S/N/K-Series Policy Based Mirroring overview

Article ID: 12373

S-Series, all firmware
Matrix N-Series DFE, firmware and higher
K-Series, all firmware

Policy-based mirroring uses the normal policy packet-pattern classification to select specific traffic and feeds only the matching frames to a port mirror. This is useful when only one aspect of a conversation needs analysis, such as a single protocol type or the traffic of one user IP address, rather than everything a port carries.

Here are the affected commands. The mirror index used in the 'set mirror' commands is the same value referenced by the 'mirror-destination' parameter in the 'set policy' commands:
set mirror
[create ]
[ {[storage-type {non-volatile | volatile}] | [owner ]}
[ {[mirrorN <#frames>] | [storage-type {non-volatile | volatile}] | [owner ]} (requires f/w 8.x)
[enable {}]
[disable {}]
[ports [append]]

set policy profile [name ]
[pvid-status {enable | disable} {pvid }]
[cos-status {enable | disable} {cos }]
[mirror-destination ] | [clear-mirror] | [prohibit-mirror]
[egress-vlans ]
[forbidden-vlans ]
[untagged-vlans ]
[append] | [clear]
[tci-overwrite {enable | disable}]
[precedence ]
[syslog {enable | disable}]
[trap {enable | disable}]
[disable-port {enable | disable}]

set policy rule {admin-profile | }
{ [] [mask ]}
[port-string ]
[storage-type {non-volatile | volatile}]
[vlan ] | [drop | forward]
[cos ]
[mirror-destination ] | [clear-mirror] | [prohibit-mirror]
[admin-pid ]
[syslog {enable | disable | prohibit}]
[trap {enable |disable | prohibit}]
[disable-port {enable | disable | prohibit}]

Note: With S/K-Series firmware and higher, the 'set mirror' command supports the 'mirrorN' parameter, which limits the mirror to a maximum of N frames. The maximum value for <#frames> is 4294967295, equivalent to 0xffffffff.

Here is a sample configuration that uses policy profile 10 to match ARP frames ingressing policy-applied port ge.5.2 and send them to mirror instance 2, whose destination is port ge.5.1. Remember that policy rules classify ingress traffic only, so only frames received on ge.5.2 are candidates for this mirror.
set mirror create 2
set mirror ports ge.5.1 2
set policy profile 10
set policy rule 10 ether 0x806 mirror-destination 2 forward
set policy port ge.5.2 10

Again, the source of the ingressing ARP frames is port ge.5.2, and the sniffer, IDS or other traffic analysis device would plug into port ge.5.1.

In these commands, the 'mirror-destination' parameter behaves like the familiar 'pvid/vlan' and 'cos' parameters. If a packet traversing the policy hits a rule that carries the parameter (here, mirror-destination), the rule-specified action is executed for that packet; otherwise, if the same parameter is present in the profile command, the profile value is executed as the default action. Thus the example above mirrors only ARP-matching traffic. If instead we wanted to mirror all traffic except ARP, 'mirror-destination 2' would move from the rule to the profile, and the ARP rule should carry 'prohibit-mirror' (see the rule syntax above): under the default-action behavior just described, an ARP frame hitting a rule that says nothing about mirroring would otherwise still fall back to the profile's mirror-destination and be mirrored along with everything else.
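The following Python model is an added example, not code from the original article or from the switch vendor. It encodes the rule-overrides-profile-default semantics described above and emits the corresponding 'set mirror' and 'set policy' CLI, so the "ARP only" configuration from the article can be compared side by side with the "everything except ARP" configuration and with the mistaken variant that leaves the ARP rule without any mirror parameter. Only the 'ether' classifier is modelled; the Rule and Profile classes, resolve_mirror(), cli(), mirror_cli() and full_config() are names chosen for this example and are not switch commands or vendor APIs.

```python
"""Policy-based mirroring on S/K-Series: rule action vs. profile default.

Added example (not from the article or the vendor). Models the semantics the
article describes: a mirror parameter on the matching rule wins; otherwise the
profile-level parameter applies as the default. Emits the matching CLI.
Assumptions: only the 'ether' classifier is modelled; all class and function
names here are invented for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ETHER_ARP = 0x0806   # EtherType matched by the article's 'ether 0x806' rule
ETHER_IPV4 = 0x0800  # used only as a non-ARP frame for comparison


@dataclass
class Rule:
    ether: int                     # EtherType classifier (the only one modelled)
    mirror: Optional[int] = None   # mirror-destination <mirror-index>
    prohibit_mirror: bool = False  # prohibit-mirror: matching frames never mirrored
    forward: bool = True           # forward vs. drop disposition


@dataclass
class Profile:
    index: int
    default_mirror: Optional[int] = None  # profile-level mirror-destination
    rules: List[Rule] = field(default_factory=list)

    def resolve_mirror(self, ether: int) -> Optional[int]:
        """Mirror index an ingress frame of this EtherType is sent to, or None."""
        for rule in self.rules:
            if rule.ether != ether:
                continue
            if rule.prohibit_mirror:      # explicit override: no mirroring
                return None
            if rule.mirror is not None:   # rule-level action wins
                return rule.mirror
            # Rule hit but silent about mirroring: the profile default still
            # applies. This is why "mirror everything except X" needs
            # prohibit-mirror on the rule for X.
            return self.default_mirror
        return self.default_mirror        # no rule hit: profile default

    def cli(self, policy_port: str) -> List[str]:
        """Emit the 'set policy ...' commands for this profile on one port."""
        head = f"set policy profile {self.index}"
        if self.default_mirror is not None:
            head += f" mirror-destination {self.default_mirror}"
        lines = [head]
        for rule in self.rules:
            parts = [f"set policy rule {self.index} ether 0x{rule.ether:x}"]
            if rule.prohibit_mirror:
                parts.append("prohibit-mirror")
            elif rule.mirror is not None:
                parts.append(f"mirror-destination {rule.mirror}")
            parts.append("forward" if rule.forward else "drop")
            lines.append(" ".join(parts))
        lines.append(f"set policy port {policy_port} {self.index}")
        return lines


def mirror_cli(mirror_index: int, dest_port: str) -> List[str]:
    """Create a mirror instance and attach its destination (analyser) port."""
    return [f"set mirror create {mirror_index}",
            f"set mirror ports {dest_port} {mirror_index}"]


def full_config(profile: Profile, policy_port: str = "ge.5.2",
                dest_port: str = "ge.5.1", mirror_index: int = 2) -> List[str]:
    """Mirror creation followed by the policy commands, as in the article."""
    return mirror_cli(mirror_index, dest_port) + profile.cli(policy_port)


# The article's example: mirror only ingress ARP on ge.5.2 to ge.5.1 via mirror 2.
ARP_ONLY = Profile(10, rules=[Rule(ETHER_ARP, mirror=2)])

# The inverse: mirror everything except ARP. Default on the profile, and the
# ARP rule explicitly prohibits mirroring.
ALL_BUT_ARP = Profile(10, default_mirror=2,
                      rules=[Rule(ETHER_ARP, prohibit_mirror=True)])

# Mistaken inverse: default moved to the profile, but the ARP rule carries no
# mirror parameter, so ARP falls back to the default and is mirrored too.
NAIVE_INVERSE = Profile(10, default_mirror=2, rules=[Rule(ETHER_ARP)])


if __name__ == "__main__":
    for name, prof in (("ARP only", ARP_ONLY), ("all but ARP", ALL_BUT_ARP),
                       ("naive inverse", NAIVE_INVERSE)):
        print(f"--- {name}: ARP -> {prof.resolve_mirror(ETHER_ARP)}, "
              f"IPv4 -> {prof.resolve_mirror(ETHER_IPV4)}")
        print("\n".join(full_config(prof)))
```

Running the script prints the three configurations with the mirror instance each frame type resolves to; the "ARP only" output reproduces the article's five commands exactly, and the "naive inverse" case shows ARP landing in mirror 2 despite the intent to exclude it.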

Also see the HowTo Video, which provides further background on the policy-based mirroring feature.

