Port Mirroring

Table 1. Port Mirroring product support

Feature

Product

Release introduced

Ingress mirroring (port and flow-based)

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

Egress mirroring (port-based)

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

True egress port-based mirroring that produces an identical copy of an outgoing packet is not supported. The mirrored copy does not reflect changes that occur in the switch to the outgoing packet (for example, packet fields that are updated during IP routing). As a result, the mirrored copy is not identical to the outgoing packet.

Use the port mirroring feature to monitor and analyze network traffic. Port mirroring supports both ingress (incoming traffic) and egress (outgoing traffic) port mirroring. When you enable port mirroring, the system forwards ingress or egress packets normally from the mirrored (source) port, and sends a copy of the packet to the mirroring (destination) port.

Port Mirroring Overview

Port mirroring causes the switch to make a copy of a traffic flow and send the copy to a device for analysis. Use port mirroring in diagnostic sniffing—use the mirror to view the packets in the flow without breaking the physical connection to place a packet sniffer inline. You can also use mirroring for security reasons.

You can use egress mirroring to monitor packets as they leave specified ports. Egress mirroring on the switch is done at the end of the ingress pipeline. Since packet modifications occur in the egress pipeline, some of the changes will not be reflected in the mirrored version of the packet. Changes that occur in the egress pipeline may be reflected in the mirrored packed due to the metadata that is carried with the packet. Metadata notifies the egress pipeline what to change.

Use a network analyzer to observe and analyze packet traffic at the mirroring port. Unlike other methods that analyze packet traffic, the packet traffic is uninterrupted and packets flow normally through the mirrored port.

You can mirror to a port or list of ports or a MultiLink Trunking (MLT) group. The switch supports one-to-many, many-to-one, and many-to-many mirroring configurations.

Ingress and Egress Mirrored Ports

You can use all ports in the system to function as an ingress port for mirroring (mirrored port), an egress port for mirroring (mirrored port), or as a mirroring port (where all the mirrored traffic is redirected. The number of mirroring ports (also called destination ports) that you can configure is limited by the hardware. The hardware limitation is four ports simultaneously (where each mirroring direction counts as one). For example, if two mirroring ports are designated to mirror both ingress and egress traffic then all four mirroring ports are consumed.

The following table describes ingress mirroring functionality. Only one type of mirroring destination is supported at a time. You cannot mirror the same port to multiple classes of destinations, for example, MLT. However, you can mirror to multiple physical destinations.

Important

Important

Mirroring packets from one NNI port to another NNI port is not supported. Mirror to access ports, not NNI ports.

Table 2. Ingress mirroring functionality

Function

Support information

Ingress port mirroring and ingress flow mirroring

Supported. Maximum of four mirror-to-ports per box.

One port to one port

Supported

One to MLT group [for threat protection system (TPS applications)]

Supported

One to many (multicast group ID/VLAN)

Not supported

One to one (remote mirrored destination)

Not supported

Many to one (multiple mirrored ports to one mirroring port)

Supported

Many to MLT group

Supported

Many to many (VLAN/multicast group ID) (multiple ports with several different destinations)

Not supported

Many to one (relation between Remote Mirror Source [RMS] and Remote Mirror Termination [RMT])

Not supported

VLAN and port combination as a mirroring destination

Not supported

Ingress flow mirroring

Supported

Allow filters to specify a separate destination for each access control entry

Supported

The following table describes egress mirroring functionality.

Table 3. Egress mirroring functionality

Function

Support information

Egress port mirroring

Supported

One port to one port

Supported

One to MLT groups (for TPS applications)

Supported

One to many (multicast group ID/VLAN)

Not supported

Many to one (multiple mirrored ports to one mirroring port)

Supported

Many to MLT group

Supported

Many to many (multicast group ID) (multiple ports with several different destinations)

Supported

Many to one (relation between Remote Mirror Source [RMS] and Remote Mirror Termination [RMT])

Not supported

VLAN and port combination as mirroring destination

Not supported

Egress flow mirroring

Supported

Allow filter to specify a separate destination for each access control entry

Supported

Port Configuration

You can specify a destination multilink trunking (MLT) group, a destination port or set of ports.

There are two port mirroring modes: rx (ingress, that is, inPort) and tx (egress, that is, outPort). In rx mode, when you configure the ACE mirror or ACL global options to mirror packets, use the ACE to configure the mirroring destination port.

To modify a port mirroring instance, first disable the instance. Also, to change a port or MLT entry, first remove whichever parameter is attached to the entry, and then add the required entry.

ACLs, ACEs, and Port Mirroring

You can use filters to reduce the amount of mirrored traffic. You can configure the mirroring action globally in an access control list (ACL), or for a specific access control entry (ACE) by using the ACE mirror actions. If you use the global action, mirroring applies to all ACEs that match in an ACL.

To use filters with port mirroring, apply an ACL to the mirrored port in the egress and ingress directions. Traffic patterns that match the ACL or ACE with an action of permit are forwarded to the destination and also to the mirroring port. Traffic patterns that match an ACE with an action of drop (deny) are not forwarded to the destination, but still reach the mirroring port. For example, for an ACL or ACE with a match action of permit, packets are mirrored to the specified mirroring destination on the ACE. If you enable a port or VLAN filter, then that filter is the mirroring filter.

You can specify more than one mirroring destination by using multiple ACEs. Use each ACE to specify a different destination.

You can configure a port-based and a flow-based mirroring filter on the same port. If such a case occurs, then the flow-based mirror takes precedence.

For information about how to configure ACLs and ACEs for port mirroring using CLI, see the following sections:

For information about how to configure ACLs and ACEs for port mirroring using EDM, see the following sections: