Knowledge Base
Search our Knowledge Base sites to find answers to your questions.
Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles[MX] When port mirroring on the MX is done on family bridge interface, only one-way traffic is seen at analyzer.
Symptoms:
When a family VPLS is used for port-mirroring bridged traffic, the family bridge filter applied on the physical interface connected to the analyzer will not count the packets in the outgoing direction. This is because the transit packets leaving the physical interface are actually routed packets. They will not be accounted for in the family bridge filter. However, the incoming packets from the analyzer are counted because in the incoming direction, the filter is first taken into account and then the lookup is performed.
DESCRIPTION
Here is the topology used:
+---------------+
| |
| r1 |
| |
| |
| |
| |
+-------+---+---+
| xe-002
|
|
|
|
| xe-001
+------+---+------+
| |
| |
| | ge-1/0/1
| r2 +----+----------------------+
| | ixia2-1/4
| |
| |
+------+----+---+-+
| ge-1ge-115
|
|
|
|
|
|
++
ixia2-3/11
Here r1 is sending traffic to ixia2-1/4 with source IP 1.1.123.1 and dest IP 5.83.7.150. Ixia2-3/11 is like the analyzer. Ge-1/0/1 on r2 is configured as follows:
lab@MX80> show configuration interfaces ge-1/0/1
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
gigether-options {
no-flow-control;
}
unit 3004 {
encapsulation vlan-bridge;
vlan-id 3004;
family bridge {
filter {
input mirror-port;
output mirror-port;
}
}
}
Here is an example of the port-mirroring config and bridge-domain:
port-mirroring {
traceoptions {
file PORT-MIRROR-TRACE;
}
input {
rate 1;
run-length 1;
}
family inet {
output {
interface ge-1/1/5.14 {
next-hop 1.1.14.1;
}
}
}
family vpls {
output {
interface ge-1/1/5.15;
no-filter-check;
}
}
}
vlan3004 {
domain-type bridge;
vlan-id 3004;
interface ge-1/0/1.3004;
routing-interface irb.3004;
}
lab@MX80# show bridge-domains analyzer1
domain-type bridge;
vlan-id 15;
interface ge-1/1/5.15;
lab@MX80# show interfaces ge-1/1/5
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 14 {
vlan-id 14;
family inet {
address 1.1.14.2/30;
}
}
unit 15 {
encapsulation vlan-bridge;
vlan-id 15;
}
When traffic is sent from r1 to ixia2-1/4 (icmp), the packets increment only in the input direction of filter and not in the output direction as follows:
Filter: mirror-port-ge-1/0/1.3004-o Counters: Name Bytes Packets test-ge-1/0/1.3004-o 0 0 lab@MX80> show firewall filter mirror-port-ge-1/0/1.3004-i Filter: mirror-port-ge-1/0/1.3004-i Counters: Name Bytes Packets test-ge-1/0/1.3004-i 4038 40
The ixia2-3/11 acts as analyzer and there only the traffic with source 5.83.7.150 and destination 1.1.123.1 is seen. Here is the configuration of the firewall filter:
family bridge {
filter mirror-port {
interface-specific;
term all {
then {
count test;
accept;
port-mirror;
}
}
}
}
Here is a snapshot of the PCAP from the analyzer which shows that only return traffic (ICMP replies from 5.83.7.150 to 1.1.123.2) is captured.
Solution:
Since the traffic going towards Ixia2(1/4) is routed traffic, we need to apply a family inet filter on irb.3004 filter as follows:
lab@MX80# show interfaces irb.3004
family inet {
filter {
output test-port-mirror;
}
address 5.83.7.149/29;
}
With the above configuration, both ICMP echoes and replies are seen in the PCAP capture of the analyzer as follows:
Related Links
Getting Up and Running with Junos
Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search