Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[QFX] How to prevent asymmetric hashing when Passive Monitoring is used

0

0
Article ID: KB35530 KB Last Updated: 18 Mar 2020Version: 1.0 Summary:

This article explains how to prevent asymmetric hashing in layer 2 traffic when the Passive Monitoring feature is used in a complex setup in QFX Series switches.

 

Symptoms:

When multiple switches send traffic to QFX/PTX devices wherein passive monitoring is used, it is possible that some devices may add VLAN tags to the traffic before exporting to other QFX/PTX devices.

This behavior may impact the way hashing is done before the QFX/PTX devices send traffic to the IDS Servers that are connected with the link aggregation interfaces, thus causing problems in the stateful inspection of these IDS Servers.

For instance, this behavior may cause the QFX/PTX devices to send traffic from the same flow to different IDS Servers, thus defeating the usage and purpose of the Passive Monitoring feature.

 

Solution:

In order to prevent asymmetric hashing when passive monitoring is used, add the following configuration:

[edit]
user@switch#
set forwarding-options enhanced-hash-key layer2 no-vlan-id

Use the following configuration for hashing:

[edit]

user@switch#

set forwarding-options enhanced-hash-key layer2 no-vlan-id
set forwarding-options enhanced-hash-key inet no-incoming-port

Verify Symmetric Hashing

Verify the output for symmetric hashing. The incoming port fields for inet, inet6, and L2 should all be set to No. Also, in L2 Settings, vlan-id should be set to No.

In configuration mode, enter the show forwarding-options enhanced-hash-key command and verify the output.

Slot 0

Seed value for Hash function           0: 3626023417
Seed value for Hash function           1: 3626023417
Seed value for Hash function           2: 3626023417
Seed value for Hash function           3: 3626023417

    Inet settings:
    --------------
        IPV4 dest address:    Yes
        IPV4 source address:  Yes
        L4 Dest Port:         Yes
        L4 Source Port:       Yes
Incoming port:        No
    Inet6 settings:
    --------------
        IPV6 dest address:    Yes
        IPV6 source address:  Yes
        L4 Dest Port:         Yes
        L4 Source Port:       Yes
Incoming port:        No
    L2 settings:
    ------------
        Dest Mac address:    No
        Source Mac address:  No
        Vlan Id:             No
        Inner-vlan Id:       No
        Incoming port:       No
    GRE settings:
    -------------
        Key:                 No
        Protocol:            No
    MPLS settings:
    --------------
    MPLS Enabled:        Yes

    VXLAN settings:
    ---------------
        VXLAN VNID:          No

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search