Wired Intelligent Edge


mirror-port sees half of traffic as vlan tagged

  • 1.  mirror-port sees half of traffic as vlan tagged

    Posted May 02, 2016 06:36 PM

    I am trying to use a mirror-port on an HP 2530, but half the mirrored traffic is vlan tagged and I'm trying to determine if I can avoid this.  I'm wondering if anybody knows if that is possible.  The documentation seems inaccurate, and I don't really trust it.

    It is a very simple mirror-port configuration, where I am monitoring a single interface which has a single untagged vlan.  The mirror-port has a different untagged vlan on it.  There are no tagged vlan ports anywhere on the switch.

    When looking at traffic on the mirror-port, all the ingress traffic to the monitor port is untagged, but all egress traffic from the monitor port is tagged.

    I've tried a number of variations. For example, making the mirror-port untagged on the same vlan as the monitor port.  I have not seen any change in behavior.  I also tried booting into YA.15.x firmware.

    release #YA.16.01.0004



  • 2.  RE: mirror-port sees half of traffic as vlan tagged

    Posted May 04, 2016 10:49 AM

    I should add the device connected to the mirror-port is a Linux box.  Here are a couple of packets from tcpdump that show the issue.  The monitored port is connected directly to the 10.10.255.1 device.  The packet leaving the monitored port arrives to my Linux box as vlan tagged (ethertype 802.1Q (0x8100)).  The packet arriving at the monitored port is not vlan tagged (ethertype IPv4 (0x0800)).

    16:27:01.721917 f0:9c:e9:a6:8c:80 > b4:0c:25:4b:1c:10, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 10.10.255.109 > 10.10.255.1: ICMP echo request, id 25693, seq 0, length 64


    16:27:01.722912 b4:0c:25:4b:1c:10 > f0:9c:e9:a6:8c:80, ethertype IPv4 (0x0800), length 98: 10.10.255.1 > 10.10.255.109: ICMP echo reply, id 25693, seq 0, length 64

    Has anybody else seen behavior like this?  The older switches I replaced with the 2530s did not act this way.



  • 3.  RE: mirror-port sees half of traffic as vlan tagged

    EMPLOYEE
    Posted May 04, 2016 02:22 PM

    48 port variety of 2530?  I was able to reproduce, am investigating.

     



  • 4.  RE: mirror-port sees half of traffic as vlan tagged

    Posted May 04, 2016 03:41 PM

    Thanks Michael.  It is a 24 port model.  J9776A 2530-24G



  • 5.  RE: mirror-port sees half of traffic as vlan tagged

    Posted May 05, 2016 10:51 AM

    I was able to test a 2824 and a 3400cl, and they both exhibited the same behavior of half the traffic being vlan-tagged.  The 2524 I am replacing with the 2530 did not tag any packets to the mirror port.

    This leads me to believe this is intended behavior and is not a change nor a bug.  It still seems strange to me.

    The line in the documentation I keep staring at, trying to see if I can change the egress traffic vlan tagging, hasn't helped me:

    egress mirroring does not reflect the tagged or untagged
    characteristic to the mirror port, instead it reflects the tagged or untagged characteristic of the
    mirror port.



  • 6.  RE: mirror-port sees half of traffic as vlan tagged

    Posted May 05, 2016 03:59 PM

    After rethinking this issue:
    If you want to mirror a port having multiple VLANs....there's no other way than to keep the tags




  • 7.  RE: mirror-port sees half of traffic as vlan tagged

    Posted May 05, 2016 05:37 PM

    The problem is the monitored port does not have multiple VLANs.  Every port on the switch has a single untagged VLAN associated with it. 

    In other words, traffic never arrives at the switch tagged or leaves the switch tagged.  However, the mirror-port is sent tagged packets.

    My conclusion at this point is that this is simply how the mirror-port is implemented.



  • 8.  RE: mirror-port sees half of traffic as vlan tagged

    Posted May 05, 2016 09:19 PM

    My understanding is that when *we* talk about traffic being "tagged" or "untagged" we are always talking about the frame format being implemented on a switchport.

    Switches need to know what VLAN every single frame belongs to, independently of whether that frame arrived with a tag or not, and independently of whether the outgoing switchport is going to tag it or not.

    So, internally and independently of any switchport, each frame is tagged by the switch when it is being switched.

    Normally, you don't see these tags, but I wouldn't be surprised that some switches show slightly different behaviour around this.



  • 9.  RE: mirror-port sees half of traffic as vlan tagged

    EMPLOYEE
    Posted May 05, 2016 11:34 PM

    Spoke with one of our developers for this product and it appears to be a quirk of the switch chip when doing egress mirroring.  All packets transit the switch with a VLAN tag and it is removed for untagged ports just prior to egressing the switch.  The mirrored copy is happening before that action is performed, so you get the tag in your mirror-port.

    There doesn't appear to be anything that can be done in software to fix this behavior.  I filed a bug internally to track it while we investigate further but I think this may just be how it works...

     



  • 10.  RE: mirror-port sees half of traffic as vlan tagged

    Posted May 06, 2016 11:37 AM

    Thanks guys, I truly appreciate the assistance and insight.  It does seem like this is just how it works.  It would be a nice-to-have if this was configurable, and the documentation could be made clearer.
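
Added example, not part of the original thread: since the tag cannot be removed on the switch, a capture tool on the mirror-port has to accept both frame shapes, because a parser or filter that assumes the IPv4 header starts at byte 14 misreads the tagged egress copies. The frames below are constructed from the addresses and lengths in the tcpdump output in post 2; all function and variable names are illustrative.

```python
import struct

TPID_DOT1Q = 0x8100  # 802.1Q ethertype, as reported by tcpdump in post 2

def split_dot1q(frame: bytes):
    """Return (vlan_id or None, frame with a single 802.1Q tag removed)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_DOT1Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return tci & 0x0FFF, frame[:12] + frame[16:]

def flow_key(frame: bytes):
    """(src_ip, dst_ip, protocol) for an IPv4 frame, tagged or not."""
    _, untagged = split_dot1q(frame)
    (ethertype,) = struct.unpack_from("!H", untagged, 12)
    if ethertype != 0x0800 or len(untagged) < 34:
        return None
    ip = untagged[14:34]
    return ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), ip[9]

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ipv4(text):
    return bytes(int(part) for part in text.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, vlan=None):
    """Constructed sample: Ethernet + IPv4 + 64 bytes of ICMP (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0, 64, 1, 0, ipv4(src_ip), ipv4(dst_ip))
    tag = struct.pack("!HH", TPID_DOT1Q, vlan) if vlan is not None else b""
    return mac(dst_mac) + mac(src_mac) + tag + struct.pack("!H", 0x0800) + ip + bytes(64)

# Constructed frames modelled on the two tcpdump lines in post 2.
MAC_A, MAC_B = "f0:9c:e9:a6:8c:80", "b4:0c:25:4b:1c:10"
REQUEST = build_frame(MAC_A, MAC_B, "10.10.255.109", "10.10.255.1", vlan=1)  # egress copy, tagged
REPLY = build_frame(MAC_B, MAC_A, "10.10.255.1", "10.10.255.109")           # ingress copy, untagged

if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY)):
        vlan, untagged = split_dot1q(frame)
        print(name, len(frame), "vlan", vlan, "->", len(untagged), flow_key(frame))
```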