wrx230 at gmail
Aug 14, 2012, 1:48 AM
Post #2 of 2
Re: How to run analyzers on multiple EX3300's back to a single analyzer output. RSPAN not supported?

I ended up heading to the datacenter to try it out; it seems to work. This is my best solution for now, it seems.
On Mon, Aug 13, 2012 at 11:41 PM, Morgan McLean <wrx230 [at] gmail> wrote:
> Hey everyone..
> So, I read some things that lead me to believe I could run RSPAN on my
> EX3300 devices. Ideally I create an analyzer on my EX3300 top of rack
> switches, set the input to the ingress of ge-0/0/0 through 47, and send
> that to an analyzer VLAN (vlan-id 998) which gets trunked to the upstream
> core on an XE.
> I had configured my core 8208 to firewall filter on the ethernet-switching
> family input of the top of rack uplink, filtering for vlan-id 998, then
> sending to the analyzer which then sends traffic from the multiple switch
> uplinks into one central analyzer port.
> The following page is an example of something leading me to believe this
> could work:
> This is what JTAC referred me to:
> It says port mirror is supported, but enhanced port mirroring is not.
> Basically what I ended up experiencing is only traffic that left the top
> of rack switch completely was caught (I did TCP dumps to watch traffic).
> Port ge-0/0/0 to ge-0/0/1 is not captured, but ge-0/0/0 out the xe-0/1/0
> trunk to somewhere else in the L2 domain was caught. I do not analyze the
> uplink port, so this is some odd behavior. If I just send the analyzer
> output to a local port, I get all the traffic and don't experience this.
> Either way, Juniper says it's officially not supported, so I'm up a creek.
> Here is my main problem: How can I now aggregate the analyzer data from
> 32+ top of rack switches into a couple 10 gig ports on an appliance? I
> realize there are specialized devices that do this, but we spent a lot of
> money for our gigamon device that does this. I don't think the security
> team wants to buy another one, not to mention that many 10 gig interfaces
> would literally cost us 500,000$ with gigamon.
> I am considering throwing up an EX4500 I have laying around, connecting
> the analyzer 10G output from every top of rack switch, and then running an
> analyzer for all 10G top of rack feeds into one or two analyzer outputs.
> Any reason why this wouldn't work?
> Kind of an odd workaround, but I don't really have any other options at
> the moment. I thought everything was working great today, until I started
> noticing some traffic not being displayed. :3
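As an added illustration (not configuration from the original post or from Juniper), the two pieces the thread describes as working: a top-of-rack analyzer with a local output port, and the proposed EX4500 that funnels every ToR mirror feed into one analyzer output. It assumes pre-ELS Junos (the `ethernet-switching-options` hierarchy the EX3300 used at the time); the analyzer names, VLAN name and port choices are made up.

```junos
## Added example, not the poster's configuration. Assumes pre-ELS Junos
## (ethernet-switching-options hierarchy); analyzer names, VLAN name and
## port numbers are arbitrary choices for illustration.

## Top-of-rack EX3300: mirror ingress of the access ports to a local 10G
## port. This is the local-output case the poster reports as capturing
## everything, unlike the VLAN-output (RSPAN-style) attempt.
ethernet-switching-options {
    analyzer tor-local {
        input {
            ingress {
                interface ge-0/0/0.0;
                interface ge-0/0/1.0;
                ## ... one line per access port, through ge-0/0/47.0
            }
        }
        output {
            interface xe-0/1/1.0;   ## dedicated 10G link to the aggregation switch
        }
    }
}

## Aggregation EX4500 (the workaround proposed above): each ToR feed lands
## on its own 10G port, and a second analyzer copies all of them toward the
## appliance. The feed ports sit in an isolated VLAN with MAC learning off
## so the mirrored copies are not also switched onward as live traffic.
vlans {
    mirror-feeds {
        vlan-id 999;
        no-mac-learning;
    }
}
ethernet-switching-options {
    analyzer tor-aggregate {
        input {
            ingress {
                interface xe-0/0/0.0;   ## feed from ToR 1
                interface xe-0/0/1.0;   ## feed from ToR 2
                ## ... one per top-of-rack switch
            }
        }
        output {
            interface xe-0/0/46.0;      ## toward the analysis appliance
        }
    }
}
```

The feed ports on the EX4500 still need to be assigned to the mirror-feeds VLAN under their own interface stanzas, and the analyzer output port should carry nothing else.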
juniper-nsp mailing list juniper-nsp [at] puck