Switching

Port mirroring // RSPAN with Juniper QFX switch as a transit switch

  • 1.  Port mirroring // RSPAN with Juniper QFX switch as a transit switch

    Posted 01-29-2020 07:52

    Hello,

    I have to implement port mirroring, with RSPAN to collect and monitor the traffic from a cisco switch (1) to another cisco switch (2).

    But in between there's a Juniper QFX switch (the one I am calling the 'transit switch').

    So my source will be a cisco switch (1) port, my rspan vlan is the vlan 35, then I'll go through the Juniper QFX, and the final destination is another cisco switch (2), from which I will collect the remote traffic.

    I'd like to know what is the configuration to put in the QFX, so that it will be able to collect and forward that traffic from the interface ge-1/0/46 [input interface connected to the cisco (1)] to the interface ge-0/0/9 [output interface connected to the cisco (2)].

    The traffic will be transferred in a vlan trunk, with many vlans, and I'd like to collect the traffic from the vlan 35 only.

    CISCO (1)                          JUNIPER QFX                                   CISCO (2)

    RSPAN VLAN 35  =trunk vlan35=>  int ge-1/0/46  RSPAN VLAN 35(?)  int ge-0/0/9  =trunk vlan35=>  RSPAN VLAN 35

    Thanks for your help!



  • 2.  RE: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

    Posted 01-29-2020 08:03
    Hi RyRy_G,

    Yes, simply trunking the required VLAN should work like any other traffic because the contents are transparent to the QFX. The only other thing I could think of is if you have any firewall filter applied on the QFX interfaces: allow the required IP/port fields. Else we should be good.

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 3.  RE: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

    Posted 01-30-2020 01:45

    Hello!

    Thanks for the reply!

    I found something that seems to be good to put into the QFX configuration:

    set vlans remote-analyzer vlan-id 999
    set interfaces ge-1/0/46 unit 0 family ethernet-switching interface-mode trunk
    set vlans remote-analyzer interface ge-0/0/46
    set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
    set vlans remote-analyzer interface ge-0/0/9
    set vlans remote-analyzer no-mac-learning

    What do you think about it?

    I think you can't only 'spread' the vlan traffic as a simple vlan trunk, you have to specify that it's a 'RSPAN vlan' (just like in cisco's configuration), hence the 'set vlans remote-analyzer vlan-id 999' configuration line.

    Unfortunately, I can't let you know briefly if it's working, because I have no lab to test this configuration!

    Thank you for your help again!



  • 4.  RE: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

    Posted 02-06-2020 13:08

    Hi RyRy_G

    Your understanding is correct: the RSPAN VLAN needs to be enabled so you can pass your "mirror traffic" across switches; make sure it is enabled on all links along the path up to your PC running Wireshark.

    set vlans remote-analyzer vlan-id 999
    set interfaces ge-1/0/46 unit 0 family ethernet-switching interface-mode trunk
    set vlans remote-analyzer interface ge-0/0/46
    set interfaces ge-0/0/9 unit 0 family ethernet-switching interface-mode trunk
    set vlans remote-analyzer interface ge-0/0/9
    set vlans remote-analyzer no-mac-learning     >>>>>>>> this will only flood the traffic through it.

    I have no way to test it unfortunately, my apologies, but I think it should work that way.

    If this solves your problem, please mark this post as "Accepted Solution".
    If you think that my answer was helpful, please spend some Kudos.



  • 5.  RE: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

    Posted 02-11-2020 07:19

    Hello, I tried this method but it doesn't work through a 'simple' trunk.

    You have to use the trunk but also configure an analyzer, to set the input VLAN and another, different output VLAN.

    set vlans VLAN_RSPAN vlan-id 36
    set interfaces ge-0/0/46 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members 36

    set vlans VLAN_JUNIPER_CISCO vlan-id 37
    set interfaces ge-0/0/40 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ge-0/0/40 unit 0 family ethernet-switching vlan members 37

    show vlans brief

    Routing instance    VLAN name            Tag    Interfaces
    default-switch      VLAN_JUNIPER_CISCO   37     ge-0/0/40.0*
    default-switch      VLAN_RSPAN           36     ge-0/0/46.0*
    default-switch      default              1

    show forwarding-options analyzer TEST_RSPAN

    Analyzer name : TEST_RSPAN
    Mirror rate : 1
    Maximum packet length : 0
    State : up
    Ingress monitored interfaces : ge-0/0/46.0
    Ingress monitored VLANs : default-switch/VLAN_RSPAN
    Output VLAN : default-switch/VLAN_JUNIPER_CISCO

    show forwarding-options analyzer TEST_RSPAN | display set

    set forwarding-options analyzer TEST_RSPAN input ingress interface ge-0/0/46.0
    set forwarding-options analyzer TEST_RSPAN input ingress vlan VLAN_RSPAN
    set forwarding-options analyzer TEST_RSPAN output vlan VLAN_JUNIPER_CISCO

    Then you have to make a trunk with vlan 37 between the QFX and the Cisco router to which you want to spread and send the monitoring stream.

    I did this in my lab at work, and it is working!

    😉


  • 6.  RE: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

    Posted 01-29-2020 14:13

    Hi schoberw,

    Greetings, this is possible; here is a sample of the configuration that would do the job:

    Configuring Port Mirroring for Remote Traffic Analysis (ELS)
    To mirror traffic that is traversing interfaces or a VLAN on the switch to a VLAN for analysis from a remote location:

    Configure a VLAN to carry the mirrored traffic. This VLAN is called remote-analyzer and given the ID of 999 by convention in this KB:

    [edit]
    user@switch# set vlans remote-analyzer vlan-id 999
    Set the uplink module interface that is connected to the distribution switch to trunk mode and associate it with the remote-analyzer VLAN:

    [edit]
    user@switch# set interfaces ge-0/1/1 unit 0 family ethernet-switching port-mode trunk vlan members 999
    Configure the analyzer. Choose a name and set the loss priority to high. Loss priority should always be set to high when configuring for remote port mirroring:
    [edit forwarding-options]
    user@switch# set analyzer employee-monitor loss-priority high
    Specify the traffic to be mirrored, in this example the packets entering ports ge-0/0/0 and ge-0/0/1:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/0.0
    user@switch# set analyzer employee-monitor input ingress interface ge-0/0/1.0
    Specify the remote-analyzer VLAN as the output for the analyzer:

    [edit forwarding-options]
    user@switch# set analyzer employee-monitor output vlan 999
    Optionally, you can specify a statistical sampling of the packets by setting a ratio:
    [edit forwarding-options]
    user@switch# set analyzer employee-monitor ratio 200
    When the ratio is set to 200, 1 out of every 200 packets is mirrored to the analyzer. You can use this to reduce the volume of mirrored traffic as a very high volume of mirrored traffic can be performance intensive for the switch.

    Source: https://kb.juniper.net/InfoCenter/index?page=content&id=KB10878&cat=SWITCH_PRODUCTS&actp=LIST

    If you are missing some traffic or you need this traffic to be untagged, please use this knob: no-tag

    i.e.

    set forwarding-options analyzer PAN-Test output vlan 999 no-tag

    If you are trying another variation, please check the RSPAN limitations:

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-mirroring-limitations-qfx-series.html

    If you are using Wireshark as the analyzer software you might get the packets marked as ERSPAN, which Wireshark reports as fake ERSPAN.

    > you can decode the following.
    > -----------------------------------
    > select menu:
    > Edit -> preferences -> protocol -> ERSPAN
    >
    > Check:
    > "FORCE to decode fake ERSPAN frame:".

    Regards,
    Lil Dexx JNCIE-ENT#863

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/


  • 7.  RE: Port mirroring // RSPAN with Juniper QFX switch as a transit switch

    Posted 02-11-2020 10:59

    Hi RyRy,

    I would just create a dummy VLAN on the 'transit' QFX and disable MAC learning on that VLAN so traffic that ingresses is flooded out the ports of that VLAN. Be careful: you would only need this 'dummy' VLAN on two ports, so be sure not to flood the traffic on all ports by mistake. With that logic you can put any transit device with similar configuration.

    To disable MAC learning in a VLAN:

    [edit]
    user@switch# edit ethernet-switching-options interfaces xe-0/0/0.0

    [edit ethernet-switching-options interfaces xe-0/0/0.0]
    user@switch# set no-mac-learning

    Regards, 

    Benjamin
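The working analyzer configuration in post 5 and the caution in post 7 about flooding the mirror VLAN out of more ports than intended both come down to one question: which interfaces on the transit QFX carry the analyzer's output VLAN? The script below is an added example, not code from this thread or from Juniper; it parses "display set" style lines (a constructed sample built from post 5, plus a hypothetical extra trunk ge-0/0/12 that also carries VLAN 37) and reports any port that would receive the mirrored stream beyond the intended uplink.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form: the working lines from post 5 (VLAN 36 in,
# VLAN 37 out) plus a hypothetical extra trunk, ge-0/0/12, that also carries VLAN 37.
SAMPLE_CONFIG = """
set vlans VLAN_RSPAN vlan-id 36
set vlans VLAN_JUNIPER_CISCO vlan-id 37
set interfaces ge-0/0/46 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/46 unit 0 family ethernet-switching vlan members 36
set interfaces ge-0/0/40 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/40 unit 0 family ethernet-switching vlan members 37
set interfaces ge-0/0/12 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members [ 10 37 ]
set forwarding-options analyzer TEST_RSPAN input ingress interface ge-0/0/46.0
set forwarding-options analyzer TEST_RSPAN input ingress vlan VLAN_RSPAN
set forwarding-options analyzer TEST_RSPAN output vlan VLAN_JUNIPER_CISCO
"""

VLAN_RE = re.compile(r"^set vlans (\S+) vlan-id (\d+)$")
MEMBER_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (.+)$")
OUTPUT_RE = re.compile(r"^set forwarding-options analyzer (\S+) output vlan (\S+)$")

def parse_config(text):
    """Return (vlan name -> id, vlan token -> logical member interfaces, analyzer -> output vlan)."""
    vlans, members, outputs = {}, defaultdict(set), {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := VLAN_RE.match(line):
            vlans[m[1]] = m[2]
        elif m := MEMBER_RE.match(line):
            for token in m[3].strip("[] ").split():  # accepts "37" as well as "[ 10 37 ]"
                members[token].add(f"{m[1]}.{m[2]}")
        elif m := OUTPUT_RE.match(line):
            outputs[m[1]] = m[2]
    return vlans, members, outputs

def output_vlan_ports(text, analyzer):
    """Every logical interface that carries the analyzer's output VLAN, whether the
    trunk refers to that VLAN by name or by numeric id (post 5 mixes the two)."""
    vlans, members, outputs = parse_config(text)
    out = outputs[analyzer]
    tokens = {out, vlans.get(out, out)} | {name for name, vid in vlans.items() if vid == out}
    return set().union(*(members[t] for t in tokens))

def unexpected_ports(text, analyzer, allowed):
    """Ports that would be flooded with the mirrored stream beyond the intended uplink(s)."""
    return output_vlan_ports(text, analyzer) - set(allowed)
```

Run it against the real `show configuration | display set` output of the transit switch, with `allowed` set to the uplink towards Cisco (2); an empty result means the mirror VLAN reaches only that port.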