Port Mirroring Behaviour


Userlevel 2
Hello, I'm trying to find an issue within my network. At random times during the day, port utilization spikes to 100%. I am trying to mirror a port that spikes so I can see what it is receiving. When setting up the mirror these are the commands I use:

create mirror "Orsett" to port "38"
configure mirror "Orsett" add port "7"
enable mirror "Orsett"

For some reason I am not only seeing the traffic associated with the port but also the traffic of the VLAN the port is a member of. When using Wireshark I can see all traffic on the VLAN associated with the port rather than just the port's traffic. This isn't helpful, as I want to target the specific port rather than the VLAN. I don't specify the VLAN in the mirroring config, so why does it enable it by default?

12 replies

Userlevel 6
Hi Ian, you can use "configure mirror "Orsett" add port 7 vlan ".

However, when specifying vlan you can only mirror ingress traffic.
Userlevel 4
You do want to see what kind of traffic utilizes 100% of the port, right? So you see all the traffic that comes to the port. It could be a multicast issue, for example.
Userlevel 2
Hi, but that would still mirror all traffic on the VLAN to the port? I don't want to be able to see traffic conversations from other devices, just the device associated with the port I am mirroring.
Userlevel 4
Ian Broadway wrote:

Hi, but that would still mirror all traffic on the VLAN to the port? I don't want to be able to see traffic conversations from other devices, just the device associated with the port I am mirroring.

No, it mirrors ALL traffic that comes to the port, but not the traffic that goes through the VLAN. You probably see some kind of broadcast/multicast traffic, e.g. ARP or DHCP requests/replies.
Userlevel 6
Ian,

What exactly do you mean by "but also the traffic to which the port is a member of a vlan seeing all traffic on the VLAN"?

With your configuration you should only see traffic that is ingressing/egressing that port. So, you would see traffic destined to/from devices connected to that port plus broadcast and multicast for the VLAN. If you are seeing other traffic from the VLAN it could be possible that there is unicast flooding in the network. This could be the source of your high utilization that you are seeing.
Userlevel 2
This is the output of the mirror config on the switch:

Orsett (Enabled)
Description:
Mirror to port: 38
Source filter instances used : 1
Port 7, all vlans, ingress and egress

So in Wireshark on a PC which is connected to 38, I will only see traffic from and to the device connected to port 7? I
Userlevel 6
Ian Broadway wrote:

This is the output of the mirror config on the switch:

Orsett (Enabled)
Description:
Mirror to port: 38
Source filter instances used : 1
Port 7, all vlans, ingress and egress

So in Wireshark on a PC which is connected to 38, I will only see traffic from and to the device connected to port 7? I

Assuming there is only a single device and VLAN on that port, that is correct, but you would also see any broadcast and some multicast for that VLAN. If you see unicast traffic flows for other devices not connected to that port then that is likely unicast flooding and could indicate a problem.
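The replies above boil down to one check on the capture taken on port 38: frames that are broadcast or multicast are expected on a mirror of any port in the VLAN, frames to or from the host on port 7 are the ones being asked for, and unicast frames between two other hosts should not be there at all and point to unicast flooding. The script below is an added example (not from the thread or from Extreme) that reads a classic pcap file saved by Wireshark and sorts the frames into those classes; the MAC addresses and the six-frame sample capture are constructed for illustration, and `HOST_A` stands in for whatever device is on the mirrored port.

```python
"""Classify frames from a mirror-port pcap into broadcast, multicast,
unicast to/from the mirrored host, and unicast between other hosts
(the last class is what the thread calls unicast flooding).
Standard library only, so it runs offline on any saved capture."""
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETH_P_8021Q = 0x8100


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame: bytes, mirrored_mac: bytes) -> str:
    """Return 'broadcast', 'multicast', 'unicast-local' or 'unicast-other'.
    'unicast-other' means neither MAC is the mirrored host: a frame the switch
    should only have sent to that port if it is flooding unknown unicast."""
    if len(frame) < 14:
        return "runt"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                      # I/G bit set: group address
        return "multicast"
    if mirrored_mac in (dst, src):
        return "unicast-local"
    return "unicast-other"


def vlan_of(frame: bytes):
    """VLAN ID from an 802.1Q tag, or None if the frame is untagged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETH_P_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def iter_pcap(data: bytes):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:   # DLT_EN10MB
        raise ValueError("capture is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def analyse(data: bytes, mirrored_mac: bytes):
    """Per-class frame counts plus (src, dst, vlan) of every suspect flow."""
    counts, suspects = Counter(), Counter()
    for frame in iter_pcap(data):
        cls = classify_frame(frame, mirrored_mac)
        counts[cls] += 1
        if cls == "unicast-other":
            suspects[(mac_str(frame[6:12]), mac_str(frame[0:6]), vlan_of(frame))] += 1
    return counts, suspects


# --- constructed sample capture (hypothetical MACs, not from the thread) -----
def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + b"".join(recs)


def eth(dst, src, ethertype=0x0800, vlan=None, payload=b"\x00" * 46):
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


HOST_A = bytes.fromhex("020000000007")     # device on the mirrored port
HOST_B = bytes.fromhex("020000000008")
HOST_C = bytes.fromhex("020000000009")
GATEWAY = bytes.fromhex("020000000001")
SAMPLE = build_pcap([
    eth(GATEWAY, HOST_A),                           # expected: A -> gateway
    eth(HOST_A, GATEWAY),                           # expected: gateway -> A
    eth(BROADCAST, HOST_B, ethertype=0x0806),       # ARP request, expected
    eth(bytes.fromhex("01005e000001"), GATEWAY),    # IP multicast, expected
    eth(HOST_C, HOST_B, vlan=10),                   # B <-> C: not ours
    eth(HOST_C, HOST_B, vlan=10),                   # ... seen twice -> flooding
])

if __name__ == "__main__":
    counts, suspects = analyse(SAMPLE, HOST_A)
    print(dict(counts))
    for (src, dst, vlan), n in suspects.most_common():
        print(f"suspect flooding: {src} -> {dst} vlan={vlan} x{n}")
```

Run it against a real capture with `analyse(open("capture.pcap", "rb").read(), bytes.fromhex("<mac of the device on port 7>"))`. A large `unicast-other` count concentrated on a few source/destination pairs is the flooding the replies describe and is a better lead on the 100% utilisation than the broadcast and multicast noise; note that Wireshark's default pcapng format has to be saved as classic pcap first.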
Userlevel 2
Ian Broadway wrote:

This is the output of the mirror config on the switch:

Orsett (Enabled)
Description:
Mirror to port: 38
Source filter instances used : 1
Port 7, all vlans, ingress and egress

So in Wireshark on a PC which is connected to 38, I will only see traffic from and to the device connected to port 7? I

Hmm, OK, I understand it then to work the way you have specified and how we originally thought as well. I'm sure though that we did see unicast flows for other devices, which is why I raised this issue.
Userlevel 6
Ian Broadway wrote:

This is the output of the mirror config on the switch:

Orsett (Enabled)
Description:
Mirror to port: 38
Source filter instances used : 1
Port 7, all vlans, ingress and egress

So in Wireshark on a PC which is connected to 38, I will only see traffic from and to the device connected to port 7? I

If the port is tagged to multiple VLANs, you will see traffic for that port regardless of VLAN.

If you want to check traffic for a specific port and a specific VLAN (considering that the port is tagged for multiple VLANs) you should use the command below:

"configure mirror "Orsett" add port 7 vlan ".
    Virtual port - All traffic ingressing the switch on a specific VLAN and port combination is copied to the monitor port(s).
Userlevel 6
Hello Ian

Yes, in that configuration you will see all traffic that flows through that port for all VLANs.

When you say you see communications from other devices, are those unicast packets? I would suspect they are multicast or broadcast packets.

Can you do a "show port info detail" so we can see what other VLANs are on that port? Sometimes the default VLAN is left on unintentionally. Also, you are not using secondary IP addresses, are you? This is where you have multiple IP networks on the same VLAN.

Thanks
P
Userlevel 2
OK, thank you for the replies. I will go away and double check the behaviour again. The original behaviour we got was as if I was plugging the laptop into a port in the VLAN and running Wireshark, which would display everything in the VLAN the port was in. One thing that might have happened, and I can't really confirm now because I wiped the mirror config from the switch, is that the default mirror profile was enabled and outputting based on the whole VLAN. I will confirm tomorrow when I visit, as this was a remote site.
Userlevel 6
If you want to look at this all the time without a mirror, you could also set up and enable sFlow on that port and have the ability of going back in time and looking at what traffic created your spikes. There are open source collectors out there, and sFlow will give you a picture of what is there. We use SolarWinds and have around 800 interfaces on the Extreme side and another 1200 or so on our core internet routers, and it has proven to be a great information source for tracking down high usage problems.