This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Mirroring on X590 - V400. Troubles with 802.1BR (0x893F) encapsulation

Mirroring on X590 - V400. Troubles with 802.1BR (0x893F) encapsulation

DB2001
New Contributor

‎02-07-2021 02:51 PM

Recently we replaced our Enterasys S4 with a couple of X590 and associated V400 edge switches
We are now facing problems regarding mirroring the traffic of our VLANs and checking the results on our network analyzer where we also NEED to run tcpdump

Here is what I did step by step

Step 1
Let's say I want to monitor what happens on my VLAN 100 and send everything to my analyzer located on port 103:31: IMPORTANT! This analyzer MUST have an IP address in the same VLAN 100 in order to be accessible.
 

  • mirrored port is 1:1 on the X590
  • monitor port is 103:31 on a V400 (belonging to VLAN 100)


In order to keep VLAN 100 on the monitor port I found a solution using the remote-tag keyword (otherwise VLAN is removed)

create mirror "PUBLIC_MIRROR"
configure mirror PUBLIC_MIRROR to port 103:31 remote-tag 100
configure mirror PUBLIC_MIRROR add vlan Internet-V port 1:1 ingress   
enable mirror PUBLIC_MIRROR

This way everything works: my Analyzer with tcpdump can see the traffic of the mirrored port (which resides on X590)

Step 2
Now I want to add another port into the mirror, THIS TIME located on a V400, let's say 103:1
configure mirror PUBLIC_MIRROR add vlan Internet-V port 103:1 ingress   

Now tcpdump on the analyzer start seeing all traffic originated in 103:1 encapsulated with 802.1BR (0x893f), which it is not able to decode
I understand that the 802.1BR tagging is used to handle traffic between X590 and V400, but it makes the traffic in the mirror unreadable.

Step 3
Other tests
1) Connect the Network Analyzer on the X590 instead of V400. No change
2) Connect the Network Analyzer on a remote switch, using "Remote Mirroring" as described in EXOS User Guide, CLI Reference anche KB like
https://extremeportal.force.com/ExtrArticleDetail?an=000074211&q=how%20to%20configure%20remote%20mirror

No joy, the 802.1BR encapsulation is sent also to the remote switch


The problem
This is just to explain the concept: now imagine I have to monitor the whole VLAN 100 with 96 ports on the V400 switches: I'm not able to see anything.
I'm only able to decode traffic which originates on the X590 switches which is unaffected by 802.1BR  (that is all my trunks to remote switches)


How can I handle this situation?
Remember the fundamental facts
1) The analyzer MUST have an IP address on the monitored VLAN
2) TCPDUMP must be used


Thanks




 

0 Kudos
0 REPLIES 0
GTM-P2G8KFN