Mirroring is a function on existing Extreme Networks switches that allows copies of packets to be replicated to additional ports without affecting the normal switching functionality. The mirrored data actually occupies fabric bandwidth, so it is very likely that normal forwarding and mirroring cannot both be done at line rate. In the most general terms, traffic ingressing and/or egressing an interface is mirrored. For ports, traffic ingressing and/or egressing a port can be mirrored (refer to the configure mirror add command). For VLANs and virtual ports, only traffic ingressing these interfaces are mirroring.
One of the common uses of the mirroring functionality is packet capture; for example sending copies of all packets that arrive on port P, vlan V, to a monitor port Q. Previous implementations of mirroring were limited to a single instance, where only one destination port (or port list) was allowed to be configured in the system. That implementation was also limited to 128 total sources of this traffic (also referred to as filters). Only VLAN and VLAN/port “filters” are currently implemented as filters.
ExtremeXOS supports Multi Instanced Mirroring that expands the number of destinations allowed to match the hardware capabilities. (Current hardware allows for up to 4 ingress mirroring instances and two egress mirroring instances.) A mirroring instance consists of a unique destination port, or port list, and the source filters associated with it. Our current implementation allows for 128 per instance.
NoteYou can have a maximum of 16 mirroring instances in the switch (including the default mirroring instance) but only 4 can be active at a time as explained below:
- Four (4) ingress
- Three (3) ingress and one (1) egress
- Two (2) ingress and two (2) egress
- 2 (ingress + egress)
- 1 (ingress + egress) + 2 ingress
- 1 (ingress + egress) + 1 egress + 1 ingress
NoteYou can accomplish port mirroring using ACLs, or CLEAR-Flow. See ACLs and CLEAR-Flow for more information.
A virtual port is a combination of a VLAN and a port. The monitor port or ports can then be connected to a network analyzer or RMON probe for packet analysis. The system uses a traffic filter that copies a group of traffic to the monitor port(s). You can have only one monitor port or port list on the switch. This feature allows you to mirror multiple ports or VLANs to a monitor port, while preserving the ability of a single protocol analyzer to track and differentiate traffic within a broadcast domain (VLAN) and across broadcast domains (for example, across VLANs when routing).
NoteThe mirroring filter limits discussed later do not apply when you are using ACLs or CLEAR-Flow.
Up to 128 mirroring filters can be configured across all active mirroring instances.
ExtremeXOS can also enables hardware mirroring of Ethernet frames to a specified remote IPv4 address, which can reside zero or more router hops away. This is useful for ExtremeAnalytics, Application Telementry, or other forms of remote network analysis or monitoring.
ExtremeXOS has enhanced mirroring to support IPFIX flows to be mirrored as well. This is done by using the mirroring capabilities in ExtremeXOS along with IPFIX to provide additional information about flows to our Application Analytics appliance (previously known as Purview). As mentioned earlier, ExtremeXOS can collect statistics about flows that are recognized based on configured flow keys. However ExtremeXOS cannot inspect packets deeper than the L4 (TCP) level. Mirroring this traffic to the Application Analytics appliance allows for deep packet inspection beyond L4 when provided a copy of the packet payload. This enhancement provides the ability to mirror the first 15 packets of any flow to a port where Application Analytics can receive copies for deep packet inspection. As with mirroring, this allows you to configure multiple mirroring instances.
Tagging of Mirrored packets
The following conditions describe tagging of mirrored packets:
- Untagged ingress mirrored traffic egresses the monitor port(s) untagged. Tagged ingress mirrored traffic egresses the monitor port tagged.
- Egress mirrored traffic always egresses the monitor port tagged.
- On ExtremeSwitching series switches, all traffic ingressing the monitor port or ports is tagged only if the ingress packet is tagged. If the packet arrives at the ingress port as untagged, the packet egresses the monitor port or ports as untagged.