Question

Port mirror to a vlan

  • 21 June 2019
  • 1 reply
  • 215 views

We are demoing an IDS device that lives in a VM. The device setup wants a port mirror to be sent to a vlan so the virtual switch on the VM host can then assign the traffic to the correct interface on the VM. The device is connected to a B5 switch that uplinks to an S4. I'm able to set up a mirror on the S4 to send the traffic from a vlan to a port, but can't see a way to then send that mirror to a dedicated vlan that I then get over to the virtual environment. Is this possible? Surprisingly, it looks like you can send a mirror to a vlan on the B-series switches but not the S-series.

The following will let me send the traffic to a physical port on the S4.
set vlan interface
set port mirroring create vtap.0. ge.1.1


For a port mirror you will need to specify an additional port on the ESX server to receive the mirrored traffic. I don't believe you can mirror traffic to a vlan destination, because mirrored traffic is dead traffic. VLANs provide switching and lookups before forwarding, while dead traffic should just go out everywhere. Thus you are talking about 2 different functions of the packet processor.
Also I wouldn't suggest mirroring traffic onto a vlan and then sending it into esx via a trunk because it can oversubscribe the port and then you lose control traffic.

Again I'd mirror the traffic to a port, then connect that port to a different port on the ESX server with a separate virtual switch, and then tie the virtual IDS interface to that other virtual network.
