Restrictions of port mirroring on SecureStacks

  • 0
  • 2
  • Question
  • Updated 3 years ago

Hi folks,

i see some odd behavior in mirrored traffic on the customer side, and i am right now unsure if this need deeper investigation. Or can be clarified in the way how mirror ports are treated on enterasys.

So i did a quick lab setup also also see similar odd behavior.

(Host <----> (Port48)(Switch C3)(Port48) <----> (Port 24)(Switch A2 IP adress / host vlan 1)

ge.1.30        31         N          untagged: 31 (traffic generator)
ge.1.34        31         N          untagged: 31 (mirror Host)
ge.1.48        31         N          untagged: 31 tagged: 2708,2732,2733,2734,2736

fe.1.24        1          N          untagged: 1 tagged: 2708,2732,2733,2734,2736

So when im pinging from host to pakets needs to be transmitted untagged in order to recive an reply.
When i setup an mirrorport i see the pakets tagged with vlan 31 in my trace - which have to be incorrect. The reply is without tag - which is obviously correct.

So the traffic that i see in the capture is not the traffic that is leaving the port.
Which information gained from a paket capture can be trusted?

I know its a tricky question, because it depends on the state of processing when the paket is replicated to that mirrorport.

Here are some further information about the switch, that is doing the mirror port.

set port mirroring create ge.1.48 ge.1.34
set port mirroring enable ge.1.48 ge.1.34

C3(rw)->show port mirroring
Port Mirroring
Source Port     = ge.1.48
Target Port     = ge.1.34
Frames Mirrored = Rx and Tx
Port Mirroring status enabled

C3(rw)->show ver

Model           Serial #           Versions
--------------  -----------------  -------------------

C3G124-48P      09060162225J       Hw:BCM56504 REV 19

I did not had the opportunity to narrow down the ood behavior at the customer side. But i still want to ask if this behavior can be subject of the mirror port.

VM <----> (ge.2.38)(S3 code base probalbly 2014/2013)(lag.0.3 (2xtg memberports)) <===========> (lag.0.4)(B5) ---

A mirror port of lag.0.3 shows that the connected VM sends broadcast traffic.
A (rx/tx) mirror port sees the paket twice. 1x tagged(vlan 10), 1x untagged.
A (tx) mirror port sees the paket twice. 1x tagged(vlan 10), 1x untagged.
A (rx) mirror port sees the paket only untagged.

The mac adress of that VM is only in VLAN 10 on the port 2.38.

Could such a behavior subject on the way how the mirror port works internally? Why?
I also tought that maybe vlan 10 is bridged somewhere with vlan 1 but than i should see the mac of the host in vlan 1, but i dont.
If i tx the packet in vlan 1,10 and i rx the packet in vlan 2, then i should see the paket 3 times if i do a rx/tx trace?!

Probably someone of you has experienced similar observations.



Photo of dirk


  • 150 Points 100 badge 2x thumb

Posted 3 years ago

  • 0
  • 2

Be the first to post a reply!