Port Mirroring Behaviour

  • Problem
  • Updated 2 years ago
  • Solved
Hello,

I'm trying to find an issue within my network.

At random times during the day, port utilization spikes to 100%.

I am trying to mirror a port that spikes so I can see what it is that it is receiving.

When setting up the mirror these are the commands I use:

Create mirror "Orsett" to port "38"

configure mirror "Orsett" add port "7"

enable mirror "Orsett"

For some reason I am not only seeing the traffic associated with the port but also the traffic to which the port is a member of a VLAN. When using Wireshark I can see all traffic on the VLAN associated with the port rather than just port traffic?

This isn't helpful as I want to target the specific port rather than the VLAN.

I don't specify the VLAN in the mirroring config so why does it enable it by default?

Ian Broadway
Posted 2 years ago

Henrique, Employee

Hi Ian, you can use "configure mirror "Orsett" add port 7 vlan <vlan_name>".

However, when specifying vlan you can only mirror ingress traffic.

Nick Yakimenko

You do want to see what kind of traffic utilizes 100% of the port, right? So, you see all the traffic that comes to the port. It could be a multicast issue, for example.

Ian Broadway

Hi,

But that would still mirror all traffic on the VLAN to the port? I don't want to be able to see traffic conversations from other devices, just the device associated with the port I am mirroring.

Nick Yakimenko

No, it mirrors ALL traffic that comes to the port, but not the traffic that goes through the VLAN. You probably see some kind of broadcast/multicast traffic, e.g. ARP or DHCP requests/replies.

Chad Smith, Senior Escalation Support Engineer

Ian,

What exactly do you mean by "but also the traffic to which the port is a member of a vlan seeing all traffic on the VLAN"?

With your configuration you should only see traffic that is ingressing/egressing that port.  So, you would see traffic destined to/from devices connected to that port plus broadcast and multicast for the VLAN.  If you are seeing other traffic from the VLAN it could be possible that there is unicast flooding in the network.  This could be the source of your high utilization that you are seeing.

Ian Broadway

This is the output of the mirror config on the switch:

Orsett (Enabled)
Description:
Mirror to port: 38
Source filter instances used : 1
Port 7, all vlans, ingress and egress

So in Wireshark on a PC which is connected to 38, I will only see traffic from and to the device connected to port 7? I

Chad Smith, Senior Escalation Support Engineer

Assuming there is only a single device and VLAN  on that port, that is correct, but you would also see any broadcast and some multicast for that VLAN.  If you see unicast traffic flows for other devices not connected to that port then that is likely unicast flooding and could indicate a problem.
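
Added example, not part of the original thread: one way to check a capture taken on the monitor port for the unicast flooding described above. It parses the Ethernet header of each frame and totals bytes by destination type; the MAC addresses and frames are constructed sample data, and `port_macs` (the MACs of the devices attached to the mirrored port) is an assumed input.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def classify(frame, port_macs):
    """Classify one Ethernet frame captured on the monitor port."""
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:  # I/G bit set: group (multicast) address
        return "multicast"
    if dst in port_macs or src in port_macs:
        return "port-unicast"  # to/from a device on the mirrored port
    return "foreign-unicast"   # unicast between other devices: flooding

def summarize(frames, port_macs):
    """Bytes per category, to show what is filling the port."""
    totals = Counter()
    for f in frames:
        if len(f) >= 14:  # skip frames too short to hold a header
            totals[classify(f, port_macs)] += len(f)
    return dict(totals)

def flooded_destinations(frames, port_macs):
    """Destination MACs of foreign unicast frames, with frame counts."""
    return Counter(f[0:6].hex(":") for f in frames
                   if len(f) >= 14
                   and classify(f, port_macs) == "foreign-unicast")

def make_frame(dst, src, payload_len):
    # Constructed test frame: MACs + IPv4 EtherType + zero-filled payload.
    return dst + src + b"\x08\x00" + bytes(payload_len)

# Constructed sample data (not taken from the thread).
HOST = mac("00:11:22:33:44:07")  # assumed device behind mirrored port 7
A, B = mac("00:11:22:33:44:aa"), mac("00:11:22:33:44:bb")
SAMPLE = [
    make_frame(HOST, A, 100),                     # to the device
    make_frame(A, HOST, 50),                      # from the device
    make_frame(BROADCAST, A, 46),                 # e.g. an ARP request
    make_frame(mac("01:00:5e:00:00:fb"), B, 86),  # IPv4 multicast
] + [make_frame(B, A, 1486)] * 3                  # A -> B, flooded

if __name__ == "__main__":
    print(summarize(SAMPLE, {HOST}))
    print(flooded_destinations(SAMPLE, {HOST}).most_common(5))
```

A large "foreign-unicast" byte share points at flooding, and the destination MACs listed are the ones to look up in the switch's forwarding database.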

Ian Broadway

Hmm, OK, I understand it then to work the way you have specified and how we originally thought as well.

I'm sure though that we did see unicast flows for other devices, which is why I raised this issue.

Henrique, Employee

If the port is tagged to multiple vlans, you will see traffic for that port regardless of vlan.

If you want to check traffic for a specific port and specific vlan (considering that port is tagged for multiple vlans) you should use the command below:

"configure mirror "Orsett" add port 7 vlan <vlan_name>".
  • Virtual port - All traffic ingressing the switch on a specific VLAN and port combination is copied to the monitor port(s). 

Paul Russo, Alum

Hello Ian

Yes, in that configuration you will see all traffic that flows through that port for all VLANs.

When you say you see communications from other devices are those unicast packets?  I would suspect they are multicast or broadcast packets.

Can you do a show port info detail so we can see what other VLANs are on that port?  Sometimes the default VLAN is left on unintentionally.  Also you are not using secondary IP addresses are you?  This is where you have multiple IP networks on the same VLAN?

Thanks
P

Ian Broadway

OK, thank you for the replies, I will go away and double check the behavior again.

The original behavior we got was like I was plugging the laptop into a port in the VLAN and running Wireshark, which would display everything in the VLAN the port was in.

One thing that might have happened, and I can't really confirm now because I wiped the mirror config from the switch, is that the default mirror profile was enabled and outputting based on the whole VLAN.

I will confirm tomorrow when I visit as this was a remote site.

EtherMAN, Embassador

If you want to look at this all the time without a mirror you could also set up and enable sFlow on that port and have the ability of going back in time and looking at what traffic created your spikes... There are open source collectors out there and sFlow will give you a picture of what is there.  We use SolarWinds and have around 800 interfaces on the Extreme side and another 1200 or so on our core internet routers and it has proven to be a great information source for tracking down high usage problems...