Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Flow-Based Mirroring

SUMMARY Juniper® Cloud-Native Contrail Networking (CN2) Release 23.2 in a Kubernetes-orchestrated environment supports flow-based network traffic mirroring.

Overview

The flow-based mirroring feature is an extension to the current Port-Based Mirroring feature. CN2 can selectively mirror network traffic on the basis of flow when vRouter is in the flow mode. In flow mode, CN2 has port-based mirroring capability as well as flow-based mirroring capability.

Figure 1: Flow-Based Mirroring Topology []

With this feature, user can mirror any flow, which is specified by the security policy and sends it to the network analyzer that monitors and analyzes the data. The network analyzer is specified with mirrorDestination resource. It also supports mirrorDestination resource present outside the cluster.

In CN2, the flow-based mirroring feature,

  • Uses an existing mirroring functionality of Contrail Networking vRouter to forward the mirrored traffic. There are two cases related to traffic forwarding:
    • If juniperHeader is enabled, the analyzer or destination IP address and UDP port is used to forward the mirrored traffic.
    • If juniperHeader is not enabled, the analyzer or destination mac address should be reachable from the source VMIs VRF. To lookup the destination mac address, L2 lookup is performed in the source VMIs VRF.
  • Adjusts the configuration server settings of CN2 to align with anticipated configuration requirements of vRouter agent.
  • Uses contrail security policies to select the network traffic flow to be mirrored.
  • Is applicable at the policy level or rule level. In case of rule level, the network traffic flow matching the first rule is removed out of two rules.

Configure Flow-Based Mirroring

To configure flow-based mirroring, you need to create a security policy, configure the security policy with MirrorDestination resource that selects the analyzer pod, and create an analyzer pod with the label same as MirrorDestination.

Note:

If you are using custom network to configure flow-based mirroring, then there is a need to create a Virtual Network Router (VNR) between the custom network and ip-fabric network.
  1. Create a security policy to select the traffic flow.
    Use the following code snippet to create a security policy that mirrors network traffic to an analyzer port:

    If you define SecondaryAction at the rule level, then mirroring is applicable only at the rule level. In this case, flows matching the rules with mirror destination are mirrored.

  2. Configure MirrorDestination in the security policy. The MirrorDestination potentially resolves multiple destination pods matching the label (internal or external). Only one pod from the matching pods is selected and used to get analyzer-ip-address, mac-address and routing instance.

    In the following example, the MirrorDestination resolves an internal label, core.juniper.net/analyzer-pod-selector.

    In the following example, an external analyzer has been used. The externalAnalyzer is set as 'true' and analyzerIP is set as '10.87.88.88', which is an external IP address.

    Note:

    A MirrorDestination resource was introduced as part of port-based mirroring in Juniper® Cloud-Native Contrail Networking (CN2) Release 22.2
  3. Create an analyzer pod with label and set the label value same as specified on mirrorDestination. The mirrorDestination controller uses this label to calculate the analyzer-ip-address, mac-address and routing instance. If analyzer-interface is not specified, default interface is used.