ExtremeSwitching (EOS)

  • 1.  S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 01-26-2016 11:44
    Our Customers S8 Series core (S-150 class) has configured a policy based mirroring for Purview. We mirror nearly all ports to this destination.

    Config:

    set mirror create 1
    set mirror 1 mirrorN 15
    set mirror ports tg.4.104 1
    .
    .
    .
    set policy profile 2 name PurView pvid-status enable pvid 4095 mirror-destination 1
    set policy rule admin-profile port ge.2.42 mask 16 port-string ge.2.42 admin-pid 2
    .
    .
    .

    If we then configure:

    set port mirroring create ge.2.7 ge.2.42 both
    set port mirroring create ge.3.7 ge.2.42 both

    We did not get the full traffic on ge.2.42, it is about 1/10 of the traffic.

    Is there any know restrictions about that situations?

    If we disable the mirror (policy based mirroring) the port-mirror works fine....

    


  • 2.  RE: S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 01-26-2016 15:07
    There are many restrictions to mirroring. Most are addressed in the release notes. For the most part Traffic may only be mirrored once. So if traffic is subject to the policy mirror it can not also be subject to the port mirror.


  • 3.  RE: S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 01-27-2016 18:50

    Hello,
    Additional info on this topic:

    S-series 150 class switches support policy mirror as first priority. The 150 class will not support both mirror-n for Purview and port mirror simultaneously with one exception: if you make the mirror an enhanced mirror, the port mirror will work for “tx” (packets outbound on the port), even when the policy mirror is enabled.

    S-series 140-180 class modules with additional switch fabric capability are not subject to this exclusive mirror type behavior.

    Hope that helps,
    Mike

    Adding a KCS knowledge base article to this effect in short order.



  • 4.  RE: S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 01-28-2016 06:52
    WOW, thank you very very much Mike, that makes it complete clear.



  • 5.  RE: S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 01-28-2016 08:21
    Is it possible to create more then one policy based mirror?

    currently we had defined in the old config that policy profile 2 (where all other ports are in) are sending to tg.4.101 (where the PurView appliance is connected), if I would create another policy based mirror where I only contain the 2 source ports ge.2.7 and ge.3.7 and mirror it to ge.2.44 (where is the sniffer connected)??

    Would this work?


  • 6.  RE: S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 01-28-2016 15:03


    Hello,

    If policy profile 2 is already applied to ge.2-3.7 another policy mirror instance will not work on that same traffic. In this case the limit of a single mirror replication of any specific traffic holds true.

    You can of course apply a different instance of policy mirror to ports with no previously active mirror - but I don't think this is your goal. You could also add another destination port to your policy so the mirror-n traffic goes to multiple destinations - but this also misses the mark as I understand your question.

    Enhanced-mode-port-mirror overlay with its tx-only offering is the only wiggle room allowing policy-n and port based mirroring to act on (a subset of) the same traffic.

    Mike



  • 7.  RE: S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 01-28-2016 18:25

    Incidentally, as I poked around discussing details of mirror behavior in-house, I ran into a puzzle piece I could have used earlier in this thread. It doesn't change the previous answer but adds to an understanding of the behavior noted in your original description.

    As you observed, if present policy mirror will be the operational mirror.

    Here's the rest of the list of what steps on what - highest to lowest precedence.

    Policy Mirror

    Smon Ingress Port

    Smon Egress Port

    Smon Ingress Vlan

    Smon Egress Vlan

    This rule applies for the 150 class S-series, 140-180 class S-series and K-series products.

    Regards,

    Mike



  • 8.  RE: S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 02-04-2016 12:18
    Thats interessting.

    I got this response by Luke F. a few minutes ago (GTAC Case 01183964)

    Hi Rainer,

    Yes, both mirrors will work at the same time except for traffic that would have to be mirrored twice. .

    .

    .



  • 9.  RE: S-Series: port mirror not working as long as Policy based mirror is enabled

    Posted 02-07-2016 04:31
    Let us know how your testing goes Ranier