cancel
Showing results for 
Search instead for 
Did you mean: 

EXOS Using new feature "Mirroring to Remote IP Addresses"

EXOS Using new feature "Mirroring to Remote IP Addresses"

M_Nees
Contributor III
How can i use this new 22.4 EXOS feature ?

It sounds perfect to troubleshoot / debug unknown client problems from a remote switch.

I configure this on a EXOS switch in the field and grep the data directly on netsight ubuntu appliance via tcpdump. Unfortunately EXOS encapsulated this traffic into GRE Tunnel.

* Slot-1 12.125.37 # sh mirror
DefaultMirror (Enabled)
Description: Default Mirror Instance, created automatically
Mirror to remote IP: 10.2.0.34 VR : VR-Default
From IP : 10.1.12.125 Ping check: On
Status : Up
Source filter instances used : 1
Port 1:40, all vlans, ingress only

Mirrors defined: 1
Mirrors enabled: 1 (Maximum 4)
HW filter instances used: 1 (Maximum 128)
HW mirror instances used: 1 ingress, 0 egress (Maximum 4 total, 2 egress)
* Slot-1 12.125.38 #09:55:18.931614 IP (tos 0x0, ttl 62, id 0, offset 0, flags [none], proto GRE (47), length 84)
10.1.12.125 > 10.2.0.34: GREv0, Flags [none], length 64
gre-proto-0x88be
09:55:18.931642 IP (tos 0xc0, ttl 64, id 58906, offset 0, flags [none], proto ICMP (1), length 112)
10.2.0.34 > 10.1.12.125: ICMP 10.2.0.34 protocol 47 unreachable, length 92
IP (tos 0x0, ttl 62, id 0, offset 0, flags [none], proto GRE (47), length 84)
10.1.12.125 > 10.2.0.34: GREv0, Flags [none], length 64
gre-proto-0x88be
09:55:18.947159 IP (tos 0x0, ttl 62, id 0, offset 0, flags [none], proto GRE (47), length 84)
10.1.12.125 > 10.2.0.34: GREv0, Flags [none], length 64
gre-proto-0x88be
Is there a (easy) way to look into this GRE Tunnel - prefered with tcpdump ? On Netsight ?

I am looking for a fast troubleshooting way without any graphical GUI and without needing Analytics License - just for analysing packets with tcpdump (but remotely from a EXOS Switch)

Regards,
Matthias

9 REPLIES 9

Did you have to change any settings in Wireshark, or did you just point the remote ip to your PC and start a capture?

M_Nees
Contributor III
Aruba handle the same issue with this:

Cause : By default, Aruba uses GRE mode 0 which doesn't allow wireshark to decrypt the contents.

Solution : Set the GRE mode to 25944 on both the ends of the tunnel:

https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-can-we-see-the-packets-tunneled-in...

But there must be a change in EXOS Code to modify GRE Mode number ...

James_A
Valued Contributor
This is the config that my purview VM used to have when I used GRE:

auto gre1
iface gre1 inet manual
ifaceup ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Then you can tcpdump on gre1

M_Nees
Contributor III
Hi James,

i try that on standard XMC like this:

But it seems tcpdump have also a problem (like wireshark) to decode the GRE
tunnel payload:
ip tunnel add sniffer mode gre local 10.0.1.51 remote 10.1.0.4 dev eth0

# ip tunnel
gre0: gre/ip remote any local any ttl inherit nopmtudisc
sniffer: gre/ip remote 10.1.0.4 local 10.0.1.51 dev eth0 ttl inherit

tcpdump -ni sniffer
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on sniffer, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:44:15.354690 IP6 fe80::5efe:a00:133 > ff02::2: ICMP6, router solicitation, length 16
10:44:19.362724 IP6 fe80::5efe:a00:133 > ff02::2: ICMP6, router solicitation, length 16
10:45:29.746336 In ethertype Unknown (0x88be), length 258:
0x0000: 68f7 28db 16fc 085b 0e24 eca1 8100 0014 h.(....[.$......
0x0010: 0800 4500 00e0 6077 0000 3811 d4ba 4fe7 ..E...'w..8...O.
0x0020: de4d 0a01 14a6 1194 1194 00cc 0000 1eaa .M..............
0x0030: baac 0000 00ee 7266 478d 1a33 c5a8 815c ......rfG..3...\
...
10:45:29.747665 In ethertype Unknown (0x88be), length 578:
0x0000: 68f7 28db 16fc 085b 0e24 eca1 8100 0014 h.(....[.$......
0x0010: 0800 4500 0220 6079 0000 3811 d378 4fe7 ..E...'y..8..xO.
0x0020: de4d 0a01 14a6 1194 1194 020c 0000 1eaa .M..............
0x0030: baac 0000 00ef e307 8601 82a4 abc7 b80b ................
0x0040: acfd aeaa e360 5207 40c2 1321 1921 4754 .....'R.@..!.!GT
...10:45:29.747849 In ethertype Unknown (0x88be), length 210:
0x0000: 68f7 28db 16fc 085b 0e24 eca1 8100 0014 h.(....[.$......
0x0010: 0800 4500 00b0 607b 0000 3811 d4e6 4fe7 ..E...'{..8...O.
0x0020: de4d 0a01 14a6 1194 1194 009c 0000 1eaa .M..............
...

Zdeněk_Pala
Extreme Employee
if you send the GRE to the Analytics Engine, then the GRE is decapsulated there. probably you can configure GRE on any linux includinging XMC (NetSight). sorry for not giving detailed answer.
Regards Zdeněk Pala
GTM-P2G8KFN