
[Junos] Configuration Example - Port mirror of L3 traffic to a collector connected to another remote router


Article ID: KB35163 | KB Last Updated: 21 Oct 2019 | Version: 1.0
Summary:

When the collector cannot be connected directly to the router whose traffic needs to be port-mirrored, the mirrored traffic can instead be carried to a remote router over a GRE tunnel and the collector connected there. This article describes that method.

This article provides the configuration steps needed to achieve port mirror of L3 traffic to a collector connected to another remote router.

Cause:

The inability to connect the collector to the router may be due to various reasons such as:

  • The router is in a remote location
  • There is no server/collector on site
  • There is no port availability on the router to connect the collector
Solution:

Topology:

             |
port-mirrored|
interface    |        +-------GRE Tunnel-------------+
       +-----+-------+                              +-----------+
       |             |                              |   R2      |        +---------+
       |             |                              |          lt-0/0/0  | collect |
       |  R1         +------+............+----------+           +--------+         |
       |             |                              |           |        +---------+
       |             |                              |           |         collector
       +-------------+                              +-----------+
        local-router                                 remote-router


Configuration on the router whose traffic you want to port-mirror:

  1. Configure tunnel-services under any FPC, if not already present
  2. Configure the gr (GRE) tunnel towards the device to which the collector is connected
  3. Configure port mirroring with the gr interface as the output interface
  4. Configure a firewall filter with the port-mirror action and apply it to the interface whose traffic you want to mirror

On the router where the traffic is being port-mirrored (R1 in the above topology):

[edit chassis]
+     fpc 2 { <-- can be configured on any FPC on the chassis
+         pic 0 {
+             tunnel-services {
+                 bandwidth 10g;
+             }
+         }
+     }
[edit interfaces]
+   gr-2/0/0 {
+       unit 0 {
+           tunnel {
+               source 1.1.1.1; <-- use lo0 IP
+               destination 2.2.2.2; <-- dst lo0 IP
+           }
+           family inet {
+               address 10.200.1.1/30; <-- Any IP.
+           }
+       }
+   }
[edit interfaces irb unit 3522 family inet]
+       filter {
+           input MIRROR;  <-- Apply this on interface which you want to mirror
+           output MIRROR; <-- Apply this on interface which you want to mirror
+       }
[edit]
+  forwarding-options {
+      port-mirroring {
+          input {
+              rate 1;
+              run-length 1;
+          }
+          family inet {
+              output {
+                  interface gr-2/0/0.0; <-- GRE tunnel interface
+              }
+          }
+      }
+  }
[edit firewall family inet]
+     filter MIRROR {
+         term t1 {
+             then {
+                 port-mirror;
+                 accept;
+             }
+         }
+     }
 

Configuration on the router where the collector is connected:

  1. Configure tunnel-services under any FPC, if not already present
  2. Configure the gr (GRE) tunnel towards the device whose traffic is being mirrored
  3. Configure a firewall filter with the port-mirror action and apply it in the input direction of the gr interface
  4. Configure port mirroring with the interface connected to the collector as the output interface

On the remote-end router (R2 in the above topology):

[edit interfaces]
+   gr-0/0/0 {
+       unit 0 {
+           tunnel {
+               source 2.2.2.2;
+               destination 1.1.1.1;
+           }
+           family inet {
+               filter {
+                   input MIRROR;
+               }
+               address 10.200.1.2/30;
+           }
+       }
+   }
+   lt-0/0/0 { <-- Logical tunnel used here only as a stand-in for a locally attached collector. In a real deployment this is the interface to which the collector is connected.
+       unit 9 {
+           encapsulation ethernet;
+           peer-unit 10;
+           family inet {
+               address 10.100.1.1/30;
+           }
+       }
+       unit 10 {
+           encapsulation ethernet;
+           peer-unit 9;
+           family inet {
+               address 10.100.1.2/30;
+           }
+       }
+   }
[edit interfaces ae13]
+   disable;
[edit forwarding-options]
+   port-mirroring {
+       input {
+           rate 1;
+           run-length 1;
+       }
+       family inet {
+           output {
+               interface lt-0/0/0.9 {
+                   next-hop 10.100.1.2; <-- address of the peer unit lt-0/0/0.10 (the collector side)
+               }
+           }
+       }
+   }
[edit firewall]
+   family inet {
+       filter MIRROR {
+           term t1 {
+               then {
+                   port-mirror;
+                   accept;
+               }
+           }
+       }
+   }
[edit routing-instances]
+   vrf-mirror { <-- Place the gr interface in its own virtual-router so the copies received over the tunnel are not routed back into the network, which would duplicate the traffic
+       instance-type virtual-router;
+       interface gr-0/0/0.0;
+   }
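The R2 side has three places where a small mistake silently breaks the design: a mirror next-hop that is not on the output interface's subnet, a filter that never carries the port-mirror action, and a tunnel interface left in the default routing instance so the copies are forwarded back out. The following Python script is an added example, not part of the article or of Junos; it renders the R2 configuration above in set format as a constructed sample (the interface names, addresses, filter name and routing-instance name are the article's, the function names are this script's own) and checks those three points.

```python
"""Sanity-check the remote-router (R2) side of a GRE-based port-mirroring setup.

R2_SET_CONFIG is a constructed set-format rendering of the article's R2
configuration (sample input, not a live device). The checks cover the mirror
next-hop, the port-mirror filter action, and the routing-instance isolation of
the tunnel interface.
"""
import ipaddress

R2_SET_CONFIG = """
set interfaces gr-0/0/0 unit 0 tunnel source 2.2.2.2
set interfaces gr-0/0/0 unit 0 tunnel destination 1.1.1.1
set interfaces gr-0/0/0 unit 0 family inet filter input MIRROR
set interfaces gr-0/0/0 unit 0 family inet address 10.200.1.2/30
set interfaces lt-0/0/0 unit 9 encapsulation ethernet
set interfaces lt-0/0/0 unit 9 peer-unit 10
set interfaces lt-0/0/0 unit 9 family inet address 10.100.1.1/30
set interfaces lt-0/0/0 unit 10 encapsulation ethernet
set interfaces lt-0/0/0 unit 10 peer-unit 9
set interfaces lt-0/0/0 unit 10 family inet address 10.100.1.2/30
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring input run-length 1
set forwarding-options port-mirroring family inet output interface lt-0/0/0.9 next-hop 10.100.1.2
set firewall family inet filter MIRROR term t1 then port-mirror
set firewall family inet filter MIRROR term t1 then accept
set routing-instances vrf-mirror instance-type virtual-router
set routing-instances vrf-mirror interface gr-0/0/0.0
"""


def parse_set_config(text):
    """Split 'set ...' lines into token lists; blank and non-set lines are ignored."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def find(stmts, *prefix):
    """Yield the tail of every statement that starts with the given tokens."""
    n = len(prefix)
    for s in stmts:
        if s[:n] == list(prefix):
            yield s[n:]


def instance_of(stmts, ifl):
    """Name of the routing instance containing logical interface `ifl`, or None."""
    for rest in find(stmts, "routing-instances"):
        if len(rest) >= 3 and rest[1] == "interface" and rest[2] == ifl:
            return rest[0]
    return None


def check_mirror_config(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    stmts = parse_set_config(text)
    findings = []

    # 1. The mirror next-hop must be a valid address on a subnet of the output
    #    interface; in the article it is the peer logical-tunnel unit lt-0/0/0.10.
    for rest in find(stmts, "forwarding-options", "port-mirroring",
                     "family", "inet", "output", "interface"):
        ifl = rest[0]
        if len(rest) >= 3 and rest[1] == "next-hop":
            try:
                nh = ipaddress.ip_address(rest[2])
            except ValueError:
                findings.append(f"next-hop {rest[2]!r} on {ifl} is not a valid IP address")
                continue
            name, unit = ifl.split(".")
            addrs = [r[0] for r in find(stmts, "interfaces", name, "unit", unit,
                                        "family", "inet", "address")]
            if not any(nh in ipaddress.ip_interface(a).network for a in addrs):
                findings.append(f"next-hop {nh} is not on any subnet of {ifl} ({addrs})")

    # 2. At least one family inet filter must carry the 'then port-mirror' action.
    mirror_filters = {rest[0] for rest in find(stmts, "firewall", "family", "inet", "filter")
                      if len(rest) >= 5 and rest[1] == "term"
                      and rest[3:5] == ["then", "port-mirror"]}
    if not mirror_filters:
        findings.append("no family inet filter has a 'then port-mirror' action")

    # 3. Every interface unit that feeds the mirror (the tunnel) must sit in its
    #    own virtual-router so the received copies cannot be routed back out.
    for s in stmts:
        if (len(s) == 9 and s[0] == "interfaces" and s[2] == "unit"
                and s[4:8] == ["family", "inet", "filter", "input"]
                and s[8] in mirror_filters):
            ifl = f"{s[1]}.{s[3]}"
            inst = instance_of(stmts, ifl)
            if inst is None:
                findings.append(f"{ifl} carries mirror filter {s[8]} but sits in the default "
                                "routing instance; received copies may be routed back into the network")
            elif ["virtual-router"] not in list(find(stmts, "routing-instances", inst, "instance-type")):
                findings.append(f"routing instance {inst} for {ifl} is not instance-type virtual-router")
    return findings


if __name__ == "__main__":
    for finding in check_mirror_config(R2_SET_CONFIG) or ["all checks passed"]:
        print(finding)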
 
Send 100 pps of traffic from the traffic generator; it leaves R1 via irb.3522.
Note: In this example, the only traffic leaving this interface is the test traffic being mirrored.
 
[MASTER][edit]
user@r1-re0# run show interfaces irb.3522 extensive | match pps         
 Input  packets:     237199          1 pps
 Output packets:   2182225        101 pps

The mirrored copies are sent out over the gr interface:

[MASTER][edit]
user@r1-re0# run show interfaces gr-2/0/0.0 extensive | match pps   
 Input  packets:          0       0 pps
 Output packets:   2093732      99 pps

Traffic is received at the other end on the gr interface:

[edit]
user@r2# run show interfaces gr-0/0/0.0 extensive | match pps
     Input  packets:    155551      99 pps
     Output packets:        0       0 pps

Traffic is mirrored and sent out towards the collector, i.e. lt-0/0/0.9:

[edit]
user@r2# run show interfaces lt-0/0/0.9 extensive | match pps    
     Input  packets:        0       0 pps
     Output packets:   705603     99 pps
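The four counters above are the verification step: with rate 1 and run-length 1 every packet is mirrored, so each hop on the mirror path should show roughly the same pps as the mirrored interface. The script below is an added example (not from the article) that embeds those four outputs as constructed sample input, parses the `| match pps` lines and flags a hop as loss or duplication when it deviates from the baseline by more than a tolerance; the hop list, tolerance and function names are this script's own assumptions.

```python
"""Verify a GRE port-mirroring path from 'show interfaces ... extensive | match pps' output.

SAMPLES holds the article's four command outputs as constructed input. Each hop
on the mirror path should carry about the same pps as the mirrored interface:
well below means copies are being lost, well above means they are duplicated
(for example when the tunnel interface is left in the default routing instance
and the copies are routed back through it).
"""
import re

SAMPLES = {
    ("r1", "irb.3522"): (" Input  packets:     237199          1 pps\n"
                         " Output packets:   2182225        101 pps\n"),
    ("r1", "gr-2/0/0.0"): (" Input  packets:          0       0 pps\n"
                           " Output packets:   2093732      99 pps\n"),
    ("r2", "gr-0/0/0.0"): ("     Input  packets:    155551      99 pps\n"
                           "     Output packets:        0       0 pps\n"),
    ("r2", "lt-0/0/0.9"): ("     Input  packets:        0       0 pps\n"
                           "     Output packets:   705603     99 pps\n"),
}

# Hops along the mirror path and the direction the copies travel on each one.
MIRROR_PATH = [
    (("r1", "gr-2/0/0.0"), "output"),
    (("r2", "gr-0/0/0.0"), "input"),
    (("r2", "lt-0/0/0.9"), "output"),
]

PPS_RE = re.compile(r"^\s*(Input|Output)\s+packets:\s+\d+\s+(\d+)\s+pps", re.M)


def parse_pps(text):
    """Return {'input': pps, 'output': pps} from the '| match pps' lines."""
    return {d.lower(): int(pps) for d, pps in PPS_RE.findall(text)}


def check_mirror_path(samples, path=MIRROR_PATH, tolerance=0.05):
    """Compare each hop with the mirrored interface's rate.

    Returns a list of (hop, pps, ratio, status) tuples where status is 'ok',
    'loss' or 'duplication'. The baseline is the output pps of irb.3522 because
    in the article's test only outbound test traffic flows on that interface.
    """
    baseline = parse_pps(samples[("r1", "irb.3522")])["output"]
    report = []
    for key, direction in path:
        pps = parse_pps(samples[key])[direction]
        ratio = pps / baseline if baseline else 0.0
        if abs(1.0 - ratio) <= tolerance:
            status = "ok"
        else:
            status = "loss" if ratio < 1.0 else "duplication"
        report.append((f"{key[0]}:{key[1]}", pps, round(ratio, 3), status))
    return report


if __name__ == "__main__":
    for hop, pps, ratio, status in check_mirror_path(SAMPLES):
        print(f"{hop:<18} {pps:>4} pps  {ratio:>6.1%}  {status}")
```

Run against the article's numbers every hop reports "ok" (99 pps against a 101 pps baseline). A collector that receives about twice the baseline is the signature of the duplication the vrf-mirror routing instance exists to prevent.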