Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Task 9: Identify instances and analyze network traffic with Contrail port mirroring



In this task, you will use the port mirroring feature of Contrail to analyze or identify the traffic between the workloads. To do that, you will use the Wireshark tool as a traffic analyzer which mirrors the traffic between the red and green instances that we created in Task 1.

Disclaimer: The steps in this task are only applicable to Juniper’s Cloud Software Trial tool.

Some values and/or information may vary for users executing this task using a non-Juniper trial tool.


Step-by-Step Procedure

  1. Open the Contrail web interface in the browser by navigating to

    Then, login to the Contrail dashboard using the below credentials.

    Username: admin

    Password: contrail123

    Domain: (leave blank)

  2. Create a virtual network called “red-network” similar to shown in task 1. Expand the Subnets tab, and enter a subnet of Leave all the other values at default and click on Save to complete the creation of virtual network.

  3. Following the instructions along the lines of step 2, create a 2nd virtual network “green-network” with subnet

  4. Create a virtual network called VN_MIRROR. Expand the Subnets tab, and enter a subnet of Leave all the other values as default, and click Save to complete the creation of virtual network.

  5. . In the Configure tab, navigate to Configure > Networking > Policies > default-domain > demo.

    Click on the (+) sign to start the creation of a new network policy. Create a policy, POL1, between VN1 and VN_MIRROR for ANY protocols and ANY ports.

    Specify the direction as bi-directional (<>).

  6. . Edit the virtual networks red-network and VN_MIRROR to attach the POL1 created in the previous step.

  7. Log in to the OpenStack Dashboard.

    Open a new tab and go to

    Log in to the Dashboard using the credentials below.

    Username: admin

    Password: contrail123

    Select the project as “admin”.

    Navigate under Project > Instances and click on the “Launch instance” button on the top right corner to start the creation of a VM.

    • For “Instance name”, enter “red-instance”

    • For “Image Name”, enter “Ubuntu-slim”

    • For “Flavor”, enter m.1.small

    • Click “Next” at the bottom of the “Launch instance” window until you arrive at the “Networks” tab

    • For “Networks”, enter “red-network”

    • Click “Launch Instance” to launch the red-instance

    Repeat the steps shown in the above screenshots for green-insatcne as well.

  8. 8: Repeat step 6 to create an analyzer VM. This time, modify the following parameters:

    • Instance Name: “Analyzer”

    • Flavor: “M1.medium”

    • Network: “VN_MIRROR”.

  9. Confirm that all three VMs are running (Power State should show as Running). Also note down the IP address of the Analyzer VM ( in this case).

  10. Return to the Contrail web interface.

    In the Configure tab, navigate to Configure > Networking > Ports > default-domain > demo.

    Expand the Port configuration of the Virtual Machine port corresponding to the Analyzer VM (IP

    Note down the MAC Address of the port as shown in the screenshot. .

  11. Continue in Configure > Networking > Ports > default-domain > demo to edit the port configuration for virtual machine red-instance (IP using the edit symbol (Nut icon) on the right side of the screen.

    On the edit screen for this port, expand the > Advanced Options tab and scroll down to find a checkbox named Mirroring. Select this checkbox which will result in mirroring-specific options displayed in the edit window.

  12. a. Enter the following values:

    • Analyzer IP Address, enter Analyzer VM IP address from step 10 –

    • Analyzer Name, enter Analyzer1

    • Analyzer MAC Address, enter the MAC address of the Analyzer VM from previous step.

    • Click Save to turn on port-mirroring

  13. Return to the OpenStack Dashboard.

    Under Instances, click on red-instance and go to the nova console. Login to the red-instance console using (username/password: contrail/contrail123), and activate root using command sudo –I (password: contrail123).

    Ping the IP address of green-instance and let the ping run continuously. Login to the nova console of Analyzer VM to verify the ICMP request and response packets between and, as captured by the Wireshark application, running on this VM.