Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

close
external-header-nav
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Cloud-Native Contrail Networking Feature Guide Analytics

Cloud-Native Contrail Networking Feature Guide

keyboard_arrow_up
close
keyboard_arrow_left
Cloud-Native Contrail Networking Feature Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Flow-Based Mirroring

date_range 18-Jul-23
arrow_backward
arrow_forward

SUMMARY Juniper® Cloud-Native Contrail Networking (CN2) Release 23.2 in a Kubernetes-orchestrated environment supports flow-based network traffic mirroring.

Overview

The flow-based mirroring feature is an extension to the current Port-Based Mirroring feature. CN2 can selectively mirror network traffic on the basis of flow when vRouter is in the flow mode. In flow mode, CN2 has port-based mirroring capability as well as flow-based mirroring capability.

Figure 1: Flow-Based Mirroring Topology []

With this feature, user can mirror any flow, which is specified by the security policy and sends it to the network analyzer that monitors and analyzes the data. The network analyzer is specified with mirrorDestination resource. It also supports mirrorDestination resource present outside the cluster.

In CN2, the flow-based mirroring feature,

  • Uses an existing mirroring functionality of Contrail Networking vRouter to forward the mirrored traffic. There are two cases related to traffic forwarding:
    • If juniperHeader is enabled, the analyzer or destination IP address and UDP port is used to forward the mirrored traffic.
    • If juniperHeader is not enabled, the analyzer or destination mac address should be reachable from the source VMIs VRF. To lookup the destination mac address, L2 lookup is performed in the source VMIs VRF.
  • Adjusts the configuration server settings of CN2 to align with anticipated configuration requirements of vRouter agent.
  • Uses contrail security policies to select the network traffic flow to be mirrored.
  • Is applicable at the policy level or rule level. In case of rule level, the network traffic flow matching the first rule is removed out of two rules.

Configure Flow-Based Mirroring

To configure flow-based mirroring, you need to create a security policy, configure the security policy with MirrorDestination resource that selects the analyzer pod, and create an analyzer pod with the label same as MirrorDestination.

Note:

If you are using custom network to configure flow-based mirroring, then there is a need to create a Virtual Network Router (VNR) between the custom network and ip-fabric network.

  1. Create a security policy to select the traffic flow.
    content_copy zoom_out_map
    ```yaml
apiVersion: core.contrail.juniper.net/v3 
kind: ContrailSecurityPolicy 
metadata: 
  name: example-policy 
  namespace: default 
spec: 
  rules: 
    - srcEP: 
        endPoints: 
          - podSelector: 
              matchLabels: 
                app: frontend 
 
      dstEP: 
        endPoints: 
          - podSelector: 
              matchLabels: 
                app: backend 

      ports: 
        - protocol: TCP 
          port: 80 
 
     action: pass
     secondaryActions: 
            mirrorTo: mirrordestinationprofile1
    Use the following code snippet to create a security policy that mirrors network traffic to an analyzer port:
    content_copy zoom_out_map
    apiVersion: core.contrail.juniper.net/v4
kind: ContrailSecurityPolicy
metadata:
  name: mirror-policy-seq1
  namespace: fm-test
spec:
  rules:
    - srcEP:
        endPoints:
          - namespaceSelector: {}
      dstEP: 
        endPoints:
          - podSelector:
              matchLabels:
                app : analyzer  
  action: pass

    If you define SecondaryAction at the rule level, then mirroring is applicable only at the rule level. In this case, flows matching the rules with mirror destination are mirrored.

    content_copy zoom_out_map
    apiVersion: core.contrail.juniper.net/v3 
kind: ContrailSecurityPolicy 
metadata: 
  name: example-policy 
  namespace: default 
spec: 
  rules:
    - srcEP:
        endPoints:
          - podSelector:
              matchLabels:
                app: frontend
        ports:
          - protocol: TCP
            port: 80
      dstEP:
        endPoints:
          - podSelector:
              matchLabels:
                app: backend
        ports:
          - protocol: TCP
            port: 80
      secondaryActions: 
            mirrorTo: mirrordestinationprofile1   
    - srcEP:
        endPoints:
          - ipBlock:
              cidr: 174.19.12.0/24
              except:
                - 174.19.12.11/32

      dstEP:
        endPoints:
          - ipBlock:
              cidr: 174.19.11.0/24
              except:
                - 174.19.11.11/32
      ports: 
        - protocol: TCP 
          port: 80 
 
     action: pass
  2. Configure MirrorDestination in the security policy. The MirrorDestination potentially resolves multiple destination pods matching the label (internal or external). Only one pod from the matching pods is selected and used to get analyzer-ip-address, mac-address and routing instance.

    In the following example, the MirrorDestination resolves an internal label, core.juniper.net/analyzer-pod-selector.

    content_copy zoom_out_map
    ```yaml
apiVersion: core.contrail.juniper.net/v1alpha1
kind: MirrorDestination
metadata:
  name: mirrordestinationprofile1
  labels: 
    core.juniper.net/analyzer-pod-selector: analyzerpod
spec:
  externalAnalyzer: <bool>
  analyzerIP: <ipaddress>     
  trafficDirection: <ingress|egress|both>
  juniperHeader: <bool>
  udpPort: <int>
  staticNhHeader: <null for dynamic nh|vtep tunnel destip, mac, vxlanid for static nh>
  nextHopMode: <static|dynamic>
  nicAssistedMirroring: <bool>
    nicAssistedVlanID:
  staticNextHopHeader:
    vTEPDestinationIP:
    vTEPDestinationMac:
    vxlanID:
```

    In the following example, an external analyzer has been used. The externalAnalyzer is set as 'true' and analyzerIP is set as '10.87.88.88', which is an external IP address.

    content_copy zoom_out_map
    apiVersion: core.contrail.juniper.net/v4
kind: MirrorDestination
metadata:
  name: mirrordestinationprofile4
  labels:
    core.juniper.net/analyzer-pod-selector: FMAnalyzerVM
spec:
  trafficDirection: both
  juniperHeader: true
  nextHopMode: dynamic
  udpPort: 9088
  nicAssistedMirroring: false
  externalAnalyzer: true
  analyzerIP: 10.87.88.88
    Note:

    A MirrorDestination resource was introduced as part of port-based mirroring in Juniper® Cloud-Native Contrail Networking (CN2) Release 22.2

  3. Create an analyzer pod with label and set the label value same as specified on mirrorDestination. The mirrorDestination controller uses this label to calculate the analyzer-ip-address, mac-address and routing instance. If analyzer-interface is not specified, default interface is used.
    content_copy zoom_out_map
    ```yaml
apiVersion: v1
kind: Pod
metadata:
  name: analyzerpod
  namespace: mirror-ns
  labels:
    core.juniper.net/analyzer-pod: analyzerpod
  annotations:
    core.juniper.net/analyzer-interface: "true"
    k8s.v1.cni.cncf.io/networks: |
      [
        {
          "name": "vn-1",
          "namespace": "mirror-ns",
          "cni-args": {
            "core.juniper.net/analyzer-interface": "true"
          }
        }
      ]
```
arrow_backward PREVIOUS Port-Based Mirroring
NEXT arrow_forward Configurable Categories of Metrics Collection and Reporting (Tech Preview)
external-footer-nav