Network Architecture & Design

  • 1.  S-Series, Copy Port / Policy Mirror To Two Different Ports

    Posted 04-03-2018 18:40


    Have a scenario where I need to take mirrors of all the connections on the network to two different destinations, the first one is N+15 for Extreme Analytics and the other for another product that requires a full mirror.

    Currently the network does a policy mirror from 6 separate S-Series switches from virtually all the ports and sends the traffic via GRE tunnels directly to Extreme Analytics.

    This is a problem though as the policy mirror would override a physical mirror and I can't (that I know of) send a copy of the mirror traffic to two different ports. There seems to be one exception:

    But this limited to four ports?!

    What I'm considering is changing the policy mirrors to physical mirrors and using a tap aggregator to send the feeds to the two different appliances.

    This causes its own problems though, as although it does the job of duplicating the mirrored traffic they are both port mirrors and I need N+15 for analytics. Additionally if these are EXOS devices I can't do Netflow on these devices.

    Am wondering though if something inventive could be created with an additional S-Series switch inline, like making use of a GRE tunnel. You could take a mirror from the GRE tunnel termination end and one from the physical interface (burn port) that the GRE tunnel uses... or loop back the mirror ports back to the switch and take mirrors from where they ingress and where they are looped back in etc

    I know that might seem ludicrous, but hopefully gives a helpful example to my point.

    Have raised a case 01517007 but no other solution could be found apart from taking mirrors from other ports not already mirrored.

    Many thanks in advance

  • 2.  RE: S-Series, Copy Port / Policy Mirror To Two Different Ports

    Posted 06-13-2018 17:43
    It looks like this case was closed. Here's one of the case closure notes, for future reference. I'll mark the topic as "answered" as well.

    So far the only two options we have been able to come up with are either to put another switch in line for one of the mirrors, or to try to swap the policy mirror to an overlay model.

  • 3.  RE: S-Series, Copy Port / Policy Mirror To Two Different Ports

    Posted 06-13-2018 19:17
    Hi Drew,

    Thanks for posting back.

    The diagram below depicts something I had previously thought of, not tried and tested but don't see why it shouldn't work - which uses an S-Series as a kind of tap aggregator.

    Basically it takes a port mirror from all ports on each of the cores and sends that to an S-Series switch like the SSA shown in the diagram below. Configure an IDS mirror to get two copies of each of the mirrored ports from the cores. One copy gets fed as a raw port mirror into the forensic tool and the other is feedback to the switch where I do a policy mirror and netflow for Analytics.

    The only fallback I can see is that there is a possibility packets could be dropped, and its not really designed for this purpose so there could be some other side effects?

    When the case answered with 'put another switch in-line' I assume this is what it meant? With regards to overlay I'm thinking it could mean taking policy mirrors from one location and port mirrors from another?

    The reason I haven't gone for the later is I don't believe I could implement that in a fashion were I could be sure I was capturing all the flows / packets of all traffic. For example; taking a port mirror between cores but policy mirrors on the all the other ports; if traffic flowed between ports on the same core this would be missed by the port mirrors.

    That was my interpretation of the case but not sure 100% that is correct, if yourself or anyone is able to confirm or elaborate that would be really helpful?

    Many thanks in advance.