[MX] Example - How to configure a remote L3 port-mirror across VPLS network via LT interface on local/remote routers
This article explains how to mirror local L3 traffic and send it to a remote monitoring server across a virtual private LAN service (VPLS) network via LT interfaces with the help of an example.
Topology
PC1 ----- (ae10.10)
(lt-0/0/0.0)R1(lt-0/0/0.1) --- vpls --- (lt-0/0/0.1)R2(lt-0/0/0.0)(ae30.30) ---- Server
PC2 ----- (ae20.20)
Connection Details
PC1 and PC2 are connected with R1.
The monitoring server is connected with R2.
The VPLS is between R1 and R2.
Hardware and Software Details
R1 and R2 are MX80 routers that run Junos OS Release 16.1R6-S2.3 and are set up as local and remote routers, respectively.
R3 is configured as a logical system that hosts PC1, PC2, and the monitoring server.
All connections are 10g links.
Checking the Configuration
Check the VPLS connections on R1 and R2:
MX80-r1> show vpls connections
Layer-2 VPN connections:
... snip ...
... snip ...
Instance: VPLS
Edge protection: Not-Primary
  Local site: pc1 (1)
    connection-site           Type  St     Time last up          # Up trans
    2                         rmt   Up     Nov  3 22:19:00 2020           1
      Remote PE: 2.2.2.2, Negotiated control-word: No
      Incoming label: 262146, Outgoing label: 262145
      Local interface: lsi.1048577, Status: Up, Encapsulation: VPLS
        Description: Intf - vpls VPLS local site 1 remote site 2
      Flow Label Transmit: No, Flow Label Receive: No

MX80-r2> show vpls connections
Layer-2 VPN connections:
... snip ...
... snip ...
Instance: VPLS
Edge protection: Not-Primary
  Local site: pc2 (2)
    connection-site           Type  St     Time last up          # Up trans
    1                         rmt   Up     Nov  3 22:19:00 2020           1
      Remote PE: 1.1.1.1, Negotiated control-word: No
      Incoming label: 262145, Outgoing label: 262146
      Local interface: lsi.1048577, Status: Up, Encapsulation: VPLS
        Description: Intf - vpls VPLS local site 2 remote site 1
      Flow Label Transmit: No, Flow Label Receive: No
Start a ping test between PC1 and PC2:
MX80-r3> ping 20.1.1.2 source 10.1.1.2 logical-system pc1 count 100 rapid
PING 20.1.1.2 (20.1.1.2): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 20.1.1.2 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.689/1.143/19.178/1.961 ms
The firewall filter counters on R1 show the packet count.
Note: Mirror traffic only from the port that is facing PC1.
MX80-r1> show firewall
Filter: CP-MIRROR-FBB-IN-ae10.10-i
Counters:
Name                 Bytes   Packets
IN-ae10.10-i          8400       100
Filter: CP-MIRROR-FBB-OUT-ae10.10-o
Counters:
Name                 Bytes   Packets
OUT-ae10.10-o         8400       100
Interface statistics on R1
MX80-r1> show interfaces lt-0/0/0.0
  Logical interface lt-0/0/0.0 (Index 331) (SNMP ifIndex 592)
    Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
    MAC: fa:c0:01:18:90:00
    Input packets : 0
    Output packets: 200
    Protocol inet, MTU: 1500
    Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 100.1.1/24, Local: 100.1.1.1, Broadcast: 100.1.1.255

MX80-r1> show interfaces lt-0/0/0.1
  Logical interface lt-0/0/0.1 (Index 332) (SNMP ifIndex 593)
    Flags: Up SNMP-Traps 0x0 Encapsulation: Ethernet-VPLS
    Input packets : 200
    Output packets: 0
    Protocol vpls, MTU: 1514
      Flags: Is-Primary
Interface statistics on R2
MX80-r2> show interfaces lt-0/0/0.1
  Logical interface lt-0/0/0.1 (Index 337) (SNMP ifIndex 661)
    Flags: Up SNMP-Traps 0x0 Encapsulation: Ethernet-VPLS
    Input packets : 0
    Output packets: 200
    Protocol vpls, MTU: 1514
      Flags: Is-Primary

MX80-r2> show interfaces lt-0/0/0.0
  Logical interface lt-0/0/0.0 (Index 336) (SNMP ifIndex 584)
    Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
    MAC: 82:71:1f:c0:11:00
    Input packets : 200
    Output packets: 0
    Protocol inet, MTU: 1500
    Max nh cache: 0, New hold nh limit: 0, Curr nh cnt: 0, Curr new hold cnt: 0, NH drop cnt: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 100.1.1/24, Local: 100.1.1.2, Broadcast: 100.1.1.255
Once the mirror traffic arrives on port lt-0/0/0.0 on R2, configure a port-mirror to capture the traffic and send it to the server via ae30.30.
MX80-r2> show interfaces ae30.30
  Logical interface ae30.30 (Index 338) (SNMP ifIndex 611)
    Flags: Up SNMP-Traps 0x0 VLAN-Tag [ 0x8100.30 ] Encapsulation: ENET2
    Statistics        Packets        pps         Bytes          bps
    Bundle:
        Input :           201          0         16860            0
        Output:           201          0         16846            0
Check the firewall filter on the monitoring server, R3, to see if the mirror traffic was received.
MX80-r3> show firewall
Filter: test
Counters:
Name                 Bytes   Packets
aaa                  16800       200

MX80-r3> show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr        Dest Addr
18:28:25  pfe       A      ae30.30       ICMP            20.1.1.2        10.1.1.2
18:28:25  pfe       A      ae30.30       ICMP            10.1.1.2        20.1.1.2
18:28:25  pfe       A      ae30.30       ICMP            20.1.1.2        10.1.1.2
18:28:25  pfe       A      ae30.30       ICMP            10.1.1.2        20.1.1.2
18:28:25  pfe       A      ae30.30       ICMP            20.1.1.2        10.1.1.2
... snip ...
... snip ...
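The hop-by-hop counter check above can be automated so that a silent gap in the mirror path (and therefore in monitoring coverage) is caught. The following Python script is an added example, not part of the original article or Juniper tooling; its function names are hypothetical, its sample input is constructed from the output shown above, and it assumes "port-mirroring input rate 1" as in this article's configuration, so every counted packet should be mirrored.

```python
import re

# Constructed sample input, trimmed from the CLI output shown in this article.
FIREWALL_R1 = """\
Filter: CP-MIRROR-FBB-IN-ae10.10-i
Counters:
Name                 Bytes   Packets
IN-ae10.10-i          8400       100
Filter: CP-MIRROR-FBB-OUT-ae10.10-o
Counters:
Name                 Bytes   Packets
OUT-ae10.10-o         8400       100
"""
HOPS = [  # (label, counter direction, "show interfaces" text), in mirror-path order
    ("R1 lt-0/0/0.0", "Output", "Input packets : 0\nOutput packets: 200\n"),
    ("R1 lt-0/0/0.1", "Input", "Input packets : 200\nOutput packets: 0\n"),
    ("R2 lt-0/0/0.1", "Output", "Input packets : 0\nOutput packets: 200\n"),
    ("R2 lt-0/0/0.0", "Input", "Input packets : 200\nOutput packets: 0\n"),
]

def filter_packets(text):
    """Sum the Packets column of every counter row in 'show firewall' output."""
    total = 0
    for line in text.splitlines():
        row = re.match(r"^\s*\S+\s+(\d+)\s+(\d+)\s*$", line)  # name bytes packets
        if row:
            total += int(row.group(2))
    return total

def iface_packets(text, direction):
    """Return the 'Input packets' or 'Output packets' value of a logical interface."""
    m = re.search(rf"^\s*{direction} packets\s*:\s*(\d+)", text, re.M)
    if m is None:
        raise ValueError(f"no '{direction} packets' line found")
    return int(m.group(1))

def check_mirror_path(firewall_text, hops, tolerance=0):
    """Compare the mirrored-packet count at the source filter with each hop.

    Returns (expected, gaps); gaps lists (label, expected, seen) for every hop
    that saw fewer packets than the filter counted, beyond the tolerance.
    """
    expected = filter_packets(firewall_text)
    gaps = []
    for label, direction, text in hops:
        seen = iface_packets(text, direction)
        if expected - seen > tolerance:
            gaps.append((label, expected, seen))
    return expected, gaps

if __name__ == "__main__":
    expected, gaps = check_mirror_path(FIREWALL_R1, HOPS)
    print(f"expected {expected} mirrored packets; gaps: {gaps or 'none'}")
```

Only shortfalls are reported, because an interface such as ae30.30 can legitimately carry a few extra packets (201 in the output above).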
Full configuration on R1 and R2
R1
set chassis aggregated-devices ethernet device-count 10
set chassis fpc 0 pic 0 tunnel-services
set chassis network-services enhanced-ip
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 100.1.1.1/24
set interfaces lt-0/0/0 unit 1 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family vpls
set interfaces xe-0/0/0 unit 0 family inet address 12.1.1.1/30
set interfaces xe-0/0/0 unit 0 family mpls
set interfaces xe-0/0/1 gigether-options 802.3ad ae10
set interfaces xe-0/0/2 gigether-options 802.3ad ae20
set interfaces ae10 vlan-tagging
set interfaces ae10 encapsulation flexible-ethernet-services
set interfaces ae10 unit 10 vlan-id 10
set interfaces ae10 unit 10 family inet filter input CP-MIRROR-FBB-IN
set interfaces ae10 unit 10 family inet filter output CP-MIRROR-FBB-OUT
set interfaces ae10 unit 10 family inet address 10.1.1.1/24
set interfaces ae20 vlan-tagging
set interfaces ae20 encapsulation flexible-ethernet-services
set interfaces ae20 unit 20 vlan-id 20
set interfaces ae20 unit 20 family inet address 20.1.1.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface lt-0/0/0.0 next-hop 100.1.1.2
set forwarding-options port-mirroring family inet output no-filter-check
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 100
set protocols mpls interface xe-0/0/0.0
set protocols bgp group iBGP type internal
set protocols bgp group iBGP local-address 1.1.1.1
set protocols bgp group iBGP family l2vpn signaling
set protocols bgp group iBGP neighbor 2.2.2.2
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface xe-0/0/0.0 interface-type p2p
set protocols ldp interface xe-0/0/0.0
set firewall family inet filter CP-MIRROR-FBB-IN interface-specific
set firewall family inet filter CP-MIRROR-FBB-IN term 10 then count IN
set firewall family inet filter CP-MIRROR-FBB-IN term 10 then port-mirror
set firewall family inet filter CP-MIRROR-FBB-IN term 10 then accept
set firewall family inet filter CP-MIRROR-FBB-OUT interface-specific
set firewall family inet filter CP-MIRROR-FBB-OUT term 10 then count OUT
set firewall family inet filter CP-MIRROR-FBB-OUT term 10 then port-mirror
set firewall family inet filter CP-MIRROR-FBB-OUT term 10 then accept
set routing-instances VPLS instance-type vpls
set routing-instances VPLS interface lt-0/0/0.1
set routing-instances VPLS route-distinguisher 1.1.1.1:100
set routing-instances VPLS vrf-target target:100:100
set routing-instances VPLS protocols vpls site-range 10
set routing-instances VPLS protocols vpls no-tunnel-services
set routing-instances VPLS protocols vpls site pc1 site-identifier 1
set routing-instances VPLS protocols vpls site pc1 interface lt-0/0/0.1
set routing-instances VPLS protocols vpls no-mac-learning
R2
set chassis aggregated-devices ethernet device-count 10
set chassis fpc 0 pic 0 tunnel-services
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet filter input CP-MIRROR-FBB-IN
set interfaces lt-0/0/0 unit 0 family inet filter output CP-MIRROR-FBB-OUT
set interfaces lt-0/0/0 unit 0 family inet address 100.1.1.2/24
set interfaces lt-0/0/0 unit 1 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family vpls
set interfaces xe-0/0/0 unit 0 family inet address 12.1.1.2/30
set interfaces xe-0/0/0 unit 0 family mpls
set interfaces xe-0/0/3 gigether-options 802.3ad ae30
set interfaces ae30 vlan-tagging
set interfaces ae30 encapsulation flexible-ethernet-services
set interfaces ae30 unit 30 vlan-id 30
set interfaces ae30 unit 30 family inet address 30.1.1.1/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32
set forwarding-options port-mirroring input rate 1
set forwarding-options port-mirroring family inet output interface ae30.30 next-hop 30.1.1.2
set forwarding-options port-mirroring family inet output no-filter-check
set routing-options router-id 2.2.2.2
set routing-options autonomous-system 100
set protocols mpls interface xe-0/0/0.0
set protocols bgp group iBGP type internal
set protocols bgp group iBGP local-address 2.2.2.2
set protocols bgp group iBGP family l2vpn signaling
set protocols bgp group iBGP neighbor 1.1.1.1
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface xe-0/0/0.0 interface-type p2p
set protocols ldp interface xe-0/0/0.0
set firewall family inet filter CP-MIRROR-FBB-IN interface-specific
set firewall family inet filter CP-MIRROR-FBB-IN term 10 then count IN
set firewall family inet filter CP-MIRROR-FBB-IN term 10 then port-mirror
set firewall family inet filter CP-MIRROR-FBB-IN term 10 then accept
set firewall family inet filter CP-MIRROR-FBB-OUT interface-specific
set firewall family inet filter CP-MIRROR-FBB-OUT term 10 then count OUT
set firewall family inet filter CP-MIRROR-FBB-OUT term 10 then port-mirror
set firewall family inet filter CP-MIRROR-FBB-OUT term 10 then accept
set routing-instances VPLS instance-type vpls
set routing-instances VPLS interface lt-0/0/0.1
set routing-instances VPLS route-distinguisher 2.2.2.2:100
set routing-instances VPLS vrf-target target:100:100
set routing-instances VPLS protocols vpls site-range 10
set routing-instances VPLS protocols vpls no-tunnel-services
set routing-instances VPLS protocols vpls site pc2 site-identifier 2
set routing-instances VPLS protocols vpls site pc2 interface lt-0/0/0.1
set routing-instances VPLS protocols vpls no-mac-learning