Traffic Mirroring
NOTE: This feature is currently available in Early Access. To use this feature, please enable Traffic Mirroring from the Organization > Early Access page on your Meraki Dashboard.
Overview
Traffic Mirroring allows users to create traffic monitoring sessions in which traffic on specific port(s) and/or VLAN(s) is mirrored to a destination device connected to the same switch, or anywhere within an RSPAN-compliant layer-2 network domain.
Requirements, guidelines and limitations
- Hardware and software requirements: Traffic mirroring using VLANs as the source or destination of a mirror session is supported on the following devices and firmware versions.
MS Switch Family | MS Switch Model | Minimum Firmware Required
MS100 series | MS120, MS125, MS130 | MS 17
MS200 series | MS210, MS225, MS250 | MS 17
MS300 series | MS350, MS355 | MS 17
MS400 series | MS410, MS425, MS450 | MS 17
- Each switch or switch stack can have one Traffic Mirror active at any time.
- Up to four VLANs can be specified in the VLAN filter or as the source VLANs for a Traffic Mirror session.
- MAC address learning must be disabled in the VLAN carrying mirrored traffic (the Transit VLAN) on all switches in the path of the mirrored traffic.
The Meraki Dashboard automatically configures all feature-compatible Meraki switches in the network to disable MAC learning in the Transit VLAN.
Third-party devices should be configured for this as well. On Cisco Catalyst switches, this is achieved by configuring the VLAN for remote-span, e.g.:
Switch# configure terminal
Switch(config)# vlan 100
Switch(config-vlan)# remote-span
Switch(config-vlan)# end
- On MS130X and MS130-R switches, Traffic Analytics is disabled on ports configured as Traffic Mirroring source ports. Additionally, if a Packet Capture is initiated on a port, any Traffic Mirroring from that port is deactivated for as long as that Packet Capture is running; in other words, the port mirrors no traffic during this time.
- When using a VLAN as the source, only ingress traffic on that VLAN is captured. For example, if the traffic mirror is configured with VLAN 10 as a source, then all traffic received in VLAN 10, for any destination, will be captured. However, traffic received by the switch in, say, VLAN 20 and routed into VLAN 10 will not be captured.
Terminology
Source switch | The switch from which the traffic is being collected and mirrored.
Destination switch | The switch to which the destination device for the Traffic Mirror, such as a packet capture analyzer, is connected.
Transit VLAN | The VLAN used specifically for carrying the packets from the source switch to the destination switch. Also referred to as the RSPAN VLAN.
Intermediate switch | Any switch in the network, ideally in the layer 2 path from the source to the destination switch, which forwards the Transit VLAN carrying the mirrored traffic from its source to its destination.
VLAN Filter | List of (up to 4) VLANs for which traffic should be mirrored when using ports as the source. This is an optional configuration; when no VLANs are specified in the filter, traffic for all VLANs is captured on the specified ports.
Analyzer port | The port from which the mirrored packets are sent out. It can be on either the source switch or the destination switch.
Configuring a new Traffic Mirror
To configure a traffic mirror, navigate to Switching > Switch settings, scroll down to the Traffic mirroring configuration section and click Add a mirror scheme for this network to bring up the 4-step guided flow.
- Choose endpoints: Choose the source and destination devices for the traffic mirror. The source is the switch or stack from which you want to mirror traffic, and the destination is the switch or stack to which the device capturing the traffic is connected.
You can also specify Tags to identify the session with. The tag is also useful for grouping and searching mirror instances.
- Configure source: Select whether you want to mirror traffic from specific Ports or VLANs. When using Port as a source, you can select multiple ports on the source switch / stack and specify up to 4 VLANs in the VLAN filter.
When selecting VLAN as a source, you can specify up to 4 source VLANs to mirror traffic from. The traffic is mirrored from all the ports on which these VLANs are configured.
If the source and destination switches are not the same, a Transit VLAN and an Analyzer port must be defined. The Transit VLAN is the VLAN into which the traffic will be mirrored, to be transported to the destination switch over the connected layer 2 network. The Analyzer port is the egress port for mirrored traffic on your Source switch / stack. All traffic in the Transit VLAN is always flooded, and to prevent u-turning of mirrored traffic, MAC address learning should be disabled in this VLAN. When a Traffic Mirror is configured to use a Transit VLAN, all Meraki switches in the Dashboard Network are automatically configured to disable MAC learning and flood traffic in that VLAN.
If there is a non-Meraki network device connected to the Meraki network where a Transit VLAN is configured, it must be configured to disable MAC learning on the Transit VLAN. On Cisco Catalyst switches this can be done by configuring the Transit VLAN ID as the RSPAN VLAN.
NOTE: A Transit VLAN should only be allowed on links that are necessary to carry the mirrored traffic to the mirror destination.
- Configure destination: Select whether the destination is a port or a VLAN on the Destination switch / stack. Ideally, this is the port to which your traffic analyzer is connected.
- Summary: Verify the configuration and click Save.
NOTE: If you create an RSPAN instance, that is, a traffic mirror where the destination port is not on the same switch as the source ports or VLANs, the Dashboard will separate the details of a traffic mirror scheme into config that is relevant to the source and destination switches.
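The following is an added example (not from this page or from Meraki) showing how a third-party Cisco Catalyst switch sitting in the layer 2 path between the source and destination switches would be configured for the Transit VLAN described above: the remote-span setting that disables MAC learning, plus the trunk pruning the NOTE calls for so the flooded mirror copies only cross the links that need them. VLAN 100 and the interface names are placeholders.

```cisco
! Added example: intermediate Cisco Catalyst switch in the mirror path.
! Assumptions (placeholders): Transit VLAN 100; Gi1/0/1 faces the Meraki
! source switch, Gi1/0/2 faces the destination switch, Gi1/0/3 is an
! unrelated trunk that must not carry the mirrored traffic.
configure terminal
!
! Transit (RSPAN) VLAN: remote-span turns off MAC learning for this VLAN so
! mirrored frames are flooded instead of being learned and u-turned.
vlan 100
 name MIRROR-TRANSIT
 remote-span
 exit
!
! Allow the Transit VLAN only on the two links that carry mirrored traffic.
! (Older platforms need "switchport trunk encapsulation dot1q" before
! "switchport mode trunk".)
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan add 100
 exit
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan add 100
 exit
!
! Every other trunk: explicitly keep the Transit VLAN out of the allowed list
! so mirror copies are not flooded network-wide.
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan remove 100
 exit
end
!
! Verification: VLAN 100 should be listed as a remote-span VLAN, and it should
! appear in the allowed/active VLAN list only for Gi1/0/1 and Gi1/0/2.
show vlan remote-span
show interfaces trunk
```

Because MAC learning is off in the Transit VLAN, every switch that carries it floods the mirrored traffic on all ports where the VLAN is allowed, which is why pruning it from unrelated trunks matters for both bandwidth and confidentiality of the captured frames.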
Editing an existing Traffic Mirror
Traffic mirror configuration on each switch can be edited, or deleted, individually. The traffic mirroring table UI allows inline editing of the session for each switch. To edit the configuration of the session on a switch:
- Click on the pencil icon.
- Modify the port or VLAN values, tags or comments.
- Click Save.
NOTE: Inline editing does not allow you to switch a mirror scheme from Port as a source to VLAN as a source, or vice versa. In order to change the source type, delete the mirror instance on the switch and create a new one for the switch / stack.