There was a recent comment asking for some additional information about the limitations of port mirroring on the Nortel Ethernet Routing Switch 8600. Once I started writing my reply I realized that it was probably big enough to stand as its own post.
I’ve taken the following definition straight from the “Network Design Guidelines (Part No. 313197-E Rev 00 June 2006)”:
Port mirroring is a diagnostic tool that can be used for troubleshooting and performing network traffic analysis. When using port mirroring, you have to specify a destination port to see mirrored traffic and specify the source ports from which traffic is mirrored. Unlike other methods used to analyze packet traffic, packets flow normally through the destination port and packet traffic is uninterrupted.
For those Cisco folks in the audience, port mirroring on a Cisco Systems switch is generally referred to as a Switched Port Analyzer (SPAN) port.
There actually are quite a few different limitations and restrictions depending on the type of hardware you have in the ERS 8010 chassis and the version of software the switch is running. I’m going to limit myself to local port mirroring for this discussion but you can refer to my previous post on remote port mirroring.
- Ingress mirroring only mirrors packets that have valid CRCs (a frame that fails the CRC check is dropped by the switch and never reaches the mirroring port, so corrupted frames are invisible to the sniffer)
- Ingress mirroring is supported on all modules/cards
- Egress mirroring is only supported on E or M modules/cards
Note: You can identify the type of modules/cards you have in your ERS 8600 with the “show sys info card” command from the CLI interface.
Legacy Modules (Non-E/E/M modules)
In software release 3.2.2 and later the following limitations apply:
- The number of port mirroring entries that you can configure is between 1 and 383 and you can enable all entries simultaneously.
- The number of mirroring ports plus the number of mirrored ports cannot exceed 384 (this is the maximum number of ports available in an ERS 8600 switch).
- You can only mirror ports supported by the same OctaPID (a group of eight 10/100 ports, or a single Gigabit port) to the same destination.
- You cannot mirror one port.
- You cannot mirror a port to multiple destinations.
- You can configure a maximum of 64 destination ports at one time.
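The restrictions above are easy to trip over when several mirrors are configured at once, so here is an added example (mine, not Nortel code or output) that checks a proposed set of mirror-by-port entries against them before you type them in. The OctaPID layout it uses is an assumption for illustration only: each group of eight consecutive ports on a 10/100 module is treated as one OctaPID and each port on a Gigabit module as its own; the slot-to-module table is likewise made up for the example. Use the real assignment table for your hardware before trusting the OctaPID check.

```python
"""Check a proposed set of ERS 8600 mirror-by-port entries against the
legacy-module restrictions listed in the post. Added example, not Nortel
code or output.

ASSUMPTION: the OctaPID layout below is a stand-in for illustration. It
treats each group of eight consecutive ports on a 10/100 module as one
OctaPID and each port on a Gigabit module as its own OctaPID. Use the real
assignment table for your hardware before trusting the OctaPID check.
"""
from collections import defaultdict

MAX_ENTRIES = 383       # entry IDs 1..383
MAX_PORTS = 384         # mirrored + mirroring ports may not exceed 384
MAX_DESTINATIONS = 64   # destination (mirroring) ports active at one time

# ASSUMED chassis layout for the example: slot -> ports per OctaPID.
# 8 for a 10/100 module such as the 8648TX, 1 for a Gigabit module.
MODULE_PORTS_PER_OCTAPID = {1: 8, 2: 8, 3: 1}


def parse_port(port: str) -> tuple[int, int]:
    """'2/48' -> (2, 48)."""
    slot, num = port.split("/")
    return int(slot), int(num)


def octapid(port: str, modules=MODULE_PORTS_PER_OCTAPID) -> tuple[int, int]:
    """Return (slot, OctaPID index) for a port under the assumed layout."""
    slot, num = parse_port(port)
    if slot not in modules:
        raise ValueError(f"no module layout known for slot {slot}")
    return slot, (num - 1) // modules[slot]


def validate(entries, modules=MODULE_PORTS_PER_OCTAPID) -> list[str]:
    """entries: list of (mirrored_port, mirroring_port) pairs.
    Returns the list of rule violations; an empty list means the set is
    allowed by the restrictions quoted above."""
    problems = []

    if not 1 <= len(entries) <= MAX_ENTRIES:
        problems.append(f"{len(entries)} entries; allowed range is 1..{MAX_ENTRIES}")

    involved = {port for pair in entries for port in pair}
    if len(involved) > MAX_PORTS:
        problems.append(f"{len(involved)} ports involved; maximum is {MAX_PORTS}")

    destinations = {dst for _, dst in entries}
    if len(destinations) > MAX_DESTINATIONS:
        problems.append(f"{len(destinations)} destination ports; maximum is {MAX_DESTINATIONS}")

    # A source port may feed only one destination.
    dests_by_src = defaultdict(set)
    for src, dst in entries:
        dests_by_src[src].add(dst)
    for src, dsts in sorted(dests_by_src.items()):
        if len(dsts) > 1:
            problems.append(f"port {src} is mirrored to multiple destinations: {sorted(dsts)}")

    # All sources sharing a destination must come from the same OctaPID.
    srcs_by_dst = defaultdict(list)
    for src, dst in entries:
        srcs_by_dst[dst].append(src)
    for dst, srcs in sorted(srcs_by_dst.items()):
        if len({octapid(s, modules) for s in srcs}) > 1:
            problems.append(f"destination {dst} takes sources from more than one OctaPID: {sorted(srcs)}")

    return problems


if __name__ == "__main__":
    # The entry from the post: 2/48 mirrored to 2/1 on an 8648TX in slot 2.
    print(validate([("2/48", "2/1")]))
    # Two sources from different OctaPIDs into the same destination.
    print(validate([("2/1", "2/48"), ("2/9", "2/48")]))
```

The checks are only as good as the OctaPID table you feed in, and the script knows nothing about which slots hold R modules (where the per-lane rule applies instead), so treat it as a pre-flight sanity check on the legacy-module rules rather than a replacement for reading the release notes for your software version.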
R Modules
On R modules you can configure one port mirroring entry for each lane on a module.
You can find a full list of OctaPID assignments at Nortel’s website.
Here are some examples. First, let’s see what type of 8648TX card we have in slot 2:
ERS-8600:5# show sys info card
Card Info :
...
Slot 2 :
    FrontType        : 48x100BaseTX-E
    FrontDescr       : TX48
    FrontAdminStatus : up
    FrontOperStatus  : up
    FrontSerialNum   : SSCHE40FQM
    FrontHwVersion   : 05
    FrontPartNumber  : 202572A31
    FrontDateCode    : 12212001
    FrontDeviations  :
    BackType         : BFM6
    BackDescr        : BFM6
    BackSerialNum    : SSCHG70ETO
    BackHwVersion    : 05
    BackPartNumber   : 209536A11
    BackDateCode     : 12212001
    BackDeviations   :
It’s an E module (FrontType 48x100BaseTX-E), so it supports both ingress and egress mirroring. Let’s mirror port 2/48 to port 2/1 and place a packet sniffer (a laptop running Wireshark) on port 2/1.
ERS-8600:5# config diag mirror-by-port 1
ERS-8600:5/config/diag/mirror-by-port/1# create in-port 2/48 out-port 2/1 mode both enable true
ERS-8600:5/config/diag/mirror-by-port/1# info
Sub-Context:
Current Context:
    create :
    enable : true
    mirrored-port : 2/48
    mirroring-port : 2/1
    mode : both
    delete : N/A
    remote-mirror-vlan-id : 0
ERS-8600:5/config/diag/mirror-by-port/1# box
ERS-8600:5# show diag mirror
================================================================================
                              Diag Mirror-By-Port
================================================================================
ID  MIRRORED_PORT  MIRRORING_PORT  ENABLE  MODE  REMOTE-MIRROR-VLAN-ID
1   2/48           2/1             true    both  0
I generally find it’s a good idea to remove the destination port (mirroring-port) from any VLANs. This prevents broadcast traffic from those VLANs from contaminating the packet trace, although you’ll still see STP BPDUs since the port still belongs to a Spanning Tree group.
Cheers!
Peter says
Thanks man!
saves me lots of time searching in the Nortel documentation.
Peter
Glen says
We’ve actually observed throughput issues with ports on Non-E and E modules with mirroring enabled, so the monitoring can come at an unexpected price if you’re caught unawares.
On a gig port, we observed 600-700Mbps sustained when we enabled mirroring on the port (testing throughput with some Fluke RFC 2544 testers). We didn’t observe the same issues with R modules, and most probably RS are OK too.
Be aware when enabling this on heavily-utilised links.
Michael McNamara says
Hi Glen,
Thanks for the input. There are also cases where the mirrored traffic will get modified from the original stream.
You might want to read this post, http://blog.michaelfmcnamara.com/2008/03/ethernet-frames-maligned/
It took me a long time to figure out that the problem wasn’t the network but the port mirroring facility in the ERS 8600.
Cheers!
Mary says
Hi all,
My post isn’t really linked with this article, but I was searching for some information about the R modules. I have the following problem and I’ve been searching for an explanation for quite a long time:
We have 2x 8010 with 1x 8683XLR card each. The IST link between the two 8010s (with VRRP configured) passes through the 8683XLR cards (2 fiber links). When we try to transfer a file between two PCs (different VLANs) connected such that the traffic has to go through the IST link, the transfer rate is very, very low (35 minutes for 100Mb). There are no routing issues because when we moved the IST to another card (8648TXE, 1Gb ports) we transferred the same file in less than 1 minute.
Again, even if the IST is on the 8683XLR cards and we are transferring the same file but between two PCs connected on the same VLAN, everything is OK (transfer time less than 1 minute). So we can exclude port or fiber problems.
The software version installed on the 8010 is 4.1.7.1.
I posted this message thinking that maybe someone has already encountered this type of problem.
Anyway, I think I will open a Nortel case and I’ll post a message with the solution provided.
Thanks.
Mary
Chris Parman says
Hi Mary,
I work for Nortel (in ER). If you can send me the case number you opened, then based on the data provided (e.g., show tech, config file, etc.) I can do a database search and see if there are any known issues with the fiber line card (8683XLR).
-Chris
Michael McNamara says
Hi Mary,
I would have guessed you had a duplex mismatch at the workstation and/or server, although it seems you’ve eliminated that scenario. While you’re not running the latest and greatest software (4.1.8.2), I don’t believe I remember reading any known issues that resemble the problem you’re describing. What you’re suggesting is that if you need to route between switches across a 10Gb port using the 8683XLR you have severe performance issues, although bridged traffic performs fine.
Very interesting to say the least. Have you rebooted your switches recently? I’ve noticed a few different problems that can occur over time and are resolved with a reboot of the switch. You might also want to upgrade to 4.1.8.2 before you get too far into troubleshooting; it might be your quick fix.
While I have 8683XLR cards in quite a few of my chassis, I’ve elected to keep the IST on two separate 1Gb ports (8630GBR cards) for redundancy.
I would suggest that you open a case and try to work the problem through Nortel support.
Good Luck!
Mary says
Hi Michael,
Thanks for your reply.
Yes, indeed, when traffic is bridged everything works fine, but when it has to be routed we have very low transfer rates.
I didn’t reboot the switches recently but we did change one of them and we still have the same issue. I opened a Nortel TAC case yesterday but I don’t have any feedback yet.
I’ll let you all know about the solution/explanation provided.
Mary
sofiane says
Hello,
I want to ask you the following
Equipment: ETHERNET ROUTING SWITCH 4550T-PWR WITH 4
Version:
FW: 5.1.0.7
SW: V5.1.2.005
The equipment has lost its configuration. Could you tell me if there is a bug related to the installed version?
best regards
sofiane hammiche
Michael McNamara says
Your question really doesn’t relate to port mirroring on the ERS 8600…
I have not heard of any software issues that might cause a “lost configuration” on the ERS 4500 series switches.
Cheers!
Mary says
Hi all,
Just to let you know that the problem I described some time ago (latencies on the 10GB cards, IST link, when traffic is routed) is not solved yet and Nortel TAC didn’t find the cause of the problem.
I’ll let you know if there will be something new.
Best regards,
Mary
Adrian Steele says
Hello,
I am trying to mirror a fibre port on an 8608GBE card using a Network General Sniffer. We can mirror RJ-45 ports with no problems, but when mirroring the port on the 8608GBE card you see no traffic apart from broadcasts if you have added the mirroring port to the chosen VLAN. Without adding it to the VLAN you see nothing at all. Is it possible to mirror with this card, and if it is, do you have any suggestions?
Thanks
Adie (Details of mirror are shown below. I have tried it with VLAN 6 and without VLAN6 with no difference)
Current Context:
create :
enable : true
mirrored-port : 10/1
mirroring-port : 10/4
mode : both
delete : N/A
remote-mirror-vlan-id : 6
================================================================================
Diag Mirror-By-Port
================================================================================
ID MIRRORED_PORT MIRRORING_PORT ENABLE MODE REMOTE-MIRROR-VLAN-ID
1 1/27 2/20 true both 0
2 3/47 2/20 true both 0
3 3/10 1/24 true both 0
4 1/34 1/24 false both 0
5 10/1 10/4 true both 6
Michael McNamara says
Hi Adrian,
You can certainly perform a port mirror on the 8608GBE cards.
I would suspect you have two problems: 1) you shouldn’t have “remote-mirror-vlan-id: 6”; I would delete the port mirror and re-create it leaving the remote-mirror-vlan option blank. 2) Is your sniffer able to receive 802.1Q tagged packets? Port 10/1 is most probably a tagged port (802.1Q) and your sniffer might be discarding the 802.1Q packets because it doesn’t understand the extended packets.
Have a look at the WireShark Wiki; http://wiki.wireshark.org/CaptureSetup/VLAN
Please let us know if you still have issues.
You might also want to visit the forums; http://forums.networkinfrastructure.info/nortel-ethernet-switching/ for additional help and information.
Good Luck!
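Two things come up repeatedly on this page: the post’s advice that a mirroring port pulled out of every VLAN still hands the sniffer STP BPDUs, and the reply above that a sniffer may silently discard 802.1Q tagged frames from a tagged source port. The following is an added example of mine, not code from the post or from Nortel, that parses raw Ethernet frames, exposes the 802.1Q tag and VLAN ID when present, and flags the BPDU and broadcast noise so it can be separated from the mirrored traffic. The sample frames, MAC addresses and payloads are constructed for the demonstration; BPDU detection relies on the standard 802.1D bridge group address and the LLC SAP 0x42 used by STP.

```python
"""Classify frames seen on an ERS 8600 mirroring (destination) port so the
STP BPDUs and VLAN broadcasts that still reach the sniffer can be separated
from the mirrored traffic, and so 802.1Q-tagged frames (and their VLAN IDs)
are visible rather than silently dropped. Added example, not from the post.
The sample frames below are constructed for the demonstration."""
import struct
from typing import Optional

BPDU_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
BROADCAST = b"\xff" * 6
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
STP_SAP = 0x42                             # LLC DSAP/SSAP used by STP


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble an Ethernet II (or 802.3 length) frame, optionally 802.1Q tagged."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)  # PCP/DEI zero
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode addresses, optional 802.1Q tag and payload; flag BPDUs and broadcasts."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan, tagged = 14, None, False
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, tagged, offset = tci & 0x0FFF, True, 18
    payload = frame[offset:]
    # An 802.3 frame carries a length (<= 1500) where Ethernet II carries a type;
    # STP BPDUs are 802.3 + LLC with SAP 0x42 sent to the bridge group address.
    is_bpdu = (dst == BPDU_DST and ethertype <= 1500
               and payload[:2] == bytes([STP_SAP, STP_SAP]))
    return {"dst": mac(dst), "src": mac(src), "tagged": tagged, "vlan": vlan,
            "ethertype": ethertype, "bpdu": is_bpdu,
            "broadcast": dst == BROADCAST, "payload": payload}


def summarize(frames) -> dict:
    """Counts of noise vs. tagged frames, plus every VLAN ID seen on the wire."""
    parsed = [parse_frame(f) for f in frames]
    return {
        "frames": len(parsed),
        "bpdu": sum(p["bpdu"] for p in parsed),
        "broadcast": sum(p["broadcast"] for p in parsed),
        "tagged": sum(p["tagged"] for p in parsed),
        "vlans": sorted({p["vlan"] for p in parsed if p["vlan"] is not None}),
    }


def mirrored_only(frames, drop_broadcasts: bool = True) -> list:
    """Drop what the destination port generates on its own: BPDUs from its STP
    group and, if asked, broadcasts from any VLAN it is still a member of."""
    return [p for p in map(parse_frame, frames)
            if not p["bpdu"] and not (drop_broadcasts and p["broadcast"])]


# Constructed sample capture (not real data): what a sniffer on the mirroring
# port might see when the port still belongs to an STP group and a VLAN.
SRC_SWITCH = bytes.fromhex("000181aabb01")
SRC_HOST = bytes.fromhex("000102030405")
DST_SERVER = bytes.fromhex("0011223344aa")
CONFIG_BPDU = bytes([STP_SAP, STP_SAP, 0x03]) + bytes(35)   # LLC + zeroed BPDU
FAKE_IPV4 = bytes.fromhex("4500001400010000401100000a0a0a010a0a0a02")
FAKE_ARP = bytes(28)

SAMPLES = [
    build_frame(BPDU_DST, SRC_SWITCH, len(CONFIG_BPDU), CONFIG_BPDU),       # STP BPDU
    build_frame(DST_SERVER, SRC_HOST, ETHERTYPE_IP, FAKE_IPV4, vlan=4094),  # tagged, odd VLAN
    build_frame(BROADCAST, SRC_HOST, ETHERTYPE_ARP, FAKE_ARP),              # VLAN broadcast
    build_frame(DST_SERVER, SRC_HOST, ETHERTYPE_IP, FAKE_IPV4),             # untagged mirrored
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
    for p in mirrored_only(SAMPLES):
        print(p["src"], "->", p["dst"], "vlan", p["vlan"], "type", hex(p["ethertype"]))
```

Only drop broadcasts when the mirroring port is still a VLAN member; once it has been removed from every VLAN, as the post recommends, any broadcast in the capture came from the mirrored port and belongs in the trace, so call mirrored_only with drop_broadcasts=False. The "vlans" list is the quick check for a tagged source: if it is non-empty and your analyzer is configured to strip or discard tags, you are looking at the wrong thing, not at a switch fault.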
Flett says
Nice one thanks Michael. Like someone said earlier it saved me a lot of digging.
Anish says
Hello Michael,
I am facing a very strange problem with a Nortel ERS 8300 switch. I am using this command to put one port (2/43) in monitoring mode to get the mirrored traffic from 2/46:
diag mirror-by-port 2 create in-port 2/46 out-port 2/43 mode both ( 2/46 is mirrored port and 2/43 is monitor port)
When I connect to 2/43 to take a tcpdump, I am getting VLAN ID 4094 in each packet. I found some articles describing it as being for security purposes. No device other than Nortel can manage this traffic. I am connecting this port to a Websense Network Agent device, so I have to strip off the VLAN tag from the mirrored traffic.
Help..
Thanks,
Anish
Michael McNamara says
Hi Anish,
Can you post the configuration for 2/46 and 2/43?
You should have both ports configured as “Access” with both ports in the same VLAN and PVID. You should not have “Perform-Tagging” enabled on either of them.
Good Luck!
Anish says
Hello Michael,
I have Cisco experience only and I have not put 2/43 (the monitor port) in any VLAN.
But I will put 2/43 in the same VLAN as 2/46 (the port in my firewall VLAN, 105). But again, do I need to use PVID? Please explain more.
Thanks,
Anish
Michael McNamara says
I would need to see your configuration to venture a guess. VLAN IDs up around 4094 are generally reserved for Brouter ports (similar to routed ports in Cisco terminology).
Good Luck!
Anish says
Here my config
2/46 Port is part of Firewall VLAN and SMLT 12
mlt 12 create
mlt 12 add ports 2/46
mlt 12 name “Firewall”
mlt 12 smlt create smlt-id 12
VLAN and VRRP Configuration – Port 2/46 and 2/43 is part of VLAN 105
vlan 105 create byport 1 name “FIREWALL” color 1
vlan 105 add-mlt 1
vlan 105 add-mlt 12
vlan 105 ports remove 1/1-1/46,2/1-2/4,2/6-2/42,2/44-2/45,2/47-2/48,5/1-5/8 member portmember
vlan 105 ports add 1/47-1/48,2/5,2/43,2/46 member portmember
vlan 105 ip create 192.168.105.5/255.255.255.0
vlan 105 ip vrrp 105 address 192.168.105.4
vlan 105 ip vrrp 105 backup-master enable
vlan 105 ip vrrp 105 priority 101
vlan 105 ip vrrp 105 enable
Status of STP
ethernet 2/43 stg 1 stp disable
ethernet 2/46 name “Firewall”
ethernet 2/46 stg 1 stp disable
Mirroring configuration
diag mirror-by-port 2 create in-port 2/46 out-port 2/43 mode both
Mirror info
DI-CORE1:5/config/diag/mirror-by-port/2# info
Sub-Context:
Current Context:
create :
enable : true
mirrored-port : 2/46
mirroring-port : 2/43
mode : both
delete : N/A
Michael, no, I observed something different. When I am sending a packet to the Internet through 2/46 (where my firewall is connected) the VLAN ID is 4094 in the mirrored traffic obtained from 2/43. But when the return packet from the Internet to 192.168.21.199, VLAN 21 (a user VLAN), is mirrored to 2/43 I can see the VLAN ID is 21.
Michael McNamara says
I’m confused with your configuration… why is there any reference to an SMLT configuration on port 2/46? Do you have an SMLT configuration to your firewall?
I was looking to see if you have the port configured as “Access” or “Trunk” (perform-tagging enable) and what the PVID of the port was.
Cheers!
Anish says
The SMLT configuration was there to connect these ports to another ERS 2526 before connecting to the firewall. But I removed it when I connected two Juniper NSRP firewalls to each port of the Nortel 2/46 port.
My 2/46 and 2/43 are part of one VLAN only (access ports); even then the problem was there.
At last I got the solution.
My switch module in slot 2 is adding the VLAN ID of the source address of the packet to each mirrored frame. If the packet is destined to the Internet, there is no VLAN for the destination address and it adds VLAN ID 4094.
Now I changed the monitor port to 5/2 (the second port of my SF) and now the feature of adding the VLAN ID is not there. This completely solved the problem. Looks strange, right? But I found this is an undocumented feature of the ERS 8300.
NB: I was registering an account for your forum and it is still not approved from your side. Please make it fast. id: techsource
Thanks,
Anish
Aaron says
Hello Michael,
Model: Nortel ERS 8010
Code: 4.1.3
Q1: Was wondering if the commands are the same for port mirroring on my 8010 w/ 4.1.3 code that my site is running? I have been asked to deploy a Packeteer to capture some statistics from a server interface.
Packeteer INSIDE port for management. Nortel side: port 1/3
Packeteer OUTSIDE port for monitoring. Nortel side port 1/4
Server interface : Nortel side port 1/5
%%%% commands %%%%%
ERS-8600:5# config diag mirror-by-port 1
ERS-8600:5/config/diag/mirror-by-port/1# create in-port 1/5 out-port 1/4 mode both enable true
You also stated that best practice is to remove ALL VLANs from the (out/mirroring port)?
Q2: how do i undo the mirroring configuration after I am done? A simple “NO” in front of the command?
Thank you in advance
Anish says
Hi Aaron,
I was using an 8306. On that I had a bad experience when configuring mirroring. Even though there was no VLAN configured on the out port, VLAN ID 4094 appeared in each packet. I think it was a bug in the 8300 and won’t be appearing on the 8600.
I have the mirroring configuration for the 8300, but it won’t be the same as the 8600. If you need any help, post it.
-Anish Peter
Aaron says
Anish,
thank you so much for your insight.
I was able to deploy the Packeteer today within my Nortel platform without incident.
Have a wonderful weekend.
medo says
I have Cisco IP phones connected to a Cisco 2960 switch.
These Cisco 2960 switches are connected by a fiber trunk to a Nortel 8300 core supervisor module.
We need to record voice calls from the Cisco IP phones to a recording server on the 8300.
I made a port mirror for the trunk port on the 8300 to an RJ-45 mirroring port,
but it does not work.
Please advise me.
BobT says
I am trying to mirror one port to multiple destination ports. We have multiple monitoring solutions with different functions on our network. All examples I have found online show one to one configurations. How do I create a 1 to many port mirror and for future reference how do I create a many to 1 mirror?
Cards I’m using are 8648GTR and 8630GBR. The software is 4.1.8.5
Thanks for any help you can give me.
Michael McNamara says
There are some limitations around the hardware being used. Have you tried creating multiple port mirrors with the same source port?
Aaron says
Greetings Michael,
my question to you is this….
I was previously able to configure our ERS 8300 for port mirroring (mirror-by-port).
But i am now being asked to monitor not just a port but an entire VLAN.
Can you provide an example of what those config lines would look like?
Thank you so much, greatly appreciated.
Michael McNamara says
Hi Aaron,
I don’t believe the feature is available on the ERS 8300 switch. I believe it is available on the VSP 9000.
Sorry.
Aaron says
Thank you Michael.
Would you happen to know if the Nortel ERS 8600 line doesn’t support the VLAN mirroring either?
Thank you in advance
Michael McNamara says
Hi Aaron,
I believe the newer software (v7.x) supports VLAN mirroring.
Good Luck!
Andrew says
is remote port mirroring (RSPAN) supported on Avaya 4500 switches?
Michael McNamara says
Hi Andrew,
I don’t believe remote port mirroring is supported on anything but the ERS 8600/8800 platform.
http://blog.michaelfmcnamara.com/2007/12/remote-port-mirroring/
Sorry.