Port Mirroring Behaviour
						
‎06-14-2016 11:24 AM
			
				
					
					
Hello,

I'm trying to find an issue within my network. At random times during the day, port utilization spikes to 100%. I am trying to mirror a port that spikes so I can see what it is that it is receiving.

When setting up the mirror these are the commands I use:

    Create mirror "Orsett" to port "38"
    configure mirror "Orsett" add port "7"
    enable mirror "Orsett"

For some reason I am not only seeing the traffic associated with the port but also the traffic of the VLAN of which the port is a member. When using Wireshark I can see all traffic on the VLAN associated with the port rather than just port traffic?

This isn't helpful as I want to target the specific port rather than the VLAN.

I don't specify the VLAN in the mirroring config, so why does it enable it by default?
					
‎06-14-2016 02:03 PM
			
				
					
					
If you want to look at this all the time without a mirror you could also set up and enable sFlow on that port and have the ability to go back in time and look at what traffic created your spikes... There are open source collectors out there and sFlow will give you a picture of what is there.

We use SolarWinds and have around 800 interfaces on the Extreme side and another 1200 or so on our core internet routers and it has proven to be a great information source for tracking down high usage problems ...
					
‎06-14-2016 12:26 PM
			
				
					
					
OK, thank you for the replies, I will go away and double check the behavior again.

The original behavior we got was like I was plugging the laptop into a port in the VLAN and running Wireshark, which would display everything in the VLAN the port was in.

One thing that might have happened, and I can't really confirm now because I wiped the mirror config from the switch, is that the default mirror profile was enabled and outputting based on the whole VLAN.

I will confirm tomorrow when I visit, as this was a remote site.
					
‎06-14-2016 12:19 PM
			
				
					
					
Hello Ian

Yes, in that configuration you will see all traffic that flows through that port for all VLANs.

When you say you see communications from other devices, are those unicast packets? I would suspect they are multicast or broadcast packets.

Can you do a show port info detail so we can see what other VLANs are on that port? Sometimes the default VLAN is left on unintentionally. Also, you are not using secondary IP addresses, are you? This is where you have multiple IP networks on the same VLAN.

Thanks
P
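
One way to answer the unicast-versus-broadcast question in the reply above from a saved capture, as an added example that is not part of the original thread or Extreme's tooling. It assumes the capture from the monitor port (38) was saved in classic libpcap format rather than pcapng and that the MAC address of the device on port 7 is known; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import io
import struct
from collections import Counter

def read_pcap(stream):
    """Yield raw Ethernet frames from a classic libpcap stream (not pcapng)."""
    header = stream.read(24)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(header[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", header[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    while True:
        rec = stream.read(16)          # ts_sec, ts_usec, incl_len, orig_len
        if len(rec) < 16:
            return
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        yield stream.read(incl_len)

def classify(frames, host_mac):
    """Count frames by their relation to the device on the mirrored port."""
    host = bytes.fromhex(host_mac.replace(":", ""))
    counts = Counter()
    for frame in frames:
        if len(frame) < 14:            # shorter than an Ethernet header
            counts["truncated"] += 1
            continue
        dst, src = frame[:6], frame[6:12]
        if src == host:
            counts["from_host"] += 1
        elif dst == host:
            counts["to_host"] += 1
        elif dst == b"\xff" * 6:       # test before the multicast bit check
            counts["broadcast"] += 1
        elif dst[0] & 1:               # group bit set in the first octet
            counts["multicast"] += 1
        else:
            counts["other_unicast"] += 1   # unicast between third parties
    return counts

def build_sample():
    """Constructed capture; the device on port 7 is 00:11:22:33:44:55."""
    host, a, b = (bytes.fromhex(m) for m in ("001122334455", "02aaaaaaaaaa", "02bbbbbbbbbb"))
    pairs = [(host, a), (a, host), (b"\xff" * 6, a), (bytes.fromhex("01005e0000fb"), b), (b, a)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in pairs:
        frame = dst + src + b"\x08\x00" + b"\x00" * 46
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return io.BytesIO(out)
```

Broadcast and multicast frames from other devices are flooded to every port in the VLAN, so they show up in an egress mirror of a single port; a non-zero `other_unicast` count is the figure that points to unknown-unicast flooding or a mirror filter wider than the one port.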
					
‎06-14-2016 12:14 PM
			
				
					
					
This is the output of the mirror config on the switch:

    Orsett   (Enabled)
        Description:
        Mirror to port: 38
        Source filter instances used :  1
            Port 7, all vlans, ingress and egress

So in Wireshark on a PC which is connected to 38, I will only see traffic from and to the device connected to port 7? I