I have to implement port mirroring, with RSPAN to collect and monitor the traffic from a cisco switch (1) to another cisco switch (2).
But in between there's a Juniper QFX switch (the one I am calling the 'transit switch').
So my source will be a cisco switch (1) port, my rspan vlan is the vlan 35, then I'll go through the Juniper QFX, and the final destination is another cisco switch (2), from which I will collect the remote traffic.
I'd like to know what is the configuration to put in the QFX, so that it will be able to collect and forward that traffic from the interface ge-1/0/46 [input interface connected to the cisco (1)] to the interface ge-0/0/9 [output interface connected to the cisco (2)].
The traffic will be transferred in a VLAN trunk carrying many VLANs, and I'd like to collect the traffic from VLAN 35 only.
CISCO (1)                       JUNIPER QFX (transit)                          CISCO (2)
RSPAN VLAN 35 =trunk vlan35=> ge-1/0/46 [RSPAN VLAN 35 (?)] ge-0/0/9 =trunk vlan35=> RSPAN VLAN 35
Thanks for your help!
Thanks for the reply!
I found something that seems to be good to put into the QFX configuration:
set vlans remote-analyzer vlan-id 999
set interfaces ge-1/0/46 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-1/0/46
set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-0/0/9
set vlans remote-analyzer no-mac-learning
What do you think about it?
I think you can't just 'spread' the VLAN traffic as a simple VLAN trunk; you have to specify that it's an 'RSPAN VLAN' (just like in Cisco's configuration), hence the 'set vlans remote-analyzer vlan-id 999' configuration line.
Unfortunately, I can't let you know briefly if it's working, because I have no lab to test this configuration!
Thank you for your help again!
Your understanding is correct: the RSPAN VLAN needs to be enabled so you can pass your "mirror traffic" across switches. Make sure it is enabled on all links along the path up to your PC running Wireshark.
set vlans remote-analyzer vlan-id 999
set interfaces ge-1/0/46 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-1/0/46
set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
set vlans remote-analyzer interface ge-0/0/9
set vlans remote-analyzer no-mac-learning

The last line (no-mac-learning) will only flood the traffic through the VLAN.
I have no way to test it unfortunately, my apologies, but I think it should work that way.
If this solves your problem, please mark this post as "Accepted Solution". If you think that my answer was helpful, please spend some Kudos.
Hello, I tried this method but it doesn't work through a 'simple' trunk.
You have to use the trunk but also configure an analyzer, setting the input VLAN and a different output VLAN.
set vlans VLAN_RSPAN vlan-id 36
set interfaces ge-0/0/46 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members 36
set vlans VLAN_JUNIPER_CISCO vlan-id 37
set interfaces ge-0/0/40 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/40 unit 0 family ethernet-switching vlan members 37
show vlans brief
Routing instance        VLAN name             Tag     Interfaces
default-switch          VLAN_JUNIPER_CISCO    37      ge-0/0/40.0*
default-switch          VLAN_RSPAN            36      ge-0/0/46.0*
default-switch          default               1
show forwarding-options analyzer TEST_RSPAN
Analyzer name                     : TEST_RSPAN
Mirror rate                       : 1
Maximum packet length             : 0
State                             : up
Ingress monitored interfaces      : ge-0/0/46.0
Ingress monitored VLANs           : default-switch/VLAN_RSPAN
Output VLAN                       : default-switch/VLAN_JUNIPER_CISCO
show forwarding-options analyzer TEST_RSPAN | display set
set forwarding-options analyzer TEST_RSPAN input ingress interface ge-0/0/46.0
set forwarding-options analyzer TEST_RSPAN input ingress vlan VLAN_RSPAN
set forwarding-options analyzer TEST_RSPAN output vlan VLAN_JUNIPER_CISCO
Then you have to make a trunk carrying VLAN 37 between the QFX and the Cisco router to which you want to send the monitoring stream.
I did this in my lab at work, and it is working!
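Applied to the topology in the original question (Cisco (1) RSPAN VLAN 35 entering the QFX on ge-1/0/46, leaving toward Cisco (2) on ge-0/0/9), the analyzer approach above gives the following transit-switch configuration. This is an added example assembled from the working post, not the lab configuration the poster ran: the interface names come from the question, the VLAN names RSPAN_IN and RSPAN_OUT, the output VLAN ID 37 and the analyzer name TRANSIT_RSPAN are assumptions for illustration. The `#` lines are explanatory and should be dropped before pasting into the CLI.

```junos
# Added example: transit QFX (ELS syntax) carrying Cisco RSPAN VLAN 35
# from ge-1/0/46 (toward Cisco (1)) to ge-0/0/9 (toward Cisco (2)).
# Interface names are from the question; VLAN names, output VLAN ID 37
# and the analyzer name are assumed.

# Input side: VLAN 35 is the Cisco (1) RSPAN VLAN. It only has to exist on the
# ingress trunk so the analyzer can match it; keep it off every other port so
# the mirrored copy is not flooded anywhere else.
set vlans RSPAN_IN vlan-id 35
set interfaces ge-1/0/46 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-1/0/46 unit 0 family ethernet-switching vlan members RSPAN_IN

# Output side: a separate VLAN that carries nothing but mirrored frames toward
# Cisco (2). It is a member of the egress trunk only.
set vlans RSPAN_OUT vlan-id 37
set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members RSPAN_OUT

# The analyzer: copy frames that arrive on ge-1/0/46 tagged VLAN 35 into VLAN 37.
# Both the interface and the VLAN are given as ingress input, matching the
# working configuration shown in this post.
set forwarding-options analyzer TRANSIT_RSPAN input ingress interface ge-1/0/46.0
set forwarding-options analyzer TRANSIT_RSPAN input ingress vlan RSPAN_IN
set forwarding-options analyzer TRANSIT_RSPAN output vlan RSPAN_OUT
```

After commit, `show forwarding-options analyzer TRANSIT_RSPAN` should report State : up with ge-1/0/46.0 as the ingress monitored interface and default-switch/RSPAN_OUT as the output VLAN, and `show vlans brief` should list RSPAN_IN on ge-1/0/46.0 only and RSPAN_OUT on ge-0/0/9 only. Cisco (2) then needs VLAN 37 (not 35) as its remote SPAN VLAN on the trunk facing the QFX. Because both VLANs carry a full copy of the monitored traffic, check that neither is a member of any other trunk and that no IRB or routed interface is attached to them.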
Greetings, this is possible; here is a sample of the configuration that would do the job:
Configuring Port Mirroring for Remote Traffic Analysis (ELS)

To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this KB:

user@switch# set vlans remote-analyzer vlan-id 999

Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:

user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999

Configure the analyzer. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:

[edit forwarding-options]
user@switch# set analyzer employee-monitor loss-priority high

Specify the traffic to be mirrored, in this example the packets entering ports ge-0/0/0 and ge-0/0/1:

[edit forwarding-options]
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0

Specify the remote-analyzer VLAN as the output for the analyzer:

[edit forwarding-options]
user@switch# set analyzer employee-monitor output vlan 999

Optionally, you can specify a statistical sampling of the packets by setting a ratio:

[edit forwarding-options]
user@switch# set analyzer employee-monitor ratio 200

When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic, as a very high volume of mirrored traffic can be performance intensive for the switch.
If you are missing some traffic or you need this traffic to be untagged, please use this knob: no-tag
set forwarding-options analyzer PAN-Test output vlan 999 no-tag
If you are trying another variation, please check the RSPAN limitations:
If you are using Wireshark as the analyzer software, you might get the packets marked as ERSPAN, which Wireshark reports as fake ERSPAN.
> You can decode them as follows.
> -----------------------------------
> Select menu:
> Edit -> Preferences -> Protocols -> ERSPAN
>
> Check:
> "Force to decode fake ERSPAN frame".
Regards, Lil Dexx JNCIE-ENT #863
If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/
I would just create a dummy VLAN on the 'transit' QFX and disable MAC learning on that VLAN, so traffic that ingresses is flooded out the ports of that VLAN. Be careful: you would only need this 'dummy' VLAN on two ports, so be sure not to flood the traffic on all ports by mistake. With that logic you can put in any transit device with a similar configuration.
To disable MAC learning in a VLAN:
user@switch# edit ethernet-switching-options interfaces xe-0/0/0.0
[edit ethernet-switching-options interfaces xe-0/0/0.0]
user@switch# set no-mac-learning