Extreme Networks

Article ID: 10518

Products
G-Series, firmware 1.02.00.0043 and higher
C5-Series, all firmware
C3-Series, firmware 1.01.06.0007 and higher
B5-Series, all firmware
B3-Series, firmware 1.01.06.0007 and higher

Solution
Remote Port Mirroring is an extension to port mirroring (5595).
This feature is described in release notes as simply "".

Remote Port Mirroring facilitates simultaneous mirroring of multiple source ports on multiple switches, with each such switch feeding the traffic (now tagged as being associated with a single configured Mirror VLAN) to a single monitor port.

From there a Mirroring-capable switch may consolidate many such streams to a mirror monitor port, from which it is transmitted (as configured) either tagged or untagged.

Functionally, here is the sequence of events:
Phase I. Configure one or more G/C/B-Series switches to each write mirrored traffic into a "Mirror VLAN" via a dedicated-purpose monitor port, for propagation to a "consolidation switch".

1. Create the special-purpose Mirror VLAN:

   set vlan create

   <

   mirror VLAN ID

   >
2. Identify the special-purpose Mirror VLAN ID (see the Notes section, below):

   set mirror vlan

   <

   mirror VLAN ID

   >
3. Set up an otherwise conventional port mirror of up to eight non-LAGged source ports and one non-LAGged destination/monitor port, per stack:

   set port mirroring create

   <

   source port a

   > <

   monitor port to consolidator

   >

   set port mirroring create

   <

   source port b

   > <

   same monitor port

   >

   set port mirroring create

   <

   source port c

   > <

   same monitor port

   >

   set port mirroring create

   <

   source port d

   > <

   same monitor port

   >

   set port mirroring create

   <

   source port e

   > <

   same monitor port

   >

   set port mirroring create

   <

   source port f

   > <

   same monitor port

   >

   set port mirroring create

   <

   source port g

   > <

   same monitor port

   >

   set port mirroring create

   <

   source port h

   > <

   same monitor port

   >
4. Explicitly set tagged egress of the Mirror VLAN from the monitor port:

   set vlan egress

   <

   mirror VLAN ID

   > <

   same monitor port

   >

   tagged

5. Prevent the possibility of switched traffic egress from the monitor port:

   clear vlan egress

   <

   any other egressing VLANs

   > <

   same monitor port

   >
6. Prevent the possibility of (untagged) switched traffic ingress via the monitor port:

   set port ingress-filter

   <

   same monitor port

   >

   enable

The collective purpose of extra steps I.1-I.2 and I.4 is so that the mirrored traffic may be readily identified, downstream, as belonging to the Mirror VLAN. It is otherwise possible that the mirrored traffic would consist of a combination of untagged traffic and traffic tagged of a variety of VLANs, and would thus more readily (and undesirably) blend in with switched traffic. The original VLAN membership of mirrored traffic is lost while the 'set mirror vlan' command is active.
The collective purpose of extra steps I.5-I.6 is so that the monitor port will function only to egress mirrored traffic. More about this in the Notes section, below.
Phase II. Configure one or more downstream S/N/K-Series systems to consolidate the mirrored VLAN traffic by "re-Mirroring" it, this time using a VLAN mirror (5398) to ingress the Mirror VLAN traffic (from multiple source ports, each attached to an upstream G/C/B-Series monitor port) and egress it to a monitor port. It is thus possible to funnel traffic from many G/C/B-Series ports to a single remote monitor port for sniffer or other analysis.

1. Create a VLAN MIB-2 interface to use for the SMON mib:

   set vlan interface

   <

   mirror VLAN ID

   >

   create

2. Create the port (now, effectively VLAN) mirror:

   set port mirror create vtap.0.

   <

   mirror VLAN ID

   > <

   monitor port

   >

   rx

3. Send out the mirrored traffic to a monitor (or recorder, or sniffer, etc) port, optionally tagged or untagged:

   set vlan egress

   <

   mirror VLAN ID

   > <

   same monitor port

   >

   tagged

4. Prevent the possibility of switched traffic egress from the monitor port:

   clear vlan egress

   <

   any other egressing VLANs

   > <

   same monitor port

   >
5. Prevent the possibility of (untagged) switched traffic ingress via the source port(s):

   set port ingress-filter

   <

   source port

   >

   enable

6. Prevent the possibility of switched traffic egress from the source port(s):

   clear vlan egress

   <

   all egressing VLANs

   > <

   source port

   >
7. Drop Mirror VLAN traffic from the learning/switching/routing process, after mirroring it:

   set policy profile 86 name "Drop Mirror VLAN"

   set policy rule 86 vlantag

   <

   mirror VLAN ID

   >

   drop

   set policy port

   <

   source port

   >

   86

8. Never include GVRP Dynamic VLAN Egress for the Mirror VLAN:

   set gvrp vlan

   <

   mirror VLAN ID

   >

   restricted enable

9. Disable these protocols only if this port(s) is not also switching/routing:

   set port lacp port

   <

   source port

   >

   disable

   set spantree portadmin

   <

   source port

   >

   disable

All of this is Functions as Designed (FAD).
Notes:

• This feature scales relatively well. However it is helpful to ensure that the available port bandwidth won't be overrun. The mirror VLAN must first be created ('

  set vlan create...

  ') and then instantiated ('

  set mirror vlan...

  ') before the port mirror operation is created/enabled ('

  set port mirroring create...

  '). Release notes state, in the 'Known Restrictions and Limitations / Known Issues' section:

  VLAN marking of mirrored traffic - Edge only

  Traffic mirrored to a VLAN may contain protocol control traffic, which may be interpreted by a downstream neighbor as legal control frames. Users should disable any protocols (e.g. Spanning Tree) on ISLs that might be affected by this.

  This is true, and is accommodated in steps II.8-II.9. Release notes state, in the 'Known Restrictions and Limitations / Known Issues' section:

  VLAN marking of mirrored traffic - Edge only

  MAC addresses will be learned for packets tagged with the mirror VLAN ID. This will prevent the ability to snoop traffic across multiple hops.

  This is true, and is a key (but not the only) reason why a G/C/B-Series cannot readily be used as a "consolidation switch". The Configuration Guide - at least as of March 2013 - overstates the capabilities of Remote Port Mirroring, concluding with this bullet item:

  With the introduction of remote port mirroring; on switches where the mirror VLAN has been configured, any traffic on that VLAN will be flooded on the VLAN. It will never be unicast, even if the source address of the traffic has been learned on the switch.

  This is untrue, conflicting with the Release Notes item cited above. The functional description is expected to be reworded to better reflect feature operation, though no specific release date for that change has been announced. The Configuration Guide states, in the Remote Port Mirroring section:

  With the introduction of remote port mirroring; configured mirror destination ports will NOT lose their switching or routing properties.

  This is true. With the I/G/D/C/B/A-Series products, typically a mirror monitor port loses its switching and routing properties, making the traffic flow on the monitor port egress-only, so it cannot be simultaneously used to propagate (unmirrored) switched/routed traffic. That is not the case while the '

  set mirror VLAN...

  ' command is active. Though a potentially very useful behavior (for example, facilitating remote operation of a network sniffer), for simplicity of explanation in this document it is specifically suppressed (steps I.5-I.6).

For further background, please refer to the Configuration Guide specific to your product.