Traffic Mirroring
Overview
Traffic Mirroring allows users to create traffic monitoring sessions in which traffic on one or more ports and/or VLANs is mirrored to a destination device connected to the same switch, or to a device anywhere within an RSPAN-capable layer-2 network domain.
Terminology
Term | Definition |
---|---|
Source switch | The switch from which the traffic is being collected and mirrored. |
Source ports or VLANs | Ports or VLANs on the source switch whose traffic is being mirrored. A Traffic Mirror session can have either ports or VLANs as the source, but not both. |
VLAN Filter | When mirroring traffic from ports that carry multiple VLANs, a list of up to 4 VLANs can be specified to restrict which VLANs are mirrored. This is optional; when no VLANs are specified in the filter, traffic for all VLANs on the specified ports is captured. |
Transit VLAN | The VLAN used specifically for carrying mirrored packets from the source switch to the destination switch. Also referred to as the RSPAN VLAN. |
Analyzer port | The port on the source switch from which the mirrored packets are sent out. When the destination of a Traffic Mirror is a Transit VLAN, it must be accompanied by a port on which the mirrored traffic is forwarded. The source switch sends mirrored traffic out of the Analyzer port only, even if other ports are configured to forward the Transit VLAN. The Analyzer port is treated as a regular network port for all other purposes. |
Intermediate switch | Any switch in the network, ideally in the layer-2 path from the source to the destination switch, which forwards the Transit VLAN carrying the mirrored traffic from its source to its destination. To function as an intermediate switch, the device must support disabling MAC learning in the Transit VLAN. |
Destination switch | The switch to which the destination device for the Traffic Mirror, such as a packet capture analyzer, is connected. |
Destination port | The port on the destination switch to which all mirrored traffic is sent. Ideally, this is the port to which the packet capture analyzer is connected. The destination port is a special-purpose port that only forwards traffic captured from the Traffic Mirror source. While in use as a Traffic Mirror destination, this port cannot be configured or used as a regular network port. An uplink port (the port the switch uses to connect to the Cisco Cloud) cannot be used as a destination port. |
Requirements, guidelines and limitations
-
Hardware and software compatibility requirements: Traffic mirroring using VLANs as the source or destination of a mirror session is supported on the following devices and firmware versions.
MS Switch Family | MS Switch Model | Minimum Firmware Required |
---|---|---|
MS100 series | MS120, MS125, MS130, MS150 | MS 17.2.1 |
MS200 series | MS210, MS225, MS250 | MS 17.2.1 |
MS300 series | MS350, MS355 | MS 17.2.1 |
MS400 series | MS410, MS425, MS450 | MS 17.2.1 |
Scale and configuration considerations
-
A switch or switch stack can have one Traffic Mirror active at any time.
-
Up to four VLANs can be specified in the VLAN filter when mirroring traffic from a port.
-
Up to four VLANs can be configured as the source VLANs for a Traffic Mirror session.
-
A Link Aggregation Group cannot be used as the destination or analyzer port in a Traffic Mirror. Use of Link Aggregation Groups as Traffic Mirror source ports is supported.
Interoperability with other features and functions
-
If your network has devices that do not support forwarding of an RSPAN or Transit VLAN, in the path between the source and destination switches, the mirrored traffic will likely be dropped by those devices.
-
On MS130X, MS130-R and MS150 series switches, Traffic Analytics are disabled on ports configured as Traffic Mirroring source ports.
-
If a Dashboard Packet Capture is initiated on a port of a MS130X, MS130-R or MS150 series switch, any Traffic Mirroring configuration on that port will be deactivated for the duration the Packet Capture is running.
-
MAC address learning must be disabled in the VLAN carrying mirrored traffic (Transit VLAN) on all switches in the path of the mirrored traffic.
The Meraki Dashboard automatically configures all feature-compatible Meraki switches in the network to disable MAC learning in the Transit VLAN.
Third-party devices must be configured for this as well. On Cisco Catalyst switches, this is achieved by configuring the VLAN as a remote-span VLAN, for example:

```
Switch# configure terminal
Switch(config)# vlan 100
Switch(config-vlan)# remote-span
Switch(config-vlan)# end
```
-
Configuring a Traffic Mirror
To configure a traffic mirror, navigate to Switching > Switch settings, scroll down to the Traffic mirroring configuration section and click Add a mirror scheme for this network to bring up the 4-step guided flow.
Configuration options
Mirror source | Mirror destination | Capture direction | Additional considerations |
---|---|---|---|
Port(s) | Port | Both ingress and egress traffic on the source port(s) is mirrored. | A VLAN filter can be configured to restrict the capture to up to 4 VLANs. This configuration applies when the source and destination are on the same switch or switch stack. It is the same as Port Mirroring. |
VLAN(s) | Port | Only ingress traffic in the source VLAN(s) is mirrored. | Up to 4 VLANs can be selected as the mirror source. This configuration applies when the source and destination are on the same switch or switch stack. |
Port(s) | Transit VLAN | Both ingress and egress traffic on the source port(s) is mirrored. | This configuration applies when the source and destination are on different switches or switch stacks. An analyzer port must be specified. MAC learning is disabled in the Transit VLAN. |
VLAN(s) | Transit VLAN | Only ingress traffic in the source VLAN(s) is mirrored. | This configuration applies when the source and destination are on different switches or switch stacks. An analyzer port must be specified. MAC learning is disabled in the Transit VLAN. Using the Transit VLAN as a source is not supported. |
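The table above fixes what should and should not reach the destination port: with a VLAN filter or VLAN sources, only the selected VLANs, and never the Transit VLAN itself. The following is an added example (not Meraki's own code) that audits a capture taken on the destination port against that expectation. It assumes the analyzer receives frames with their 802.1Q tags preserved; the frame bytes are constructed inline for the example, and `make_frame` is a helper written here, not a Meraki or Dashboard function. If frames show up tagged with the Transit VLAN ID instead of the original VLAN, the audit flags that too, which is exactly the kind of surprise worth catching before trusting the capture.

```python
import struct
from collections import Counter

ETH_P_8021Q = 0x8100   # customer VLAN tag (802.1Q)
ETH_P_8021AD = 0x88A8  # service VLAN tag (802.1ad / QinQ), outer tag only


def vlan_of(frame: bytes):
    """Return the outer VLAN ID of an Ethernet frame, or None if it is untagged.

    Layout: dst MAC (6) | src MAC (6) | TPID (2) | TCI (2) | EtherType (2) | ...
    The VLAN ID is the low 12 bits of the TCI; PCP/DEI in the top 4 bits are ignored.
    """
    if len(frame) < 14:
        return None
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid in (ETH_P_8021Q, ETH_P_8021AD) and len(frame) >= 16:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF
    return None


def audit_capture(frames, allowed_vlans):
    """Count frames per VLAN and report VLANs that the mirror should not have delivered.

    Returns (counts, unexpected): counts maps VLAN ID (or None for untagged) to a
    frame count; unexpected is the subset of tagged VLANs outside allowed_vlans.
    """
    counts = Counter(vlan_of(f) for f in frames)
    unexpected = {v: n for v, n in counts.items()
                  if v is not None and v not in allowed_vlans}
    return counts, unexpected


def make_frame(vlan, payload=b"\x00" * 46):
    """Build a constructed sample frame (helper for this example only)."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    ipv4 = struct.pack("!H", 0x0800)
    if vlan is None:
        return dst + src + ipv4 + payload
    # PCP=0, DEI=0, VID=vlan
    return dst + src + struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF) + ipv4 + payload


if __name__ == "__main__":
    # Constructed capture: filter was {10, 20}; VLAN 30 and an untagged frame leaked in.
    capture = [make_frame(10)] * 3 + [make_frame(20)] * 2 + [make_frame(30), make_frame(None)]
    counts, unexpected = audit_capture(capture, allowed_vlans={10, 20})
    for vid, n in sorted(counts.items(), key=lambda kv: (kv[0] is None, kv[0])):
        print(f"VLAN {vid if vid is not None else 'untagged'}: {n} frames")
    if unexpected:
        print("VLANs outside the configured filter:", unexpected)
```

Run it against a real capture by reading frames with any pcap library of your choice and passing the raw bytes to `audit_capture`; a non-empty `unexpected` dict, or a count for the Transit VLAN ID, means the filter or the transit path is not doing what the scheme says.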
Creating a new Traffic Mirror
-
Choose endpoints: Choose the source and destination devices for the traffic mirror. The source is the switch or stack from which you want to mirror traffic, and the destination is the switch or stack on which the device capturing the traffic is connected.
You can also specify Tags to identify the session with. The tag is also useful in grouping and searching of mirror instances. The Dashboard also auto-generates the tags source switch and destination switch, to reflect the selections made in the Traffic Mirror configuration. These tags are for reference only and do not affect the functionality of the feature.
-
Configure source: Select whether you want to mirror traffic from specific Ports or VLANs. When using Port as a source, you can select multiple ports on the source switch / stack and specify up to 4 VLANs in the VLAN filter.
When selecting VLAN as a source, you can specify up to 4 source VLANs to mirror traffic from. The traffic is mirrored from all the ports on which these VLAN are configured.
If the source and destination switches are not the same, a Transit VLAN and an Analyzer port must be defined. The Transit VLAN is the VLAN into which the traffic is mirrored, to be transported to the destination switch over the connected layer-2 network. The Analyzer port is the egress port for mirrored traffic on your source switch / stack. All traffic in the Transit VLAN is always flooded, and to prevent U-turning of mirrored traffic, MAC address learning must be disabled in this VLAN. When a Traffic Mirror is configured to use a Transit VLAN, all feature-compatible Meraki switches in the Dashboard network are automatically configured to disable MAC learning and flood traffic in that VLAN.
If a non-Meraki network device is connected to the Meraki network where a Transit VLAN is configured, it must be configured to disable MAC learning on the Transit VLAN. On Cisco Catalyst switches this is done by configuring the Transit VLAN ID as an RSPAN VLAN.
NOTE : A Transit VLAN should only be allowed on links that are necessary to carry the mirrored traffic to the mirror destination.
-
Configure destination: Select whether the destination is a port or a VLAN on the destination switch / stack. Ideally, this is the port to which your traffic analyzer is connected.
-
Summary: Verify the configuration and click Save.
NOTE: If you create an RSPAN instance, that is, a traffic mirror where the destination port is not on the same switch as the source ports or VLANs, the Dashboard will separate the details of a traffic mirror scheme into config that is relevant to the source and destination switches.
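The guided flow enforces most of the rules stated on this page at save time, but in an environment with many stacks and third-party intermediate switches it helps to check a scheme before touching the Dashboard, and to generate the matching Catalyst configuration in the same step. The following is an added example written for this page; it is not Meraki code and does not call the Dashboard. The scheme dictionary layout, the key names, and the per-switch inventory fields (`lag_ports`, `uplink_port`) are assumptions made for the example; the IOS commands it emits are the standard `remote-span` and trunk allowed-VLAN commands, restricting the Transit VLAN to the trunks that actually lie on the path to the destination.

```python
# Added example: pre-flight validation of a Traffic Mirror scheme against the
# rules on this page, plus the Catalyst intermediate-switch config it implies.
# Scheme/inventory layout is an assumption made for this example.

MAX_FILTER_VLANS = 4   # VLAN filter on port sources
MAX_SOURCE_VLANS = 4   # VLAN sources per session
VLAN_RANGE = range(1, 4095)


def _bad_vlans(vlans):
    """Return the VLAN IDs that fall outside 1-4094."""
    return [v for v in vlans if v not in VLAN_RANGE]


def validate_scheme(scheme, inventory):
    """Check one mirror scheme; return a list of violations (empty == acceptable).

    scheme: {"source_switch", "destination_switch", "source_type": "port"|"vlan",
             "source_ports": [...], "source_vlans": [...], "vlan_filter": [...],
             "transit_vlan": int|None, "analyzer_port": str|None, "destination_port": str}
    inventory: {switch: {"lag_ports": set of LAG member ports, "uplink_port": str}}
    """
    errs = []
    src_sw, dst_sw = scheme["source_switch"], scheme["destination_switch"]
    src_inv, dst_inv = inventory.get(src_sw, {}), inventory.get(dst_sw, {})
    src_type = scheme.get("source_type")
    ports = scheme.get("source_ports") or []
    vlans = scheme.get("source_vlans") or []
    flt = scheme.get("vlan_filter") or []
    transit = scheme.get("transit_vlan")
    analyzer = scheme.get("analyzer_port")
    dest = scheme.get("destination_port")

    # Source is ports or VLANs, never both; VLAN filter only applies to port sources.
    if ports and vlans:
        errs.append("source must be ports or VLANs, not both")
    if src_type == "port":
        if not ports:
            errs.append("port source needs at least one source port")
        if len(flt) > MAX_FILTER_VLANS:
            errs.append(f"VLAN filter has {len(flt)} VLANs; maximum is {MAX_FILTER_VLANS}")
    elif src_type == "vlan":
        if not vlans:
            errs.append("VLAN source needs at least one source VLAN")
        if len(vlans) > MAX_SOURCE_VLANS:
            errs.append(f"{len(vlans)} source VLANs; maximum is {MAX_SOURCE_VLANS}")
        if flt:
            errs.append("VLAN filter applies only to port sources")
        if transit is not None and transit in vlans:
            errs.append(f"transit VLAN {transit} cannot also be a source VLAN")
    else:
        errs.append("source_type must be 'port' or 'vlan'")

    for v in _bad_vlans(list(vlans) + list(flt) + ([transit] if transit is not None else [])):
        errs.append(f"VLAN {v} is outside 1-4094")

    # Destination port: required, never a LAG, never the uplink.
    if not dest:
        errs.append("destination port is required")
    else:
        if dest in dst_inv.get("lag_ports", set()):
            errs.append(f"destination port {dest} is a LAG member; LAGs cannot be the destination")
        if dest == dst_inv.get("uplink_port"):
            errs.append(f"destination port {dest} is the uplink port")

    # Cross-switch (RSPAN) sessions need a transit VLAN and a non-LAG analyzer port.
    if src_sw != dst_sw:
        if transit is None:
            errs.append("source and destination differ: a transit VLAN is required")
        if not analyzer:
            errs.append("source and destination differ: an analyzer port is required")
        elif analyzer in src_inv.get("lag_ports", set()):
            errs.append(f"analyzer port {analyzer} is a LAG member; LAGs cannot be the analyzer port")
    return errs


def catalyst_remote_span_config(transit_vlan, trunk_ports):
    """IOS lines for a Catalyst intermediate switch: mark the transit VLAN as
    remote-span (no MAC learning) and allow it only on the trunks on the path."""
    lines = ["configure terminal", f"vlan {transit_vlan}", " remote-span", "exit"]
    for port in trunk_ports:
        lines += [f"interface {port}", " switchport mode trunk",
                  f" switchport trunk allowed vlan add {transit_vlan}", "exit"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    # Constructed inventory and scheme; serials and port numbers are placeholders.
    inventory = {"SRC-STACK": {"lag_ports": {"23", "24"}, "uplink_port": "1"},
                 "DST-SWITCH": {"lag_ports": set(), "uplink_port": "1"}}
    scheme = {"source_switch": "SRC-STACK", "destination_switch": "DST-SWITCH",
              "source_type": "port", "source_ports": ["5", "6"], "vlan_filter": [10, 20],
              "transit_vlan": 100, "analyzer_port": "22", "destination_port": "8"}
    problems = validate_scheme(scheme, inventory)
    print("OK" if not problems else "\n".join(problems))
    print("\n".join(catalyst_remote_span_config(100, ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"])))
```

The generated configuration deliberately uses `allowed vlan add` on only the listed trunks rather than enabling the Transit VLAN everywhere, in line with the note above that the Transit VLAN should be allowed only on links needed to carry mirrored traffic; a flooded VLAN that is trunked to every edge port is an easy way to leak a full copy of the mirrored traffic.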
Editing an existing Traffic Mirror
Traffic mirror configuration on each switch can be edited, or deleted, individually. The traffic mirroring table UI allows inline editing of the session for each switch. To edit the configuration of the session on a switch,
-
Click on the pencil icon.
-
Modify the port or VLAN values, tags or comments.
-
Click Save
NOTE: Inline editing does not allow you to switch a mirror scheme from Port as a source to VLAN as a source, or vice versa. To change the source type, delete the mirror instance on the switch and create a new one for the switch / stack.