Hi, did you apply the mirror-enable command?

Could you please share the output of show secure policy-list traffic-flows and show tunnel-server?

You need to apply some command like this:

tunnel-server 5/2/0
 max-interfaces all-available
!

You need to choose one of the LM4 to share its bandwidth for tunnel creations.

Thanks
./diogo -montagner

On Wed, Oct 19, 2011 at 11:50 PM, snort bsd <[email protected]> wrote:
> hi all
>
> i need help on the subject of interface-based packet mirroring in order to
> capture transit traffic flows on certain interfaces.
>
> ---------------------------
> |                         |
> |             gig11/0/4  {|-------- interface with transit traffic flows
> |                         |
> |             gig10/0/1  [|-------- wireshark machine
> |                         |
> ---------------------------
>
> here is what i have done:
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> 1) physical interface intended to be used for mirroring device - wireshark
> machine
>
> interface gigabitEthernet 10/0/1
>  mtu 1522
>  encapsulation vlan
> !
> interface gigabitEthernet 10/0/1.100
>  vlan id 100
>  ip address 192.168.1.2 255.255.255.252
>
> 2) logical tunnel interface that redirects mirror traffic flows
>
> interface tunnel gre:pm transport-virtual-router lab
>  tunnel source gigabitEthernet 10/0/1.100
>  ip analyzer
>  ip address 172.16.1.1 255.255.255.252
>
> 3) static route that binds wireshark machine to the tunnel interface
>
> ip route 100.100.100.2/32 TUNNEL gre:pm
>
> -- here 100.100.100.2 is the pseudo address of the wireshark machine.
>
> 4) policy that is used to capture mirrored traffic flows
>
> secure ip policy-list "traffic-flows"
>  classifier-group *
>   mirror analyzer-ip-address 100.100.100.2 analyzer-virtual-router lab
>
> 5) applying policy to capture transit traffic
>
> interface gigabitEthernet 11/0/4.10
>  ...
>  ...
>  ...
>  ip policy secure-input "traffic-flows"
>  ip policy secure-output "traffic-flows"
>
> 6) result
>
> it doesn't work. where did i go wrong? i tried to install static arp entry
> but failed:
>
> e320-ida:lab(config)#arp 100.100.100.2 tunnel gre:pm 0010:9400:0001
> ^
> % Invalid input detected at '^' marker.
> e320-ida:lab(config)#
>
> i think it failed more than just missing static arp entries. junose docs are
> quite vague on the subject of interface-based packet mirroring, to say the least. i
> tried it without gre tunnel (using physical interface gig10/0/1 directly),
> but i only capture packets destined for the interface gig11/0/4, nothing
> about transit traffic. with tunnel interface, it just doesn't work at all.
>
> on junos, port mirroring has to go through either virtual interfaces (vt) or
> logical tunnel interfaces (lt). i assume it is the same for junose based e320
>
> thanks
>
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp

