Mailing List Archive: nsp: juniper

How to run analyzers on multiple EX3300's back to a single analyzer output. RSPAN not supported?


wrx230 at gmail

Aug 13, 2012, 11:41 PM

Post #1 of 2 (565 views)
How to run analyzers on multiple EX3300's back to a single analyzer output. RSPAN not supported?

Hey everyone..

So, I read some things that led me to believe I could run RSPAN on my
EX3300 devices. Ideally I create an analyzer on my EX3300 top of rack
switches, set the input to the ingress of ge-0/0/0 through 47, and send
that to an analyzer VLAN (vlan-id 998) which gets trunked to the upstream
core on an XE.

I had configured my core 8208 to firewall filter on the ethernet-switching
family input of the top of rack uplink, filtering for vlan-id 998, then
sending to the analyzer which then sends traffic from the multiple switch
uplinks into one central analyzer port.

The following page is an example of something leading me to believe this
could work:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/configuration/port-mirroring-cli.html

This is what JTAC referred me to:
http://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-features-overview.html#network-manage-monitor-features-by-platform-table

It says port mirror is supported, but enhanced port mirroring is not
(RSPAN?).

Basically what I ended up experiencing is only traffic that left the top of
rack switch completely was caught (I did TCP dumps to watch traffic). Port
ge-0/0/0 to ge-0/0/1 is not captured, but ge-0/0/0 out the xe-0/1/0 trunk
to somewhere else in the L2 domain was caught. I do not analyze the uplink
port, so this is some odd behavior. If I just send the analyzer output to a
local port, I get all the traffic and don't experience this weirdness.

Either way Juniper says it's officially not supported, so I'm up a creek.

Here is my main problem: How can I now aggregate the analyzer data from 32+
top of rack switches into a couple 10 gig ports on an appliance? I realize
there are specialized devices that do this, but we spent a lot of money for
our gigamon device that does this. I don't think the security team wants to
buy another one, not to mention that many 10 gig interfaces would literally
cost us $500,000 with gigamon.

I am considering throwing up an EX4500 I have lying around, connecting the
analyzer 10G output from every top of rack switch, and then running an
analyzer for all 10G top of rack feeds into one or two analyzer outputs.
Any reason why this wouldn't work?

Kind of an odd workaround, but I don't really have any other options at
the moment. I thought everything was working great today, until I started
noticing some traffic not being displayed. :3

Thanks,
Morgan
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp
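The per-rack local analyzer plus EX4500 aggregation design that Morgan proposes, written out as an added Junos example; this is not configuration from the original thread. The analyzer names, the EX3300 mirror port xe-0/1/1, the EX4500 port numbers and the sink VLAN 999 are all assumed.

```junos
## Added example, not from the thread. Part 1: on each EX3300 top-of-rack
## switch, mirror the ingress of the access ports to a dedicated 10G port
## (xe-0/1/1 assumed) that is cabled straight to the EX4500. The uplink
## xe-0/1/0 is left out of the analyzer, as in the original design.
set ethernet-switching-options analyzer tor-mirror input ingress interface ge-0/0/0.0
set ethernet-switching-options analyzer tor-mirror input ingress interface ge-0/0/1.0
set ethernet-switching-options analyzer tor-mirror input ingress interface ge-0/0/2.0
## ... repeat for ge-0/0/3.0 through ge-0/0/47.0
set ethernet-switching-options analyzer tor-mirror output interface xe-0/1/1.0

## Part 2: on the spare EX4500, each 10G port receives one rack's mirror
## feed. Those ports are put in a VLAN of their own (999 assumed) so the
## mirrored frames are not switched into the default VLAN alongside
## production traffic; the EX4500 still forwards what it receives.
set vlans mirror-sink vlan-id 999
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members mirror-sink
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members mirror-sink
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members mirror-sink
## ... one interface per top-of-rack feed

## Aggregation analyzer: all feed ports mirrored again to the single port
## (xe-0/0/39 assumed) that faces the security team's appliance.
set ethernet-switching-options analyzer aggregate input ingress interface xe-0/0/0.0
set ethernet-switching-options analyzer aggregate input ingress interface xe-0/0/1.0
set ethernet-switching-options analyzer aggregate input ingress interface xe-0/0/2.0
## ... one line per top-of-rack feed
set ethernet-switching-options analyzer aggregate output interface xe-0/0/39.0

## After commit, confirm on either box that the analyzer is up and lists
## the expected input and output ports.
run show analyzer
```

Mirroring up to 48 x 1G of ingress into one 10G port, and then many 10G feeds into one or two outputs, can oversubscribe the output, so check the analyzer output interface for drops: mirrored frames lost there never reach the appliance, which shows up as gaps in the security team's visibility rather than as an error.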


wrx230 at gmail

Aug 14, 2012, 1:48 AM

Post #2 of 2 (536 views)
Re: How to run analyzers on multiple EX3300's back to a single analyzer output. RSPAN not supported?

I ended up heading to the datacenter to try it out; it seems to work. This is
my best solution for now, it seems.

Morgan

On Mon, Aug 13, 2012 at 11:41 PM, Morgan McLean <wrx230 [at] gmail> wrote: