How to Use Port Mirroring in Your Network

Port mirroring, also known as port redirect, is a network traffic monitoring method. It forwards a copy of each received or transmitted frame (or both) from one or more switch ports (source ports) to another port or ports (destination ports) where the data can be studied. Once the bit stream from one or more source ports is mirrored to one or more destination ports, on an S- and K-Series device you can further analyze the captured data using an RMON probe, a network sniffer, or an Intrusion Detection System (IDS), without affecting the original port's normal switch operation. You can also mirror, to a policy mirror destination, specific received traffic types for source ports associated with a policy. On a 7100-Series device, once the bit stream from one or more source ports is mirrored to one or more destination ports, you can further analyze the captured data using an RMON probe or a network sniffer without affecting the original port's normal switch operation.

Port mirroring is an integrated diagnostic tool for tracking network performance and security that is especially useful for fending off network intrusion and attacks. It is a low-cost alternative to network taps and other solutions that may require additional hardware, may disrupt normal network operation, may affect client applications, and may even introduce a new point of failure into your network. Port mirroring scales better than some alternatives and is easier to monitor. It is convenient to use in networks where ports are scarce.

The S- and K-Series platforms support enhanced port mirroring. Enhanced port mirroring provides the following benefits that non-enhanced port mirrors do not:

Enhanced mode is enabled by default on the K-Series and is disabled by default on the S-Series. A maximum of 4 ports can be enabled for enhanced port mirroring on the S-Series.

The S- and K-Series devices support port mirroring for Outbound Rate Limited (ORL) frames.

On the 7100-Series device, mirroring egress traffic results in the mirrored traffic always having an 802.1Q VLAN tag. The VLAN and priority values are those that were used for transmission of the original packet.
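Because egress-mirrored frames on the 7100-Series always arrive at the destination port with an 802.1Q tag, a sniffer or IDS fed from that port has to read past the tag to reach the real EtherType and payload, while ingress-mirrored frames from an access port may still be untagged. The parser below is an added example, not code from the original page or from the switch vendor; the sample frames are constructed inline and the builder, field names and the `vlan_breakdown` helper are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
@dataclass
class MirroredFrame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: Optional[int]  # 3-bit PCP from the tag, None if untagged
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes

def parse_mirrored_frame(frame: bytes) -> MirroredFrame:
    """Parse one frame captured on a mirror destination port. Egress mirrors on the
    7100-Series always carry an 802.1Q tag with the VLAN/priority used for transmission;
    untagged frames (e.g. an ingress mirror of an access port) get vlan_id/priority None."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id, priority = 14, None, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        priority, vlan_id = tci >> 13, tci & 0x0FFF  # PCP and 12-bit VID
        ethertype = struct.unpack("!H", frame[16:18])[0]  # real EtherType follows the tag
        offset = 18
    return MirroredFrame(mac(frame[0:6]), mac(frame[6:12]), vlan_id, priority, ethertype, frame[offset:])

def vlan_breakdown(frames):
    """Per-VLAN frame counts for a capture; untagged frames are keyed 'untagged'."""
    counts = {}
    for raw in frames:
        vid = parse_mirrored_frame(raw).vlan_id
        key = "untagged" if vid is None else vid
        counts[key] = counts.get(key, 0) + 1
    return counts

def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Constructed sample builder (not switch output) so the example runs offline."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (priority << 13) | (vlan_id & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed samples: an egress-mirrored IPv4 frame (VLAN 100, priority 5) and an untagged ARP frame
TAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"\x45" + b"\x00" * 19, 100, 5)
UNTAGGED = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0806, b"\x00" * 28)
```

Feeding a capture from the mirror port through `vlan_breakdown` shows at a glance which VLANs the mirrored egress traffic belonged to, which is useful when a single destination port aggregates several sources.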

You can set up the following types of port mirroring relationships on received or transmitted traffic (or both):

The S- and K-Series platforms support policy mirroring. Policy mirroring allows for the same mirror relationships, though policy mirroring applies only to received traffic.

Depending on your network, ports that you can configure to participate in mirroring include physical and host ports on all platforms; virtual ports, including Link Aggregation Group (LAG) ports, on the S- and K-Series platforms; VLAN interfaces on all platforms; and intrusion detection ports that are members of a LAG on the S- and K-Series platforms. For more information, refer to Overview of Port Mirroring Configurations.

You can use port mirroring for analyzing bi-directional traffic and ensuring connectivity between, for example, a departmental switch and its high-speed uplink to your backbone switch, as shown in the following figure.

Figure: Using Port Mirroring to Monitor a Departmental Switch

This one-to-one configuration would allow you to capture traffic in both directions to the backbone uplink port. In this example, you would set a port mirror between departmental switch port 4.1 (source) and the destination port 4.2 connected to the traffic probe.

You can also use port mirroring, for example, to monitor all received traffic or a specific type of received traffic to your backbone switch as shown in the following figure.

Figure: Using Port Mirroring to Monitor Incoming Traffic to a Backbone Switch

The many-to-one configuration in this example would be possible by setting a port mirror on the backbone between source ports 1.2, 2.2 and 2.1 and destination port 1.1. On the S- and K-Series platforms you can monitor a specific type of received traffic (for example, Web traffic on TCP port 80) on the source ports by associating the source ports with a policy for that traffic type and associating that policy with a policy mirror destination (the destination port). Destination ports can be physical ports or LAGs.

S- and K-Series Support

The Standalone device and S-Series modules support 15 port mirrors. The K-Series module supports 4 port mirrors. These mirrors can be a mixed variety of port, VLAN, and IDS combinations. Any or all mirrors can be configured in a many-to-one mirroring configuration (that is, many sources mirrored to one destination). The LAG that is the destination of an IDS mirror can consist of up to 10 ports.

Note

Standalone devices and S-Series modules that are part of a Virtual Switch Bond (VSB) system support:
  • 5 port-mirrors
  • 0 IDS mirrors

Examples of port mirroring combinations on an S-Series module include:

  • 15 port mirrors
  • 15 VLAN mirrors
  • 8 port and 7 VLAN mirrors
  • 12 port and 3 VLAN mirrors
  • 14 port and 1 IDS mirror (where the device mirrors to 10 ports)
  • 14 VLAN and 1 IDS mirror (where the device mirrors to 10 ports)

7100-Series Support

The 7100-Series platform supports a maximum of two unique destinations in the following configurations:

  • Up to two one-to-one mirrors
  • Up to two many-to-one mirrors
  • One one-to-two mirror

The 7100-Series supports up to 2 destination ports in the one-to-many case. Mirror destinations can be physical ports or LAGs, including ones on other switches in the same stack. Mirror destinations cannot be VLANs.

There is no limit on the number of source ports the 7100-Series supports in the many-to-one case. For the port mirror case, the source port(s) can be a physical port or a VLAN. LAG ports cannot be used as the source port for a mirror on the 7100-Series.

On the 7100-Series, the port and VLAN mirror function does not mirror error frames.