Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Contrail] Configure Network Mirroring using Service Instance

0

0

Article ID: KB34217 KB Last Updated: 09 May 2019Version: 1.0
Summary:

Contrail can be configured to mirror traffic between two VNs to a specified analyzer VM instance. This article demonstrates how to configure network mirroring by creating a service instance through the Configure > Services workspace.

Solution:

Network mirroring can be achieved by deploying an analyzer VM instance using a service instance and service template. Since version 2 service template is used, an analyzer instance should be launched manually. New instance flavors can be defined and applied to the analyzer VM instance.

In this scenario, the traffic between VN-A (10.1.0.0/24) and VN-B (10.2.0.0/24) will be mirrored. VN-M (10.251.0.0/24) is created to host the analyzer VM instance. Assume an analyzer VM instance with IP address 10.251.0.3/24 has been created from Openstack UI.

Below are the configurations to enable network mirroring.

Configuration steps from Contrail GUI:

  1. Configure the Service Template

    Select Configure > Services > Service Templates

    Specify a name, select Version v2, and set the Virtualization Type to Virtual Machine, Service Mode to Transparent, Service Type to Analyzer. Only one interface is needed for the analyzer in this case.

  2. Configure the Service Instance

    Select Services > Service Instances

    Specify a name, select the Service Template created earlier, select the VN for the analyzer, and create a Port Tuple with the analyzer's VM Interface.

  3. Wait for the service instance status to be Active

  4. Configure a Policy

  5. Apply the policy to VN-A and VN-B

    Network Mirror Verification

    Initiate traffic from VM-A1 (10.1.0.3) in VN-A to VM-B1 (10.2.0.3) in VN-B and examine the analyzer VM (10.251.0.3):

    The traffic between VN-A and VN-B is being mirrored the analyzer VM instance.

    We can also verify the network mirroring from vrouters.

    For example, in node14 which host VM-A1, the mirror index is shown to be 0.

    root@node14:~# mirror --dump
    Mirror Table
    Flags:D=Dynamic Mirroring
    Index    NextHop    Flags    VNI
    --------------------------------------
        0         57       D          0

    Since a service instance is deployed, the destination IP address is 10.251.0.4.

    root@node14:~# nh --get 57  
    Id:57         Type:Tunnel         Fmly: AF_INET  Rid:0  Ref_cnt:2          Vrf:-1
                  Flags:Valid, Udp, Copy SIP,
                  Oif:0 Len:14 Flags Valid, Udp, Copy SIP,  Data:00 00 00 00 00 00 52 54 00 56 ba 7e 08 00
                  Vrf:-1  Sip:10.168.10.14  Dip:10.251.0.4
                  Sport:8097 Dport:8099

    Examining the flow between 10.1.0.3 and 10.2.0.3, we can see the correct Mirror Index 0.

    root@node14:~# flow --match 10.2.0.3
    Flow table(size 80609280, entries 629760)
    
    Entries: Created 25960 Added 25960 Deleted 51876 Changed 51884 Processed 25960 Used Overflow entries 0
    Created Flows/CPU: 2553 2655 2167 1517 1317 1488 1302 1374 1455 1614 1266 1616 1778 1092 1181 1585)(oflows 0)
    
    Action:F=Forward, D=Drop N=NAT(S=SNAT, D=DNAT, Ps=SPAT, Pd=DPAT, L=Link Local Port)
    Other:K(nh)=Key_Nexthop, S(nh)=RPF_Nexthop
    Flags:E=Evicted, Ec=Evict Candidate, N=New Flow, M=Modified Dm=Delete Marked
    TCP(r=reverse):S=SYN, F=FIN, R=RST, C=HalfClose, E=Established, D=Dead
    
    Listing flows matching ([10.2.0.3]:*)
    
        Index                Source:Port/Destination:Port                      Proto(V)
    ----------------------------------------------------------------------------------
       300544<=>429616       10.1.0.3:40962                                      1 (6)
                             10.2.0.3:0    
    (Gen: 1, K(nh):70, Action:F, Flags:, QOS:-1, S(nh):70,  Stats:1/98,  Mirror Index : 0
    SPort 65360, TTL 0, Sinfo 8.0.0.0)
    
       429616<=>300544       10.2.0.3:40962                                      1 (6)
                             10.1.0.3:0    
    (Gen: 1, K(nh):70, Action:F, Flags:, QOS:-1, S(nh):50,  Stats:1/84,  Mirror Index : 0
    SPort 62418, TTL 0, Sinfo 10.168.10.15)
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search