mirroring unicast traffic in vLAN

  • Updated 1 day ago
When I mirror several vLANs toward a port, I can see all broadcast traffic but no unicast traffic. It's a little bit as if the monitoring port had been included in the mirrored vLANs but no mirroring happens at all...
Is there some configuration I missed or some limitation here?

Here is the configuration used:

create mirror "VNF9"
configure mirror VNF9 to port 45
enable mirror VNF9
configure mirror VNF9 add vlan VNF09_IAC_R1 ingress
configure mirror VNF9 add vlan VNF09_MEDIA_R1 ingress
configure mirror VNF9 add vlan VNF09_MGMT_R1 ingress
configure mirror VNF9 add vlan VNF09_OM_CN_R1 ingress
configure mirror VNF9 add vlan VNF09_PRAN_R1 ingress
configure mirror VNF9 add vlan VNF09_SIGNALING_R1 ingress


configure vlan VNF09_IAC_R1 description "mbb_gwc01"
configure vlan VNF09_IAC_R1 tag 2094
create vlan "VNF09_MEDIA_R1"
configure vlan VNF09_MEDIA_R1 description "mbb_gwc01"
configure vlan VNF09_MEDIA_R1 tag 2092
create vlan "VNF09_MGMT_R1"
configure vlan VNF09_MGMT_R1 description "mbb_gwc01"
configure vlan VNF09_MGMT_R1 tag 2095
create vlan "VNF09_OM_CN_R1"
configure vlan VNF09_OM_CN_R1 description "mbb_gwc01"
configure vlan VNF09_OM_CN_R1 tag 2093
create vlan "VNF09_PRAN_R1"
configure vlan VNF09_PRAN_R1 description "mbb_gwc01"
configure vlan VNF09_PRAN_R1 tag 2090
create vlan "VNF09_SIGNALING_R1"
configure vlan VNF09_SIGNALING_R1 description "mbb_gwc01"
configure vlan VNF09_SIGNALING_R1 tag 2091
configure vlan VNF09_IAC_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_MEDIA_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_MGMT_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_OM_CN_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_PRAN_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_SIGNALING_R1 add ports 2-8, 26-32, 48 tagged


And here is an extract of a capture while a ping is running on one of these vLANs (only broadcasts are caught):


17:29:17.846331 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 102: vlan 2092, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 1420, offset 0, flags [none], proto OSPF (89), length 84)
    21.21.9.22 > 224.0.0.5: OSPFv2, LS-Update, length 64
        Router-ID 1.1.1.6, Area 0.0.0.3, Authentication Type: none (0), 1 LSA
          LSA #1
          Advertising Router 21.21.10.17, seq 0x80000004, age 2s, length 16
            External LSA (5), LSA-ID: 21.21.10.161
            Options: [External, Demand Circuit]
            Mask 255.255.255.255
                topology default (0), type 2, metric 0
            0x0000:  ffff ffff 8000 0000 0000 0000 0000 0000
17:29:18.528759 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 102: vlan 2090, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 54743, offset 0, flags [none], proto OSPF (89), length 84)
    21.21.9.6 > 224.0.0.5: OSPFv2, LS-Update, length 64
        Router-ID 1.1.1.10, Area 0.0.0.1, Authentication Type: none (0), 1 LSA
          LSA #1
          Advertising Router 1.1.1.10, seq 0x8000032f, age 1s, length 16
            External LSA (5), LSA-ID: 172.20.16.0
            Options: [External, Demand Circuit]
            Mask 255.255.255.0
                topology default (0), type 1, metric 5, forward 21.21.20.1
            0x0000:  ffff ff00 0000 0005 1515 1401 0000 0000


Limiting the capture, we can see OSPF broadcast, ARP request (but no answers)...

17:34:10.455935 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 27526, offset 0, flags [none], proto OSPF (89), length 68)
17:34:10.552442 fa:16:3e:6c:1a:c3 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 59158, offset 0, flags [none], proto OSPF (89), length 68)
17:34:11.278041 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.46 (Broadcast) tell 21.21.9.46, length 46
17:34:11.278047 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.30 (Broadcast) tell 21.21.9.30, length 46
17:34:11.278126 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.41 (Broadcast) tell 21.21.9.46, length 46
17:34:11.278259 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.25 (Broadcast) tell 21.21.9.30, length 46
17:34:11.571135 fa:16:3e:1b:ae:a4 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2092, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 22867, offset 0, flags [none], proto OSPF (89), length 68)
17:34:12.446747 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2094, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 44255, offset 0, flags [none], proto OSPF (89), length 68)
17:34:12.551103 fa:16:3e:e4:f4:d5 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2090, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 12804, offset 0, flags [none], proto OSPF (89), length 68)
...

Can you help please?

Laurent Rillet

Posted 1 week ago

EtherMAN, Embassador
Key to this is where your mirror port is in relation to where the source and destination are for what info you are trying to capture. Since you are only looking at ingress on all the vlans, what type of traffic would be coming into the vlans from the world? If you have both ingress and egress in your filter then all traffic would be presented on the egress of your filter port and you should be able to see more than broadcast and multicast traffic. Even with just ingress as your filter it should send all incoming frames from the provisioned ports to the egress of port 45 to be captured, so if this switch was sitting in the middle between source and destination you would see all traffic... If it is the router on one end then maybe not, unless you add the egress...

simon bingham
Problem is, if you were to capture egress and ingress on every port in a vlan, you would see every packet twice. I'm not sure if the Extreme captures traffic being routed internally on a vlan (does that count as a port?); it would be good if someone here knew.

simon bingham
Some NICs don't always go into promiscuous mode as commanded by the software (tcpdump or Wireshark); I have seen this with some USB NICs or in VMware environments.

Laurent Rillet
Hi,
Thanks for the attention...

So, the traffic I would like to see is ICMP, BTW between 2 addresses: from 21.21.9.41 to 21.21.9.46.

.41 is on port 29, .46 is on port 48, and the pings are successful.

You can see the initial ARP request:
17:34:11.278126 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.41 (Broadcast) tell 21.21.9.46, length 46

From the router's point of view:
21.21.10.41       fa:16:3e:70:26:06   3195   ARPA  3/19 vlan-id 2105
21.21.10.46       00:02:3b:10:12:8f   -      ARPA  3/19 vlan-id 2105

From the switch:
* X670-48x.4 # sh fdb | inc VNF09_MG
00:02:3b:10:12:8f VNF09_MGMT_R1(2095) 0043  d m            48
fa:16:3e:ac:5e:40 VNF09_MGMT_R1(2095) 0013  d m            29

For me it's quite good and traffic is OK... Only vLAN mirroring is weird, behaving as if the mirror destination port (45) was a member of the vLANs (receiving broadcast and multicast, but no unicast when the MAC is in the FDB).

BTW, if I apply my mirroring at port level, ingress side, I can see the unicast in the right vLAN on port 45, tagged vlan 2095...

Addendum: EXOS version is 15.6.3.1

Laurent Rillet
Hi,
No more tips or solutions?

EtherMAN, Embassador
Confirmed, I can see ICMP traffic one way if you mirror the vlan ingress only and the switch is one of the IPs....

Since it is all ingress traffic, if I add a vlan in the middle of the network between two sources I see both sides and full conversations doing the same vlan filter, ingress only.

If at the edge then you will only see incoming traffic to that switch due to the ingress-only vlan filter. If at the edge and you are not terminating any of the traffic for those vlans and it is only at the edge through that switch, then all I see is broadcast and mcast traffic that is not snooped.

Also confirmed an ingress-only vlan with egress ports sees full traffic on that vlan and it is not duplicated, but it is all the traffic as long as 2-way traffic is dependent on the switch you have the mirror on. So ping and snmpc and polling, I see all the two-way traffic once I added the port egress filter to the IP of the switch I have the mirror on.

Not sure if indeed you are seeing something different or not than I have set up in one of our 460 stacks that does monitoring and management traffic for our network..

One thing to remember.. mirror vlan is ingress only, mirror port is all vlans on the port, egress or ingress or both, and anomaly....


For me at least the mirror seems to work as designed, and I am also running 15.6.3.1:

 Slot-1 PLW_X460G2_5959Basement_stack.27 # sh mir "test_vlan"

test_vlan   (Enabled)
    Description:
    Mirror to port: 1:20
    Source filter instances used :  2
        Port 1:26, all vlans, egress only
        All ports, vlan rtr_nm_plw_3879, ingress only

Mirrors defined:          2
Mirrors enabled:          1 (Maximum 4)
HW filter instances used: 2 (Maximum 128)
HW mirror instances used: 1 ingress, 1 egress (Maximum 4 total, 2 egress)

Laurent Rillet
Thanks, but what if the switch is not the IP (the use case of my setup: the switch is used as a switch, not as a router)?

vLAN: VNF09_OM_CN_R1 tag 2093:

PC           <=>   Port 29  X670  Port 48   <=>   Router
21.21.9.41                                        21.21.9.46

With:
create mirror "VNF9"
configure mirror VNF9 to port 45
enable mirror VNF9
configure mirror VNF9 add vlan VNF09_OM_CN_R1 ingress

When I ping 21.21.9.41 from 21.21.9.46, I'm supposed to see:

ARP request, ingress broadcast on port 48 => OK, I see it!
ARP reply, ingress unicast on port 29 => this one I cannot see
ICMP request, ingress unicast on port 48 => not seen as well
ICMP reply, ingress unicast on port 29 => not seen either...

Does somebody know why?

(Edited)
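A quick way to check a mirror-port capture for exactly the symptom discussed in this thread (broadcast and multicast present, unicast absent) is to classify every tagged frame in the tcpdump output by VLAN and by destination MAC class. The script below is an added example, not code from the original posts; it parses the tcpdump summary-line format shown above and uses a constructed sample made of frames quoted in the thread plus one constructed unicast ICMP frame on vlan 2093, so the report shows what a healthy VLAN looks like next to the broken ones.

```python
import re
from collections import defaultdict

# Matches the tagged-frame summary line that tcpdump -e prints (the format
# quoted in the thread); indented continuation lines never match and are skipped.
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>[^,]+), "
    r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, "
    r"ethertype (?P<proto>\w+)"
)

# Constructed sample: four lines quoted from the capture in the thread plus one
# constructed unicast ICMP frame (last line) to show a VLAN where unicast was mirrored.
SAMPLE_CAPTURE = """\
17:34:10.455935 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 27526, offset 0, flags [none], proto OSPF (89), length 68)
17:34:10.552442 fa:16:3e:6c:1a:c3 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 59158, offset 0, flags [none], proto OSPF (89), length 68)
17:34:11.278041 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.46 (Broadcast) tell 21.21.9.46, length 46
17:34:11.278047 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.30 (Broadcast) tell 21.21.9.30, length 46
17:34:12.000000 00:02:3b:10:12:8f > fa:16:3e:ac:5e:40, ethertype 802.1Q (0x8100), length 102: vlan 2093, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 84)
"""


def mac_class(dst):
    """Classify a tcpdump destination as 'broadcast', 'multicast' or 'unicast'.

    tcpdump prints ff:ff:ff:ff:ff:ff as the word 'Broadcast'; any other address
    whose first octet has the low bit set is a group (multicast) address.
    """
    if dst == "Broadcast" or dst.lower() == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    first_octet = int(dst.split(":")[0], 16)
    return "multicast" if first_octet & 1 else "unicast"


def summarize(capture_text):
    """Return {vlan_id: {'broadcast': n, 'multicast': n, 'unicast': n}} for a capture."""
    counts = defaultdict(lambda: {"broadcast": 0, "multicast": 0, "unicast": 0})
    for line in capture_text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            counts[int(m.group("vlan"))][mac_class(m.group("dst"))] += 1
    return dict(counts)


def vlans_missing_unicast(counts):
    """VLANs that were seen on the mirror port but never carried a unicast frame."""
    return sorted(vlan for vlan, c in counts.items() if c["unicast"] == 0)


if __name__ == "__main__":
    report = summarize(SAMPLE_CAPTURE)
    for vlan in sorted(report):
        print(vlan, report[vlan])
    print("VLANs with no unicast mirrored:", vlans_missing_unicast(report))
```

Run it against a real `tcpdump -e -nn -vv` capture from the mirror destination port; a VLAN whose only frames are broadcast and multicast is the "behaving like a member port" symptom from the thread rather than a quiet VLAN.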