Switching

Hello,

 I am new at this, sorry in advanced if I am missing something. So I am trying to figure out this issue of remote analyzer. We have an IDS device which is connected to another 4600 in our comp room. Our core switch is located in another room. I was reading that I could do RSPAN on the ports that I want to mirror to the 4600 in our comp room. So the topology is as shown below

Core4600 ---(fiber link)-- Edge4600--IDS device (I have only connected the ports to 4600 which they want to use to monitor traffic)

This is how I set up the analyzer on my core4600

root@4600-core# show forwarding-options analyzer
Firewall-External-Monitor {
input {
ingress {
interface ge-0/0/14.0;
}
egress {
interface ge-0/0/14.0;
}
}
output {
vlan {
Remote-Analyzer-External;
}
}
}
Firewall-Internal-Monitor {
input {
ingress {
interface ge-0/0/10.0;
}
egress {
interface ge-0/0/10.0;
}
}
output {
vlan {
Remote-Analyzer-Internal;
}
}
}

On the edge Ex4600, this is what I have configured

root@edgeex4600# show forwarding-options analyzer
Firewall-External {
input {
ingress {
vlan Remote-Analyzer-External;
}
}
output {
interface ge-0/2/6.0;
}
}
Firewall-Internal {
input {
ingress {
vlan Remote-Analyzer-Internal;
}
}
output {
interface ge-0/2/0.0;
}
}

Here is the uplink configuration between the switches

Core EX4600

root@4600-core# show interfaces xe-1/2/7
description Uplink-To-4600-Edge-1;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ Test1 Test2 Test3 Test4 Remote-Analyzer-Internal Remote-Analyzer-External ];
}
}
}

Edge4600

root@edge4600-1# show interfaces xe-0/0/0
description Uplink-To-4600-core;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ Test1 Test2 Test3 Test4 Remote-Analyzer-Internal Remote-Analyzer-External ];
}
}
}

The analyzers both show up on both the switches, I can't confirm if its running. Is my config correct? Please let me know if I am missing anything here. 

Hi Pre91,

With two directly connected switches, you may use the sample configuration from here:
https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-remote-ex-series.html (this is non-ELS but same config should work at "forwarding-options" hierarchy for your switch if using ELS i.e. newer Junos than 14.1)

Also check this out:
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/port-mirroring-limitations-qfx-series.html

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Hello,
Thank you, I did follow this link but I’m not sure it works as I see no activity on the mirrored ports. Is there something else that I need to try? Is there a way to verify that this works?

Port mirroring varies by platform due to the chip set differences this is the ex4600 covered document.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-local-qfx-series-els.html

 

Hi Steve,

  Thank you, I am more looking for something like this document on the link

https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-qfx-series-remote-els.html

I have the source switch part done, I am not sure how do I configure the destination ports on my remote switch. Do they need to be on a vlan? access mode? trunk mode? I am attaching a topology diagram, hopefully this helps. Please let me know if you need anything else.

Thank you!

@Pre91 the link you are using says:

 

• VLAN remote-analyzer is configured on all switches in the topology to carry the mirrored traffic.

Hello,

 So this is what I have on my source switch (adding the config below), I created two vlans Remote-Analyzer-External and Remote-Analyzer-Internal

root@4600-core# show forwarding-options analyzer
Firewall-External-Monitor {
input {
ingress {
interface ge-0/0/14.0;
}
egress {
interface ge-0/0/14.0;
}
}
output {
vlan {
Remote-Analyzer-External;
}
}
}
Firewall-Internal-Monitor {
input {
ingress {
interface ge-0/0/10.0;
}
egress {
interface ge-0/0/10.0;
}
}
output {
vlan {
Remote-Analyzer-Internal;
}
}
}

The uplink configuration between source and destination switch is below where both vlans are part of the trunk.

show interfaces xe-1/2/7
description Uplink-To-4600-Edge-1;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ Test1 Test2 Test3 Test4 Remote-Analyzer-Internal Remote-Analyzer-External ];
}
}
}

 

Destination Switch Config is below, the vlans that carry the mirrored traffic is already added between the trunks and I also created an analyzer which would take the vlans as an input and forward it to the ports where the IDS is connected on,

interfaces {
xe-0/0/0 {
description Uplink-To-ex4600-core;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [  est1 Test2 Test3 Test4 Remote-Analyzer-Internal Remote-Analyzer-External  ];
}
}
}
}
ge-0/2/0 {
description Firewall-Internal;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members Remote-Analyzer-Internal;
}
}
}
}
ge-0/2/6 {
description Firewall-External;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members Remote-Analyzer-External;
}
}
}
}

forwarding-options {
storm-control-profiles default {
all;
}
analyzer {
Firewall-External {
input {
ingress {
vlan Remote-Analyzer-External;
}
}
output {
interface ge-0/2/6.0;
}
}
Firewall-Internal {
input {
ingress {
vlan Remote-Analyzer-Internal;
}
}
output {
interface ge-0/2/0.0;
}
}
}
}

Why 2 different VLANs?  There is now way to route Analyzer traffic to a remote analyzer, I believe.  There should be a unique VLAN from Source to Analyzer ports as this is just a L2 flood of traffic.

 

You need to be able to extend L2 between Source and Remote-Analyzer, I believe.

 

OK?

That method is only supported on the EX4650-48Y running Junos OS 18.3R1 or higher.  Do you have that as your model?

 

No, I have EX4600 running on 14.1X53 code. What are my options to make this work? Due to space and power reasons, I can't have this IDS device in the same room as my core switches. 

 

Hi Pre91 

 

good day !

Please refer to the below link for the example  configuration that is used in your environment 

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16324&cat=SWITCHING&actp=LIST

 

I hope it works for you .

 

Regards ,

Sharanya

Hi Pre91, 

 

Have you tried to use 1 analyzer at a time? for example , deactivate firewall-internal analyzer and leave firewall-external? 

 

After that make sure that you compare current pps value on the interface before and after you enable the analyzer. - monitor interface ge-x/y/z (output interface analyzer)

 

Is it possible to send the traffic maybe to your PC or a server test directly connected to your core switch?and see if that works? 

 

I don't see the vlan configuration, so I'm assuming it is already configured.

 

Let us know your results.

 

Thank you, 

Franky

Hello,

  Yes I was doing some more testing today. So I tried the following

1.) Try with only one analyzer - No luck :(, I had a laptop running wireshark running on the edge switch port and all i saw was just the arp traffic or broadcast traffic. But no mirror traffic.

2.) Try it locally on the core switch itself with wireshark laptop - This one works as long as I set my output to the port (this was expected to work, but I wanted to try it)

3.) Try it locally on the core switch locally with output as vlan - this one failed, I setup the monitoring port on the core switch to access mode first and also configured the vlan to it but both of them failed. Not sure if this is designed this way to not work.

I am wondering if there is something else I need to setup on the vlans itself? Here is my config for both vlans.

set vlans Remote-Analyzer-External vlan-id 4001

set vlans Remote-Analyzer-Internal vlan-id 4000

I do have a third port which needs to carry all of our vlans to that port, something like vlan mirroring in cisco world. I am wondering if its possible to basically do an ingress on all the vlans such as the internet vlan, critical servers vlan, firewall mgt vlan and output them to xe-1/2/7 (uplink to the edge), the traffic will be too much but the IDS should smart enough isolate or separate them hopefully. Is that something possible?

I really appreciate everyone jumping on this and helping me out I also opened a jtac case to see if they come up with something else.

I wanted to update everyone on this, we were hitting an issue with our firmware (14.1X53D46.7), so this is most likely why we weren't able to make rspan work. JTAC also ran into this issue when they performed this in their lab. I guess this can be closed now. Thanks everyone to all the suggestions and help on this.