface.The mirrored frames shall go out as vlan tagged frames
configuration check succeeds

These warnings can be ignored because the "no-tag" KNOB is used in the analyzer output VLAN configuration.
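To confirm the result on a mirror port (ge-0/0/41 or ge-0/0/42), the VLAN tag stack of each captured frame can be inspected directly. The following Python sketch is an added example, not Juniper code; the function names and sample frames are constructed for illustration, and it assumes the tags use TPID 0x8100 (0x88a8 and 0x9100 are also accepted).

```python
import struct

# TPIDs that mark a VLAN tag: 802.1Q (0x8100), 802.1ad (0x88a8), legacy QinQ (0x9100)
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}
ANALYZER_VLAN = 300  # vlan300 from the article's configuration


def vlan_stack(frame: bytes) -> list:
    """Return the VLAN IDs of a raw Ethernet frame, outermost tag first."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    vids, offset = [], 12  # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return vids
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify(frame: bytes) -> str:
    """Describe a mirrored frame in the terms the article uses."""
    vids = vlan_stack(frame)
    if len(vids) >= 2 and vids[0] == ANALYZER_VLAN:
        return f"double-tagged: outer {vids[0]}, inner {vids[1]} (no-tag not in effect)"
    if vids and vids[0] == ANALYZER_VLAN:
        return "tagged with analyzer VLAN only"
    if vids:
        return f"inner tag {vids[0]} only (expected with no-tag)"
    return "untagged"


def build(vids: list) -> bytes:
    """Constructed sample frame: dummy MACs, 0x8100 tags, IPv4 EtherType, padding."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    return bytes(6) + bytes.fromhex("020000000001") + tags + b"\x08\x00" + bytes(46)


if __name__ == "__main__":
    # Constructed samples: before no-tag, after no-tag, and a frame with no tag at all
    for sample in (build([300, 10]), build([10]), build([])):
        print(classify(sample))
```

Feed `classify()` the raw frame bytes exported from a capture on the mirror port; any frame reported as double-tagged with outer 300 means the no-tag knob is not taking effect for that analyzer session.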
