Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

4200vl monitoring port and VLAN tags

Jordan D
Occasional Contributor

4200vl monitoring port and VLAN tags

I have a customer who is attempting to run a linux based program called ARPwatch. This program needs to receive traffic untagged to look inside the packets.

While monitoring his uplink which has four vlans worth of tagged traffic, the mirror port is passing these tags as expected.

We have tried to put the mirror port in a single vlan untagged, but this subnet's packets are all that end up sniffed by ARPwatch.

Is there any way to get the ProCurve to strip tags on the way out of the mirror port? For that matter, is there any way to copy this traffic without the vlan tags?

Any help always appreciated.
5 REPLIES
Matt Hobbs
Honored Contributor

Re: 4200vl monitoring port and VLAN tags

When monitoring the uplink port which is already tagged on these VLAN's, that's most likely expected behaviour.

I'm just wondering, instead of monitoring that tagged only port, can you monitor 4 ports that are untagged in each one of those VLANs? Since the ARP traffic is mostly broadcast this might be a solution that could work (but I have seen instances where it will actually add an 802.1q tag even when monitoring untagged ports).
Jordan D
Occasional Contributor

Re: 4200vl monitoring port and VLAN tags

Beside the customer being concerned about over-subscribing the mirror port, you nailed it.

Thanks a bunch.
Paul Boven
Occasional Advisor

Re: 4200vl monitoring port and VLAN tags

I have a 5412zl switch (K12.14), and all ports are just native, untagged ports in their respective VLANs. However, when setting up one of the ports for monitoring, the traffic that leaves the monitored port gets a VLAN tag added to it, while the traffic that comes into the monitored port doesn't.

This makes running standard analysis tools on a packet trace quite complicated. Putting the mirror port in the same VLAN as the port that is being monitored does not make a difference.

Does anyone know how to make the switch stop making up VLAN tags for monitored traffic?

Regards, Paul Boven.
VLBI - it's a fringe science
Matt Hobbs
Honored Contributor

Re: 4200vl monitoring port and VLAN tags

I'm surprised that it's adding this tag even when in the same VLAN as the mirror-port. I have seen it add the tag when in different VLANs and believe this is normal behaviour on certain switches.

Can you try a K.11.xx version and see if this still occurs?
Paul Boven
Occasional Advisor

Re: 4200vl monitoring port and VLAN tags

Hi everyone,

Back when my 5412zl still had K11.33 on it, it also put the VLAN tags on half the packets (see above).

Regards, Paul Boven.
VLBI - it's a fringe science