Remote Mirroring Using a Layer 2 GRE Tunnel

The S- K- and 7100-Series devices support remote mirroring using a Layer 2 (L2) GRE tunnel. Any L2 traffic (unicast, multicast, or broadcast) that can be mirrored with a non-L2 GRE remote mirror can be mirrored with an L2 GRE remote mirror. The mirror source port is the source of the mirrored packets found on the local router of interest. The mirror encapsulates the L2 traffic seen by the mirrored source port in an IP GRE header and delivers it to the tunnel destination address on the S- and K-Series or to the L2 tunnel bridge port as the destination address on the 7100-Series. The tunnel destination address is the ultimate destination port of the tunnel where packets are decapsulated and delivered to the port local to the remote router.

Note

The 7100-Series device supports encapsulation for remote mirror; the 7100-Series does not support decapsulation. The remote mirror destination device must be a device that supports decapsulation for full remote mirroring support. A 7100-Series can be used if you intend to use a packet monitoring program as the means of capturing the packet contents.

The 7100-Series supports IPv4 addressing only for remote mirroring.

The tunnel destination port resides on a remote router with the appropriate L2 GRE tunnel configuration back to the ultimate mirror destination. The intermediate mirror destination port is the actual mirror destination of the local SMON or, in the case of S- and K-Series, policy configuration. Once the L2 tunnel is enabled and fully configured, packets sent to an intermediate destination are encapsulated and forwarded for any SMON or policy port mirrors that use the mirror destination port. Once the tunnel is enabled, the tunnel destination port is in internal loopback mode and can no longer be used as a normal switch port.

Configuration of a remote mirror using a L2 GRE tunnel consists of:

Creating a tunnel interface in global configuration mode, with a loopback source address and a route to the destination
Configuring the mirrored port:
- Configure an SMON port mirror by creating the port mirror, specifying the L2 GRE tunnel destination as the destination port (must be a tunnel bridge port (tbp.x.y) on the 7100-Series), or
- Configure a policy port mirror by creating a mirror destination and specifying a policy to be associated with the mirror (S-, K-Series)

The following CLI input sets up the L2 GRE tunnel for mirrored port ge.1.1 by:

Configuring loop.0.1 as the loopback source address (88.88.88.1/32) for the mirrored port
Configuring VLAN 20 as the VLAN interface the tunnel resides on (S-, K-Series)
Entering configuration mode for tunnel 5
- Configuring the tunnel 5 destination address (99.99.99.1)
- Setting the tunnel mode to GRE L2 and specifying ge.1.8 as the mirror destination (S-, K-Series)
- Setting the tunnel mode to GRE L2 and specifying tbp.0.1 as the mirror destination (7100-Series)
- Enabling the mirrored tunnel which allocates the necessary resources to support mirrored packets
Configuring a static route to the mirror destination

S- and K-Series Input

System(rw)->configure
System(rw-config)->interface loop.0.1
System(rw-config-intf-loop.0.1)->ip address 88.88.88.1/32
System(rw-config-intf-loop.0.1)->no shutdown
System(rw-config-intf-loop.0.1)->exit
System(rw-config)->interface vlan.0.20
System(rw-config-intf-vlan.0.20)->ip address 6.1.1.1 255.255.255.0 primary
System(rw-config-intf-vlan.0.20)->no shutdown
System(rw-config-intf-vlan.0.20)->exit
System(rw-config)->interface tunnel 5
System(rw-config-intf-tun.0.5)->tunnel destination 99.99.99.1
System(rw-config-intf-tun.0.5)->tunnel mode gre l2 ge.1.8
System(rw-config-intf-tun.0.5)->tunnel mirror enable
System(rw-config-intf-tun.0.5)->tunnel source 88.88.88.1
System(rw-config-intf-tun.0.5)->no shutdown
System(rw-config-intf-tun.0.5)->exit
System(rw-config)->ip route 99.99.99.1/32 6.1.1.2 interface vlan.0.20 1
System(rw-config)->exit

