Contributor II

Port Mirroring Limit on 5412R and 3810M

Hi there,

I saw from the ArubaOS-Switch 16.05 guide that:

Traffic mirroring supports the configuration of port and VLAN interfaces as mirroring sources in up to four mirroring sessions on a switch. Each session can have one or more sources (ports and/or static trunks, a mesh, or a VLAN interface) that monitor traffic entering and/or leaving the switch.

 

Question 1:

What is the hard limit for mirroring 24/48 ports to a single port? Is it 4 ports only?

 

Question 2:

Does it mean the 5406 and 5412 zl2 series also allow only 4 sessions per chassis, even with all the line cards inserted?

 

Thanks.

Re: Port Mirroring Limit on 5412R and 3810M

Hi,

 

Thank you for your question. It would be great if you could provide some additional details on the use model. Do you think 4 destinations is not enough? Below I've copied the question and try to provide an answer.

 

Question 1:

What is the hard limit for mirroring 24/48 ports to a single port? Is it 4 ports only?

 

The 4 ports are related to exit ports. To be honest, I don't think there is a hard limit and you're able to add all ports. The only limit you of course always have is the bandwidth of the exit port. If you want to monitor all ports for certain traffic, this is also possible with policies. Or you can better monitor uplinks / VLANs.

 

Question 2:

Does it mean the 5406 and 5412 zl2 series also allow only 4 sessions per chassis, even with all the line cards inserted?

 

You have 4 mirror sessions, each of which can provide an exit port. There is also an option to set up remote mirror sessions, which can be very nice since you just copy traffic from one switch to another.

 

Let me know if there are any questions / comments. 

 

New Contributor

Re: Port Mirroring Limit on 5412R and 3810M

If I want to monitor traffic from 2 VLANs on all ports of the switch and mirror it to 1 mirror port, how can I do that?

 

I have configured the following but it is not working:

 

class ipv4 "all-traffic"
     10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
mirror 1 name "Forescout" port A24
policy mirror "Forescout"
     10 class ipv4 "all-traffic" action mirror 1
   exit
interface A24
   name "FFMFSC02-MirrorPort"
   exit

vlan 100
   name "LAN"
   untagged A2-A20,C1-C20,E1-E20
   tagged A1,A21-A24,B21-B24,C21-C24,D21-D24,E21-E24,F21-F24
   ip address 192.168.89.200 255.255.255.0
   service-policy "Forescout" in
   exit
vlan 200
   name "VOIP"
   untagged B1-B20,D1-D20,F1-F20
   tagged A1,A21-A24,B21-B24,C21-C24,D21-D24,E21-E24,F21-F24
   no ip address
   service-policy "Forescout" in
   exit

 

FFMCoreSW200(vlan-100)# show monitor 1

Network Monitoring

   Session: 1    Session Name: Forescout
      Mirror Destination:  A24   (Port)

      Monitoring Sources  Direction Truncation Mirror Policy
      ------------------  --------- ---------- -------------
      VLAN: 100           In         No         Forescout
      VLAN: 200           In         No         Forescout

 

 

Can someone advise how to make it work?

 

Many Thanks

Philip

Re: Port Mirroring Limit on 5412R and 3810M

Hi Philip,

 

If you just want to monitor all traffic on these VLANs and have a local mirror (exit) port, you can simply use these commands without all the classifications.

 

Let's say VLAN 10 and 20 need to be monitored and port 24 on the switch is the port where all the traffic is sent to.

 

- Configure mirror session (exit):

mirror 1 port 24

- Configure monitor on VLANs:

vlan 10
   monitor all both mirror 1
vlan 20
   monitor all both mirror 1

 

If I'm correct, then this is it. You're done and ready to start monitoring traffic. Be aware that when you monitor complete VLANs that are really busy or have lots of ports on the same switch, and send all of this traffic to one port, you can potentially overload the mirror port.

 

Regards, Dobias

Occasional Contributor II

Re: Port Mirroring Limit on 5412R and 3810M

Hi Dobias,

 

When is HP going to remove the restriction of using only one static source VLAN in both TX/RX direction?

 

On Cisco you can enter multiple source VLANs in both directions.

 

I was hoping I would not have to deal with this restriction since I now have the 5406r zl2/5412r zl2 in place, but it seems that there is still a limitation of only having policy-based mirroring in the inbound direction.

 

How would I go about requesting such an upgrade to firmware/functionality with HP/Aruba in general?

Occasional Contributor II

Re: Port Mirroring Limit on 5412R and 3810M

I want to monitor client traffic. But from more than 4 client VLANs, AND in both RX and TX direction.

 

I do see the option that you can monitor trunks as a source, but then you would have to copy data incoming on a 10G trunk to an IPS which has only 1G capabilities.

 

Is there some way to filter traffic based on source IP, where you can have direction both TX and RX? Even when filtering on a trunk, so as not to overload the IPS?

 

Or is it only the classifier-based policy, with the RX limitation?

Occasional Contributor I

Re: Port Mirroring Limit on 5412R and 3810M

Hi,

 

You can just create an ACL to filter what traffic you want to be forwarded to the mirror port. This is the output from a 5406zl (old gear).

 

The help command is very, very useful if you don't have the manuals nearby.

 

5406zl (config)# int a1 monitor help
Usage: 1) [no] monitor all {in|out|both} mirror {<DestNumber> | <DestName>}
                [1-4 | NAME-STR]...
          [no] monitor ip access-group <ACL-NAME> <in> mirror
                <1-4 | NAME-STR> [1-4 | NAME-STR]...

Description: Monitor traffic on the port.

             The network traffic seen by the monitored ports is copied to
             the Mirroring Destination to which a network analyzer can be
             attached.

             Note: When mirroring multiple ports in a busy network,
             some frames may not be copied to the mirroring port.

             This is an interface context command. It can be entered
             in interface context as shown or follow the
             'interface [ethernet] <PORT-LIST>' command.

Parameters: o 1-4 - Mirror destination number
            o NAME-STR - Friendly name associated with the mirror
              destination number.
            o ACL-NAME - Standard or Extended Access Control List number.
            o <in|out|both> direction of the traffic to be monitored.

 

 

You can create extended ACLs to filter on IP addresses, or MAC ACLs with this command:

 

3810M(config)# mac-access-list help
Usage: [no] mac-access-list { standard | extended } <ACL-ID>
       mac-access-list resequence <ACL-ID> <Start> <Increment>

Description: Configure a MAC ACL to filter packets based on Ethernet
             header information. MAC ACLs can filter based on the
             source MAC address, destination MAC address, EtherType, CoS
             priority, or VLAN number.

 

 

So, summing up: monitor all the ports where you know the traffic is coming or going, and apply the ACL so you only copy traffic from/to the hosts you want to monitor. If I'm not mistaken, that should do what you are asking.

 

FYI, if you monitor all the ports you will probably end up with duplicated traffic.

 

Aarón
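
Dobias's per-VLAN recipe (mirror session plus `monitor all both mirror 1`) and Aarón's ACL-filtered variant (`monitor ip access-group <ACL> in mirror <n>`) are easy to get wrong on a chassis with many VLANs feeding a 1G IPS port. The script below is an added example written for this page, not code from the thread or from HPE/Aruba: it renders those commands from a short description of the sessions and runs the pre-flight checks the thread keeps coming back to (at most four sessions, the exit port not also a source, ACL-filtered monitoring only in the `in` direction as the help output shows, and the worst-case mirrored rate compared with the exit port's speed). The port names, link speeds and the ACL name `IPS-HOSTS` are constructed; the session limit and the command syntax are those quoted in the posts. The ACL form is emitted only in port context because that is the only context the thread shows it in.

```python
"""Pre-flight check and config generator for ArubaOS-Switch local port mirroring.

Added example for this thread (not HPE/Aruba code). The command syntax follows the
'mirror', 'monitor all' and 'monitor ip access-group' commands quoted in the posts;
every port name, link speed and ACL name below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_SESSIONS = 4  # mirror destinations are numbered 1-4 on ArubaOS-Switch


@dataclass
class Source:
    kind: str                  # "port" (a trunk such as Trk1 counts as a port) or "vlan"
    name: str                  # "A1", "Trk1" or a VLAN id such as "100"
    direction: str             # "in", "out" or "both"
    speed_mbps: int            # line rate of the source in one direction
    acl: Optional[str] = None  # extended ACL name -> 'monitor ip access-group ... in'


@dataclass
class Session:
    number: int                # 1-4
    name: str
    dest_port: str             # exit port the analyser / IPS hangs off
    dest_speed_mbps: int
    sources: List[Source] = field(default_factory=list)


def worst_case_mbps(session: Session) -> int:
    """Upper bound on what the exit port may have to carry; 'both' doubles a source.

    An ACL lowers the real rate but not this bound, so the check is conservative.
    """
    return sum(s.speed_mbps * (2 if s.direction == "both" else 1) for s in session.sources)


def validate(sessions: List[Session]) -> List[str]:
    """Return human-readable problems; an empty list means the design passes."""
    problems = []
    if len(sessions) > MAX_SESSIONS:
        problems.append(f"too many sessions: {len(sessions)} > {MAX_SESSIONS}")
    numbers = [s.number for s in sessions]
    if len(set(numbers)) != len(numbers):
        problems.append("duplicate session numbers")
    for s in sessions:
        if not 1 <= s.number <= MAX_SESSIONS:
            problems.append(f"session {s.number}: number must be 1-{MAX_SESSIONS}")
        for src in s.sources:
            if src.direction not in ("in", "out", "both"):
                problems.append(f"session {s.number}: bad direction {src.direction!r} on {src.name}")
            if src.kind == "port" and src.name == s.dest_port:
                problems.append(f"session {s.number}: exit port {s.dest_port} is also a source")
            if src.acl is not None and src.direction != "in":
                # the help output only offers <in> for 'monitor ip access-group ... mirror'
                problems.append(f"session {s.number}: ACL-filtered monitor on {src.name} must be 'in'")
            if src.acl is not None and src.kind != "port":
                # assumption: only port context is shown for the ACL form in this thread
                problems.append(f"session {s.number}: ACL-filtered monitor is only emitted in port context")
        need = worst_case_mbps(s)
        if need > s.dest_speed_mbps:
            problems.append(f"session {s.number}: oversubscribed, worst case {need} Mbps into a "
                            f"{s.dest_speed_mbps} Mbps exit port")
    return problems


def render(session: Session) -> str:
    """Emit the CLI lines in the syntax used in this thread."""
    lines = [f'mirror {session.number} name "{session.name}" port {session.dest_port}']
    for src in session.sources:
        lines.append(f"interface {src.name}" if src.kind == "port" else f"vlan {src.name}")
        if src.acl is not None:
            lines.append(f"   monitor ip access-group {src.acl} in mirror {session.number}")
        else:
            lines.append(f"   monitor all {src.direction} mirror {session.number}")
        lines.append("   exit")
    return "\n".join(lines)


def example_design() -> Session:
    """Constructed design: two client VLANs plus an ACL-filtered 10G uplink into a 1G IPS."""
    return Session(
        number=1, name="IPS", dest_port="A24", dest_speed_mbps=1000,
        sources=[
            Source("vlan", "100", "both", 1000),
            Source("vlan", "200", "both", 1000),
            Source("port", "A1", "in", 10000, acl="IPS-HOSTS"),
        ],
    )


if __name__ == "__main__":
    design = example_design()
    for problem in validate([design]):
        print("WARN:", problem)
    print(render(design))
```

Running it prints one warning for the constructed design (14000 Mbps worst case into a 1000 Mbps exit port) before the config, which is exactly the 10G-trunk-into-1G-IPS situation raised above; tighten the ACL or drop the `both` sources until the bound fits, then paste the rendered lines.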

Occasional Contributor II

Re: Port Mirroring Limit on 5412R and 3810M

I understand what you are saying, thanks for the information.

 

But it would be much more convenient, let's say, to have the option to supply more than one static VLAN as the source to be mirrored.

 

I have about 30 client VLANs, and would like to verify traffic going between any one VLAN.

 

Would I have to input multiple trunk source interfaces as the source?

 

What would be the effect on the core switch if I monitor this as a source? Any idea what kind of CPU/memory this would cost?

 

The client traffic output wouldn't be that much, of course; I'm just worried that I am copying source server and other heavy traffic as well, which the switch has to process via the ACL.
