Mirroring

Mirroring is a function on existing Extreme Networks switches that allows copies of packets to be replicated to additional ports without affecting the normal switching functionality. The mirrored data actually occupies fabric bandwidth, so it is very likely that normal forwarding and mirroring cannot both be done at line rate. In the most general terms, traffic ingressing and/or egressing an interface is mirrored. For ports, traffic ingressing and/or egressing a port can be mirrored (refer to the configure mirror add command). For VLANs and virtual ports, only traffic ingressing these interfaces is mirrored.

One of the common uses of the mirroring functionality is packet capture; for example, sending copies of all packets that arrive on port P, VLAN V, to a monitor port Q. Previous implementations of mirroring were limited to a single instance, where only one destination port (or port list) was allowed to be configured in the system. That implementation was also limited to 128 total sources of this traffic (also referred to as filters). Only VLAN and VLAN/port “filters” are currently implemented as filters.

ExtremeXOS 15.3 and above support Multi Instanced Mirroring, which expands the number of destinations allowed to match the hardware capabilities (current hardware allows for up to 4 ingress mirroring instances and two egress mirroring instances). A mirroring instance consists of a unique destination port, or port list, and the source filters associated with it. While the previous implementation allowed for sixteen sources, our current implementation allows for 128 per instance.

ExtremeXOS 16.2 enhances mirroring so that IPFIX flows can be mirrored as well. This is done by using the mirroring capabilities in ExtremeXOS along with IPFIX to provide additional information about flows that can be analyzed with our Extreme Application Analytics application. As mentioned earlier, IPFIX can collect statistics about flows that are recognized based on configured flow keys. However, IPFIX cannot inspect packets deeper than the L4 (TCP) level, because the deepest configurable flow keys are the L4 source and destination ports. Extreme Application Analytics, however, can do deep packet inspection beyond L4 if it is provided a copy of the packet payload. This enhancement provides the ability to mirror the first 15 packets of any IPFIX flow to a port where Extreme Application Analytics can receive a copy of the packet for deep packet inspection. As with mirroring, this allows you to configure multiple mirroring instances. This feature is supported on Summit X460 and X460-G2, and BlackDiamond X8 (40G12X-XL, 100G4X-XL, and 100G4X).

Note

You can have a maximum of 16 mirroring instances in the switch (including default mirroring instance) but only 4 can be active at a time as explained below:
  • Four (4) ingress
  • Three (3) ingress and one (1) egress
  • Two (2) ingress and two (2) egress
The maximum possible combinations for mirroring instances include:
  • 2 (ingress + egress)
  • 1 (ingress + egress) + 2 ingress
  • 1 (ingress + egress) + 1 egress + 1 ingress
In general, there are four hardware resource slots. Each single instance uses one slot, while one (ingress + egress) instance uses two slots. So, you can use a total of four slots, but there can be no more than two egress instances.
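
The slot rule in this note can be checked against a planned set of mirroring instances before anything is configured on the switch. The following Python check is an added example, not Extreme Networks code; the `Instance` class, the `check_plan` function and the sample instance names are hypothetical, and the filter limit used is the "128 across all active mirroring instances" figure stated on this page.

```python
from dataclasses import dataclass

# Limits as stated on this page.
MAX_CONFIGURED = 16  # instances on the switch, default instance included
MAX_SLOTS = 4        # hardware resource slots for active instances
MAX_EGRESS = 2       # active instances that mirror egress traffic
MAX_FILTERS = 128    # filters across all active instances

DIRECTIONS = ("ingress", "egress", "both")  # "both" = (ingress + egress)


@dataclass
class Instance:
    name: str            # hypothetical label, not a switch identifier
    direction: str
    filters: int = 0
    active: bool = True


def check_plan(instances):
    """Return a list of violated limits; an empty list means the plan fits."""
    for inst in instances:
        if inst.direction not in DIRECTIONS:
            raise ValueError(f"{inst.name}: unknown direction {inst.direction!r}")
    active = [i for i in instances if i.active]
    # A single-direction instance takes one slot, (ingress + egress) takes two.
    slots = sum(2 if i.direction == "both" else 1 for i in active)
    egress = sum(i.direction in ("egress", "both") for i in active)
    filters = sum(i.filters for i in active)
    problems = []
    if len(instances) > MAX_CONFIGURED:
        problems.append(f"configured: {len(instances)} > {MAX_CONFIGURED}")
    if slots > MAX_SLOTS:
        problems.append(f"slots: {slots} > {MAX_SLOTS}")
    if egress > MAX_EGRESS:
        problems.append(f"egress: {egress} > {MAX_EGRESS}")
    if filters > MAX_FILTERS:
        problems.append(f"filters: {filters} > {MAX_FILTERS}")
    return problems


if __name__ == "__main__":
    # Constructed plan: one bidirectional tap, one ingress tap, two egress taps.
    plan = [Instance("ids-tap", "both", 40), Instance("voip", "ingress", 60),
            Instance("wan-out", "egress", 30), Instance("lab", "egress", 5)]
    for problem in check_plan(plan) or ["plan fits"]:
        print(problem)
```
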
Note

You can accomplish port mirroring using ACLs or CLEAR-Flow. See ACLs and CLEAR-Flow for more information.

A virtual port is a combination of a VLAN and a port. The monitor port or ports can then be connected to a network analyzer or RMON probe for packet analysis. The system uses a traffic filter that copies a group of traffic to the monitor port(s). You can have only one monitor port or port list on the switch. This feature allows you to mirror multiple ports or VLANs to a monitor port, while preserving the ability of a single protocol analyzer to track and differentiate traffic within a broadcast domain (VLAN) and across broadcast domains (for example, across VLANs when routing).

Note

The mirroring filter limits discussed later do not apply when you are using ACLs or CLEAR-Flow.

Up to 128 mirroring filters can be configured across all active mirroring instances.

Tagging of Mirrored packets

The following conditions describe tagging of mirrored packets:

  • Untagged ingress mirrored traffic egresses the monitor port(s) untagged. Tagged ingress mirrored traffic egresses the monitor port tagged.
  • Egress mirrored traffic always egresses the monitor port tagged.
  • On Summit family switches, all traffic ingressing the monitor port or ports is tagged only if the ingress packet is tagged. If the packet arrives at the ingress port as untagged, the packet egresses the monitor port or ports as untagged.