I ended up putting a mirror session on each of the two cores as follows, as there is no way of knowing which switch the data will be passing through. Each core's interface 1/1/45 is going to a separate interface on the cybersecurity appliance using a 10G DAC.
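As an added illustration (not configuration posted by anyone in this thread), this is what that per-member setup looks like in AOS-CX CLI syntax. The `source interface lagN both` form is the one quoted later in the thread; the session number, the `destination interface` and `enable` keywords, the `show mirror` check and the LAG ids lag9/lag10 are assumptions based on general AOS-CX familiarity, not on this thread. The same session has to be entered on each VSX member independently, since mirror sessions are not synchronized across VSX; the member-specific lines are marked with comments.

```console
# --- Apply on VSX primary (assumed hostname core-1) ---
core-1(config)# mirror session 1
core-1(config-mirror-1)# destination interface 1/1/45     ; 10G DAC to appliance port A
core-1(config-mirror-1)# source interface lag9 both       ; downstream MC-LAG (assumed id)
core-1(config-mirror-1)# source interface lag10 both      ; another downstream MC-LAG (assumed id)
core-1(config-mirror-1)# enable
core-1(config-mirror-1)# exit

# --- Repeat on VSX secondary (assumed hostname core-2) ---
# Mirror sessions are per-chassis; nothing here is copied by VSX sync.
core-2(config)# mirror session 1
core-2(config-mirror-1)# destination interface 1/1/45     ; 10G DAC to appliance port B
core-2(config-mirror-1)# source interface lag9 both
core-2(config-mirror-1)# source interface lag10 both
core-2(config-mirror-1)# enable
core-2(config-mirror-1)# exit

# Verify the session is active on each member (assumed command)
core-1# show mirror
core-2# show mirror
```

Each member only forwards the frames that actually traversed its own links, so the appliance must ingest both 10G feeds to see the whole picture. Because every source LAG is 10G while the destination is a single 10G port per member, the session is oversubscribed as soon as aggregate traffic on the mirrored LAGs exceeds line rate, and the switch silently drops mirrored frames; a sensor that sees only part of a flow can miss detections or raise false positives, so it is worth comparing interface counters on the sources against the destination during a busy period before trusting the feed.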
Original Message:
Sent: Jan 09, 2024 03:30 PM
From: Evan Z
Subject: Mirroring in VSX Topology
Curious on the outcome of your question.
I will be setting up MC-LAG mirroring on a pair of 8360s in VSX.
Original Message:
Sent: Jul 11, 2023 11:08 AM
From: wdubose
Subject: Mirroring in VSX Topology
I wonder, since I have two SFP+ interfaces available on my security appliance, if I could configure an MC-LAG on my two VSX switches and a LAG on the appliance, then specify that MC-LAG as the destination and all of my downstream MC-LAGs as the source.
If my only option is to have a single 10G link to my security appliance from my primary core and I have 30+ 10G access-layer MC-LAGs as the source, will this overload the single 10G link?
Original Message:
Sent: Jul 11, 2023 03:59 AM
From: IanNightingale
Subject: Mirroring in VSX Topology
What I have observed is that there is no sync across VSX of mirroring. Each physical box is independent. Frames received on one member won't necessarily be seen on the other member. MC-LAG is just a way to negotiate the LACP with the partner switch.
When mirroring for troubleshooting purposes, the mirror from each member of the MC-LAG had the frames received on that link. I noted that some frames were seen on both outputs when the source was a VLAN and not a physical interface. I questioned Aruba Support and they said this is because the frames are shared on active-gateways, rather than the mirror session being synced.
Therefore I can't see any situation where, if you want all traffic, you can avoid having a mirror session on each member of VSX, and therefore the IDS would need two physicals.
I would also be cautious about mirroring all the MC-LAGs. Clearly there is the opportunity for oversubscription and therefore the IDS missing packets, which is something that will lead to false positives or worse.
Finally, mirroring to CPU is good to get a flavor of what is on the link, but in testing I found huge packet loss, even at 100Mb traffic flows. So if, while developing your solution, you use this to observe, be cautious: the absence of frames doesn't mean they weren't on the wire. Mirroring to an interface is very different.
Original Message:
Sent: Jul 10, 2023 07:31 AM
From: parnassus
Subject: Mirroring in VSX Topology
@wdubose Hi! I'm interested in that too: how to deal with a VSX deployment when an IDS is used (on a bare-metal server) as the destination of mirrored traffic (e.g. from all VLANs as sources). Server link to the VSX primary only, or a server LACP bond to both VSX members (thus through a VSX LAG)?
Original Message:
Sent: Jul 09, 2023 02:36 PM
From: wdubose
Subject: Mirroring in VSX Topology
I would like more clarification on your response. I have a VSX pair of 8325 switches that I want to set up mirroring on for all of my MC-LAGs. I have a security appliance that the mirrored traffic will be sent to. For the destination, would I set up a single 10G interface going to the appliance on just the primary switch in the mirror session and then specify all of the MC-LAGs as the source interface? Does the same mirror session and source/destinations need to be set up on the secondary switch as well? If so, do I need to have an MC-LAG going to my appliance from the destination interface on each VSX-paired switch?
Original Message:
Sent: Oct 26, 2022 03:03 AM
From: vincent.giles
Subject: Mirroring in VSX Topology
Same command as for a LAG:
source interface lag9 both
(assuming lag9 is your VSX multi-chassis LAG).
Original Message:
Sent: Oct 25, 2022 06:12 AM
From: SHAY ELIASI
Subject: Mirroring in VSX Topology
Searching for the best practice for configuring mirror ports on the MC-LAGs of both members.
I can't find any reference for MC-LAGs in the documentation (VSX, monitoring, security...).
Please reply with a relevant reference.
Single-chassis LAG example:
switch(config-mirror-4)# source interface lag1 both
Regards,