Mirror MLAG/sharing port possible?

Hi,

I have the following config in one of my switches:

create mirror "Mirror5"
configure mirror Mirror5 to port 5
enable mirror Mirror5
configure mirror Mirror5 add port 10 ingress
configure mirror Mirror5 add vlan LAN3 port 11 ingress

When I connect a PC with Wireshark to port 5 I can see packets
mirrored from port 10; I don't see packets from vlan "LAN3" on port 11.
Port 11 is part of a sharing/MLAG configuration:

enable mlag port 11 peer "SW-2-2" id 112
enable sharing 11 grouping 11 algorithm address-based L3_L4 lacp

Is it even possible to mirror traffic from a sharing/MLAG port?

dilu


Posted 1 week ago


David Rahn

What happens if you add the ISC to the mirror?

dilu

Alright, I tried to add the ISC to the mirror, nothing.
I tried to remove the vlan filter from the mirror, still nothing.

I've changed the command to:
configure mirror Mirror5 port 11 ingress
configure mirror Mirror5 port 13 ingress (ISC)

On the other switch I've also tried to mirror the ISC port (nothing).

Maybe some important information, the switches are stacked.



Erik Auerswald, Embassador

Hi,

If I remember correctly, the port mirror works on the physical port, not the logical sharing port. If you want to mirror all packets of a sharing port you need to add all physical ports of the sharing.

In general you do not know which of the physical ports of a sharing are used by a given data flow, thus you need to look at all of them.

With MLAG ports, you need to mirror on both switches of the MLAG pair to see all the data.

Another caveat with a port mirror is that e.g. OnePolicy filters before the packets are mirrored, so you might not see what was sent because it was dropped before the port mirror got the packet (I encountered this problem once and at first thought the data in question was not sent at all, but I did see it when connecting the packet capture laptop directly to the sender).

Thanks,
Erik

dilu

Hi,

It turned out to be a problem with the packet capturing device/network: the traffic on port 10 was all untagged traffic (which I saw) and the traffic on port 11 was all tagged (which I didn't see).
Mirroring (MLAG) port 11 is enough to capture all the traffic (on both MLAG peers of course), no need to add the ISC port to the mirror in my configuration.

Thanks,
Dilu
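
Added example, not part of the thread: a check for the failure described in the last post, where the capture machine showed untagged frames but no 802.1Q-tagged ones. It counts frames per VLAN ID in a capture saved in classic pcap format (Ethernet link type); the sample capture and VLAN ID 30 are constructed for illustration, not taken from the poster's network.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def vlan_histogram(pcap_bytes):
    """Count frames per VLAN ID in a classic pcap; key None means untagged."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    if linktype != 1:
        raise ValueError("expected Ethernet link type (1)")
    counts = Counter()
    offset = 24  # skip the global header
    while offset + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:
            continue  # too short to hold an Ethernet header
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == TPID_8021Q and len(frame) >= 16:
            tci = struct.unpack("!H", frame[14:16])[0]
            counts[tci & 0x0FFF] += 1  # low 12 bits of the TCI are the VLAN ID
        else:
            counts[None] += 1
    return counts

def _record(frame):
    # Per-packet pcap header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def build_sample_pcap():
    """Constructed sample: one untagged frame, two frames tagged with VLAN 30."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    dst, src = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    payload = bytes(46)
    untagged = dst + src + struct.pack("!H", 0x0800) + payload
    tagged = dst + src + struct.pack("!HHH", TPID_8021Q, 30, 0x0800) + payload
    return header + _record(untagged) + _record(tagged) + _record(tagged)

if __name__ == "__main__":
    for vid, n in vlan_histogram(build_sample_pcap()).items():
        print("untagged" if vid is None else f"VLAN {vid}", n)
```

If a capture taken on the mirror destination port shows only the untagged bucket while a tagged VLAN is known to be mirrored, the capture NIC or its driver is a likely place to look before changing the mirror configuration.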