If you're like us (and most places), you want to look at traffic from time to time...or all the time. Juniper doesn't let you create a "span" port or mirror port on their routers -- only on their switches. You can't get any of the layer 2 stuff, only layer 3 and up (family inet). There are some posts out there about using GRE to encapsulate mirrored traffic to a monitoring station, then using something like wireshark or tshark to "look through" the GRE and analyze the mirrored datagrams. That's great...if you use wireshark or tshark. Most tools out there won't look through the GRE headers because they're designed to be used on simple span ports. (Juniper, this is a serious shortcoming.) The best you can do is fake it out with a dummy ARP entry.
The overall idea here is simple. The next-hop interface for the mirror statement must include a physical and a logical address. The physical part is easy (it's whatever interface your monitoring box hangs off). But what do you put down for the logical part? Easy: a dummy IP address on a /30, with the other end of the /30 hardcoded to a fake ARP entry. That way the router never has to perform an ARP resolution for the next-hop; the entry is always in cache and the router will always just blast the traffic down the link. Here are some examples:

    diq@router> show configuration forwarding-options port-mirroring
    input {
        rate 50;
    }
    family inet {
        output {
            interface ge-1/0/4.0 {
                next-hop 172.16.50.2;
            }
            no-filter-check;
        }
    }

    diq@router> show configuration interfaces ge-1/0/4
    unit 0 {
        family inet {
            address 172.16.50.1/30 {
                arp 172.16.50.2 mac 00:ff:85:7f:78:03;
            }
        }
    }

Throw some port-mirror statements in your firewall rules, and you should be good.
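The mirror only stays "ARP-free" if the next-hop in the port-mirroring stanza is the far end of the /30 configured on the egress unit and that address has a static arp entry; a mismatch between the two stanzas silently reintroduces ARP resolution. The following is an added example (not from the post or from Juniper) that parses the two "show configuration" outputs above, compacted onto fewer lines as constructed sample input, and reports any such mismatch; the minimal Junos brace parser and the check names are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the two "show configuration" outputs from the post, compacted onto fewer lines.
MIRROR_CFG = """input { rate 50; }
family inet { output { interface ge-1/0/4.0 { next-hop 172.16.50.2; } no-filter-check; } }"""
IFACE_CFG = """unit 0 { family inet { address 172.16.50.1/30 {
    arp 172.16.50.2 mac 00:ff:85:7f:78:03; } } }"""

def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts; leaf statements go in a '_leaves' list."""
    root, stack, cur = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                      # open a sub-block named by the tokens seen so far
            child = {}
            node[" ".join(cur)] = child
            stack.append(node)
            node, cur = child, []
        elif tok == ";":                    # terminate a leaf statement
            node.setdefault("_leaves", []).append(" ".join(cur))
            cur = []
        elif tok == "}":
            node = stack.pop()
        else:
            cur.append(tok)
    return root

def check_mirror(mirror_cfg, iface_cfg):
    """Return a list of problems; empty means the next-hop is a /30 peer with a static ARP entry."""
    output = parse_junos(mirror_cfg).get("family inet", {}).get("output", {})
    ifaces = [k for k in output if k.startswith("interface ")]
    nh = [l.split()[1] for l in output[ifaces[0]].get("_leaves", [])
          if l.startswith("next-hop ")] if len(ifaces) == 1 else []
    if not nh:
        return ["expected exactly one output interface with a next-hop"]
    nh_ip = ipaddress.ip_address(nh[0])
    unit = ifaces[0].split()[1].rsplit(".", 1)[-1]          # ge-1/0/4.0 -> unit 0
    fam = parse_junos(iface_cfg).get(f"unit {unit}", {}).get("family inet", {})
    for key, blk in fam.items():
        if not key.startswith("address "):
            continue
        problems, net = [], ipaddress.ip_interface(key.split()[1])
        if nh_ip not in net.network or nh_ip == net.ip:      # next-hop must be the far end of the /30
            problems.append(f"next-hop {nh_ip} is not a peer on {net}")
        arps = [l.split() for l in blk.get("_leaves", []) if l.startswith("arp ")]
        if not any(a[1] == str(nh_ip) for a in arps):        # without this the router must ARP first
            problems.append(f"no static arp for {nh_ip} under {key}")
        return problems
    return [f"unit {unit} has no family inet address"]
```

Run `check_mirror(MIRROR_CFG, IFACE_CFG)` against the real outputs of the two show commands; an empty list means the mirror path matches the setup described above.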
Author: A NOLA native just trying to get by. I live in San Francisco and work as a digital plumber for the joint that runs this thing (Square/Weebly). Thoughts are mine, not my company's.

Archives: May 2021