
[MX] When port mirroring on the MX is done on family bridge interface, only one-way traffic is seen at analyzer.


Article ID: KB29753 | Last Updated: 21 Nov 2017 | Version: 2.0
Summary:

In an L2 port mirroring scenario on the MX platform, there can be cases where the analyzer detects only the flows in one direction. The flows in the other direction are not accounted for.


 
Symptoms:

When family vpls is used to port-mirror bridged traffic, the family bridge filter applied on the physical interface connected to the analyzer does not count packets in the outgoing direction. This is because the transit packets leaving the physical interface are actually routed packets, so the family bridge output filter never sees them. Incoming packets from the analyzer are counted because, in the inbound direction, the filter is evaluated first and the lookup is performed afterwards.

Description:

Here is the topology used:

+---------------+                                      
|               |                                      
|     r1        |                                      
|               |                                      
|               |                                      
|               |                                      
|               |                                      
+-------+---+---+                                      
        | xe-002                                       
        |                                              
        |                                              
        |                                              
        |                                              
        | xe-001                                       
+------+---+------+                                   
|                 |                                   
|                 |                                   
|                 |  ge-1/0/1                         
|      r2         +----+----------------------+       
|                 |                          ixia2-1/4
|                 |                                   
|                 |                                   
+------+----+---+-+                                   
        |  ge-1/1/5                                     
        |                                              
        |                                              
        |                                              
        |                                              
        |                                              
        |                                              
       ++                                              
       ixia2-3/11                                      
 

Here r1 sends traffic to ixia2-1/4 with source IP 1.1.123.1 and destination IP 5.83.7.150. ixia2-3/11 acts as the analyzer. ge-1/0/1 on r2 is configured as follows:

lab@MX80> show configuration interfaces ge-1/0/1    
flexible-vlan-tagging;
encapsulation flexible-ethernet-services; 
gigether-options {
    no-flow-control;
}
unit 3004 {
    encapsulation vlan-bridge;
    vlan-id 3004;
    family bridge {
        filter {
            input mirror-port;
            output mirror-port;
        }
    }
}

Here is an example of the port-mirroring config and bridge-domain:

 
port-mirroring {
    traceoptions {
        file PORT-MIRROR-TRACE;
    }
    input {
        rate 1;
        run-length 1;
    }
    family inet {
        output {
            interface ge-1/1/5.14 {
                next-hop 1.1.14.1;
            }
        }
    }
    family vpls {
        output {
            interface ge-1/1/5.15;
            no-filter-check;
        }
    }
}
 
vlan3004 {
    domain-type bridge;
    vlan-id 3004;
    interface ge-1/0/1.3004;
    routing-interface irb.3004;
}
 
lab@MX80# show bridge-domains analyzer1 
domain-type bridge;
vlan-id 15;
interface ge-1/1/5.15;

lab@MX80# show interfaces ge-1/1/5  
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 14 {
    vlan-id 14;
    family inet {
        address 1.1.14.2/30;
    }
}
unit 15 {
    encapsulation vlan-bridge;
    vlan-id 15;
}

When ICMP traffic is sent from r1 to ixia2-1/4, the counters increment only on the input filter and not on the output filter, as shown below:

 
Filter: mirror-port-ge-1/0/1.3004-o                            
Counters:
Name                                                Bytes              Packets
test-ge-1/0/1.3004-o                                    0                    0
 
lab@MX80> show firewall filter mirror-port-ge-1/0/1.3004-i     
 
Filter: mirror-port-ge-1/0/1.3004-i                            
Counters:
Name                                                Bytes              Packets
test-ge-1/0/1.3004-i                                 4038                   40
 

ixia2-3/11 acts as the analyzer, and it sees only the traffic with source 5.83.7.150 and destination 1.1.123.1. Here is the configuration of the firewall filter:

 
family bridge {
    filter mirror-port {
        interface-specific;
        term all {
            then {
                count test;
                accept;
                port-mirror;
            }
        }
    }
}

Here is a snapshot of the PCAP from the analyzer, which shows that only the return traffic (ICMP replies from 5.83.7.150 to 1.1.123.2) is captured.

Cause:

The cause of the problem is that the transit packets leaving the physical interface are actually routed packets, so they are not accounted for in the family bridge filter.

Solution:

Since the traffic going towards ixia2-1/4 is routed traffic, a family inet output filter must be applied on irb.3004, as follows:

lab@MX80# show interfaces irb.3004 
family inet {
    filter {
        output test-port-mirror;
    }
    address 5.83.7.149/29;
}
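As an added example (not part of the original article), here is the complete set of statements that the irb.3004 output filter above depends on, so that the solution can be applied end to end: the family inet filter definition test-port-mirror (the name matches the irb.3004 configuration above; the counter name mirror-inet is an assumption), the irb.3004 interface statements from the article, and the family inet port-mirroring output from the earlier configuration (ge-1/1/5.14 with next-hop 1.1.14.1), shown under its forwarding-options container.

```junos
firewall {
    family inet {
        /* Routed traffic leaving via irb.3004 is only visible to a family inet filter */
        filter test-port-mirror {
            interface-specific;
            term all {
                then {
                    /* assumed counter name; instantiated per interface and direction */
                    count mirror-inet;
                    port-mirror;
                    accept;
                }
            }
        }
    }
}
interfaces {
    irb {
        unit 3004 {
            family inet {
                filter {
                    output test-port-mirror;
                }
                address 5.83.7.149/29;
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            rate 1;
            run-length 1;
        }
        /* family inet output from the article: mirrored copies go to the analyzer via ge-1/1/5.14 */
        family inet {
            output {
                interface ge-1/1/5.14 {
                    next-hop 1.1.14.1;
                }
            }
        }
    }
}
```

Because the filter is interface-specific, it is instantiated per interface and direction in the same way as the article's mirror-port filter (mirror-port-ge-1/0/1.3004-i and -o), so the counter for the routed direction can be checked with show firewall filter test-port-mirror-irb.3004-o. Both that counter and mirror-port-ge-1/0/1.3004-i should now increment while ICMP is sent from r1 to ixia2-1/4, and the analyzer capture should contain both echo requests and replies.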
 

With the above configuration, both ICMP echo requests and echo replies are seen in the analyzer's PCAP capture, as follows:


 
Modification History:

2017-11-21: Added link to related KB32201.
