Fabric RSPAN (Mirror to I-SID)

Table 1. Fabric RSPAN product support
Feature	Product	Release introduced
Fabric RSPAN (Mirror to I-SID)	5320 Series	Fabric Engine 8.6
	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.2.5

Remote mirroring is an important functionality that helps in:

Intrusion Detection or Intrusion Prevention Systems
Network Port debugging and packet capture
Mirror and Monitor traffic to central collector or analyzers
Mirror and Monitor traffic to distributed collectors or analyzers

With the Fabric RSPAN (Mirror to I-SID) feature, mirrored traffic captured from any switch in the network is sent to a remote switch over an SPB cloud for traffic analysis. With this feature, you can monitor traffic on ports from different switches connected in the network, using just one network analyzer connected to a remote switch which acts as a collector. The source device where the traffic is mirrored to an I-SID, is known as Mirroring BEB (Backbone Edge Bridge), and the remote device where the traffic analyzer is connected for mirrored traffic analysis is known as Monitoring BEB.

The traffic source on the mirroring BEB is supported in the following ways:

Port based mirroring — Any packet incoming or outgoing through a port is mirrored to a monitoring I-SID configured for that port.
Flow based mirroring — Any particular packet flow configured in the system using filter based ACLs is mirrored to a monitoring I-SID configured for that flow.

Fabric RSPAN (Mirror to I-SID) Restrictions and Requirements

Remote mirroring of traffic is not supported on NNI ports or Fabric Extend Layer 2 core ports.
Mirroring resources will be shared between Fabric RSPAN and regular port mirroring. Fabric RSPAN uses one out of four resources for mirroring if the mode is configured as Rx (Ingress) mirroring. In case of mode Tx (Egress) mirroring, it uses one more entry with same TX-LB port. Hence if mode Rx and Tx are configured for Fabric RSPAN, then only two unique destination ports can be used for regular port mirroring. For example, if you configure Fabric RSPAN on the switch, the regular port mirroring functionality can use only three unique destination ports. And, if all the four unique ports are used by the port mirroring functionality, you cannot configure Fabric RSPAN functionality on that node.
When the monitor I-SID used for mirroring Fabric RSPAN traffic ingressing to I-SID is used to mirror regular traffic into SPB network, it will remove the customer tag in the mirrored packets. Hence, as a best practice, use different monitor I-SIDs for mirroring regular traffic and Fabric RSPAN traffic.
Monitoring egress-ports and egress-mlt will not support regular production network traffic.
The QoS value must be same for all mirror entries having common monitor I-SID, as the BMAC QoS is mapped to a monitor I-SID. QoS value configured for a specific monitor I-SID offset overrides the existing value for all mirroring entries sharing the same monitor I-SID.
Do not configure the source of mirrored traffic (mirroring to an I-SID) and the analyzer (monitoring an I-SID) on the same local device with the same I-SID offset. If you require mirroring and monitoring on the same local device, use standard port-based mirroring instead of Fabric RSPAN. Fabric RSPAN mirrors traffic into an I-SID of the SPB Fabric network and monitors traffic on the remote device; the network analyzer resides on the remote monitoring device and not on the same local device.
Egress flow-based I-SID mirroring is not supported.
5520 Series does not support the following combinations for I-SID mirroring:
- Deny option for Filter ACL with monitor-isid-offset for Inport/Invlan/InVSN
- Redirect-Next-Hop along with monitor-isid-offset when monitor-isid-offset is greater than 1
- Remove Tag option along with monitor-isid-offset