Configuring Remote Port Mirroring


Configuring VLAN-based Remote Port Mirroring


Remote port mirroring copies traffic between different switches and the mirrored traffic is carried over a specified VLAN. This functionality is also known as RSPAN.


Take for example, the topology below:

Figure 11-5: VLAN-based Remote Port Mirroring Topology


To configure remote port mirroring over a VLAN, you must first create a mirror instance on the source switch (switch1). You must also specify over-vlan as encapsulation scheme. For example:


CLI (network-admin@switch1) > mirror-create name mirror33 direction ingress in-port 81 out-port 86 other-egress-out allow span-encap over-vlan span-tagging-vlan 200


Use the mirror-show command to view the configuration:


CLI (network-admin@switch1) > mirror-show

name:              mirror33

direction:         ingress

out-port:          86

in-port:           81

filtering:         port

enable:            yes

other-egress-out:  allow

span-encap:        over-vlan

span-tagging-vlan: 200

nvie-mirror:       false  

 

This command tags all ingress packets on port 81 with VLAN 200 and these packets are sent out on port 86. If VLAN 200 is not configured on switch2, the packets are dropped at port 3. Thus, VLAN 200 must be configured on port 3 and port 10 of switch2.


CLI (network-admin@switch2) > vlan-create id 200 scope local ports 3,10


The alternate method is to configure a mirror on switch2 with a VLAN 200 tagging.


For example: 


CLI (network-admin@switch2) > mirror-create name mirror35 in-port 3 out-port 10 span-encap over-vlan span-tagging-vlan 200


Use the mirror-show command to view the configuration:


CLI (network-admin@switch2) > mirror-show

name:              mirror35

direction:         ingress

out-port:          10

in-port:           3

filtering:         port

enable:            yes

other-egress-out:  prevent

span-encap:        over-vlan

span-tagging-vlan: 200

nvie-mirror:       false


With this configuration, the mirrored packets can be analyzed at port 10 of switch2 by using a packet analyzer tool.


Note: If the path for the mirrored packets to reach the destination include multiple switches, the SPAN tagging VLAN must be configured on all the intermediate switches.


Configuring IP-based Remote Port Mirroring


Remote port mirroring can be configured to send packets to a destination reachable over Layer 3. This is achieved by encapsulating mirrored packets with an L3 header so that the packets can be routed. This functionality is also known as ERSPAN.


Consider for example, the topology below:

Figure 11-6 - IP-based Remote Port Mirroring Topology


To create a mirror over IP configuration, you must specify over-ip as encapsulation scheme.


For example:


CLI (network-admin@switch1) > mirror-create name mirror37 in-port 1 out-port 8 span-encap over-ip span-local-ip 1.1.1.1 span-remote-ip 2.2.2.2 span-src-mac 33:44:55:66:77:88 span-dst-mac 99:aa:bb:cc:dd:ee other-egress-out allow


To view the configuration, use the mirror-show command:


CLI (network-admin@switch1) > mirror-show layout vertical

switch:            switch1

name:              mirror37

direction:         ingress

out-port:          8

in-port:           1

filtering:         port

enable:            yes

other-egress-out:  allow

span-encap:        over-ip

span-local-ip:     1.1.1.1

span-remote-ip:    2.2.2.2

span-src-mac:      33:44:55:66:77:88

span-dst-mac:      99:aa:bb:cc:dd:ee

span-tos:          0

nvie-mirror:       false


Note that the IP-based configuration has local and remote IP addresses and MAC addresses explicitly specified. VLAN tagging and ToS setting are optional parameters.


  • span-local-ip and span-src-mac can be specified as the router IP and MAC addresses of the local switch on which the mirror is created. 
  • span-remote-ip must be the IP address of the packet analyzer tool.
  • span-dst-mac must be the next-hop MAC address.
  • other-egress-out allow must be configured as the L3 protocol fails to come up otherwise.
  • out-port must be the egress port to reach the next-hop IP address.


Note: The local router should have a route to reach the packet analyzer's IP address.


north
    keyboard_arrow_up
    keyboard_arrow_down
    description
    print
    feedback
    support
    business
    rss_feed
    south