Restrictions of port mirroring on SecureStacks

dirk
New Contributor II
Hi folks,

I see some odd behavior in mirrored traffic on the customer side, and I am right now unsure if this needs deeper investigation or can be explained by the way mirror ports are treated on Enterasys.

So I did a quick lab setup and also see similar odd behavior.

(Host 172.16.31.164) <----> (Port48)(Switch C3)(Port48) <----> (Port 24)(Switch A2 IP address 172.16.31.251 / host vlan 1)

C3
ge.1.30 31 N untagged: 31 (traffic generator)
ge.1.34 31 N untagged: 31 (mirror Host)
ge.1.48 31 N untagged: 31 tagged: 2708,2732,2733,2734,2736

A2
fe.1.24 1 N untagged: 1 tagged: 2708,2732,2733,2734,2736

So when I'm pinging from host 172.16.31.164 to 172.16.31.251, packets need to be transmitted untagged in order to receive a reply.
When I set up a mirror port, I see the packets tagged with VLAN 31 in my trace - which has to be incorrect. The reply is without a tag - which is obviously correct.

So the traffic that I see in the capture is not the traffic that is leaving the port.
Which information gained from a packet capture can be trusted?

I know it's a tricky question, because it depends on the state of processing when the packet is replicated to that mirror port.

Here is some further information about the switch that is doing the mirror port.

set port mirroring create ge.1.48 ge.1.34
set port mirroring enable ge.1.48 ge.1.34

C3(rw)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.48
Target Port = ge.1.34
Frames Mirrored = Rx and Tx
Port Mirroring status enabled

C3(rw)->show ver

Model Serial # Versions
-------------- ----------------- -------------------

C3G124-48P 09060162225J Hw:BCM56504 REV 19
Bp:01.00.53
Fw:06.61.13.0006
BuFw:06.61.11.0006
PoE:608_3
CPLD:2.0

I did not have the opportunity to narrow down the odd behavior at the customer side. But I still want to ask if this behavior can be due to the mirror port.

VM <----> (ge.2.38)(S3 code base probably 2014/2013)(lag.0.3 (2xtg memberports)) <===========> (lag.0.4)(B5) ---

A mirror port of lag.0.3 shows that the connected VM sends broadcast traffic.
A (rx/tx) mirror port sees the packet twice. 1x tagged (VLAN 10), 1x untagged.
A (tx) mirror port sees the packet twice. 1x tagged (VLAN 10), 1x untagged.
A (rx) mirror port sees the packet only untagged.

The MAC address of that VM is only in VLAN 10 on the port 2.38.

Could such behavior be due to the way the mirror port works internally? Why?
I also thought that maybe VLAN 10 is bridged somewhere with VLAN 1, but then I should see the MAC of the host in VLAN 1, but I don't.
If I tx the packet in VLAN 1,10 and I rx the packet in VLAN 2, then I should see the packet 3 times if I do an rx/tx trace?!

Probably some of you have made similar observations.

thanks

dirk
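
One way to check, in a capture taken on the mirror target port, whether two frames are the same frame seen once tagged and once untagged (an added example, not part of the original post). The frames, MAC addresses and function names are constructed for illustration, and only a single 802.1Q tag is handled.

```python
import struct
from collections import defaultdict

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def split_tag(frame: bytes):
    """Return (vlan_id or None, frame with any single 802.1Q tag removed)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]  # low 12 bits are the VLAN ID

def group_copies(frames):
    """Map each de-tagged frame to the list of tags it was captured with."""
    seen = defaultdict(list)
    for frame in frames:
        vlan, bare = split_tag(frame)
        seen[bare].append(vlan)
    return dict(seen)

def mixed_tagging(frames):
    """Tag lists of frames captured both tagged and untagged."""
    return [tags for tags in group_copies(frames).values()
            if None in tags and any(t is not None for t in tags)]

def make_frame(dst, src, ethertype, payload, vlan=None):
    """Build a constructed sample frame (no FCS), optionally 802.1Q tagged."""
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

# Constructed sample capture: one broadcast seen tagged (VLAN 10) and untagged,
# plus one unrelated untagged frame. MAC addresses and payloads are made up.
BCAST = b"\xff" * 6
VM = bytes.fromhex("020000000001")
HOST = bytes.fromhex("020000000002")
CAPTURE = [
    make_frame(BCAST, VM, 0x0806, b"arp-request-sample", vlan=10),
    make_frame(BCAST, VM, 0x0806, b"arp-request-sample"),
    make_frame(VM, HOST, 0x0800, b"unrelated-sample"),
]

if __name__ == "__main__":
    for tags in mixed_tagging(CAPTURE):
        print("same frame captured with tags:", tags)
```

Frames that differ in anything besides the tag (for example a rewritten header) are grouped separately, so a match here means the copies are byte-identical apart from the 802.1Q tag.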
