
PORT MIRRORING & PORT MONITORING
WHAT IS PORT MONITORING?

An essential tool of the network engineer is a network packet capture device.
The monitored file can be viewed with software such as Wireshark or Ethereal.
The port monitoring feature allows you to examine packets to and from a
specific Ethernet port.
The port monitoring capture file is generated as a result of one of the following
scenarios:
o User disables the port monitoring session
o User disables all the monitored ports of the monitoring session
o User deletes the monitoring session
o Monitoring timeout occurs
PORT MONITORING PROPERTIES
Captures data in Network General file format.
A file called pmonitor.enc is created in the /flash memory when you configure and
enable a port monitoring session.
One port is monitored at a time.
Not all packets can be captured (the estimated packet capture rate is around 500
packets/second).
Only the first 64 bytes of the traffic are captured in brief mode. If the monitoring
capture-type is set to full, the entire packet is captured (maximum file size is 16 MB).
Monitoring of logical ports (link aggregation) is not possible, but members of a logical port
may be monitored individually.
If both mirroring and monitoring are enabled, then a packet is either mirrored or monitored
(i.e., sent to the CPU), whichever comes first.
PORT MONITORING COMMAND

Disables, pauses, resumes, or deletes an existing port monitoring session:

port-monitoring port_monitor_sessionid {disable | pause | resume}

Configures a port monitoring session:

port-monitoring port_monitor_sessionid [no] source [chassis/]slot/port[-port2] [[chassis/]slot/port] [[chassis/]slot/port1][[-port2] ..] [{file filename [size filesize]}] [overwrite {on | off}] [inport | outport | bidirectional] [capture-type {brief|full}] [timeout seconds] [enable | disable]
PORT MONITORING PARAMETERS
(CLI input object: syntax type and range; default value)

sessionid: integer, 1 to 2147483647; default NA
source slot/port: chassis/slot/port, slot 1-8, port depends on module type (1-48); default NA
filename: string, up to 64 characters long; default /flash/pmonitor.enc
filesize: integer, 1 to 256; default 1
overwrite: text, off/on; default on
direction: text, inport/outport/bidirectional; default bidirectional
capture-type: text, brief/full; default brief
timeout: integer, 0 to 2147483647; default 0
monitor status: text, Enabled/Disabled; default Disabled


DISPLAYING PORT MONITORING STATUS AND DATA

The show port-monitoring file CLI command displays the first 170 captured packets in the
monitoring file.
PORT MIRRORING

Port mirroring copies packets entering or exiting a port or entering a VLAN and sends
the copies to a local interface for local monitoring or to a VLAN for remote monitoring.
Use port mirroring to send traffic to applications that analyze traffic for purposes
such as monitoring compliance, enforcing policies, detecting intrusions, monitoring and
predicting traffic patterns, correlating events, and so on.
HOW DOES PORT MIRRORING WORK?

When a frame is received on a mirrored port, it is copied and sent to the mirroring
port. The received frame is actually transmitted twice across the switch backplane:
once for normal bridging and then again to the mirroring port.
When a frame is transmitted by the mirrored port, a copy of the frame is made, tagged
with the mirroring port as the destination, and sent back over the switch backplane to
the mirroring port. The diagram below illustrates the data flow between the mirrored
and mirroring ports.
RESTRICTIONS
The maximum number of sessions that can be configured depends on the availability
of hardware resources.
Port mirroring and port monitoring configuration cannot exist on the same port.
A user cannot add or remove source or destination mirroring/monitoring ports in a
mirroring/monitoring session that is in the enabled state.
A user cannot remove all destination mirroring ports from an existing mirroring session;
a minimum of one (1) destination mirroring port must exist in a session. A destination
mirroring port cannot be a tagged/untagged member of a VLAN that has the same VLAN ID
as the RPMIR VLAN.
Unblocked VLAN and RPMIR configuration cannot co-exist in the same port mirroring
session.
If the mirrored port has a higher speed than the mirroring port, data loss is expected
on the mirrored traffic. A mirroring port with speed capacity equal to or greater than
that of the mirrored port is recommended to avoid data loss.
Unblocking Ports (Protection from Spanning Tree)

Spanning tree is disabled by default on an MTP port. When an unblocked VLAN is
configured, the VLAN ID specified is assigned to the MTP port as the default VLAN,
which allows inbound traffic and handles traffic for that VLAN ID. Spanning tree
remains disabled.
All ingress traffic into a destination mirroring port is dropped if that port is the
destination mirroring port of a session that has no RPMIR or unblocked VLAN
configuration.
All tagged traffic ingressing into the destination mirroring port is dropped if that
port is the destination mirroring port of a session with an unblocked VLAN
configuration.
MANY TO MANY PORT MIRRORING
(Diagrams: many-to-one, one-to-many, and many-to-many mirroring topologies)


REMOTE PORT MIRRORING (RPMIR)

Remote Port Mirroring expands the port mirroring functionality by allowing mirrored
traffic to be carried over the network to a remote switch.
The traffic for this mirroring session is carried across these switches through the
user-specified RPMIR VLAN, which is dedicated to the mirroring traffic and configured
across all these switches.
The mirroring traffic from the source ports is tagged onto the RPMIR VLAN through the
mirror-to-port (MTP) in the source switch and then forwarded over the intermediate
switch ports that carry the RPMIR VLAN to the destination switch.
(Diagram: mirrored ports on Source Switch A send untagged mirrored packets to the
local MTP; tagged mirrored packets cross Intermediate Switch B to the remote MTP on
Destination Switch C.)
REMOTE PORT MIRRORING (RPMIR)
Since Remote Port Mirroring requires traffic to be carried over the network, the following
exceptions to regular port mirroring exist:

Spanning Tree must be disabled for the Remote Port Mirroring VLAN on all switches.
There must not be any physical loop present in the Remote Port Mirroring VLAN.
The VLAN ID used for RPMIR cannot be assigned to the MTP port.
The VLAN ID used for RPMIR cannot be assigned to the unblocked VLAN.
On the intermediate and destination switches, source learning must be disabled or overridden
on the ports belonging to the Remote Port Mirroring VLAN.

The following types of traffic are not mirrored:

Link Aggregation Control Packets (LACP)
802.1AB (LLDP)
802.1x port authentication
802.3ag (OAM)
Layer 3 control packets
Generic Attribute Registration Protocol (GARP)
BPDUs are not mirrored on OS10K switches.
PORT MIRRORING COMMAND

port-mirroring port_mirror_sessionid source {chassis/slot/port[-port2] [chassis/slot/port[-port2]...] destination chassis/slot/port [rpmir-vlan vlan_id] [bidirectional | inport | outport] [unblocked vlan_id] [enable | disable]

port-mirroring port_mirror_sessionid no source [chassis/slot/port[-port2] [chassis/slot/port[-port2]...]
PORT MIRRORING PARAMETER VALUES
(CLI input object: syntax type and range; default value. Description.)

sessionid: integer, 1 to 2147483647; default NA. Configures the port mirroring session id.
source slot/port(s): chassis/slot/port, slot 1-16, port depends on module type (2-24); default NA. Configures the interface index (ifIndex) of the mirrored port.
destination slot/port(s): chassis/slot/port, slot 1-16, port depends on module type (2-24); default NA. Configures the interface index (ifIndex) of the destination mirroring port.
direction: text, inport/outport/bidirectional; default bidirectional. Configures the direction of traffic to mirror.
rpmir-vlan: integer, 2-4093; default NA. Configures the remote port mirroring VLAN ID for the session.
unblocked VLAN ID: integer, 1-4093; default NA. Configures the unblocked VLAN for the mirroring session.
mirroring status: text, Enabled/Disabled; default Disabled. Configures the enable/disable status of the session and/or mirrored port and/or mirroring port.
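The restrictions, RPMIR exceptions, unblocking rules and parameter ranges listed above, checked in code. This is an added example, not part of the original deck or any switch software; the Port and MirrorSession classes, their field names and the sample values in the comments are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Port:
    name: str                                      # slot/port label, e.g. "1/1" (assumed)
    speed_mbps: int                                # link speed, used for the data-loss warning
    vlans: Set[int] = field(default_factory=set)   # tagged/untagged VLAN memberships
    monitored: bool = False                        # already used by a port-monitoring session

@dataclass
class MirrorSession:
    session_id: int
    sources: List[Port]
    destinations: List[Port]
    rpmir_vlan: Optional[int] = None               # set for remote port mirroring
    unblocked_vlan: Optional[int] = None           # set when an unblocked VLAN is assigned to the MTP

def check_session(s: MirrorSession) -> List[str]:
    """Return the restrictions the session violates (an empty list means acceptable)."""
    problems = []
    if not 1 <= s.session_id <= 2147483647:
        problems.append("session id must be 1 to 2147483647")
    if not s.destinations:
        problems.append("at least one destination mirroring port is required")
    if s.rpmir_vlan is not None and not 2 <= s.rpmir_vlan <= 4093:
        problems.append("rpmir-vlan must be 2-4093")
    if s.unblocked_vlan is not None and not 1 <= s.unblocked_vlan <= 4093:
        problems.append("unblocked VLAN must be 1-4093")
    if s.rpmir_vlan is not None and s.unblocked_vlan is not None:
        problems.append("unblocked VLAN and RPMIR cannot co-exist in one session")
    for p in s.sources + s.destinations:
        if p.monitored:
            problems.append(f"{p.name}: mirroring and monitoring cannot share a port")
    for d in s.destinations:
        if s.rpmir_vlan is not None and s.rpmir_vlan in d.vlans:
            problems.append(f"{d.name}: destination port is a member of the RPMIR VLAN")
        for src in s.sources:
            if src.speed_mbps > d.speed_mbps:
                problems.append(f"{src.name} -> {d.name}: mirrored port is faster, expect data loss")
    return problems

def mtp_ingress_dropped(s: MirrorSession, frame_tagged: bool) -> bool:
    """Apply the unblocking rules to a frame entering the destination (MTP) port."""
    if s.rpmir_vlan is None and s.unblocked_vlan is None:
        return True      # no RPMIR and no unblocked VLAN: all ingress is dropped
    if s.unblocked_vlan is not None and frame_tagged:
        return True      # unblocked VLAN set: tagged ingress is dropped
    return False
```

The data-loss entry is a warning rather than a hard restriction, so a caller may treat it separately from the others.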
CONFIGURING REMOTE PORT MIRRORING

Configuring Source Switch

Follow the steps given below to configure the Source Switch:
-> port-mirroring 8 source 1/1
-> port-mirroring 8 destination 1/2 rpmir-vlan 1000

Configuring Intermediate Switch

Follow the steps given below to configure all the Intermediate Switches:
-> vlan 1000
-> spantree vlan 1000 admin-state disable
-> vlan 1000 members port 2/1-2 tagged
Enter the following QoS commands to override source learning:
-> policy condition c_is1 source vlan 1000
-> mac-learning vlan 1000 disable
-> policy rule r_is1 condition c_is1 action a_is1
-> qos apply

Configuring Destination Switch

Follow the steps given below to configure the Destination Switch:
-> vlan 1000
-> spantree vlan 1000 admin-state disable
-> vlan 1000 members port 3/1-2 tagged
Enter the following QoS commands to override source learning:
-> policy condition c_ds1 source vlan 1000
-> mac-learning vlan 1000 disable
-> policy rule r_ds1 condition c_ds1 action a_ds1
-> qos apply
