Port mirroring concerns on Enterasys S6

  • 0
  • 1
  • Question
  • Updated 3 years ago
  • Answered
  • (Edited)
Forgive me if this has been asked before and/or is just a dumb question.  

I'm working with a large installation that has been having regular network communication issues. They're using a wireshark-like device to which they've mirrored every port across their backbone, that's about 200 gigabits of throughput being mirrored to a single gig-ethernet port.  My concern is what sort of performance impact would such a configuration have.  I've been monitoring their interfaces and have yet to see any traffic rise beyond about 300 megabits and that was across 10 gig fiber.  My suspicion is traffic is being constrained to fit that gig-e port.  I've been watching the mirror source and have yet to see any discarded packets which I would expect to happen constantly given the disparity in bandwidth between the targets being mirrored.  In the past I've seen devices wherein port mirroring would block when traffic across interfaces being mirrored reached the limits of the port mirrored to.  While I doubt Enterasys behaves similarly unfortunately I know next to nothing about them and haven't been able to find a definitive answer.  I suspect this is configuration dependent.  Does anyone have a spare moment to school me in the ways of Enterasys port mirroring?  

Here are some device details:

Copyright (c) 2013 by Enterasys Networks, Inc.

Slot Model Serial # Versions ------ ---------------- -------------------- ------------------------- 4 SK8008-1224-F8 ************ Hw: 2 Bp: 01.03.02 Fw: 08.11.02.0001 5 SK8008-1224-F8 ************ Hw: 2 Bp: 01.03.02 Fw: 08.11.02.0001 6 ST8206-0848-F8 ************ Hw: 1 Bp: 01.03.02 Fw: 08.11.02.0001 Option Modules: Slot Module Model Serial # Versions ---- ------ ---------------- -------------------- ------------------------- 6 2 SOT2206-0112 ************ Hw: 10

Port mirror config:

set port mirroring create ge.6.40 tg.4.1 both
set port mirroring create ge.6.40 tg.4.2 both
set port mirroring create ge.6.40 tg.4.3 both
set port mirroring create ge.6.40 tg.4.4 both
set port mirroring create ge.6.40 tg.4.7 both
set port mirroring create ge.6.40 tg.4.8 both
set port mirroring create ge.6.40 tg.5.19 both
set port mirroring create ge.6.40 tg.5.20 both
set port mirroring create ge.6.40 tg.5.21 both
set port mirroring create ge.6.40 tg.5.22 both
set port mirroring create ge.6.40 tg.5.23 both
set port mirroring create ge.6.40 tg.5.24 both
set port mirroring create ge.6.40 ge.6.33 both
set port mirroring create ge.6.40 ge.6.34 both
set port mirroring create ge.6.40 ge.6.35 both
set port mirroring create ge.6.40 ge.6.36 both
set port mirroring create ge.6.40 ge.6.37 both
set port mirroring create ge.6.40 ge.6.38 both
set port mirroring create ge.6.45 tg.4.1 both
set port mirroring create ge.6.45 tg.5.1 both


Any info/advice is most appreciated, thanks!
Photo of Justin Brown

Justin Brown

  • 110 Points 100 badge 2x thumb
  • confused

Posted 3 years ago

  • 0
  • 1
Photo of Mike D

Mike D, Alum

  • 3,852 Points 3k badge 2x thumb
Hello,

I would not expect a straightforward mirror over-subscription scenario to negatively effect traffic elsewhere on the switch or the network.

You mention mirroring every port across the backbone.  Does mirrored traffic ever exit switch x and pipe to switch y's port?
Asked another way - does mirrored traffic in any case *not* go directly to the storage/analysis station?

It looks like you have a config for one mirror source to many mirror destinations here. Are we on the same page?

regards
-Mike


 
Photo of Justin Brown

Justin Brown

  • 110 Points 100 badge 2x thumb
Hi Mike, thank you for replying.  

A Wireshark-like device hangs off ge.6.40.  It has a second connection it uses to communicate the results of its data collection to a traffic analyzer from Riverbed.  As far as I know mirrored packets don't make their way back on the network.

My concern is how does the Enterasys handle situations wherein the aggregate bandwidth being mirrored rises beyond the one gigabit available on ge.6.40.  Does the S6 discard packets, buffer them, block on the mirrored ports to prevent overruns or some combination of the three?  Also, considering "both" ingress and egress are being mirrored, there're likely a lot of packets being mirrored twice as they make their way through multiple mirrored ports.   

It DOES appear one port is being mirrored to multiple other ports, but in fact it's the other way around.  At least as best I've been able to determine.  Apparently in Enterasys nomenclature the source port is the port packets are mirrored TO while the target ports are the ports that packets are mirrored from.  For example:

show port mirroring
Port Mirroring
==============

 Source Port        = ge.6.40      Port Status = Up
 Target Port        = tg.4.1       Port Status = Dormant
 Frames Mirrored    = Rx and Tx
 Admin Status       = enabled
 Operational Status = disabled (port not up)

 Source Port        = ge.6.40      Port Status = Up
 Target Port        = tg.4.2       Port Status = Dormant
 Frames Mirrored    = Rx and Tx
 Admin Status       = enabled
 Operational Status = disabled (port not up)

 Source Port        = ge.6.40      Port Status = Up
 Target Port        = tg.4.3       Port Status = Up
 Frames Mirrored    = Rx and Tx
 Admin Status       = enabled
 Operational Status = enabled


In this ge.6.40, the "source," is the port packets are duplicated to, while the other ports, the "targets," are duplicated from.  I scratched my head on that one too.  I guess target is the target port to mirror while source is the source port to mirror packets out of.

Thanks again for the reply.
Photo of Justin Brown

Justin Brown

  • 110 Points 100 badge 2x thumb
Of course, I could very well have it completely backwards, IE source is the port being mirrored and target is where the packets are mirrored out, but then I haven't the foggiest what this is trying to accomplish because it means traffic sent/received on ge.6.40 is being mirrored out a while bunch of other ports.  Which makes more sense in terms of the wording and syntax but less in terms of why would anyone want to set up such a scenario..  Of course, I'm at the mercy of anyone who knows the answer definitively.
Photo of Justin Brown

Justin Brown

  • 110 Points 100 badge 2x thumb
I got a definitive answer straight from Extreme.  This configuration DOES mirror ge.6.40 to all the other ports.  It should not impact router performance as the mirroring is handled by hardware.  If this were properly configured (ports being mirrored to ge.6.40 instead of the other way around) when overrun packets intended for the target (ge.6.40) would be discarded.  There's currently no method of tracking the discarded packets.  Hopefully this will help anyone else with the same concerns.
Photo of Justin Brown

Justin Brown

  • 110 Points 100 badge 2x thumb
I should add unlike other devices, port mirror targets continue to handle other traffic.  With other devices when a port is configured to be a mirror target that port only mirrors packets (presumably because passing other packets might confuse packet sniffers).  Apparently the S-series behaves differently.
Photo of Mike D

Mike D, Alum

  • 3,852 Points 3k badge 2x thumb
Thank you for the follow-up Justin. I'm certain this info will be of use to our customers in the future. 

I'll create a knowledge base article to the effect that over-subscription of a port mirror does not impact router performance and post the link here.

Regards,
Mike
Photo of Mike D

Mike D, Alum

  • 3,852 Points 3k badge 2x thumb
Hello Justin,

Here is the link to a new knowledge article based on your inquiry.  

https://gtacknowledge.extremenetworks.com/articles/Q_A/S-series-K-series-Will-mirror-oversubscription-impact-routing/

Thanks again for closing the loop. 
Regards,

Mike
(Edited)