The Nortel Ethernet Routing Switch 8600 supports a port mirroring feature to analyze traffic ingressing/egressing a specific switch port. The ERS 8600 also supports remote port mirroring by moving mirrored traffic across a switch network to a remote switch port.
This allows you to deploy a centralized network analyzer or probe to capture packets for the entire Local Area Network (LAN). This is accomplished by encapsulating the mirrored packets in a remote mirroring encapsulation wrapper. The encapsulation frame is bridged through the network by a separate port-based VLAN to the remote mirroring termination port.
The following example is taken from the Nortel document “Using Diagnostic Tools”.
We’ll mirror port 1/15 on S1 to port 1/15 on S3 using the remote mirroring feature of the ERS 8600 Switch. As mentioned above, the packets to be mirrored will be encapsulated and put onto a specific port-based VLAN to be bridged across the network. In the following example we’ll create VLAN 99 for this purpose.
Configure S3:
ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/15, 2/8
ERS-8610:5# config ethernet 1/15 remote-mirroring create
ERS-8610:5# config ethernet 1/15 remote-mirroring add-vlan-id 99
ERS-8610:5# config ethernet 1/15 remote-mirroring mode termination
ERS-8610:5# config ethernet 1/15 remote-mirroring enable true
We’ll need to determine the MAC address of the switch port that will be connecting to the network analyzer (sniffer). We’ll need this information in order to configure the originating switch properly.
ERS-8610:5# config ethernet 1/15 remote-mirroring info
port 1/15
Enable = TRUE
Mode = termination
srcmac = 00:e0:7b:82:9c:0e
dstmac = 00:e0:7b:82:9d:9c
ether-type = 0x8103
vlan-id-list =10
We’ll need to record the “dstmac” MAC address above as we’ll need it when configuring the origin switch.
Configure S1:
ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/1
ERS-8610:5# config diag mirror-by-port 1 create in-port 1/15 out-port 1/1 mode both enable true remote-mirror-vlan-id 99
ERS-8610:5# config ethernet 1/1 remote-mirroring create
ERS-8610:5# config ethernet 1/1 remote-mirroring dstmac 00:e0:7b:82:9d:9c
ERS-8610:5# config ethernet 1/1 remote-mirroring enable true
Configure S2:
ERS-8610:5# config vlan 99 create byport 1
ERS-8610:5# config vlan 99 ports add 1/1,2/8
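The check below is an added example, not part of the original post or the Nortel document: it parses the S1, S2 and S3 commands above and reports mismatches between the origin and termination ends of the mirror path. The function names and the rules it applies (mirror VLAN present on every hop, out-port in that VLAN, origin dstmac equal to the termination port's dstmac) are assumptions drawn from this example, not Nortel tooling.

```python
import re

# Commands from the page's S1/S2/S3 listings, prompts stripped.
CONFIGS = {
    "S1": """config vlan 99 create byport 1
config vlan 99 ports add 1/1
config diag mirror-by-port 1 create in-port 1/15 out-port 1/1 mode both enable true remote-mirror-vlan-id 99
config ethernet 1/1 remote-mirroring create
config ethernet 1/1 remote-mirroring dstmac 00:e0:7b:82:9d:9c
config ethernet 1/1 remote-mirroring enable true""",
    "S2": """config vlan 99 create byport 1
config vlan 99 ports add 1/1,2/8""",
    "S3": """config vlan 99 create byport 1
config vlan 99 ports add 1/15, 2/8
config ethernet 1/15 remote-mirroring create
config ethernet 1/15 remote-mirroring add-vlan-id 99
config ethernet 1/15 remote-mirroring mode termination
config ethernet 1/15 remote-mirroring enable true""",
}
TERM_DSTMAC = "00:e0:7b:82:9d:9c"  # dstmac shown by "remote-mirroring info" on S3

def vlan_ports(cfg, vlan):
    """Ports added to a VLAN; None if the VLAN is never created."""
    if not re.search(rf"^config vlan {vlan} create\b", cfg, re.M):
        return None
    ports = set()
    for m in re.finditer(rf"^config vlan {vlan} ports add (.+)$", cfg, re.M):
        ports.update(p.strip() for p in m.group(1).split(","))
    return ports

def check_path(configs, origin, terminator, term_dstmac):
    """Return the mismatches that would keep mirrored frames from arriving."""
    src, problems = configs[origin], []
    mirror = re.search(r"out-port (\S+) .*remote-mirror-vlan-id (\d+)", src)
    if not mirror:
        return [f"{origin}: no mirror-by-port entry with remote-mirror-vlan-id"]
    out_port, vlan = mirror.groups()
    for name, cfg in configs.items():  # every hop must bridge the mirror VLAN
        if not vlan_ports(cfg, vlan):
            problems.append(f"{name}: VLAN {vlan} missing or has no ports")
    if out_port not in (vlan_ports(src, vlan) or set()):
        problems.append(f"{origin}: out-port {out_port} is not in VLAN {vlan}")
    mac = re.search(r"remote-mirroring dstmac (\S+)", src)
    if not mac or mac.group(1).lower() != term_dstmac.lower():
        problems.append(f"{origin}: dstmac does not match the termination port")
    if f"remote-mirroring add-vlan-id {vlan}" not in configs[terminator]:
        problems.append(f"{terminator}: termination port does not list VLAN {vlan}")
    return problems
```

Calling check_path(CONFIGS, "S1", "S3", TERM_DSTMAC) on the listings above returns an empty list; dropping VLAN 99 from S2 or entering the wrong dstmac on S1 produces one finding each.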
I’ve actually used this feature to mirror traffic from the ELAN interface on a Nortel Succession 1000M (Option 81C) from a closet ERS 8600 to a core ERS 8600 where I had a network analyzer set up to perform network traces.
I was and still am impressed with the feature.
Cheers!
David Runciman says
Hi, I have a question about port mirroring in Passport 8600 and I was wondering if you can help me.
I want to know how many port mirrors can be configured and what are the limitations.
Hope you answer me soon.
Keep up the good work in your blog.
Michael McNamara says
Hi David,
Thanks for the reply. I actually decided to make my response a separate post. You can find that post here; http://blog.michaelfmcnamara.com/2008/07/port-mirroring-with-ers-8600/.
The only issue that continually causes me grief is the legacy non-E cards since they don’t support egress port mirroring. Unfortunately we were fairly early adopters of the ERS 8600 product and we’ve got quite a few non-E cards in our environment.
Cheers!
Anish says
Is this possible in Nortel ERS 8300? Please help.
Michael McNamara says
Hi Anish,
Have you tried the commands above on an ERS 8300?
Good Luck!
Anish says
Hi Michael,
My box is still not installed. I am preparing the configuration document. If this is not working, I have to find some other solution. Installation of the ERS is planned for next week. I need this for integration with Websense V10000 Proxy Appliance.
Michael McNamara says
I don’t believe the ERS 8300 supports Remote Port Mirroring as the ERS 8600 does although I could be wrong. If you don’t have the hardware in front of you I would suggest you review the documentation for the ERS 8300.
Good Luck!
Anish says
Dear Michael,
It is not clear in the ERS 8300 documentation. Also I don’t find any specific documentation. Anyway I will try the commands on the ERS 8300 and will reply. But why did you specifically say “I don’t believe the ERS 8300 supports Remote Port Mirroring”?
Michael McNamara says
I could find no mention of remote port mirroring in any ERS 8300 documentation.
Ivannick says
Hi there,
I have a question concerning remote port mirroring.
The following situation:
Core switch 1 ————> access switch 2 ————> access switch 3
If I send traffic from access switch 2 to access switch 3, is it possible to capture that traffic on core switch 1 with remote port mirroring? Or do I have to set an extra core switch at access switch 2?
So is it generally possible to redirect outbound traffic from switch 2 to switch 1 if this traffic is destined for switch 3?
Thanks in advance!
Ivannick
Michael McNamara says
Hi Ivannick,
You need switches at both ends that support Remote Port Mirroring; the switches in the middle just forward the encapsulated frames between the two endpoints. In the past I’ve set up a remote port mirror from one ERS 8600 to another ERS 8600 with a third ERS 8600 in the middle that didn’t have any configuration other than bridging the VLAN between the two switches. You need switches that support Remote Port Mirroring so they can encapsulate the Ethernet frame and then de-encapsulate the Ethernet frame at the far end before it hits your sniffer or whatever device you are mirroring the packets to.
Good Luck!
Ivannick says
Hi Michael,
Thanks for your response. It is clear that I need switches that support remote mirroring. I have another question if u don’t mind. I read that local mirror captures IP packets and data packets. But remote mirroring only captures data packets. Is this true? What if I want to capture IP packets with remote mirroring? Can I enable both a local mirror port and a remote mirror port on the same switch? Or do I have to connect another switch to the switch I am monitoring on? Can u please advise me?
Thanks,
Ivannick
Michael McNamara says
Hi Ivannick,
It’s my understanding that all (valid) Ethernet frames should be mirrored regardless if they are an IP frame or an IPX/SPX frame or anything else.
Avaya has a technical configuration guide available here;
http://support.avaya.com/css/P8/documents/100123967
Good Luck!
Ivannick says
Hi Michael,
Regarding your post where you said that the middle switch between two other switches on which port mirroring is enabled: what if the middle switch is also connected to other devices? Can the middle switch pass its own data as well as the data coming from the source switch to the destination switch on which it is going to be monitored? Do I need to configure 2 port mirroring sessions on the destination switch? One for the middle switch and one for the source switch?
Thanks in advance!
Ramkumar says
Is ERSPAN supported in ERS 4000 and ERS 5000 switches? I have two ERS 5000 connected to a Cisco router. Can I span traffic on the ERS 5000 on one end to the ERS 5000 on the other end when a Cisco router is in between?
Michael McNamara says
I believe ERSPAN is supported on the latest software release for the ERS 5000, I’m not sure about the 4000 but it’s probably supported on the 4800. I would suggest you check the release notes to find the answer. I believe both Avaya (formerly Nortel) and Cisco support remote span/mirror ports by encapsulating the traffic in a proprietary L2 frame so unless you are bridging on that Cisco router I don’t believe it will traverse routed links.
Good Luck!
Ramkumar says
Thanks a ton Michael. One more question: do ERS 5000 switches support port mirroring based on VLAN?
Thanks in advance
Michael McNamara says
I believe they only support port based mirror ports.
Cheers!
Ramkumar says
Thanks
Ramkumar says
Hey Mich,
I found somewhere that ERSPAN (Encapsulated Remote SPAN), as the name says, brings generic routing encapsulation (GRE) for all captured traffic and allows it to be extended across Layer 3 domains.
Sheela says
Hey Mick,
You are doing a great job. I have a question.
Is VLAN-based port mirroring supported in ERS switches?