mirroring unicast traffic in vLAN

Laurent_Rillet
New Contributor II
When I mirror several vLANs toward a port, I can see all broadcast traffic but no unicast traffic. It's a little bit as if the monitoring port had been included in the mirrored vLANs but no mirroring happens at all...
Is there some configuration I missed or some limitation here?

Here is the configuration used:

create mirror "VNF9"
configure mirror VNF9 to port 45
enable mirror VNF9
configure mirror VNF9 add vlan VNF09_IAC_R1 ingress
configure mirror VNF9 add vlan VNF09_MEDIA_R1 ingress
configure mirror VNF9 add vlan VNF09_MGMT_R1 ingress
configure mirror VNF9 add vlan VNF09_OM_CN_R1 ingress
configure mirror VNF9 add vlan VNF09_PRAN_R1 ingress
configure mirror VNF9 add vlan VNF09_SIGNALING_R1 ingress

configure vlan VNF09_IAC_R1 description "mbb_gwc01"
configure vlan VNF09_IAC_R1 tag 2094
create vlan "VNF09_MEDIA_R1"
configure vlan VNF09_MEDIA_R1 description "mbb_gwc01"
configure vlan VNF09_MEDIA_R1 tag 2092
create vlan "VNF09_MGMT_R1"
configure vlan VNF09_MGMT_R1 description "mbb_gwc01"
configure vlan VNF09_MGMT_R1 tag 2095
create vlan "VNF09_OM_CN_R1"
configure vlan VNF09_OM_CN_R1 description "mbb_gwc01"
configure vlan VNF09_OM_CN_R1 tag 2093
create vlan "VNF09_PRAN_R1"
configure vlan VNF09_PRAN_R1 description "mbb_gwc01"
configure vlan VNF09_PRAN_R1 tag 2090
create vlan "VNF09_SIGNALING_R1"
configure vlan VNF09_SIGNALING_R1 description "mbb_gwc01"
configure vlan VNF09_SIGNALING_R1 tag 2091
configure vlan VNF09_IAC_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_MEDIA_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_MGMT_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_OM_CN_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_PRAN_R1 add ports 2-8, 26-32, 48 tagged
configure vlan VNF09_SIGNALING_R1 add ports 2-8, 26-32, 48 tagged

And here is an extract of a capture while a ping is running on one of these vLANs (only broadcasts are caught):

17:29:17.846331 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 102: vlan 2092, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 1420, offset 0, flags [none], proto OSPF (89), length 84)
21.21.9.22 > 224.0.0.5: OSPFv2, LS-Update, length 64
Router-ID 1.1.1.6, Area 0.0.0.3, Authentication Type: none (0), 1 LSA
LSA #1
Advertising Router 21.21.10.17, seq 0x80000004, age 2s, length 16
External LSA (5), LSA-ID: 21.21.10.161
Options: [External, Demand Circuit]
Mask 255.255.255.255
topology default (0), type 2, metric 0
0x0000: ffff ffff 8000 0000 0000 0000 0000 0000
17:29:18.528759 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 102: vlan 2090, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 54743, offset 0, flags [none], proto OSPF (89), length 84)
21.21.9.6 > 224.0.0.5: OSPFv2, LS-Update, length 64
Router-ID 1.1.1.10, Area 0.0.0.1, Authentication Type: none (0), 1 LSA
LSA #1
Advertising Router 1.1.1.10, seq 0x8000032f, age 1s, length 16
External LSA (5), LSA-ID: 172.20.16.0
Options: [External, Demand Circuit]
Mask 255.255.255.0
topology default (0), type 1, metric 5, forward 21.21.20.1
0x0000: ffff ff00 0000 0005 1515 1401 0000 0000

Limiting the capture, we can see OSPF broadcast, ARP request (but no answers)...

17:34:10.455935 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 27526, offset 0, flags [none], proto OSPF (89), length 68)
17:34:10.552442 fa:16:3e:6c:1a:c3 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 59158, offset 0, flags [none], proto OSPF (89), length 68)
17:34:11.278041 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.46 (Broadcast) tell 21.21.9.46, length 46
17:34:11.278047 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.30 (Broadcast) tell 21.21.9.30, length 46
17:34:11.278126 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.41 (Broadcast) tell 21.21.9.46, length 46
17:34:11.278259 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2093, p 6, ethertype ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 21.21.9.25 (Broadcast) tell 21.21.9.30, length 46
17:34:11.571135 fa:16:3e:1b:ae:a4 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2092, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 22867, offset 0, flags [none], proto OSPF (89), length 68)
17:34:12.446747 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2094, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 44255, offset 0, flags [none], proto OSPF (89), length 68)
17:34:12.551103 fa:16:3e:e4:f4:d5 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2090, p 0, ethertype IPv4, (tos 0xc0, ttl 1, id 12804, offset 0, flags [none], proto OSPF (89), length 68)
...

Can you help, please?
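A way to quantify the symptom in the capture above, as an added example that is not part of the original post: the script reads `tcpdump -e` text output, classifies each 802.1Q frame by the group bit of its destination MAC, and lists the VLANs on which no unicast frame was seen. The sample lines are abridged from the capture in the question, except the last one, which is constructed to show what a unicast frame looks like; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Abridged lines in the shape of the capture above; the last line is a
# constructed unicast frame, included only to exercise the unicast branch.
SAMPLE = """\
17:34:10.455935 00:02:3b:10:12:8f > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2091, p 0, ethertype IPv4
17:34:11.278041 00:02:3b:10:12:8f > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 2095, p 6, ethertype ARP
17:34:11.571135 fa:16:3e:1b:ae:a4 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 86: vlan 2092, p 0, ethertype IPv4
17:34:12.600000 fa:16:3e:6c:1a:c3 > 00:02:3b:10:12:8f, ethertype 802.1Q (0x8100), length 102: vlan 2091, p 0, ethertype IPv4
"""

# Frame header line of `tcpdump -e` output for a tagged frame.
# Indented protocol detail lines do not start with a timestamp and are skipped.
FRAME = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ (\S+) > (\S+?), "
    r"ethertype 802\.1Q \(0x8100\), length \d+: vlan (\d+),"
)

def classify(dst):
    """Return 'broadcast', 'multicast' or 'unicast' for a destination MAC."""
    if dst.lower() in ("broadcast", "ff:ff:ff:ff:ff:ff"):
        return "broadcast"
    # I/G bit: least significant bit of the first octet set means group address.
    first_octet = int(dst.split(":")[0], 16)
    return "multicast" if first_octet & 1 else "unicast"

def tally(text):
    """Count frames per VLAN and destination class."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            counts[int(m.group(3))][classify(m.group(2))] += 1
    return counts

def vlans_without_unicast(counts):
    """VLANs where only broadcast/multicast frames reached the capture."""
    return sorted(v for v, c in counts.items() if c["unicast"] == 0)

if __name__ == "__main__":
    result = tally(SAMPLE)
    for vlan in sorted(result):
        print(vlan, dict(result[vlan]))
    print("no unicast seen on:", vlans_without_unicast(result))
```
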
7 REPLIES

simon_bingham
New Contributor II
Some NICs don't always go into promiscuous mode as commanded by the software (TCPDUMP or Wireshark); I have seen this with some USB NICs or in VMware environments.

simon_bingham
New Contributor II
Problem is, if you were to capture egress and ingress on every port in a VLAN, you would see every packet twice. I'm not sure if the Extreme captures traffic being routed internally on a VLAN (does that count as a port?); it would be good if someone here knew.

EtherMAN
Contributor III
Key to this is where your mirror port is in relation to where the source and destination are for the info you are trying to capture. Since you are only looking at ingress on all the VLANs, what type of traffic would be coming into the VLANs from the world? If you have both ingress and egress in your filter, then all traffic would be presented on the egress of your filter port and you should be able to see more than broadcast and multicast traffic. Even with just ingress as your filter, it should send all incoming frames from the provisioned ports to the egress of port 45 to be captured, so if this switch was sitting in the middle between source and destination you would see all traffic... If it is the router on one end, then maybe not unless you add the egress...