Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Contrail] Example - Contrail Port Mirroring Configuration and Verification



Article ID: KB33409 KB Last Updated: 26 Dec 2018Version: 1.0

Contrail supports a port mirror feature, which can be used to mirror traffic of specific port(s) on a compute node (mirror vrouter) to a specified destination IP address where a traffic analyzer VM is located. This article demonstrates how to configure and verify the port mirror.


JTAC test diagram

       +---+                              +---+   
       |   |                              |   |analyzer VM
       +-+-+      mirror traffic          +-+-+   
         |      ====================>       |
         |                          |
         | tap(port:tap1c6a93ae-c2)         | tap
     +---+----+                         +---+----+
     |        |                         |        |
     |bcomp79 |                         |comp106 |
     |        |                         |        |
     +--------+                         +--------+             

    Mirror VRouter                     Analyer VRouter

Port mirror configuration

From the Contrail GUI, do the following:

a. Select Configure -> Networking -> Ports.  (Circles 1, 2, 3 in the figure below)
b. Click "Search" and enter the IP address of the port to be mirrored.   (Circle 4 in the figure below)
c. Select "Edit", click "Advanced Options"  (Circles 5 and 6 in the figure below)

d. Scroll down and check the "Mirroring" option

e. Enter:   (Circles 1, 2, and 3 in the figure below)

  • Mirror destination (normally an nalyzer VM) IP address
  • Mirror destination "UDP port"
  • Analyzer Name (can be any string)

f. Save the configuration.   (Circle 4 in the figure below)

Port Mirror Verification

Once the port mirror is enabled on a port, use the vif command on the mirrored port of the mirror vrouter to print the port mirror information:

    root@bcomp79:~# vif --get 5
    Vrouter Interface Table

    Flags: P=Policy, X=Cross Connect, S=Service Chain, Mr=Receive Mirror
           Mt=Transmit Mirror, Tc=Transmit Checksum Offload, L3=Layer 3, L2=Layer 2
           D=DHCP, Vp=Vhost Physical, Pr=Promiscuous, Vnt=Native Vlan Tagged
           Mnp=No MAC Proxy, Dpdk=DPDK PMD Interface, Rfl=Receive Filtering Offload, Mon=Interface is Monitored
           Uuf=Unknown Unicast Flood, Vof=VLAN insert/strip offload, Df=Drop New Flows, Proxy=MAC Requests Proxied Always
           Mn=Mirror without Vlan Tag

    vif0/5      OS: tap1c6a93ae-c2
                Type:Virtual HWaddr:00:00:5e:00:01:00 IPaddr:
                Vrf:1 Flags:PMrMtL3L2D QOS:-1 Ref:5 Mirror index 2
                RX packets:93060  bytes:3928765 errors:0
                TX packets:236083  bytes:53085897 errors:0
                Ingress Mirror Metadata: 3 1e 64 65 66 61 75 6c 74 2d 64
                                         6f 6d 61 69 6e 3a 61 64 6d 69 6e
                                         3a 70 69 6e 67 73 2d 6e 65 74 ff
                Egress Mirror Metadata: 4 1e 64 65 66 61 75 6c 74 2d 64 6f
                                        6d 61 69 6e 3a 61 64 6d 69 6e 3a
                                        70 69 6e 67 73 2d 6e 65 74 ff 0

The `Flags` now shows `Mr` and `Mt`, where:

`Mr` means mirror ingress (Rx traffic)
`Mt` means mirror egress (Tx traffic)

These flags indicates we now have bidirectional traffic mirror enabled on this port.

The `mirror` command can be used to dump the current port mirror configuration on the mirror vrouter:

    root@bcomp79:~# mirror --dump
    Mirror Table

    Flags:D=Dynamic Mirroring

    Index    NextHop    Flags    VNI
        0         37       D          0
        1         62       D          0
        2         21       D          0         #<-----

In this test, the new mirror configuration with a index "2" was added.
To verify the destination IP addresses and port number associated with the mirror traffic, use the "nh" command:

    root@bcomp79:~# nh --get 21
    Id:21         Type:Tunnel         Fmly: AF_INET  Rid:0  Ref_cnt:2          Vrf:-1
                  Flags:Valid, Udp, Copy SIP,
                  Oif:0 Len:14 Flags Valid, Udp, Copy SIP,  Data:00 00 00 00 00 00 14 02 ec 66 b1 25 08 00
                  Vrf:-1  Sip:  Dip:     #<------

                  Sport:8097 Dport:8888                      #<------

On the destination (analyzer) compute, the mirror traffic will trigger flows:

    root@comp106:~# flow --match
    Flow table(size 80609280, entries 629760)

    Entries: Created 874652 Added 874652 Deleted 1749132 Changed 1749132 Processed 874652 Used Overflow entries 0
    (Created Flows/CPU: 178 416 690 55099 2640 95128 721 40305 663 34496 704 18602 962 540788 251 10942 2620 7763 2313 5656 1579 31840 1862 18434)(oflows 0)

    Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
     Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
     Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
    TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead

    Listing flows matching ([]:*)

        Index                Source:Port/Destination:Port                      Proto(V)
       484260<=>517288                                       17 (8)
    (Gen: 7, K(nh):70, Action:F, Flags:, QOS:-1, S(nh):0,  Stats:707/73528,
     SPort 61851, TTL 0, Sinfo

       517288<=>484260                                      17 (8)
    (Gen: 1, K(nh):70, Action:F, Flags:, QOS:-1, S(nh):0,  Stats:481/70226,
     SPort 63950, TTL 0, Sinfo

From the above flow table we can see that the mirror traffic arrives and triggered these flow entries. The flow entries including source/destination IP/port and packet counter statistics information.


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search