Introduction of Mirroring
PICOS port mirroring supports two scenarios: local port mirroring and remote port mirroring.
Local Port Mirroring
In local port mirroring, the output port is directly connected to the Data Monitoring Server. As shown in Figure 1, local port mirroring is enabled on Switch B: the output port forwards the packets copied from the input port to the Data Monitoring Server that is directly connected to it.
Figure 1. Local Port Mirroring
NOTE:
On the following platforms, the duplicate packets are the same as the outgoing packets, but it is not certain on other platforms.
Remote Port Mirroring
ERSPAN
As shown in Figure 2, ERSPAN (Encapsulated Remote Switched Port Analyzer) is a remote port mirroring technology that is enabled on the mirror Source Device. In ERSPAN, the output port is remotely connected to the Data Monitoring Server and forwards the packets copied from the input port to it through a GRE tunnel over the IP network.
Figure 2. ERSPAN (Encapsulated Remote Switched Port Analyzer)
The output port encapsulates the original mirrored layer 2 packet with a GRE tunnel header and carries the entire GRE message as the payload of an IP packet sent through the GRE tunnel. The encapsulated packets have the following format:
------------------------------------------------------------------------
| MAC_HEADER | IP_HEADER | GRE_HEADER | L2_Mirrored_Packet |
------------------------------------------------------------------------
The source and destination addresses of the outer IP header of the GRE message are configured manually with the following commands:
set interface ethernet-switching-options analyzer <mirror-name> erspan output source-ip <source-ip>
set interface ethernet-switching-options analyzer <mirror-name> erspan output dest-ip <dest-ip>
After configuration, use the command run show analyzer [<mirror-name>] to display the mirroring configuration of all analyzers or of the specified analyzer.
The switch selects the outgoing port of the mirrored packet by looking up the destination IP address in its routing table. The configured destination IP address should be the IP address of the remote Data Monitoring Server so that the mirrored packets can reach it. The source IP address is usually configured as the IP address of the Source Device.
As shown in Figure 2, the Source Device does not need a separate GRE feature, because ERSPAN itself provides the GRE tunnel encapsulation. The Destination Device acts as an ordinary routing device and forwards the GRE packets to the Data Monitoring Server.
The Data Monitoring Server does not need to support ERSPAN, but it should support Linux GRE so that it can decapsulate the received GRE packets.
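The encapsulation above and the decapsulation the Data Monitoring Server has to perform, as an added Python example (not Pica8's code and not part of PICOS): it builds the MAC_HEADER | IP_HEADER | GRE_HEADER | L2_Mirrored_Packet format from a constructed mirrored frame using the configured source-ip, dest-ip and TTL, then parses the result back the way a GRE receiver would. The GRE protocol type 0x6558, the optional GRE key, the MAC addresses and the inner frame are assumptions made for the example; the page shows no ERSPAN header between GRE and the mirrored frame, so none is emitted or expected.

```python
# Added example (not Pica8's code): build and parse the ERSPAN/GRE encapsulation
# MAC_HEADER | IP_HEADER | GRE_HEADER | L2_Mirrored_Packet described in the text.
import ipaddress
import struct

ETH_P_IP = 0x0800        # outer Ethernet type: IPv4
IP_PROTO_GRE = 47        # IP protocol number of GRE
# Assumption: GRE protocol type for a raw mirrored Ethernet frame
# ("transparent Ethernet bridging"). No ERSPAN header is used, as on the page.
GRE_PROTO_TEB = 0x6558
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000

# Constructed sample data (not captured from a real switch).
OUTER_SRC_MAC = bytes.fromhex("021a2b3c4d5e")
OUTER_DST_MAC = bytes.fromhex("02ffeeddccbb")
SAMPLE_INNER_FRAME = (
    bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")  # inner dst/src MAC
    + struct.pack("!H", ETH_P_IP) + b"mirrored payload"            # inner type + data
)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum. Over a header whose checksum
    field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner_frame: bytes, source_ip: str, dest_ip: str,
                ttl: int = 64, key=None) -> bytes:
    """Wrap a mirrored L2 frame: outer MAC header, IPv4 header carrying the
    configured source-ip / dest-ip / ttl, GRE header, then the untouched frame."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, GRE_PROTO_TEB)
    if key is not None:
        gre += struct.pack("!I", key)
    total_len = 20 + len(gre) + len(inner_frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IP_PROTO_GRE, 0,
                     ipaddress.IPv4Address(source_ip).packed,
                     ipaddress.IPv4Address(dest_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    eth = OUTER_DST_MAC + OUTER_SRC_MAC + struct.pack("!H", ETH_P_IP)
    return eth + ip + gre + inner_frame


def decapsulate(packet: bytes) -> dict:
    """Parse what the Data Monitoring Server receives; return the outer fields and
    the original mirrored frame. Malformed input is rejected, never guessed at."""
    if len(packet) < 14 + 20 + 4:
        raise ValueError("packet too short for MAC + IPv4 + GRE headers")
    if struct.unpack("!H", packet[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ip = packet[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("outer IP version is not 4")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl + 4 or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != IP_PROTO_GRE:
        raise ValueError("outer IP payload is not GRE")
    gre = ip[ihl:total_len]                      # drop any Ethernet padding
    flags, proto = struct.unpack("!HH", gre[:4])
    # Optional GRE fields follow in fixed order: checksum+reserved, key, sequence.
    needed = 4 + 4 * bool(flags & GRE_FLAG_CSUM) + 4 * bool(flags & GRE_FLAG_KEY) \
               + 4 * bool(flags & GRE_FLAG_SEQ)
    if len(gre) < needed:
        raise ValueError("truncated GRE header")
    key_off = 4 + (4 if flags & GRE_FLAG_CSUM else 0)
    key = struct.unpack("!I", gre[key_off:key_off + 4])[0] if flags & GRE_FLAG_KEY else None
    return {
        "source_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dest_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "gre_protocol": proto,
        "gre_key": key,
        "inner_frame": gre[needed:],
    }


def roundtrip_demo() -> dict:
    """Mirror SAMPLE_INNER_FRAME through a constructed tunnel and decapsulate it."""
    pkt = encapsulate(SAMPLE_INNER_FRAME, "100.100.100.100", "200.200.200.200",
                      ttl=32, key=444)
    info = decapsulate(pkt)
    info["outer_length"] = len(pkt)
    return info


if __name__ == "__main__":
    r = roundtrip_demo()
    print(r["source_ip"], "->", r["dest_ip"], "ttl", r["ttl"],
          "inner frame", r["inner_frame"].hex())
```

The receiver validates the IPv4 length fields, the header checksum and the GRE option flags before slicing out the inner frame: a monitoring server decapsulates traffic that arrives over the IP network and whose inner content is whatever was mirrored, so a decapsulator that trusts the advertised lengths is a weak point in the monitoring path itself.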
NOTE:
The commit fails when a second analyzer is configured with an ERSPAN tunnel that already exists, as in the following example:
admin@Xorplus# set interface ethernet-switching-options analyzer 333 erspan input egress te-1/1/2
admin@Xorplus# set interface ethernet-switching-options analyzer 333 erspan output source-ip 100.100.100.100
admin@Xorplus# commit
admin@Xorplus# set interface ethernet-switching-options analyzer 444 erspan input ingress te-1/1/1
admin@Xorplus# set interface ethernet-switching-options analyzer 444 erspan output source-ip 100.100.100.100
admin@Xorplus# set interface ethernet-switching-options analyzer 444 erspan output dest-ip 200.200.200.200
admin@Xorplus# commit
the same erspan tunnel already exist
Commit failed.
ACL-based ERSPAN
In ACL-based ERSPAN, service flows matching the configured ACL rules are copied to the mirroring output port and then forwarded to the remote monitoring device through the GRE tunnel for analysis and monitoring. As shown in Figure 2 in the previous section, on the Source Device the input port copies the service flows matching the ACL rules to the output port, and the output port forwards the copied flows through the GRE tunnel to the remote monitoring device.
ACL-based ERSPAN is a remote port mirroring feature built on the PICOS firewall filter feature. It supports all firewall filter match fields (destination-address-ipv4, destination-mac-address, destination-port, ospf, etc.) except the IPv6 filters (destination-address-ipv6 / source-address-ipv6).
Security ACL filter rules and ACL-based ERSPAN rules are placed together in sequence-number order, and the sequence number is also the match priority. The match criteria of ACL-based ERSPAN rules are the same as those of Security ACL rules; refer to the ACL configuration guide for details about Security ACL.
The ACL action commands of ACL-based ERSPAN, which are distinct from the Security ACL actions, are listed below:
set firewall filter <filter-name> sequence <number> then erspan source-ip <source-ip>
set firewall filter <filter-name> sequence <number> then erspan dest-ip <dest-ip>
set firewall filter <filter-name> sequence <number> then erspan vrf <vrf-name>
set firewall filter <filter-name> sequence <number> then erspan ttl <ttl-value>
After configuration, use the command run show filter [<text>] to display information about all filters or about the specified filter.
Copyright © 2024 Pica8 Inc. All Rights Reserved.