19.1.4 Notes on using port mirroring
(1) Coexistence with other functions
- When the following functions are used together, the packets in question are sent by software, so they are not mirrored:
  - All DHCP packets sent by the Switch when DHCP snooping is enabled
  - All ARP packets sent by the Switch when dynamic ARP checking is enabled
- When using policy-based mirroring together, note the following:
  - The monitor session number used for policy-based mirroring cannot be used.
  - Transmit frames cannot be mirrored.
  - A port used as a mirror port in policy-based mirroring cannot be configured as a mirror port.
(2) Notes on mirroring transmit frames
- The order of frames sent from the mirror port may differ from the order in which they are sent from the monitor port.
- When multiple monitor ports are set for one monitor session, a frame flooded to several of those monitor ports is mirrored only once.
- When an IP multicast forwarding frame is transmitted on the monitor port, the frame sent from the mirror port is a Tagged frame carrying the VLAN ID of the VLAN on which the frame was received. The Ethernet headers other than the VLAN Tag are also those of the frame as it was received.
- Some frames are mirrored even if the monitor port cannot communicate because of one of the following conditions:
  - Blocking, Discarding, Listening, or Learning status caused by the Spanning Tree Protocols
  - Blocking status caused by GSRP
  - Blocking status caused by the Ring Protocol
  - Standby port for uplink redundancy
  - Not authorized by IEEE 802.1X
  The following frames are mirrored under these conditions:
  - Flooded frames
  - Frames that match entries in the MAC address table while the table is being cleared to stop transmission from a monitor port in one of the above states
- When a VXLAN Access port is specified as a monitor port and frames received on that port are flooded, those frames are mirrored. If the VNI mapping method is used in the subinterface mapping for that VXLAN Access port and an Untagged frame that is to be flooded is received, the mirrored frame is a Tagged frame with VLAN ID 4095. [SL-L3A]
- If the Switch uses the IP multicast routing functionality and the IGMP/MLD snooping functionality at the same time, a port on which IP multicast is enabled is specified as a monitor port, and an IP multicast packet matching a registered negative cache entry or forwarding entry is received on that monitor port, that IP multicast packet is mirrored.
(3) Notes on using the port mirroring 802.1Q Tag facility
- Because of the added VLAN Tag, the receiving device must be able to handle frames that are 4 bytes larger than normal. In particular, when mirroring Tagged frames and transmit frames, the mirrored frame carries two VLAN Tags, so the receiving device must be able to handle frames that are 8 bytes larger than normal.
- Connect a trunk port to the port that you want to configure as a mirror port.
- Mirrored frames are sent regardless of the link aggregation configured on the same port as the mirror port or the communication status of the Layer 2 Switch functionality.
- If a unicast frame received at the monitor port is addressed to the relay device, the relay device receives the mirrored frame, whose destination MAC address is its own, as a frame addressed to itself. Therefore, Layer 2 forwarding based on the attached VLAN Tag cannot be performed. To perform Layer 2 forwarding on the relay device, set a MAC address for each VLAN for the VLAN to which the frames to be monitored are forwarded.
Figure 19-3: Mirroring of frames addressed to the relay device
- A unicast frame addressed to Switch B is received at the monitor port of Switch A.
- The VLAN of the frame received on the monitor port is the same as the VLAN of the MAC address used by the 802.1Q Tag grant function.
- The mirrored frame is received by Switch B as a frame addressed to itself. Because Layer 2 forwarding is not performed for self-addressed frames, the frame cannot be transferred to the analyzer.
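As an added example that is not part of this manual, the following Python parser shows what an analyzer attached to the mirror port has to do with frames produced by the 802.1Q Tag facility in (3): peel off the stacked VLAN Tags (the outer one added by mirroring, any inner one carried by the original frame), account for the 4- or 8-byte size increase, and flag the reserved VLAN ID 4095 described in (2). The MAC addresses and sample frames are constructed here, and no FCS is included.

```python
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED_NO_FCS = 1514   # classic Ethernet maximum without FCS and without any VLAN Tag
VID_RESERVED = 0x0FFF        # VLAN ID 4095: the manual's VXLAN Access untagged-flood case

def parse_mirrored_frame(frame: bytes) -> dict:
    """Strip stacked 802.1Q tags from a frame received on a mirror port."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break                                   # first non-TPID value is the payload EtherType
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "mirror_vid": tags[0]["vid"] if tags else None,   # tag added by the mirror port (outer)
        "original_tags": [t["vid"] for t in tags[1:]],    # tags the monitored frame carried
        "ethertype": ethertype,
        "tag_overhead": 4 * len(tags),                    # 4 bytes per tag, 8 when double-tagged
        "exceeds_untagged_max": len(frame) > MAX_UNTAGGED_NO_FCS,
        "reserved_vid": any(t["vid"] == VID_RESERVED for t in tags),
    }

def build_frame(vids, payload_len, ethertype=0x0800) -> bytes:
    """Construct a test frame: constructed dst/src MACs, one 802.1Q tag per VID, EtherType, payload."""
    hdr = bytes.fromhex("00112233445566778899aabb")
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + bytes(payload_len)

if __name__ == "__main__":
    # A Tagged transmit frame (VID 200) mirrored with mirroring tag VID 100: 1500-byte payload
    # gives 1522 bytes on the wire before FCS, 8 bytes over the untagged maximum.
    print(parse_mirrored_frame(build_frame([100, 200], 1500)))
    # Untagged flood mirrored from a VXLAN Access port with VNI mapping: VID 4095.
    print(parse_mirrored_frame(build_frame([4095], 46)))
```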