Traffic Mirroring Configuration
This chapter contains sample configurations for the local and remote Switched Port Analyzer features.
SPAN Overview
Switched Port Analyzer (SPAN) refers to selecting network traffic for analysis by a network analyzer. The SPAN feature was introduced on switches because a switch forwards traffic destined for a MAC address directly to the corresponding port, leaving no scope to analyze that traffic.
SPAN monitors the traffic on a source port and sends a copy of the traffic to a destination port. The network analyzer, which is attached to the destination port, analyzes the received traffic. The source can be a single port or multiple ports; a replica of each packet is sent to the destination port for analysis.
SPAN was originally referred to as port mirroring or port monitoring, where all the network traffic on the source port is mirrored to the destination port. Port mirroring has three subdivisions.
Ingress mirroring: Traffic received on the source port is monitored.
Egress mirroring: Traffic transmitted from the source port is monitored.
Ingress and egress mirroring: Both received and transmitted traffic on the source port is monitored.
With enhancements to SPAN, mirroring can be classified into three categories.
Port Mirroring
In port mirroring, the source is a port, which can be a physical interface or a port channel. All the traffic on the source port is mirrored to the destination port. Traffic received on the source port, traffic transmitted from the source port, or both can be monitored.
Note: If a monitor session is configured with two or more source interfaces in the egress direction (tx), the destination mirror port receives only one copy of each non-unicast packet.
Also, the mirrored packet carries the default TPID of the mirror destination port, i.e. 0x8100.
VLAN Mirroring
In VLAN mirroring, the source is a VLAN identifier, and traffic received on all ports whose VLAN identifier matches the source VLAN identifier is mirrored to the destination port.
Rule Based Mirroring
In rule based mirroring, a set of matching criteria is applied to the ingress traffic, such as matching destination MAC address, matching frame type, and so on. Traffic matching the rules is mirrored to the destination port.
Topology
SPAN Topology
Port Mirroring Configuration
This example shows detailed configuration of port mirroring.
#configure terminal
Enter configure mode.
(config)# bridge 1 protocol mstp
Configure bridge 1 as MSTP bridge.
(config)# vlan 101-110 bridge 1 state enable
Configure VLANs.
(config)#interface xe10
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe20
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe5
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)#exit
Exit interface mode.
(config)# monitor session 1
Enter monitor session configuration mode.
(config-monitor)# destination interface xe5
Configure the interface as destination port.
(config-monitor)# source interface xe10 both
Configure the source interface to mirror ingress as well as egress direction traffic.
(config-monitor)# no shut
Activate monitor session.
(config-monitor)#end
Exit monitor session configuration mode.
Validation
Enter the commands below to confirm the configuration.
#show running-config monitor
!
monitor session 1
source interface xe10 both
destination interface xe5
no shut
 
#show monitor session all
session 1
---------------
type : local
state : up
source intf :
tx : xe10
rx : xe10
both : xe10
source VLANs :
rx :
destination ports : xe5
filter count :
 
Legend: f = forwarding enabled, l = learning enabled
 
If a monitor session is configured with two source interfaces in the egress direction (tx), the destination port receives only one copy of the egressed packet. The configuration below demonstrates this.
#configure terminal
Enter configure mode.
(config)# bridge 1 protocol mstp
Configure bridge 1 as MSTP bridge.
(config)# vlan 101-110 bridge 1 state enable
Configure VLANs.
(config)#interface xe10
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe20
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe30
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe5
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)#exit
Exit interface mode.
(config)# monitor session 1
Enter monitor session configuration mode.
(config-monitor)# destination interface xe5
Configure the interface as destination port.
(config-monitor)# source interface xe10 tx
Configure the source interface to mirror egress direction traffic.
(config-monitor)# source interface xe30 tx
Configure the source interface to mirror egress direction traffic.
(config-monitor)# no shut
Activate monitor session.
(config-monitor)#end
Exit monitor session configuration mode.
Validation
#show running-config monitor
!
monitor session 1
source interface xe10 tx
source interface xe30 tx
destination interface xe5
no shut
 
#show monitor session all
session 1
---------------
Type : local
State : up
source intf :
tx : xe10 xe30
rx :
both :
source VLANs :
rx :
destination ports : xe5
filter count :
Legend: f = forwarding enabled, l = learning enable
If you send 10 frames from xe20 and they egress via xe10 and xe30, only 10 packets are received on the mirror destination port.
 
VLAN and Rule Based Mirroring
This example shows detailed configuration of VLAN with rule based mirroring.
 
#configure terminal
Enter configure mode.
(config)# bridge 1 protocol mstp
Configure bridge 1 as MSTP bridge.
(config)# vlan 101-110 bridge 1 state enable
Configure VLANs.
(config)#interface xe10
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe20
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe5
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)#exit
Exit interface mode.
(config)# monitor session 1
Enter monitor session configuration mode.
(config-monitor)# destination interface xe5
Configure the interface as destination port.
(config-monitor)# source vlan 101
Configure source VLAN to be mirrored.
(config-monitor)# filter src-mac host 0000.0000.0005
Configure the rule to match the source MAC.
(config-monitor)# no shut
Activate monitor session.
(config-monitor)#end
Exit monitor session configuration mode.
Validation
Enter the commands below to confirm the configuration.
#show running-config monitor
!
monitor session 1
source vlan 101
destination interface xe5
10 filter src-mac host 0000.0000.0005
no shut
 
 
#show monitor session all
session 1
---------------
type : local
state : up
source intf :
tx :
rx :
both :
source VLANs :
rx : 101
destination ports : xe5
filter count : 1
 
Legend: f = forwarding enabled, l = learning enabled
 
 
#show monitor session 1 filter
session 1
---------------
filter count : 1
 
---------------
match set 1
---------------
source mac address : 0000.0000.0005 (host)
RSPAN Overview
Remote Switched Port Analyzer (RSPAN) is used when several switches need to be analyzed with a single centralized sniffer. In RSPAN, all mirrored traffic is tagged with an RSPAN VLAN ID and forwarded to the remote destination via a port called the reflector port. The reflector port has the same characteristics as a local destination port. The RSPAN VLAN ID is a VLAN dedicated to monitoring and does not participate in bridging. The RSPAN destination switch strips the RSPAN VLAN tag and sends the traffic to the sniffer for analysis. RSPAN has the same sub-categories as SPAN, except that the mirrored traffic is tagged with the RSPAN VLAN header and forwarded to the destination switch for analysis.
Topology
RSPAN Topology
Port Mirroring Configuration
This example shows detailed configuration of port mirroring.
 
#configure terminal
Enter configure mode.
(config)# bridge 1 protocol mstp
Configure bridge 1 as MSTP bridge.
(config)# vlan 101-110 bridge 1 state enable
Configure VLANs.
(config)#interface xe10
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe20
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe5
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)#exit
Exit interface mode.
(config)# monitor session 1 type remote
Enter monitor session configuration mode.
(config-monitor)# destination remote vlan 100 reflector-port xe5
Configure the interface as remote destination port.
(config-monitor)# source interface xe10 both
Configure the source interface to mirror ingress as well as egress direction traffic.
(config-monitor)# no shut
Activate monitor session.
(config-monitor)#end
Exit monitor session configuration mode.
Validation
Enter the commands below to confirm the configuration.
#show running-config monitor
!
monitor session 1 type remote
source interface xe10 both
destination remote vlan 100 reflector-port xe5
no shut
 
 
#show monitor session all
session 1
---------------
type : remote
state : up
source intf :
tx : xe10
rx : xe10
both : xe10
source VLANs :
rx :
rspan VLAN : 100
reflector ports : xe5
filter count :
 
Legend: f = forwarding enabled, l = learning enabled
VLAN and Rule Based Mirroring Configuration
This example shows detailed configuration of VLAN with rule based mirroring.
 
#configure terminal
Enter configure mode.
(config)# bridge 1 protocol mstp
Configure bridge 1 as MSTP bridge.
(config)# vlan 101-110 bridge 1 state enable
Configure VLANs.
(config)#interface xe10
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe20
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)# bridge-group 1
Associate bridge to an interface.
(config-if)# switchport mode trunk
Configure port as a trunk.
(config-if)# switchport trunk allowed vlan add 101-110
Allow VLANs 101-110 on the interface.
(config-if)# no shutdown
Make interface admin up.
(config-if)#exit
Exit interface mode.
(config)#interface xe5
Enter interface mode.
(config-if)# switchport
Configure interface as a layer 2 port.
(config-if)#exit
Exit interface mode.
(config)# monitor session 1 type remote
Enter monitor session configuration mode.
(config-monitor)# destination remote vlan 100 reflector-port xe5
Configure the interface as remote destination port.
(config-monitor)# source vlan 101
Configure source VLAN to be mirrored.
(config-monitor)# filter src-mac host 0000.0000.0005
Configure the rule to match the source MAC.
(config-monitor)# no shut
Activate monitor session.
(config-monitor)#end
Exit monitor session configuration mode.
Validation
Enter the commands below to confirm the configuration.
#show running-config monitor
!
monitor session 1 type remote
source vlan 101
destination remote vlan 100 reflector-port xe5
10 filter src-mac host 0000.0000.0005
no shut
 
 
#show monitor session all
session 1
---------------
type : remote
state : up
source intf :
tx :
rx :
both :
source VLANs :
rx : 101
rspan VLAN : 100
reflector ports : xe5
filter count : 1
 
Legend: f = forwarding enabled, l = learning enabled
 
 
#show monitor session 1 filter
session 1
---------------
filter count : 1
 
---------------
match set 1
---------------
source mac address : 0000.0000.0005 (host)
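The Validation steps in this chapter can be checked by script. The following is an added example, not part of the original guide: it parses "show monitor session all" output in the layout shown above (local and remote sessions) and reports sessions whose mirror destination or sources differ from an approved baseline. The function names and the structure of the approved baseline are assumptions made for this example.

```python
import re
# Constructed sample in the layout of the "show monitor session all" output above.
SAMPLE = """session 1
---------------
Type : local
State : up
source intf :
tx : xe10 xe30
rx :
both :
source VLANs :
rx :
destination ports : xe5
filter count :
Legend: f = forwarding enabled, l = learning enabled
"""

def parse_sessions(text):
    """Parse the show output into {session_id: {field: [values]}}."""
    sessions, cur, section = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"session\s+(\d+)", line):
            cur, section = sessions.setdefault(int(m.group(1)), {}), ""
        elif cur is not None and ":" in line and not line.startswith("Legend"):
            key, value = (p.strip() for p in line.lower().split(":", 1))
            if key in ("source intf", "source vlans"):
                section = key.split()[1] + " "      # "intf " or "vlans "
            elif key in ("tx", "rx", "both"):
                cur[section + key] = value.split()  # "rx" appears in both sections
            else:
                cur[key], section = value.split(), ""
    return sessions

def audit(sessions, approved):
    """List differences from an approved baseline (hypothetical structure)."""
    findings = []
    for sid, s in sessions.items():
        want = approved.get(sid, {"dest": None, "sources": []})
        dest = s.get("destination ports") or s.get("reflector ports") or []
        sources = {i for k in ("tx", "rx", "both") for i in s.get("intf " + k, [])}
        sources |= {"vlan " + v for v in s.get("vlans rx", [])}
        if dest != want["dest"]:
            findings.append(f"session {sid}: destination {dest} not approved")
        for extra in sorted(sources - set(want["sources"])):
            findings.append(f"session {sid}: source {extra} not approved")
    return findings

if __name__ == "__main__":
    print(audit(parse_sessions(SAMPLE), {1: {"dest": ["xe5"], "sources": ["xe10"]}}))
```

A session ID that is absent from the baseline is reported with its destination and every source marked as not approved.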