Reset Search
 

 

Article

Remote Mirror via L2GRE Tunnel from 7100/S/K-Series to S/K-Series

« Go Back

Information

 
TitleRemote Mirror via L2GRE Tunnel from 7100/S/K-Series to S/K-Series
Objective
Configure a port mirror operation so that traffic may be captured on a 7100/S/K-Series and GRE-tunneled to an S-Series or K-Series elsewhere in the network.The 7100-Series can be used only to encapsulate traffic in GRE and not to decapsulate and therefore, can be used as a tunnel source but not destination.
  •  
Environment
  • 7100-Series, firmware 8.31.01.0006 and higher
  • S-Series, firmware 8.02.01.0012 and higher (may require S-EOS-S130 or S-EOS-S150 license)
    • K-Series, firmware 8.02.01.0012 and higher (requires K-EOS-L3 license)
Procedure
A remote port mirror can be used to take unicast, multicast, and broadcast traffic traversing a mirror source port on a 7100/S/K-Series switch, GRE-encapsulate it, and tunnel it across the network to an S/K-Series where it will be GRE-decapsulated.
To instead remote mirror to a third-party entity (such as Wireshark) capable of decapsulating GRE, see Remote Mirror via L2GRE Tunnel from 7100/S/K-Series to Third-party Device.

In this network configuration -
 

                        *Switch1*
                   loop.0.1 10.26.192.192 (Tunnel source)
 User A: 10.26.192.201---ge.1.5 (Mirror source)
 User B: 10.26.192.200---ge.1.3
                         ge.1.1 (Local mirror destination: unlinked port!)
                         ge.1.x
                            |
                         tun.0.1
                            |
       <any number of intermediate switches/routers>
                            |
                         tun.0.1
                            |
                         ge.1.4
                        *SwitchX*
                   loop.0.1 3.3.3.3 (Tunnel destination)
 User C: 10.26.192.210---ge.1.9 (Remote mirror destination)
         Wireshark

      - we use the following end stations:
  • 10.26.192.201 : User A end station is attached to Switch1 port ge.1.5 - the mirror source port - and used to respond to User B's ping traffic.
  • 10.26.192.200 : User B end station is attached to Switch1 port ge.1.3, and used to generate ping traffic to User A.
  • 10.26.192.210 : User C end station - with Wireshark running - is attached to SwitchX port ge.1.9.
To craft a remote mirroring operation that works cleanly, it is necessary to configure the upstream Switch1 which hosts the mirroring source data (steps 1-4), and configure the downstream SwitchX to terminate the tunnel (step 5).
  1. Create the port mirror.  
    
    SSA Switch1(rw)->set port mirroring create ge.1.5 ge.1.1 both
    SSA Switch1(rw)->show port mirror
    Port Mirroring
    ==============
     
     Source Port        = ge.1.5
     Target Port        = ge.1.1
     Frames Mirrored    = Rx and Tx
     Admin Status       = enabled
     Operational Status = enabled
     
    Mirror Outbound Rate Limited Frames : Disabled
    SSA Switch1(rw)->

    In this example a simple port mirror is used, but that need not be the case. Any type of supported mirror operation may be used to originate the traffic which is to be tunnelled to the remote destination device.

    Here, mirror destination port ge.1.1 has no physically attached ethernet user, but is to be configured as a loopback port (step 2 below) which will internally forward its received mirrored traffic into the L2 GRE Tunnel (step 3 below) for delivery to the remote destination device.
     Important Note!  If Using a Fiber Port (the dummy Port, where no cable is connected) for the Mirroring, make sure the GBIC is inserted.

     Important Note!: If this is a 10/100/1000 copper port, it will try to operate in default 10HD mode because it has no  peer device to negotiate
     a higher speed and duplex. For such ports, you must change from the default speed and duplex or the tunnel will not come up error-free:

     SSA Switch1(rw)->set port duplex ge.1.1 full
     SSA Switch1(rw)->set port speed ge.1.1 1000

 
  1. Configure Switch1's loopback address, primarily to act as a tunnel endpoint.
    GRE Traffic sourced here will be sent to a remote tunnel address for decapsulation.
     
    
    SSA Switch1(rw)->configure
    SSA Switch1(rw-config)->interface loop.0.1
    SSA Switch1(rw-config-intf-loop.0.1)->ip address 10.26.192.192 255.255.255.255 primary
    SSA Switch1(rw-config-intf-loop.0.1)->no shutdown
    SSA Switch1(rw-config-intf-loop.0.1)->exit
    SSA Switch1(rw-config)->exit
    SSA Switch1(rw)->
     
  2. Configure Switch1's tunnel. The mirrored L2 traffic will be encapsulated across this GRE link.  
    
    SSA Switch1(rw)->configure
    SSA Switch1(rw-config)->interface tun.0.1
    SSA Switch1(rw-config-intf-tun.0.1)->tunnel source 10.26.192.192
       [Tunnel source is the local loopback address.]
    SSA Switch1(rw-config-intf-tun.0.1)->tunnel mode gre l2 ge.1.1
       [Tunnel mode GRE L2 binds the tunnel source address to the local end point - here, the source port - of tunnel traffic.]
    SSA Switch1(rw-config-intf-tun.0.1)->tunnel mirror enable
       [Enable as a L2 GRE mirrored tunnel.]
    SSA Switch1(rw-config-intf-tun.0.1)->tunnel destination 3.3.3.3
       [Tunnel destination is the loopback address of another S/K-Series, somewhere downstream.]
    SSA Switch1(rw-config-intf-tun.0.1)->no shutdown
       [Activate the tunnel. Note: Use 'shut' and 'no shut' after any change to the tunnel config.]
    SSA Switch1(rw-config-intf-tun.0.1)->exit
    SSA Switch1(rw-config)->exit
    SSA Switch1(rw)->
     
