mirroring unicast traffic in vLAN

Laurent_Rillet
New Contributor II
When I mirror several vLANs toward a port, I can see all broadcast traffic but no unicast traffic. It's a little bit as if the monitoring port had been included in the mirrored vLANs but no mirroring happens at all...
Is there some configuration I missed or some limitation here?

Here is the configuration used:

create mirror "VNF9"
configure mirror VNF9 to port 45
enable mirror VNF9
configure mirror VNF9 add vlan VNF09_IAC_R1 ingress
configure mirror VNF9 add vlan VNF09_MEDIA_R1 ingress
configure mirror VNF9 add vlan VNF09_MGMT_R1 ingress
configure mirror VNF9 add vlan VNF09_OM_CN_R1 ingress
configure mirror VNF9 add vlan VNF09_PRAN_R1 ingress
configure mirror VNF9 add vlan VNF09_SIGNALING_R1 ingress

configure vlan VNF09_IAC_R1 description "mbb_gwc01"
configure vlan VNF09_IAC_R1 tag 2094
create vlan "VNF09_MEDIA_R1"
configure vlan VNF09_MEDIA_R1 description "mbb_gwc01"
configure vlan VNF09_MEDIA_R1 tag 2092
create vlan "VNF09_MGMT_R1"
configure vlan VNF09_MGMT_R1 description "mbb_gwc01"
configure vlan VNF09_MGMT_R1 tag 2095
create vlan "VNF09_OM_CN_R1"
configure vlan VNF09_OM_CN_R1 description "mbb_gwc01"
configure vlan VNF09_OM_CN_R1 tag 2093
create vlan "VNF09_PRAN_R1"
configure vlan VNF09_PRAN_R1 description "mbb_gwc01"
configure vlan VNF09_PRAN_R1 tag 2090
create vlan "VNF09_SIGNALING_R1"
configure vlan VNF09_SIGNALING_R1 description "mbb_gwc01"
configure vlan VNF09_SIGNALING_R1 tag 2091
configure vlan VNF09_IAC_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_MEDIA_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_MGMT_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_OM_CN_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_PRAN_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_SIGNALING_R1 add ports 2-8, 26-32, 48 tagged

And here is an extract of a capture while a ping is running on one of these vLANs (only broadcasts are caught):

17:29:17.846331 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 102: vlan 2092, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 1420, offset 0, flags [none], proto OSPF (89), length 84)
21.21.9.22 > 224.0.0.5: OSPFv2, LS-Update, length 64
Router-ID 1.1.1.6, Area 0.0.0.3, Authentication Type: none (0), 1 LSA
LSA #1
Advertising Router 21.21.10.17, seq 0x80000004, age 2s, length 16
External LSA (5), LSA-ID: 21.21.10.161
Options: [External, Demand Circuit]
Mask 255.255.255.255
topology default (0), type 2, metric 0
0x0000: ffff ffff 8000 0000 0000 0000 0000 0000
17:29:18.528759 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 102: vlan 2090, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 54743, offset 0, flags [none], proto OSPF (89), length 84)
21.21.9.6 > 224.0.0.5: OSPFv2, LS-Update, length 64
Router-ID 1.1.1.10, Area 0.0.0.1, Authentication Type: none (0), 1 LSA
LSA #1
Advertising Router 1.1.1.10, seq 0x8000032f, age 1s, length 16
External LSA (5), LSA-ID: 172.20.16.0
Options: [External, Demand Circuit]
Mask 255.255.255.0
topology default (0), type 1, metric 5, forward 21.21.20.1
0x0000: ffff ff00 0000 0005 1515 1401 0000 0000

Limiting the capture, we can see OSPF broadcast, ARP request (but no answers)...

17:34:10.455935 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 27526, offset 0, flags [none], proto OSPF (89), length 68)
17:34:10.552442 fa:16:3e:6c:1a:c3 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 59158, offset 0, flags [none], proto OSPF (89), length 68)
17:34:11.278041 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.46 (Broadcast) tell 21.21.9.46, length 46
17:34:11.278047 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.30 (Broadcast) tell 21.21.9.30, length 46
17:34:11.278126 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.41 (Broadcast) tell 21.21.9.46, length 46
17:34:11.278259 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.25 (Broadcast) tell 21.21.9.30, length 46
17:34:11.571135 fa:16:3e:1b:ae:a4 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2092, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 22867, offset 0, flags [none], proto OSPF (89), length 68)
17:34:12.446747 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2094, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 44255, offset 0, flags [none], proto OSPF (89), length 68)
17:34:12.551103 fa:16:3e:e4:f4:d5 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2090, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 12804, offset 0, flags [none], proto OSPF (89), length 68)
...

Can you help please ?
7 REPLIES 7

Laurent_Rillet
New Contributor II
Thanks, but what if the switch is not the IP (use case of my setup, switch used as a switch, not as a router)?

vLAN : VNF09_OM_CN_R1 tag 2093 :

PC <=> Port 29 X670 Port 48 <=> Router
21.21.9.41 21.21.9.46

With
create mirror "VNF9"
configure mirror VNF9 to port 45
enable mirror VNF9
configure mirror VNF9 add vlan VNF09_OM_CN_R1 ingress

When I ping 21.21.9.41 from 21.21.9.46, I'm supposed to see :

Arp request ingress broadcast on port 48 => OK I see it !
Arp reply ingress unicast on port 29 => this one I cannot see it
ICMP request unicast ingress on port 48 => not seen as well
ICMP reply unicast ingress on port 29 => not seen either...

Somebody knows why ?

EtherMAN
Contributor III
Confirmed, I can see ICMP traffic one way if you ingress vlan only and the switch is one of the IPs....

Since it is all ingress traffic, if I add a vlan in the middle of the network between two sources I see both sides and full conversations doing the same vlan filter, ingress only.

If at the edge, then you will only see incoming traffic to that switch due to the ingress-only vlan filter. If at the edge and you are not terminating any of the traffic for those vlans and it is only at the edge through that switch, then all I see is broadcast and mcast traffic that is not snooped.

Also confirmed: an ingress-only vlan with egress ports sees full traffic on that vlan and it is not duplicated, but it is all the traffic as long as the 2-way traffic is dependent on the switch you have the mirror on. So for ping and snmpc and polling I see all the two-way traffic once I added the port egress filter to the IP of the switch I have the mirror on.

Not sure if indeed you are seeing something different or not than I have set up in one of our 460 stacks that does monitoring and management traffic for our network..

One thing to remember .. mirror vlan is ingress only, mirror port is all vlans on the port, egress or ingress or both and anomaly ....

For me at least the mirror seems to work as designed and I am also running 15.6.3.1

Slot-1 PLW_X460G2_5959Basement_stack.27 # sh mir "test_vlan"

test_vlan (Enabled)
Description:
Mirror to port: 1:20
Source filter instances used : 2
Port 1:26, all vlans, egress only
All ports, vlan rtr_nm_plw_3879, ingress only

Mirrors defined: 2
Mirrors enabled: 1 (Maximum 4)
HW filter instances used: 2 (Maximum 128)
HW mirror instances used: 1 ingress, 1 egress (Maximum 4 total, 2 egress)

Laurent_Rillet
New Contributor II
Hi,
No more tip or solution ?

Laurent_Rillet
New Contributor II
Hi,
Thanks for the attention...

So, traffic I would like to see is ICMP, BtW between 2 addresses. from 21.21.9.41 to 21.21.9.46.

.41 is on port 29, .46 is on port 48 and the pings are successful

You can see the initial ARP request
17:34:11.278126 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.41 (Broadcast) tell 21.21.9.46, length 46

from the router point of view :
21.21.10.41 fa:16:3e:70:26:06 3195 ARPA 3/19 vlan-id 2105
21.21.10.46 00:02:3b:10:12:8f - ARPA 3/19 vlan-id 2105

From the switch :
* X670-48x.4 # sh fdb | inc VNF09_MG
00:02:3b:10:12:8f VNF09_MGMT_R1(2095) 0043 d m 48
fa:16:3e??5e:40 VNF09_MGMT_R1(2095) 0013 d m 29

For me it's quite good and traffic is OK... Only vLAN mirroring is weird, behaving as if the mirror destination port (45) were a member of the vLANs (then receiving broadcast and multicast but no unicast when the MAC is in the FDB)

BtW, if I apply my mirroring on port level, ingress side I can see the unicast, in the right vLAN on port 45 and tagged vlan 2095...

addendum : EXOS version is : 15.6.3.1
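
The check done by eye on the captures in this thread can be scripted. The following is an added example, not part of any post above: it reads `tcpdump -e` text output, classifies each 802.1Q frame by destination MAC, and lists the VLANs in which the mirror port received no unicast at all. The function names are hypothetical and the sample lines are constructed in the format of the captures posted here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the `tcpdump -e` format shown in the thread (MACs/IPs made up).
SAMPLE = """\
17:34:10.455935 02:00:00:00:00:01 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, proto OSPF (89), length 68
17:34:11.278041 02:00:00:00:00:01 > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Request
17:34:11.278126 02:00:00:00:00:01 > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Request
17:34:11.279000 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 0, ethertype ARP, Reply
17:34:11.280000 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype 802.1Q (0x8100), length 102: vlan 2095, p 0, ethertype IPv4, ICMP echo request
    10.0.0.1 > 10.0.0.2: continuation line, ignored by the parser
"""

# One tagged frame header per line: timestamp, src > dst, 802.1Q ethertype, VLAN id.
FRAME = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ \S+ > ([^,]+), ethertype 802\.1Q \(0x8100\), "
    r"length \d+: vlan (\d+),", re.MULTILINE)

def classify(dst):
    """Return 'broadcast', 'multicast' or 'unicast' for a destination MAC."""
    dst = dst.strip().lower()
    if dst in ("broadcast", "ff:ff:ff:ff:ff:ff"):
        return "broadcast"
    # The least significant bit of the first octet is the group (multicast) bit.
    return "multicast" if int(dst.split(":")[0], 16) & 1 else "unicast"

def summarize(capture_text):
    """Count frames per VLAN and destination class."""
    per_vlan = defaultdict(Counter)
    for m in FRAME.finditer(capture_text):
        per_vlan[int(m.group(2))][classify(m.group(1))] += 1
    return per_vlan

def vlans_without_unicast(per_vlan):
    """VLANs where only flooded traffic reached the mirror port."""
    return sorted(v for v, c in per_vlan.items() if c["unicast"] == 0)

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for vlan in sorted(summary):
        print(vlan, dict(summary[vlan]))
    print("no unicast seen in:", vlans_without_unicast(summary))
```

A VLAN that carries known unicast flows but appears in the last list is the symptom described in this thread.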