Introduction of Mirroring


PICOS port mirroring supports two scenarios: local port mirroring and remote port mirroring.

Local Port Mirroring

In local port mirroring, the output port is directly connected to the Data Monitoring Server. As shown in Figure 1, local port mirroring is enabled on Switch B: the output port forwards the packets copied from the input port to the Data Monitoring Server that is directly connected to it.

Figure1. Local Port Mirroring

NOTEs:

  • The mirroring port can belong to any VLAN. It can be either a trunk port or an access port, but it does not participate in Layer 2 or Layer 3 forwarding.
  • The egress port or ingress port can be either an access port or a trunk port.
  • When the user sends untagged packets, mirroring takes priority over tag insertion.
  • When the user receives tagged packets, mirroring takes priority over tag removal.
  • The mirroring port can also be used to analyze BPDU/LACP/LLDP packets.
  • When the user configures an ACL on the ingress/egress port, mirroring takes priority over the ACL filter, so packets the filter drops can still appear on the mirroring port.
  • The duplicated traffic of an egress port may differ from the traffic actually sent, because other forwarding operations happen before or after the mirroring operation. For example, if the received packet is tagged with the PVID, the PVID tag must be stripped before the packet is forwarded; the duplicated traffic may differ from the outgoing traffic because the packet may have been copied to the mirroring port before the PVID was stripped.

     On the following platforms the duplicated packets are identical to the outgoing packets; on other platforms this is not guaranteed.

     Switch ASIC    Model
     Triumph2       PRONTO3296, PRONTO3295, PRONTO3290
     Apollo2        ES4654
     Helix4         AS4610 Series Switches

Remote Port Mirroring

ERSPAN

As shown in Figure 2, ERSPAN (Encapsulated Remote Switched Port Analyzer) is a remote port mirroring technology that is enabled on the mirror Source Device. In ERSPAN, the output port is remotely connected to the Data Monitoring Server and forwards the packets copied from the input port to the Data Monitoring Server through a GRE tunnel over the IP network.

Figure 2. ERSPAN (Encapsulated Remote Switched Port Analyzer)

The output port encapsulates the original mirrored Layer 2 packet with a GRE tunnel header and then carries the entire GRE message as the payload of an IP packet sent through the GRE tunnel. The encapsulated packets have the following format:

 ------------------------------------------------------------------------

| MAC_HEADER | IP_HEADER | GRE_HEADER | L2_Mirrored_Packet |

 ------------------------------------------------------------------------

The outer IP header of the GRE message is configured manually with the following commands:

set interface ethernet-switching-options analyzer <mirror-name> erspan output source-ip <source-ip>

set interface ethernet-switching-options analyzer <mirror-name> erspan output dest-ip <dest-ip>

After configuration, use the command run show analyzer [<mirror-name>] to display the mirroring information for all analyzers or for a specified analyzer.

The switch finds the outgoing port for the mirrored packet by looking up the destination IP network in its routing table. The configured destination IP address should be the IP address of the remote Data Monitoring Server, so that the mirrored packets can reach their destination. The source IP address is usually configured as the IP address of the Source Device.

As shown in Figure 2, the Source Device does not need a separate GRE feature, because ERSPAN itself provides the GRE tunnel encapsulation. The Destination Device acts as a routing device and forwards the GRE messages to the Data Monitoring Server.

The Data Monitoring Server does not need to support ERSPAN, but it must support Linux GRE in order to decapsulate the received GRE messages.
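As an added illustration (not part of the PICOS documentation or the PICOS software), the following Python decapsulator shows what the Linux GRE stack on the Data Monitoring Server has to do with the MAC_HEADER | IP_HEADER | GRE_HEADER | L2_Mirrored_Packet format above before an analyzer can see the mirrored frame. It assumes the GRE header follows RFC 2784/2890 and that the inner frame is tagged with GRE payload type 0x6558 (Transparent Ethernet Bridging); the sample packet is constructed here with the addresses from the page's example.

```python
import struct

GRE_IP_PROTO = 47           # IP protocol number for GRE (outer IP header)
ETHERTYPE_IPV4 = 0x0800
GRE_PROTO_TEB = 0x6558      # Transparent Ethernet Bridging: assumed inner payload type


def decapsulate_erspan_frame(pkt: bytes) -> dict:
    """Strip the outer MAC/IPv4/GRE headers and return the mirrored L2 frame."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != GRE_IP_PROTO:
        raise ValueError(f"outer IP protocol {ip[9]} is not GRE")
    src_ip = ".".join(str(b) for b in ip[12:16])  # tunnel source (Source Device)
    dst_ip = ".".join(str(b) for b in ip[16:20])  # tunnel destination (Monitoring Server)
    gre = ip[ihl:total_len]
    flags, proto = struct.unpack("!HH", gre[:4])
    off, key, seq = 4, None, None
    if flags & 0x8000:                            # C bit: checksum + reserved1 present
        off += 4
    if flags & 0x2000:                            # K bit: 32-bit key present
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x1000:                            # S bit: sequence number present
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if proto != GRE_PROTO_TEB:
        raise ValueError(f"unexpected GRE payload type 0x{proto:04x}")
    inner = gre[off:]                             # the original mirrored L2 frame
    return {"src_ip": src_ip, "dst_ip": dst_ip, "gre_key": key, "gre_seq": seq,
            "inner_dst_mac": inner[0:6].hex(":"), "inner_src_mac": inner[6:12].hex(":"),
            "inner_frame": inner}


def build_sample_packet() -> bytes:
    """Constructed sample: a mirrored frame tunnelled from 100.100.100.100 to 200.200.200.200."""
    inner = bytes.fromhex("aabbccddeeff") + bytes.fromhex("020000000001") + b"\x08\x00" + b"payload"
    gre = struct.pack("!HHI", 0x2000, GRE_PROTO_TEB, 333)   # K bit set, key 333
    total_len = 20 + len(gre) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, GRE_IP_PROTO, 0,
                     bytes([100, 100, 100, 100]), bytes([200, 200, 200, 200]))
    mac = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return mac + ip + gre + inner


if __name__ == "__main__":
    print(decapsulate_erspan_frame(build_sample_packet()))
```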

NOTEs:

  • A pair of source IP and destination IP addresses form a GRE tunnel.
  • Multiple input ports may be mirrored through the same GRE tunnel only when they use the same analyzer name. The same GRE tunnel cannot be configured under different analyzer names; otherwise the commit fails and the error "the same erspan tunnel already exists" is printed. For example,
admin@Xorplus# set interface ethernet-switching-options analyzer 333 erspan input egress te-1/1/2
admin@Xorplus# set interface ethernet-switching-options analyzer 333 erspan output source-ip 100.100.100.100
admin@Xorplus# commit
admin@Xorplus# set interface ethernet-switching-options analyzer 444 erspan input ingress te-1/1/1
admin@Xorplus# set interface ethernet-switching-options analyzer 444 erspan output source-ip 100.100.100.100
admin@Xorplus# set interface ethernet-switching-options analyzer 444 erspan output dest-ip 200.200.200.200
admin@Xorplus# commit
the same erspan tunnel already exist
Commit failed.

ACL-based ERSPAN

In ACL-based ERSPAN, service flows matching the configured ACL rules are copied to the mirroring output port and then forwarded to the remote monitoring device through the GRE tunnel for analysis and monitoring. As shown in Figure 2 in the previous section, on the Source Device the input port copies the service flows matching the ACL rules to the output port, and the output port then forwards the copied flows through the GRE tunnel to the remote monitoring device.

ACL-based ERSPAN is a remote port mirroring feature built on the PICOS firewall filter feature. It supports all firewall filter matching fields (destination-address-ipv4, destination-mac-address, destination-port, ospf, etc.) except the IPv6 filters (destination-address-ipv6 / source-address-ipv6).

Security ACL filter rules and ACL-based ERSPAN rules are placed together in the order of their sequence numbers, which is also the match priority. The match criteria of ACL-based ERSPAN rules are the same as those of Security ACL rules; refer to the ACL configuration guide for details about Security ACL.

The ACL action commands of ACL-based ERSPAN are listed below; they are separate from the Security ACL actions:

set firewall filter <filter-name> sequence <number> then erspan source-ip <source-ip>

set firewall filter <filter-name> sequence <number> then erspan dest-ip <dest-ip>

set firewall filter <filter-name> sequence <number> then erspan vrf <vrf-name>

set firewall filter <filter-name> sequence <number> then erspan ttl <ttl-value>

After configuration, use the command run show filter [<text>] to display information about all filters or about a specified filter.

Copyright © 2024 Pica8 Inc. All Rights Reserved.