  3. Add in a Static Route to SwitchX's loopback address.

    Although here the end points are all on one subnet, SwitchX's tunnel endpoint (identified per 'tunnel destination 3.3.3.3') is using a loopback address scheme that is outside of standard convention - so we need a static route to reach it. This set of commands is for the route from the origination end to the termination end of the tunnel. Here, IP 10.26.192.1 belongs to the existing default gateway router. If there are intermediate routers within the tunnel path (see the network diagram, above), they also would need equivalent route configuration.
     
    
    SSA Switch1(rw)->configure
    SSA Switch1(rw-config)->ip route 0.0.0.0/0 10.26.192.1 interface vlan.0.1 1
    SSA Switch1(rw-config)->ip route 3.3.3.3/32 10.26.192.140 interface vlan.0.1 1
    SSA Switch1(rw-config)->exit
    SSA Switch1(rw)->
     
Because here SwitchX will be terminating the tunnel and decapsulating the traffic to benefit the attached sniffer, it will need configs similar to those of Switch1. What it will not need is accommodation for a Mirror operation, any ports to be hard set  nor the tunnel mirror activate command.
Note: The configs of both SSAs could be made simpler by using conventional IP addressing for SwitchX's loopback interface. That is, the static route to SwitchX (step 4) could be omitted as well as the VLAN interface configuration of SwitchX (part of step 5). However, environments are not always simple so there is value in showing this alternate way of doing things.
 

SSA SwitchX(rw)->configure
SSA SwitchX(rw-config)->interface loop.0.1
SSA SwitchX(rw-config-intf-loop.0.1)->ip address 3.3.3.3 255.255.255.255 primary
SSA SwitchX(rw-config-intf-loop.0.1)->no shutdown
SSA SwitchX(rw-config-intf-loop.0.1)->exit
SSA SwitchX(rw-config)->interface vlan.0.1
SSA SwitchX(rw-config-intf-vlan.0.1)->ip address 10.26.192.140 255.255.255.0 primary
SSA SwitchX(rw-config-intf-vlan.0.1)->no shutdown
SSA SwitchX(rw-config-intf-vlan.0.1)->exit
SSA SwitchX(rw-config)->interface tun.0.1
SSA SwitchX(rw-config-intf-tun.0.1)->tunnel source 3.3.3.3
   [Tunnel source is the local loopback address.]
SSA SwitchX(rw-config-intf-tun.0.1)->tunnel mode gre l2 ge.1.9
   [Tunnel mode GRE L2 binds the tunnel source address to the local end point - here, the destination port - of tunnel traffic.]
SSA SwitchX(rw-config-intf-tun.0.1)->tunnel destination 10.26.192.192
   [Tunnel destination is the loopback address of the mirroring 7100/S/K-Series.]
SSA SwitchX(rw-config-intf-tun.0.1)->no shutdown
   [Activate the tunnel. Note: Use 'shut' and 'no shut' after any change to the tunnel config.]
SSA SwitchX(rw-config-intf-tun.0.1)->exit
SSA SwitchX(rw-config)->exit
SSA SwitchX(rw)->

For packets starting out at the ethernet-maximum size, GRE-encapsulation will cause them to be seen as oversized - and possibly dropped as a result. It is therefore also helpful to enable Jumbo support (12390) for ingress ports within the tunnel path, to allow for predictable forwarding of such frames:  

SSA SwitchX(rw)->configure
SSA SwitchX(rw-config)->set port jumbo enable ge.1.4
SSA SwitchX(rw-config)->exit
SSA SwitchX(rw)->
 
  1. Use the switch CLI to verify that the Switch1 loopback can ping the SwitchX loopback, and that the SwitchX loopback can respond.  
    
    SSA Switch1(rw)->ping 3.3.3.3

    The end station 10.26.192.210, attached to port ge.1.9 of SwitchX, now cannot be contacted inband. Similar to Switch1's port ge.1.1, SwitchX's port ge.1.9 is no longer able to send and receive normal traffic after having been referenced in the 'tunnel mode gre l2 <port#>' command. It will, however, be able to see all of the traffic mirrored by Switch1.
     
  2. Generate traffic to be mirrored then captured, by pinging from 10.26.192.200 (User B) to 10.26.192.201 (User A) on port ge.1.5 - the remote mirror source port.

    When viewing the Wireshark capture, the SIP/DIP breakout will show the ping source and ping destination IP addresses, and deeper in the packet shows the ICMP pings and replies between devices B and A. In this scenario the sniffer traffic is not encapsulated via GRE, which was stripped by SwitchX.
Additional notes
  • The 7100-Series uses tunnel Bridge ports such as tbp.0.1 and the S/K-Series use physical ports
  • The 7100-Series cannot decapsulate GRE and sso cannot be used as a tunnel destination
  • The 7100-Series encapsulates only IPv4

Note: If you are looking to do a remote VLAN mirror instead of a Port mirror, this configuration has been confirmed to also work:

Replace the above config:
set port mirroring create ge.1.5 ge.1.1

With:
set vlan interface 10 create (VLAN 10 here is mapped to virtual vtap.0.1 port)
set port mirroring create vtap.0.10 ge.1.1 rx

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255