Mirroring Multiple VLANs on ERS 8600

      This lab is designed to verify the LANE-related restriction on mirroring with R modules. On ERS8600 firmware versions up to 4.1, there are restrictions on mirroring with R modules because of the number of LANEs. The table below, taken from a Nortel document, shows the port-mirroring limitation of an R module. Indeed, we could not create more VLAN mirrors than the number of LANEs on an ERS8600 running software 4.0 or 4.1, but this changed when software 5.0 was released.

[Image: Nortel table of port-mirroring limitations per R module]

      The topology of this lab is shown below. It tests mirroring of multiple VLANs on an ERS8600, including traffic arriving on an 802.1Q tagged port connected to an ERS5500 (L2 only).

[Diagram: lab topology]

      I use an 8648GTR inserted in slot 3. As noted, an 8648GTR has only two LANEs, so it cannot mirror more than two ports or VLANs when running version 4.0 or 4.1. I therefore create four VLANs and assign port members across both LANEs of the 8648GTR. The ERS5500 also has four VLANs and connects to the ERS8600 over an 802.1Q tagged link. The clients connected to the ERS5500 serve as a comparison with those on the ERS8600.

      Configurations of ERS8600:

  • VLAN Configuration: 
vlan 1 ports remove 3/13-3/48 member portmember
vlan 1 ip create 10.1.1.254/255.0.0.0 mac_offset 0
vlan 2 create byport 1 color 1
vlan 2 ports remove 1/1-1/48,2/1-2/30,3/2-3/12,3/25-3/48 member portmember
vlan 2 ports add 3/1,3/13-3/24 member portmember
vlan 2 ip create 20.1.1.254/255.0.0.0 mac_offset 1
vlan 3 create byport 1 color 2
vlan 3 ports remove 1/1-1/48,2/1-2/30,3/2-3/24,3/37-3/48 member portmember
vlan 3 ports add 3/1,3/25-3/36 member portmember
vlan 3 ip create 30.1.1.254/255.0.0.0 mac_offset 2
vlan 4 create byport 1 color 3
vlan 4 ports remove 1/1-1/48,2/1-2/30,3/2-3/36 member portmember
vlan 4 ports add 3/1,3/37-3/48 member portmember
vlan 4 ip create 40.1.1.254/255.0.0.0 mac_offset 3
  • ACL Configuration: Set up ACLs to mirror any TCP packets with destination port 80
filter act 1 ip srcIp,dstIp
filter act 1 protocol tcpDstPort
filter act 1 apply
filter acl 1 create inVlan act 1 name "vlan1_mirror"
filter acl 1 vlan add 1
filter acl 1 ace 1 create name "mirror_80"
filter acl 1 ace 1 action permit
filter acl 1 ace 1 debug  mirror enable mirroring-dst-ports 3/47
filter acl 1 ace 1 protocol tcp-dst-port eq 80
filter acl 1 ace 1 enable
filter acl 2 create inVlan act 1 name "vlan2_mirror"
filter acl 2 vlan add 2
filter acl 2 ace 1 create name "mirror_80"
filter acl 2 ace 1 action permit
filter acl 2 ace 1 debug  mirror enable mirroring-dst-ports 3/47
filter acl 2 ace 1 protocol tcp-dst-port eq 80
filter acl 2 ace 1 enable
filter acl 3 create inVlan act 1 name "vlan3_mirror"
filter acl 3 vlan add 3
filter acl 3 ace 1 create
filter acl 3 ace 1 action permit
filter acl 3 ace 1 debug  mirror enable mirroring-dst-ports 3/47
filter acl 3 ace 1 protocol tcp-dst-port eq 80
filter acl 3 ace 1 enable
filter acl 4 create inVlan act 1 name "vlan4_mirror"
filter acl 4 vlan add 4
filter acl 4 ace 1 create name "mirror_80"
filter acl 4 ace 1 action permit
filter acl 4 ace 1 debug  mirror enable mirroring-dst-ports 3/47
filter acl 4 ace 1 protocol tcp-dst-port eq 80
filter acl 4 ace 1 enable

      Configuration of ERS5500:

  • VLAN Configuration:

5510-24T(config)#show vlan                 
Id  Name                 Type     Protocol         User PID Active IVL/SVL Mgmt
--- -------------------- -------- ---------------- -------- ------ ------- ----
1   VLAN #1              Port     None             0x0000   Yes    IVL     Yes
        Port Members: 1-6,23-24
2   VLAN #2              Port     None             0x0000   Yes    IVL     No
        Port Members: 7-10,23
3   VLAN #3              Port     None             0x0000   Yes    IVL     No
        Port Members: 11-16,23
4   VLAN #4              Port     None             0x0000   Yes    IVL     No
        Port Members: 17-23
Total VLANs: 4

       With these configurations, the ERS8600 mirrors any ingress TCP packet with destination port 80 to port 3/47, where a SPAN (capture) device is connected. I run packet-capture software on a PC connected to port 3/47 and get the result below.

[Screenshot: packet capture on port 3/47]
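To check the capture from port 3/47 mechanically rather than by eye, here is an added Python example (not part of the original post or of any Nortel tooling) that parses raw Ethernet/IPv4/TCP frames, flags any frame that does not match the ACE (TCP destination port 80) and reports which of the four lab VLAN subnets were seen on the mirror port. The frames it runs on are constructed inline; the VLAN-to-subnet mapping is taken from the `vlan N ip create` lines above.

```python
import struct
from ipaddress import ip_address, ip_network

# Subnets of the four lab VLANs, from the ERS8600 "vlan N ip create" lines.
VLAN_SUBNETS = {
    1: ip_network("10.0.0.0/8"),
    2: ip_network("20.0.0.0/8"),
    3: ip_network("30.0.0.0/8"),
    4: ip_network("40.0.0.0/8"),
}
MIRRORED_DST_PORT = 80  # what the ACE "protocol tcp-dst-port eq 80" matches


def build_frame(src_ip, dst_ip, sport, dport):
    """Constructed sample frame: Ethernet II + minimal IPv4 header + TCP SYN, no payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip_hdr + tcp_hdr


def parse_frame(frame):
    """Return (src_ip, dst_ip, tcp_dst_port), or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:
        return None                       # not TCP, or truncated
    src = str(ip_address(frame[26:30]))
    dst = str(ip_address(frame[30:34]))
    dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return src, dst, dport


def audit_mirror_capture(frames):
    """Report which VLANs reached the mirror port and which frames the ACE should not have mirrored."""
    seen, unexpected = set(), []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or parsed[2] != MIRRORED_DST_PORT:
            unexpected.append(parsed)     # anything other than TCP dst 80 is a mis-mirror
            continue
        src = ip_address(parsed[0])
        seen.update(vid for vid, net in VLAN_SUBNETS.items() if src in net)
    return {"vlans_seen": sorted(seen),
            "vlans_missing": sorted(set(VLAN_SUBNETS) - seen),
            "unexpected": unexpected}
```

A real capture would be fed in as the raw frame bytes from the PC on port 3/47; a non-empty `vlans_missing` list means one VLAN's ACL is not mirroring, and a non-empty `unexpected` list means the ACE match is broader than intended.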

      The mirroring restriction no longer exists in software version 5.0. ACL-based mirroring provides more flexible control for troubleshooting or monitoring traffic.