7100-Series Input

System(rw)->configure
System(rw-config)->interface loop.0.1
System(rw-config-intf-loop.0.1)->ip address 88.88.88.1/32
System(rw-config-intf-loop.0.1)->no shutdown
System(rw-config-intf-loop.0.1)->exit
System(rw-config)->interface tunnel 5
System(rw-config-intf-tun.0.5)->tunnel destination 99.99.99.1
System(rw-config-intf-tun.0.5)->tunnel mode gre l2 tbp.0.1
System(rw-config-intf-tun.0.5)->tunnel mirror enable
System(rw-config-intf-tun.0.5)->tunnel source 88.88.88.1
System(rw-config-intf-tun.0.5)->no shutdown
System(rw-config-intf-tun.0.5)->exit
System(rw-config)->ip route 99.99.99.1/32 6.1.1.2 interface vlan.0.20 1
System(rw-config)->exit

The following CLI input creates an SMON port mirror specifying the L2 GRE mirror-destination (ge.1.8 on the S- and K-Series; tbp.0.1 on the 7100-Series) as the destination:

S-K-Series(rw)->set port mirror create ge.1.1 ge.1.8 both
7100-Series(rw)->set port mirroring create ge.1.1 tbp.0.1 both
System(rw)->

The following CLI input sets up the L2 GRE tunnel on the mirror destination router. The 7100-Series does not support decapsulation of the mirrored packet. If you require decapsulation of the mirrored packet, the following CLI input sets up the L2 GRE tunnel on the mirror destination router for an S-Series or K-Series device, by:

Configuring loop.0.1 as the loopback source address (99.99.99.1/32) for the mirrored port
Configuring VLAN 33 as the VLAN interface the tunnel resides on
Entering configuration mode for tunnel 12
- Configuring the tunnel 12 destination address (88.88.88.1)
- Setting the tunnel mode to GRE L2 and specifying ge.2.4 as the mirror destination
  You do not enable the mirrored tunnel on the mirror destination router. The L2 GRE-encapsulated packets:
- Arrive with source 88.88.88.1 and destination 99.99.99.1
- Are decapsulated and forwarded out physical port ge.2.4
  A PC running a packet-monitoring program, such as WireShark, can be attached to this port. The packet-monitoring program displays the L2 traffic that is seen by ge.1.1 on the router on which the mirrored port resides.

Configure a static route to the router on which the mirror port resides (88.88.88.1/32)

S-K-Series(rw)->configure
S-K-Series(rw-config)->interface loop.0.1
S-K-Series(rw-config-intf-loop.0.1)->ip address 99.99.99.1/32
S-K-Series(rw-config-intf-loop.0.1)->no shutdown
S-K-Series(rw-config-intf-loop.0.1)->exit
S-K-Series(rw-config)->interface vlan.0.33
S-K-Series(rw-config-intf-vlan.0.33)->ip address 5.1.1.1 255.255.255.0 primary
S-K-Series(rw-config-intf-vlan.0.33)->no shutdown
S-K-Series(rw-config-intf-vlan.0.33)->exit
S-K-Series(rw-config)->interface tunnel 12
S-K-Series(rw-config-intf-tun.0.12)->tunnel destination 88.88.88.1
S-K-Series(rw-config-intf-tun.0.12)->tunnel mode gre l2 ge.2.4
S-K-Series(rw-config-intf-tun.0.12)->tunnel source 99.99.99.1
S-K-Series(rw-config-intf-tun.0.12)->no shutdown
S-K-Series(rw-config-intf-tun.0.12)->exit
S-K-Series(rw-config)->ip route 88.88.88.1/32 5.1.1.2 interface vlan.0.33 1
S-K-Series(rw-config)->exit
S-K-Series(rw)->

The following CLI input (S-, K-Series):

Creates policy profile 1 and applies mirror-destination index 2 to the profile
Creates an admin-profile rule for port ge.1.1 and applies it to policy profile 1
Creates policy port mirror index 2

Sets port ge.1.8 as the destination for port mirror index 2

System(rw)->set policy profile 1 mirror-destination 2
System(rw)->set policy rule admin-profile port ge.1.1 mask 16 port-string ge.1.1 admin-pid 1
System(rw)->set mirror create 2
System(rw)->set mirror ports ge.1.8 2

Published May 2016prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback