Restrictions of port mirroring on SecureStacks

dirk — Tue, 24 Feb 2015 20:54:00 GMT

Hi folks,

i see some odd behavior in mirrored traffic on the customer side, and i am right now unsure if this need deeper investigation. Or can be clarified in the way how mirror ports are treated on enterasys.

So i did a quick lab setup also also see similar odd behavior.

(Host 172.16.31.164) <----> (Port48)(Switch C3)(Port48) <----> (Port 24)(Switch A2 IP adress 172.16.31.251 / host vlan 1)

C3
ge.1.30 31 N untagged: 31 (traffic generator)
ge.1.34 31 N untagged: 31 (mirror Host)
ge.1.48 31 N untagged: 31 tagged: 2708,2732,2733,2734,2736

A2
fe.1.24 1 N untagged: 1 tagged: 2708,2732,2733,2734,2736

So when im pinging from host 172.16.31.164 to 172.16.31.251 pakets needs to be transmitted untagged in order to recive an reply.
When i setup an mirrorport i see the pakets tagged with vlan 31 in my trace - which have to be incorrect. The reply is without tag - which is obviously correct.

So the traffic that i see in the capture is not the traffic that is leaving the port.
Which information gained from a paket capture can be trusted?

I know its a tricky question, because it depends on the state of processing when the paket is replicated to that mirrorport.

Here are some further information about the switch, that is doing the mirror port.

set port mirroring create ge.1.48 ge.1.34
set port mirroring enable ge.1.48 ge.1.34

C3(rw)->show port mirroring
Port Mirroring
==============
Source Port = ge.1.48
Target Port = ge.1.34
Frames Mirrored = Rx and Tx
Port Mirroring status enabled

C3(rw)->show ver

Model Serial # Versions
-------------- ----------------- -------------------

C3G124-48P 09060162225J Hw:BCM56504 REV 19
Bp:01.00.53
Fw:06.61.13.0006
BuFw:06.61.11.0006
PoE:608_3
CPLD:2.0

I did not had the opportunity to narrow down the ood behavior at the customer side. But i still want to ask if this behavior can be subject of the mirror port.

VM <----> (ge.2.38)(S3 code base probalbly 2014/2013)(lag.0.3 (2xtg memberports)) <===========> (lag.0.4)(B5) ---

A mirror port of lag.0.3 shows that the connected VM sends broadcast traffic.
A (rx/tx) mirror port sees the paket twice. 1x tagged(vlan 10), 1x untagged.
A (tx) mirror port sees the paket twice. 1x tagged(vlan 10), 1x untagged.
A (rx) mirror port sees the paket only untagged.

The mac adress of that VM is only in VLAN 10 on the port 2.38.

Could such a behavior subject on the way how the mirror port works internally? Why?
I also tought that maybe vlan 10 is bridged somewhere with vlan 1 but than i should see the mac of the host in vlan 1, but i dont.
If i tx the packet in vlan 1,10 and i rx the packet in vlan 2, then i should see the paket 3 times if i do a rx/tx trace?!

Probably someone of you has experienced similar observations.

thanks

dirk

topic Restrictions of port mirroring on SecureStacks in ExtremeSwitching (Other)

Restrictions of port mirroring on SecureStacks