HPE Community
Comware Based
1821055 Members
2387 Online
109631 Solutions
New Discussion

VLAN mirroring on a stack of 5700-32XGT-8XG-2QSFP+ and some access switches

 
SOLVED
Go to solution
Pistoletjes
Frequent Visitor

‎05-13-2020 01:04 PM

‎05-13-2020 01:04 PM

VLAN mirroring on a stack of 5700-32XGT-8XG-2QSFP+ and some access switches

Hi,

I'm running 4 5700-32XGT switches in a partial mesh. All VLANs are distributed across all switches using dedicated trunking links. Each switch has an IRF partner. The switches are distributed over 2 locations, and running version 7.1.045, Release 2422P02. 

We're implementing a security solution that needs to 'listen in' to traffic on one or more VLANs. In documentation I only find options to configure traffic mirroring on interfaces, not VLANs. I could create VLAN interfaces, but since we're only doing L2 stuff I don't expect any traffic on these VLAN interfaces. 

Does anyone know if it's possible to do VLAN mirroring / monitoring on these switches? 

Thanks alot! 

0 Kudos
5 REPLIES 5
Ivan_B
HPE Pro

‎05-14-2020 12:29 AM

‎05-14-2020 12:29 AM

Solution

Re: VLAN mirroring on a stack of 5700-32XGT-8XG-2QSFP+ and some access switches

Hello!

Please, check if "Configure flow mirroring" section, sub-section "Applying a QoS policy to a VLAN" of the guide https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c04406886 is not what you are looking for.

Hope it helps!

 

I am an HPE employee

Accept or Kudo

Pistoletjes
Frequent Visitor

‎05-14-2020 12:40 AM

‎05-14-2020 12:40 AM

Re: VLAN mirroring on a stack of 5700-32XGT-8XG-2QSFP+ and some access switches

This looks like the right direction. Thanks alot! I will come back to accept the answer if it works for me.

Thanks again. 

0 Kudos
Pistoletjes
Frequent Visitor

‎05-14-2020 05:28 AM

‎05-14-2020 05:28 AM

Re: VLAN mirroring on a stack of 5700-32XGT-8XG-2QSFP+ and some access switches

Okay, I managed to mirror traffic to an interface or interface set (BAGG). Thanks for show me the way to go forwards.

Question: is it possible to keep the VLAN tag of the source packet or somehow be able to get this information into the mirror interface as well? 

0 Kudos
Ivan_B
HPE Pro

‎05-15-2020 12:20 AM

‎05-15-2020 12:20 AM

Re: VLAN mirroring on a stack of 5700-32XGT-8XG-2QSFP+ and some access switches

Actually I would expect mirrored traffic to be sent out of monitoring-port with the original VLAN tags. I have seen it before how some NICs, especially some Intel-manufactured ones were stripping VLAN tags before relaying it to the monitoring software, so please, be sure you can see tagged frames from some other source on this particular packet capturing facility to ensure to issue is not in  it. Maybe I am missing some specifics of this particular device or this way of capturing traffic, but let's rule out the most probable issues first.

 

 

I am an HPE employee

Accept or Kudo

Pistoletjes
Frequent Visitor

‎05-15-2020 01:24 AM

‎05-15-2020 01:24 AM

Re: VLAN mirroring on a stack of 5700-32XGT-8XG-2QSFP+ and some access switches

I checked some captures that I created and unfortunately there's no VLAN information. It may have been stripped by the network card driver (but I don't really expect that's the case). I can imagine that the VLAN information might be preserved if I use port based mirroring -- I will give that a try (although it will not be a solution for me). 

 

Frame 2519: 132 bytes on wire (1056 bits), 132 bytes captured (1056 bits) on interface \Device\NPF_{2E0928F2-D82C-42ED-954C-A194A1FFAC97}, id 0
Ethernet II, Src: PaloAlto_, Dst: VMware_
Destination: VMware_
Address: VMware_
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: PaloAlto_
Address: PaloAlto_
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.47.150.68, Dst: 192.168.1.16
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.