ExtremeSwitching (EXOS)


mirroring unicast traffic in vLAN

  • 1.  mirroring unicast traffic in vLAN

    Posted 10-10-2018 14:39
    When I mirror several vLANs toward a port, I can see all broadcast traffic but no unicast traffic. It's a little bit as if the monitoring port had been included in the mirrored vLANs but no mirroring happens at all...
    Is there some configuration I missed or some limitation here?

    Here is the configuration used:

    create mirror "VNF9"
    configure mirror VNF9 to port 45
    enable mirror VNF9
    configure mirror VNF9 add vlan VNF09_IAC_R1 ingress
    configure mirror VNF9 add vlan VNF09_MEDIA_R1 ingress
    configure mirror VNF9 add vlan VNF09_MGMT_R1 ingress
    configure mirror VNF9 add vlan VNF09_OM_CN_R1 ingress
    configure mirror VNF9 add vlan VNF09_PRAN_R1 ingress
    configure mirror VNF9 add vlan VNF09_SIGNALING_R1 ingress

    configure vlan VNF09_IAC_R1 description "mbb_gwc01"
    configure vlan VNF09_IAC_R1 tag 2094
    create vlan "VNF09_MEDIA_R1"
    configure vlan VNF09_MEDIA_R1 description "mbb_gwc01"
    configure vlan VNF09_MEDIA_R1 tag 2092
    create vlan "VNF09_MGMT_R1"
    configure vlan VNF09_MGMT_R1 description "mbb_gwc01"
    configure vlan VNF09_MGMT_R1 tag 2095
    create vlan "VNF09_OM_CN_R1"
    configure vlan VNF09_OM_CN_R1 description "mbb_gwc01"
    configure vlan VNF09_OM_CN_R1 tag 2093
    create vlan "VNF09_PRAN_R1"
    configure vlan VNF09_PRAN_R1 description "mbb_gwc01"
    configure vlan VNF09_PRAN_R1 tag 2090
    create vlan "VNF09_SIGNALING_R1"
    configure vlan VNF09_SIGNALING_R1 description "mbb_gwc01"
    configure vlan VNF09_SIGNALING_R1 tag 2091
    configure vlan VNF09_IAC_R1 add ports 2-8, 26-32, 48 tagged
    configure vlan VNF09_MEDIA_R1 add ports 2-8, 26-32, 48 tagged
    configure vlan VNF09_MGMT_R1 add ports 2-8, 26-32, 48 tagged
    configure vlan VNF09_OM_CN_R1 add ports 2-8, 26-32, 48 tagged
    configure vlan VNF09_PRAN_R1 add ports 2-8, 26-32, 48 tagged
    configure vlan VNF09_SIGNALING_R1 add ports 2-8, 26-32, 48 tagged

    And here is an extract of a capture while a ping is running on one of these vLANs (only broadcasts are caught):

    17:29:17.846331 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 102: vlan 2092, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 1420, offset 0, flags [none], proto OSPF (89), length 84)
    21.21.9.22 > 224.0.0.5: OSPFv2, LS-Update, length 64
    Router-ID 1.1.1.6, Area 0.0.0.3, Authentication Type: none (0), 1 LSA
    LSA #1
    Advertising Router 21.21.10.17, seq 0x80000004, age 2s, length 16
    External LSA (5), LSA-ID: 21.21.10.161
    Options: [External, Demand Circuit]
    Mask 255.255.255.255
    topology default (0), type 2, metric 0
    0x0000: ffff ffff 8000 0000 0000 0000 0000 0000
    17:29:18.528759 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 102: vlan 2090, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 54743, offset 0, flags [none], proto OSPF (89), length 84)
    21.21.9.6 > 224.0.0.5: OSPFv2, LS-Update, length 64
    Router-ID 1.1.1.10, Area 0.0.0.1, Authentication Type: none (0), 1 LSA
    LSA #1
    Advertising Router 1.1.1.10, seq 0x8000032f, age 1s, length 16
    External LSA (5), LSA-ID: 172.20.16.0
    Options: [External, Demand Circuit]
    Mask 255.255.255.0
    topology default (0), type 1, metric 5, forward 21.21.20.1
    0x0000: ffff ff00 0000 0005 1515 1401 0000 0000

    Limiting the capture, we can see OSPF broadcast, ARP request (but no answers)...

    17:34:10.455935 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 27526, offset 0, flags [none], proto OSPF (89), length 68)
    17:34:10.552442 fa:16:3e:6c:1a:c3 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 59158, offset 0, flags [none], proto OSPF (89), length 68)
    17:34:11.278041 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.46 (Broadcast) tell 21.21.9.46, length 46
    17:34:11.278047 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.30 (Broadcast) tell 21.21.9.30, length 46
    17:34:11.278126 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.41 (Broadcast) tell 21.21.9.46, length 46
    17:34:11.278259 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.25 (Broadcast) tell 21.21.9.30, length 46
    17:34:11.571135 fa:16:3e:1b:ae:a4 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2092, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 22867, offset 0, flags [none], proto OSPF (89), length 68)
    17:34:12.446747 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2094, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 44255, offset 0, flags [none], proto OSPF (89), length 68)
    17:34:12.551103 fa:16:3e:e4:f4:d5 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2090, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 12804, offset 0, flags [none], proto OSPF (89), length 68)
    ...

    Can you help please?
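To check objectively what a mirror port is delivering, the tcpdump header lines above can be classified per VLAN tag by destination MAC (broadcast, multicast, or unicast). The following script is an added example, not part of the original thread: two sample lines are copied from the capture above and the ARP reply line is constructed to show what a healthy mirror of vlan 2093 would contain.

```python
import re
from collections import Counter, defaultdict

# One tcpdump -e header line per frame, with the 802.1Q tag printed as in the thread.
# Continuation lines (OSPF LSA details, hex dumps) do not match and are skipped.
FRAME_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ (?P<src>[0-9a-f:]{17}) > (?P<dst>Broadcast|[0-9a-f:]{17}), "
    r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, "
    r"ethertype (?P<proto>\w+)"
)


def classify_dst(dst: str) -> str:
    """Broadcast / multicast / unicast from the destination MAC (I/G bit of first octet)."""
    if dst == "Broadcast" or dst.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    first_octet = int(dst.split(":")[0], 16)
    return "multicast" if first_octet & 0x01 else "unicast"


def summarize(capture: str) -> dict:
    """Count broadcast/multicast/unicast frames per VLAN tag seen on the mirror port."""
    per_vlan = defaultdict(Counter)
    for line in capture.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        per_vlan[m["vlan"]][classify_dst(m["dst"])] += 1
    return dict(per_vlan)


def vlans_without_unicast(summary: dict) -> list:
    """VLANs from which the mirror delivered only flooded traffic (the symptom in the thread)."""
    return sorted(v for v, counts in summary.items() if counts["unicast"] == 0)


# Constructed sample: first two lines come from the thread's capture, the third is an
# invented ARP reply (unicast) that a working vlan mirror would also have shown.
SAMPLE_CAPTURE = """\
17:34:10.455935 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 27526, offset 0, flags [none], proto OSPF (89), length 68)
17:34:11.278126 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.41 (Broadcast) tell 21.21.9.46, length 46
17:34:11.278300 fa:16:3e:70:26:06 > 00:02:3b:10:12:8f, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 0, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Reply 21.21.9.41 is-at fa:16:3e:70:26:06, length 46
"""

if __name__ == "__main__":
    counts = summarize(SAMPLE_CAPTURE)
    for vlan, c in sorted(counts.items()):
        print(vlan, dict(c))
    print("VLANs with no mirrored unicast:", vlans_without_unicast(counts))
```

Feed it a real `tcpdump -e -nn -vv` capture from the mirror port; any VLAN listed at the end is one where only flooded frames arrived, which is the behaviour described in this post.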


  • 2.  RE: mirroring unicast traffic in vLAN

    Posted 10-10-2018 15:30
    Key to this is where your mirror port is in relation to where the source and destination are for the information you are trying to capture. Since you are only looking at ingress on all the vlans, what type of traffic would be coming into the vlans from the world? If you have both ingress and egress in your filter then all traffic would be presented on the egress of your filter port and you should be able to see more than broadcast and multicast traffic. Even with just ingress as your filter it should send all incoming frames from the provisioned ports to the egress of port 45 to be captured, so if this switch were sitting in the middle between source and destination you would see all traffic... If it is the router on one end then maybe not, unless you add the egress...


  • 3.  RE: mirroring unicast traffic in vLAN

    Posted 10-10-2018 15:30
    Problem is, if you were to capture egress and ingress on every port in a vlan, you would see every packet twice. I'm not sure if the Extreme captures traffic being routed internally on a vlan (does that count as a port?); it would be good if someone here knew.



  • 4.  RE: mirroring unicast traffic in vLAN

    Posted 10-11-2018 04:15
    Some NICs don't always go into promiscuous mode as commanded by the software (tcpdump or Wireshark); I have seen this with some USB NICs or in VMware environments.


  • 5.  RE: mirroring unicast traffic in vLAN

    Posted 10-11-2018 11:42
    Hi,
    Thanks for the attention...

    So, the traffic I would like to see is ICMP, BTW, between 2 addresses: from 21.21.9.41 to 21.21.9.46.

    .41 is on port 29, .46 is on port 48, and the pings are successful.

    You can see the initial ARP request:
    17:34:11.278126 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.41 (Broadcast) tell 21.21.9.46, length 46

    From the router's point of view:
    21.21.10.41 fa:16:3e:70:26:06 3195 ARPA 3/19 vlan-id 2105
    21.21.10.46 00:02:3b:10:12:8f - ARPA 3/19 vlan-id 2105

    From the switch:
    * X670-48x.4 # sh fdb | inc VNF09_MG
    00:02:3b:10:12:8f VNF09_MGMT_R1(2095) 0043 d m 48
    fa:16:3e??5e:40 VNF09_MGMT_R1(2095) 0013 d m 29

    For me it's quite good and traffic is OK... Only vLAN mirroring is weird, behaving as if the mirror destination port (45) were a member of the vLANs (receiving broadcast and multicast, but no unicast when the MAC is in the FDB).

    BTW, if I apply my mirroring at port level, ingress side, I can see the unicast in the right vLAN on port 45, tagged vlan 2095...

    Addendum: EXOS version is 15.6.3.1



  • 6.  RE: mirroring unicast traffic in vLAN

    Posted 10-15-2018 06:26
    Hi,
    No more tips or solutions?


  • 7.  RE: mirroring unicast traffic in vLAN

    Posted 10-15-2018 06:26
    Confirmed: I can see ICMP traffic one way if you mirror the vlan ingress only and the switch is one of the IPs....

    Since it is all ingress traffic, if I add a vlan in the middle of the network between two sources I see both sides and full conversations with the same vlan filter, ingress only.

    If at the edge then you will only see incoming traffic to that switch due to the ingress-only vlan filter. If at the edge and you are not terminating any of the traffic for those vlans and it is only passing through that switch at the edge, then all I see is broadcast and mcast traffic that is not snooped.

    Also confirmed: an ingress-only vlan with egress ports sees full traffic on that vlan and it is not duplicated, but it is all the traffic as long as the 2-way traffic is dependent on the switch you have the mirror on. So for ping and snmpc and polling I see all the two-way traffic once I added the port egress filter to the IP of the switch I have the mirror on.

    Not sure if indeed you are seeing something different or not than I have set up in one of our 460 stacks that does monitoring and management traffic for our network..

    One thing to remember... mirror vlan is ingress only; mirror port is all vlans on the port, egress or ingress or both, and anomaly....

    For me at least the mirror seems to work as designed and I am also running 15.6.3.1

    Slot-1 PLW_X460G2_5959Basement_stack.27 # sh mir "test_vlan"

    test_vlan (Enabled)
    Description:
    Mirror to port: 1:20
    Source filter instances used : 2
    Port 1:26, all vlans, egress only
    All ports, vlan rtr_nm_plw_3879, ingress only

    Mirrors defined: 2
    Mirrors enabled: 1 (Maximum 4)
    HW filter instances used: 2 (Maximum 128)
    HW mirror instances used: 1 ingress, 1 egress (Maximum 4 total, 2 egress)



  • 8.  RE: mirroring unicast traffic in vLAN

    Posted 10-16-2018 15:43
    Thanks, but what if the switch is not the IP (the use case of my setup: switch used as a switch, not as a router)?

    vLAN VNF09_OM_CN_R1, tag 2093:

    PC (21.21.9.41) <=> Port 29 [X670] Port 48 <=> Router (21.21.9.46)

    With:
    create mirror "VNF9"
    configure mirror VNF9 to port 45
    enable mirror VNF9
    configure mirror VNF9 add vlan VNF09_OM_CN_R1 ingress

    When I ping 21.21.9.41 from 21.21.9.46, I'm supposed to see:

    ARP request, ingress broadcast on port 48 => OK, I see it!
    ARP reply, ingress unicast on port 29 => this one I cannot see
    ICMP request, unicast ingress on port 48 => not seen as well
    ICMP reply, unicast ingress on port 29 => not seen either...

    Does somebody know why?