Junos OS

Issue with EX2300 Trunk to Many Port Mirroring

    This message was posted by a user wishing to remain anonymous
    Posted 12-22-2021 20:25

    We need to mirror a trunk port to two hosts for monitoring on an EX2300-48P running Junos 21.3R1.9. Port 46 is the trunk. Ports 44 and 45 are physically connected with a loop cable. Ports 42 and 43 connect to the monitoring hosts. The relevant portions of the configuration are below:

    ge-0/0/42 {
        flexible-vlan-tagging;
        native-vlan-id 1;
        encapsulation extended-vlan-bridge;
        unit 1000 {
            vlan-id-list 1-4094;
            input-vlan-map push;
            output-vlan-map pop;
            family ethernet-switching {
                storm-control default;
                recovery-timeout 120;
            }
        }
    }
    ge-0/0/43 {
        flexible-vlan-tagging;
        native-vlan-id 1;
        encapsulation extended-vlan-bridge;
        unit 1000 {
            vlan-id-list 1-4094;
            input-vlan-map push;
            output-vlan-map pop;
            family ethernet-switching {
                storm-control default;
                recovery-timeout 120;
            }
        }
    }
    ge-0/0/44 {
        flexible-vlan-tagging;
        native-vlan-id 1;
        encapsulation extended-vlan-bridge;
        unit 1000 {
            vlan-id-list 1-4094;
            input-vlan-map push;
            output-vlan-map pop;
            family ethernet-switching {
                storm-control default;
                recovery-timeout 120;
            }
        }
    }
    ge-0/0/45 {
        unit 0 {
            family ethernet-switching {
                storm-control default;
                recovery-timeout 120;
            }
        }
    }
    ge-0/0/46 {
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members 100-101;
                }
                storm-control default;
                recovery-timeout 120;
            }
        }
    }
    forwarding-options {
        analyzer {
            internet-monitor {
                input {
                    ingress {
                        interface ge-0/0/46.0;
                    }
                    egress {
                        interface ge-0/0/46.0;
                    }
                }
                output {
                    interface ge-0/0/45.0;
                }
            }
        }
    }
    protocols {
        mstp {
            interface ge-0/0/42 {
                disable;
            }
            interface ge-0/0/43 {
                disable;
            }
            interface ge-0/0/44 {
                disable;
            }
            interface ge-0/0/45 {
                disable;
            }
        }
    }
    vlans {
        DMZ {
            vlan-id 101;
            l3-interface irb.101;
        }
        INET {
            vlan-id 100;
            l3-interface irb.100;
        }
        MONITOR {
            interface ge-0/0/42.1000;
            interface ge-0/0/43.1000;
            interface ge-0/0/44.1000;
            switch-options {
                no-mac-learning;
            }
        }
    }
    

    When I connect a host to port 45, tcpdump shows traffic flowing in both directions. The VLAN tags for the outbound traffic are incorrect. This is listed as a known limitation in the Juniper documentation and we can work around it. The issue occurs when port 45 is cross-connected with port 44 and a host is connected to port 42 or port 43. The host running tcpdump on port 42 or port 43 only shows traffic flowing in one direction.

    Any advice is appreciated.
    Thanks
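
One way to quantify the one-direction symptom from a capture taken on port 42 or 43, as an added example that is not part of the original post: it parses `tcpdump -e -nn` text output, groups packets by endpoint pair, and lists flows seen in only one direction together with the VLAN tag stacks observed. The sample lines, addresses and function names are constructed for illustration; 100 and 101 are the trunk VLAN members from the configuration above.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -nn` output (MACs, IPs and ports are made up;
# VLANs 100/101 are the trunk members from the posted configuration).
SAMPLE = """\
12:00:00.000001 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype 802.1Q (0x8100), length 78: vlan 100, p 0, ethertype IPv4 (0x0800), 192.0.2.10.51514 > 198.51.100.5.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000900 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 78: vlan 100, p 0, ethertype IPv4 (0x0800), 198.51.100.5.443 > 192.0.2.10.51514: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:01.000001 02:00:00:00:00:03 > 02:00:00:00:00:02, ethertype 802.1Q (0x8100), length 78: vlan 101, p 0, ethertype IPv4 (0x0800), 192.0.2.20.40000 > 203.0.113.7.53: 1+ A? example.com. (29)
12:00:02.000001 02:00:00:00:00:04 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 192.0.2.30.40001 > 203.0.113.7.80: Flags [S], seq 5, win 64240, length 0
"""

# IPv4 TCP/UDP lines only: "src.sport > dst.dport:"; other traffic is skipped.
FLOW = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")
VLAN = re.compile(r"\bvlan (\d+),")  # one match per 802.1Q tag, outermost first

def direction_report(text):
    """Group packets by unordered endpoint pair; record directions and tag stacks seen."""
    flows = defaultdict(lambda: {"dirs": set(), "vlans": set()})
    for line in text.splitlines():
        m = FLOW.search(line)
        if not m:
            continue
        a = (m.group(1), int(m.group(2)))
        b = (m.group(3), int(m.group(4)))
        key = tuple(sorted((a, b)))
        flows[key]["dirs"].add("fwd" if (a, b) == key else "rev")
        flows[key]["vlans"].add(tuple(int(v) for v in VLAN.findall(line)))
    return dict(flows)

def one_way_flows(report):
    """Endpoint pairs for which only one direction reached the capture host."""
    return sorted(k for k, f in report.items() if len(f["dirs"]) == 1)

def vlan_mismatches(report, expected=frozenset({100, 101})):
    """Flows where a packet was untagged or its innermost tag is not an expected VLAN."""
    return sorted(k for k, f in report.items()
                  if any(not s or s[-1] not in expected for s in f["vlans"]))

if __name__ == "__main__":
    report = direction_report(SAMPLE)
    for key in one_way_flows(report):
        print("one direction only:", key, "tag stacks:", sorted(report[key]["vlans"]))
    for key in vlan_mismatches(report):
        print("unexpected VLAN tagging:", key, sorted(report[key]["vlans"]))
```

Running the same report on a capture from port 45 and on one from port 42 or 43 shows which direction is lost across the loop cable; short-lived or one-way protocols will appear in the one-way list even on a healthy mirror.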