This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Port Mirroring Behaviour

Port Mirroring Behaviour

Ian_Broadway
New Contributor III

‎06-14-2016 11:24 AM

Hello, I'm trying to find an issue within my network. At random times during the day, port utilization spikes to 100%. I am trying to mirror a port that spikes so I can see what it is that it is receiving. When setting up the mirror these are the commands I use; Create mirror "Orsett" to port "38" configure mirror "Orsett" add port "7" enable mirror "Orsett" For some reason I am not only seeing the traffic associated with the port but also the traffic to which the port is a member of a vlan. When using wireshark I can see all traffic on the vlan associated with the port rather than just port traffic? This isnt helpful as I want to target the specific port rather than the VLAN? I dont specify the vlan in the mirroring config so why does it enable it by default?
0 Kudos
12 REPLIES 12

Henrique
Extreme Employee
In response to Ian_Broadway

‎06-14-2016 12:14 PM

If the port is tagged to multiple vlans, you will see traffic for that port regardless of vlan.

If you want to check traffic for an specific port and specific vlan (considering that port is tagged for multiple vlans) you should use the command below:

"configure mirror "Orsett" add port 7 vlan ".
    Virtual port - All traffic ingressing the switch on a specific VLAN and port combination is copied to the monitor port(s).
0 Kudos

Ian_Broadway
New Contributor III
In response to Ian_Broadway

‎06-14-2016 12:14 PM

hmm ok I understand it then to work the way you have specified and how we originally thought aswell. I'm sure though that we did see unicast flows from for other devices which is why I raised this issue.
0 Kudos

Chad_Smith1
Extreme Employee
In response to Ian_Broadway

‎06-14-2016 12:14 PM

Assuming there is only a single device and VLAN on that port, that is correct, but you would also see any broadcast and some multicast for that VLAN. If you see unicast traffic flows for other devices not connected to that port then that is likely unicast flooding and could indicate a problem.
0 Kudos

Chad_Smith1
Extreme Employee

‎06-14-2016 12:09 PM

Ian,

What exactly do you mean by "but also the traffic to which the port is a member of a vlan seeing all traffic on the VLAN"?

With your configuration you should only see traffic that is ingressing/egressing that port. So, you would see traffic destined to/from devices connected to that port plus broadcast and multicast for the VLAN. If you are seeing other traffic from the VLAN it could be possible that there is unicast flooding in the network. This could be the source of your high utilization that you are seeing.
0 Kudos

Ian_Broadway
New Contributor III

‎06-14-2016 12:06 PM

Hi, but that would still mirror all traffic on the vlan to the port? I dont want to be able to see traffic conversations from other devices, just the device associated with the port I am mirroring
0 Kudos
GTM-P2G8KFN