參考文件:AOS-CX 10.12 Monitoring Guide
剛好碰到客戶要做Mirror設定, 一般來說,Mirror的需求是用於分析網路流量,有時候是短暫的除錯,有時候是透過應用程式進行長期的流量分析。
Mirror會將流量複製一份到目的Interface上,爲了避免干擾,通常收集網路流量的設備會關掉該介面的IPv4。
使用限制
- CPU generated packets egressing on a routed L3 interface will not be mirrored to the destination port.
- Untagged egress packets that get mirrored will have the native VLAN tag in the mirrored packet. These extra bytes can cause traffic loss at the mirror destination when running line rate traffic.
- True egress mirroring is not supported on 832x platforms. Egress mirroring takes place at the ingress. The packets that may get dropped at the egress might also have been mirrored at ingress. Traffic will be mirrored even before the policy actions are processed at the egress.
- Packets mirrored to CPU from a Layer-3 Route Only Port (ROP) will have a VLAN tag with the VLAN ID set to the internal VLAN ID assigned to that port.
- 832x platforms have 4 mirror ASIC resources that can be used among the different mirror sessions. Each direction in a mirror session will consume 1 mirror ASIC resource. Hence, a user can have up to 4 unidirectional mirror sessions or 2 bi-directional mirror sessions active at any given time. If there are no mirror ASIC resources available when attempting to enable a mirror session, the ‘Operation Status’ field of show mirror command for session ID will have the status set to ‘platform_session_limit_reached.’
- The mirror destination port among the active mirror sessions must be unique. i.e. if an interface is configured as a source or destination in an active mirror session, the same port cannot be used as a destination in another active mirror session.
- The interface/LAG used to transmit ERSPAN packets cannot be a source in any mirror session.
- The interface/LAG used to transmit ERSPAN packets must be unique per ERSPAN mirror session. If a change in the L3 topology causes multiple ERSPAN mirror sessions to use the same egress interface/LAG to transmit the ERSPAN packets, then only one session will work. The other session(s) will go into an error state.
在實作中,我的環境使用了VSX,並且用8360作爲Mirror源,因爲8360可以支援Source VLAN 。
在兩台8360做VSX,正常ISL會打通VLAN,因此如果在兩台收集流量的話,基本上會得到一模一樣的流量。因此只需要一台做Mirror輸出即可。
Mirror Source是比較沒有問題的,Interface可以爲L3 Interface。
Mirror Destination若使用Interface的話,該Interface需要爲L2 Interface,意即「no routing」,如果爲L3 Interface,實測無法處理Mirror複製輸出。
重點整理
如果做VSX,只需要其中一台輸出即可。
Mirror Destination interface需要爲L2 Interface。
設定
建立基本Mirror的模板設定,使用一個未使用的VLAN做L2 Interface的Untag VLAN。
vlan 100
name mirror
exit
int 1/1/1
no routing
no shutdown
vlan access 100
exit
mirror session 1
comment port_mirror
destination interface 1/1/1
source interface 1/1/24 both
enable
exit檢查Mirror session 1狀態
show mirror 1清除Mirror Session 1計數
clear mirror 1更多指令請參考文件。