Analyzing traffic on juniper switches
<yambe:breadcrumb self="Analyzing traffic on juniper switches">Switch configuration notes|Switch configuration notes</yambe:breadcrumb>
Analyzing traffic on juniper switches
In juniper switches there are two separate concepts:
- Analyzer configuration
- This is similar to port mirroring on Dell or Cisco. We can select a set of interfaces as source and then a specific interface or VLAN as destination for port-mirroring / analyzer
- Port mirroring
- This is more advanced version of analyzer where we can write a filter to match against all incoming traffic on all interfaces. Then traffic which passes filter can be mirrored to a specific port or VLAN for analysis.
Setting VLAN as destination for port mirroring or analyzer can help in doing mirroring across different devices (Source machines can be on one switch and Destination analyzer can be on different switch) as long as selected VLAN for mirroring is trunked between the two devices.
Basic analyzer configuration
For basic analyzer configuration we need to remove all configuration from destination port even 'ethernet-switching':
set analyzer <analyzer-name-1> input ingress interface <interface-name-1> set analyzer <analyzer-name-1> input egress interface <interface-name-1> set analyzer <analyzer-name-1> output interface <interface-name-2>
In above example all incoming (ingress) and outgoing (egress) traffic from <interface-name-1> would be copied to <interface-name-2> for packet capture via wireshark / tcpdump etc.
Then we can see analyzer configuration via below in operational mode:
show analyzer
Refer:
Configuring analyzer output via VLAN for remote analyzer
Since it is possible for analyzer to send output to VLAN, we can have packets captured on one switch and then have analyzer on some remote switch with a few switches in between. To do this in general we need to follow:
- Configure input of analyzer as physical interfaces everywhere. Capture both ingress and egress.
- Configure output of analyzer on initial and intermediate switch to a VLAN.
- In last switch configure output of analyzer as physical port where analyzer (Packet capturing) machine is connected.
- Configure one port for output as trunk port on first and intermediate switch where only this VLAN is trunked. When doing this careful of configurations where all VLANs are trunked between switches / switch to hypervisor
- Configure input port on intermediate and last switch as trunk for this specific VLAN. Again avoid configuration on any port which trunks all VLANs
- If possible disable MAC learning for this VLAN on all switches
- If possible set loss priority to high so that packet capture does not affect more critical production traffic
- If transit switch (If juniper) supports setting ingress and egress interfaces for a VLAN then no need to configure analyzer on transit switch. There we can simply specify input and output trunk ports for the VLAN without configuring analyzer
Refer:
- https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-remote-on-transit-switch.html
- https://www.juniper.net/documentation/en_US/junos/topics/example/port-mirroring-remote-ex-series.html
<yambe:breadcrumb self="Analyzing traffic on juniper switches">Switch configuration notes|Switch configuration notes</yambe:breadcrumb>