A remote port mirror can be used to take unicast, multicast, and broadcast traffic traversing a mirror source port on a 7100/S/K-Series switch, GRE-encapsulate it, and tunnel it across the network to a third-party entity (such as Wireshark) capable of decapsulating GRE.
To instead remote mirror to a S-Series or K-Series, see Remote Mirror via L2GRE Tunnel from 7100/S/K-Series to 7100/S/K-Series
.In this network configuration -
loop.0.1 10.26.192.192 (Tunnel source)
User A: 10.26.192.201---ge.1.5 (Mirror source)
User B: 10.26.192.200---ge.1.3
ge.1.1 (Local mirror destination: unlinked port!)
<any number of intermediate switches/routers>
User C: 10.26.192.210---ge.1.z (Tunnel destination, Remote mirror destination)
- we use the following end stations:
To craft a remote mirroring operation that works cleanly, it is necessary to configure the upstream Switch1 which hosts the mirroring source data (steps 1-4), and configure the downstream Wireshark application to refine the scope of the displayed traffic data (step 5). In this scenario there is no official termination of the tunnel at the remote end. The encapsulated data is simply delivered on a best-effort basis.
- 10.26.192.201 : User A end station is attached to Switch1 port ge.1.5 - the mirror source port - and used to respond to User B's ping traffic.
- 10.26.192.200 : User B end station is attached to Switch1 port ge.1.3, and used to generate ping traffic to User A.
- 10.26.192.210 : User C end station - with Wireshark running - is attached to a SwitchX port that need not be identified.
Note: It is possible that downstream switches will encounter oversized packets that may as a result be dropped. Please review the Jumbo config at the end of step 5, in Remote Mirror via L2GRE Tunnel from 7100/S/K-Series to 7100/S/K-Series.
- Create the port mirror.
SSA Switch1(rw)->set port mirroring create ge.1.5 ge.1.1
SSA Switch1(rw)->show port mirror
Source Port = ge.1.5
Target Port = ge.1.1
Frames Mirrored = Rx and Tx
Admin Status = enabled
Operational Status = enabled
Mirror Outbound Rate Limited Frames : Disabled
In this example a simple port mirror is used, but that need not be the case. Any type of supported mirror operation may be used to originate the traffic which is to be tunnelled to the remote destination device.
The 7100-Series uses a Tunnel Bridge Port TBP and the S-Series and K-Series use a physical port for the destination port. The S-Series and K-Series mirror destination port ge.1.1 has no physically attached ethernet user, but is to be configured as a loopback port (step 2 below) which will internally forward its received mirrored traffic into the L2 GRE Tunnel (step 3 below) for delivery to the remote destination device.
Important Note!: If this is a 10/100/1000 copper port, it will try to operate in default 10HD mode because it has no attached peer device to negotiate a higher speed and duplex. For such ports, you must change from the default speed and duplex or the tunnel will not come up error-free:
SSA Switch1(rw)->set port duplex ge.1.1 full
SSA Switch1(rw)->set port speed ge.1.1 1000
Note: If a small form factor port is used, an SFP module must be populated in the card for L2-GRE to operate.. 2 Configure Switch1's loopback address, primarily to act as a tunnel endpoint.GRE Traffic sourced here will be sent to a remote tunnel address for decapsulation.
SSA Switch1(rw-config)->interface loop.0.1
SSA Switch1(rw-config-intf-loop.0.1)->ip address 10.26.192.192 255.255.255.255 primary
SSA Switch1(rw-config-intf-loop.0.1)->no shutdown
3 Configure Switch1's tunnel. The mirrored L2 traffic will be encapsulated across this GRE link.
SSA Switch1(rw-config)->interface tun.0.1
SSA Switch1(rw-config-intf-tun.0.1)->tunnel source 10.26.192.192
[Tunnel source is the local loopback address.]
SSA Switch1(rw-config-intf-tun.0.1)->tunnel mode gre l2 ge.1.1
[Tunnel mode GRE L2 binds the tunnel source address to the local end point - here, the source port - of tunnel traffic. If configuring a 7100-Series use a tunnel bridge port such as tbp.0.1]
SSA Switch1(rw-config-intf-tun.0.1)->tunnel mirror enable
[Enable as a L2 GRE mirrored tunnel.]
SSA Switch1(rw-config-intf-tun.0.1)->tunnel destination 10.26.192.210
[Tunnel destination is a laptop running Wireshark, somewhere downstream.]
SSA Switch1(rw-config-intf-tun.0.1)->no shutdown
[Activate the tunnel. Note: Use 'shut' and 'no shut' after any change to the tunnel config.]
4 Use the switch CLI to verify that the loopback can ping the tunnel destination 10.26.192.210 (User C), and that User C can respond.
SSA Switch1(rw)->ping 10.26.192.210
In this example, both ends of the tunnel are on the same IP subnet, but that need not always be the case. Do note that if tunnelling between IP subnets, available L3 routing information will be used to forward the traffic to the desired tunnel endpoint (here, 'tunnel destination 10.26.192.210'). In the absence of the necessary dynamic L3 routing information (and especially if using loopback addressing that is outside of conventional IP address schemes), it may be necessary to configure a static route to that device before the ping will work. 5 The destination end station's Wireshark application will receive not only the GRE-encapsulated traffic from the remote mirror operation but may also receive other broadcast/multicast/unicast network traffic by normal means. In order to focus Wireshark to only see the remotely mirrored GRE traffic, add this Wireshark display filter which includes only GRE traffic not sourced from itself:
gre and !ip.src==10.26.192.210
6 Generate traffic to be mirrored then captured, by pinging from 10.26.192.200 (User B) to 10.26.192.201 (User A) on port ge.1.5 - the remote mirror source port.
When viewing the Wireshark capture, the SIP/DIP breakout will show the tunnel source and tunnel destination IP addresses, and deeper in the packet shows the encapsulated ICMP pings and replies between devices B and A.