Mirroring
Packet mirroring allows you to collect packets on specified ports and then send them to another port to be collected and analyzed. All FortiSwitch models support switched port analyzer (SPAN) mode, which mirrors traffic to the specified destination interface without encapsulation.
Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains. You can have multiple RSPAN sessions but only one ERSPAN session. In RSPAN mode, traffic is encapsulated in a VLAN. In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers.
NOTE:
- Mirror sources cannot also be mirror destinations or members of mirror destinations if the destination is a trunk. When using RSPAN or ERSPAN in FortiLink mode, the destination ports or trunks are determined automatically (the automatically determined port can be viewed with the diagnose switch-controller switch-info mirror status command on the FortiGate device). The destination is often an ISL interface towards the FortiGate device. This destination can cause conflicts if the user tries to configure ports in the ISL as source ports. In the case of conflict, Fortinet recommends disabling the FortiLink traffic sniffer or omitting ports that are part of the ISL.
- Some models support setting the mirror destination to “internal.” This is intended only for debugging purposes and might prevent critical protocols from operating on ports being used as mirror sources.
- When there are multiple mirror sessions in the FS-108D-POE, FS-224D-POE, and FSR-112D-POE models, some traffic might not be mirrored to the destination ports.
- Some destination ports are not listed because those models (FSR-112D-POE, FS-108E, FS-124E, FS-108E-POE, FS-108E-FPOE, FS-124E-POE, FS-124E-FPOE, FS-148E, and FS-148E-POE) do not support mirroring to the software interface.
- You cannot select a destination interface for the ERSPAN auto mirror.
- In cases where the mirrored traffic is not unicast, or is flooded unicast, and the mirrored and non-mirrored packets both leave the mirror “dst” port, the mirror-qos value is overridden by the QoS value of the non-mirrored packet.
- You can use the following commands to specify the quality of service (QoS) priority for mirrored packets on the FortiSwitch unit doing the mirroring:
config switch global
set mirror-qos <0-7>
end
Some of the platform differences are listed in the following table:
| | 112D-POE | 108E, 108E-FPOE, 108E-POE, 124E, 124E-FPOE, 124E-POE, 124F, 148F | 124D, 224D-FPOE, 224E, 224E-POE | 248D, 248E-FPOE, 248E-POE | 424D, 424D-FPOE, 424D-POE | 448D, 448D-FPOE, 448D-POE | 424E, 424E-POE, 424E-FPOE, M426-FPOE | 424E-Fiber, 448E, 448E-POE, 448E-FPOE | 524D, 524D-FPOE, 548D, 548D-FPOE, 1048E | 1024D, 1048D, 3032D, 3032E |
|---|---|---|---|---|---|---|---|---|---|---|
| “dst” values | Ports only (can be in trunk) | Ports only (can be in trunk) | Port or trunk (no trunk members) | Port or trunk (no trunk members) | Port or trunk (no trunk members) | Port or trunk (no trunk members) | Port or trunk (no trunk members) | Port or trunk (no trunk members) | Port or trunk (no trunk members) | Port or trunk (no trunk members) |
| Max. sessions (active or inactive) | — | — | 32 | 32 | 32 | 32 | 32 | 32 | 32 | 32 |
| Max. active sessions | 7 | 4 | 6 | 6 | 6 | 6 | 8 | 8 | 8 | 4 |
| Max. sessions with src-egress | 6 | 4 | 1 | 1 | 1 | 1 | 1 | 1 | 4 | 4 |
| Max. sessions with src-ingress | 6 | 4 | 1 | 1 | 1 | 1 | 1 | 4 | 4 | 4 |
| Max. sessions when one has src-ingress + src-egress and the rest are src-ingress | N/A | N/A | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 |
| VLAN CFI and priority can be configured in RSPAN | N/A | N/A | Yes | No | Yes | No | Yes | Yes | Yes | Yes |
| SPAN support | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| RSPAN and ERSPAN support | RSPAN | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| QoS support | No | No | No | No | No | No | Yes | Yes | Yes | 3032D |
The following topics are covered in this chapter:
- Configuring a SPAN mirror
- Configuring an RSPAN mirror
- Configuring an ERSPAN auto mirror
- Configuring an ERSPAN manual mirror
Configuring a SPAN mirror
NOTE: You can use virtual wire ports as ingress and egress mirror sources. Egress mirroring of virtual wire ports will have an additional VLAN header on all mirrored traffic.
Using the GUI:
- Go to Switch > Mirror.
- Select Add Port Mirror.
- Enter a name for the mirror.
- Select Enabled to make the mirror active.
- Select a destination interface.
On FortiSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror. The physical port cannot be part of a trunk.
On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The physical port can be part of a trunk.
- Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
NOTE: Only one active egress mirror session is allowed.
- Select Packet Switching When Mirroring if the destination port is not a dedicated port. For example, enable this option if you connect a laptop to the switch and you are running a packet sniffer along with the management GUI on the laptop.
- Select SPAN for the mode.
- Select Create to create the mirror.
Using the CLI:
config switch mirror
edit <mirror session name>
set mode SPAN
set dst <interface>
set src-egress <interface_name>
set src-ingress <interface_name>
set switching-packet {enable | disable}
set status active
end
For example:
config switch mirror
edit "m1"
set mode SPAN
set dst "port5"
set src-egress "port2"
set src-ingress "port3" "port4"
set switching-packet enable
set status active
end
Multiple mirror destination ports (MTPs)
With some FortiSwitch models, you can configure multiple mirror destination ports with the following guidelines and restrictions:
- Always set the destination port before setting the src-ingress or src-egress ports.
- Any port configured as a src-ingress or src-egress port in one mirror cannot be configured as a destination port in another mirror.
- The total number of active sessions depends on your configuration.
- For switch models 124D, 124D-POE, 224D-FPOE, 248D, 248D-POE, 248D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, and 448D-FPOE:
- For access control lists, you can use a mirror destination that does not have src-ingress or src-egress configured or a mirror destination that has src-ingress or src-egress configured.
- For switch models 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E:
- For access control lists, you can use a mirror destination that does not have src-ingress or src-egress configured or a mirror destination that has src-ingress or src-egress configured.
- For switch model FSR-112D-POE:
- You can configure up to seven mirrors, each with a different destination port.
- Multiple ingress or egress ports can be mirrored to the same destination port.
- An ingress or egress port cannot be mirrored to more than one destination port.
These restrictions apply to active mirrors. If you try to activate an invalid mirror configuration, the system displays the following error message: Hardware active mirror session limit reached. Please deactivate or delete another active session to make room.
The following example configuration is valid for FortiSwitch-3032D. This configuration includes three ingress ports, one egress port, and four destination ports. The port3 ingress and egress ports are mirrored to multiple destinations.
config switch mirror
edit "m1"
set mode SPAN
set dst "port16"
set status active
set src-ingress "port3" "port5" "port7"
next
edit "m2"
set mode SPAN
set dst "port22"
set status active
set src-ingress "port3" "port5"
next
edit "m3"
set mode SPAN
set dst "port1"
set status active
set src-ingress "port3"
next
edit "m4"
set mode SPAN
set dst "port2"
set status active
set src-egress "port3"
end
The following example configuration includes three ingress ports, three egress ports and four destination ports. Each ingress and egress port is mirrored to only one destination port.
config switch mirror
edit "m1"
set mode SPAN
set dst "port1"
set status active
set src-ingress "port2" "port7"
next
edit "m2"
set mode SPAN
set dst "port5"
set status active
set src-ingress "port2"
next
edit "m3"
set mode SPAN
set dst "port3"
set status active
set src-ingress "port6"
next
edit "m4"
set mode SPAN
set dst "port4"
set status active
set src-egress "port6" "port8"
end
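To check a candidate configuration against these rules before activating it, here is an added Python example (not Fortinet's code). It parses a config switch mirror block in the format shown above and applies the per-platform session limits from the platform table together with the source/destination rules listed above; the LIMITS table covers only two platform columns, and the sample configuration is constructed.

```python
# Limits taken from the platform table above for two columns (constructed subset).
LIMITS = {
    "3032D": {"active": 4, "src-egress": 4, "src-ingress": 4, "one-dst-per-src": False},
    "FSR-112D-POE": {"active": 7, "src-egress": 6, "src-ingress": 6, "one-dst-per-src": True},
}

def parse_mirrors(text):
    """Parse a 'config switch mirror' block into one dict per 'edit' session."""
    sessions = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("edit "):
            sessions.append({"name": line[5:].strip('"'), "dst": None, "active": False,
                             "src-ingress": [], "src-egress": []})
        elif sessions and line.startswith("set "):
            key, *vals = [v.strip('"') for v in line[4:].split()]
            if key == "dst":
                sessions[-1]["dst"] = vals[0]
            elif key in ("src-ingress", "src-egress"):
                sessions[-1][key] = vals
            elif key == "status":
                sessions[-1]["active"] = vals[0] == "active"
    return sessions

def validate(sessions, platform):
    """Return the rule violations among the active sessions on this platform."""
    lim = LIMITS[platform]
    act = [s for s in sessions if s["active"]]
    counts = {"active": len(act), "src-egress": sum(1 for s in act if s["src-egress"]),
              "src-ingress": sum(1 for s in act if s["src-ingress"])}
    errs = [f"{k}: {counts[k]} sessions exceed the limit of {lim[k]}" for k in counts if counts[k] > lim[k]]
    dsts, seen = {s["dst"] for s in act}, {}  # seen: source port -> its destinations
    for s in act:
        for p in s["src-ingress"] + s["src-egress"]:
            if p in dsts:
                errs.append(f"{p} is a source in {s['name']} but also a mirror destination")
            seen.setdefault(p, set()).add(s["dst"])
    if lim["one-dst-per-src"]:  # FSR-112D-POE: a source goes to at most one destination
        errs += [f"{p} is mirrored to more than one destination" for p, d in seen.items() if len(d) > 1]
    return errs

# Constructed sample: port3 ingress goes to port16 while port3 egress goes to port2.
SAMPLE = """config switch mirror
    edit "m1"
        set dst "port16"
        set status active
        set src-ingress "port3" "port5"
    next
    edit "m2"
        set dst "port2"
        set status active
        set src-egress "port3"
end"""
```

Running validate(parse_mirrors(SAMPLE), "3032D") returns no violations, while the same sessions on "FSR-112D-POE" are rejected because port3 is mirrored to two destinations.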
Configuring an RSPAN mirror
NOTE: RSPAN traffic crossing a switch on a VLAN configured with “RSPAN-VLAN” enabled will appear as unknown unicast, multicast, or broadcast traffic. This traffic is not exempt from storm control and might be rate limited as a result. To avoid this issue, you can dedicate a port or ports to RSPAN and then disable storm control on those ports. Non-RSPAN VLANs can be used on those ports as well, but they will not be protected by storm control.
Using the GUI:
- Go to Switch > Mirror.
- Select Add Port Mirror.
- Enter a name for the mirror.
- Select Enabled to make the mirror active.
- Select a destination interface.
NOTE: The destination interface cannot be part of a trunk.
- Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
NOTE: Only one active egress mirror session is allowed.
- Select Packet Switching When Mirroring if the destination port is not a dedicated port. For example, enable this option if you connect a laptop to the switch and you are running a packet sniffer along with the management GUI on the laptop.
- Select RSPAN for the mode.
- In the VLAN ID field, enter the VLAN identifier for the RSPAN VLAN header.
- In the TPID field, enter the tag protocol identifier (TPID) for the encapsulating VLAN header.
The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.
- In the Priority field, enter the class of service (CoS) bits in the RSPAN VLAN header.
NOTE: This option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.
- In the CFI/DEI field, enter the canonical format identifier (CFI) or drop eligible indicator (DEI) bit in the RSPAN VLAN header.
NOTE: This option is not available on the 248D, 248D-POE, 248D-FPOE, 248E, 248E-POE, 248E-FPOE, 448D, 448D-POE, and 448D-FPOE models.
- Select Create to create the mirror.
Using the CLI:
config switch mirror
edit <mirror session name>
set mode RSPAN
set dst <interface>
set switching-packet {enable | disable}
set src-ingress <interface_name>
set src-egress <interface_name>
set encap-vlan-tpid <0x0001-0xfffe>
set encap-vlan-priority <0-7>
set encap-vlan-cfi <0-1>
set encap-vlan-id <1-4094>
set status active
end
Configuring an ERSPAN auto mirror
For an ERSPAN auto mirror, traffic on specified ports is mirrored to the specified destination interface using ERSPAN encapsulation. The header contents are automatically configured; you only need to specify the ERSPAN collector address.
Using the GUI:
- Go to Switch > Mirror.
- Select Add Port Mirror.
- Enter a name for the mirror.
- Select Enabled to make the mirror active.
- Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
NOTE: Only one active egress mirror session is allowed.
- Select ERSPAN Auto for the mode.
- Enable Strip VLAN Tags from Mirrored Traffic if you want to remove VLAN tags from mirrored traffic.
- In the Collector IP field, enter the IP address for the ERSPAN collector.
- In the IPv4 TTL field, enter the IPv4 time-to-live (TTL) value in the ERSPAN IP header.
- In the IPv4 TOS field, enter the type of service (ToS) value or enter the DSCP and ECN values in the ERSPAN IP header.
- In the GRE Protocol field, enter the protocol value in the ERSPAN GRE header.
- In the TPID field, enter the TPID for the encapsulating VLAN header.
The default value, 0x8100, is for an IEEE 802.1Q-tagged frame.
- In the Priority field, enter the CoS bits in the ERSPAN VLAN header.
- In the CFI/DEI field, enter the CFI or DEI bit in the ERSPAN VLAN header.
- Select Create to create the mirror.
Using the CLI:
config switch mirror
edit <mirror session name>
set mode ERSPAN-auto
set encap-gre-protocol <hexadecimal_integer>
set encap-ipv4-tos <hexadecimal_integer>
set encap-ipv4-ttl <0-255>
set encap-vlan-cfi <0-1>
set encap-vlan-priority <0-7>
set encap-vlan-tpid <0x0001-0xfffe>
set erspan-collector-ip <0.0.0.1-255.255.255.255>
set src-egress <interface_name>
set src-ingress <interface_name>
set strip-mirrored-traffic-tags {disable | enable}
set status active
end
Configuring an ERSPAN manual mirror
For an ERSPAN manual mirror, traffic on specified ports is mirrored to the specified destination interface using ERSPAN encapsulation. You need to manually configure the header contents with layer-2 and layer-3 addresses.
Using the GUI:
- Go to Switch > Mirror.
- Select Add Port Mirror.
- Enter a name for the mirror.
- Select Enabled to make the mirror active.
- Select a destination interface.
NOTE: The destination interface cannot be part of a trunk.
- Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
NOTE: Only one active egress mirror session is allowed.
- Select Packet Switching When Mirroring if the destination port is not a dedicated port. For example, enable this option if you connect a laptop to the switch and you are running a packet sniffer along with the management GUI on the laptop.
- Select ERSPAN Manual for the mode.
- Enable Strip VLAN Tags from Mirrored Traffic if you want to remove VLAN tags from mirrored traffic.
- Select Add ERSPAN Headers if you want to add the VLAN header to the encapsulated traffic.
- In the Collector IP field, enter the IP address for the ERSPAN collector.
- In the IPv4 Source Address field, enter the IPv4 source address in the ERSPAN IP header.
- In the IPv4 TTL field, enter the IPv4 TTL value in the ERSPAN IP header.
- In the IPv4 TOS field, enter the ToS value or enter the DSCP and ECN values in the ERSPAN IP header.
- In the GRE Protocol field, enter the protocol value in the ERSPAN GRE header.
- In the VLAN ID field, enter the VLAN identifier in the ERSPAN VLAN header.
This field is available only if Add ERSPAN Headers is selected.
- In the TPID field, enter the TPID for the encapsulating VLAN header.
This field is available only if Add ERSPAN Headers is selected.
- In the Priority field, enter the CoS bits in the ERSPAN VLAN header.
This field is available only if Add ERSPAN Headers is selected.
- In the CFI/DEI field, enter the CFI or DEI bit in the ERSPAN VLAN header.
This field is available only if Add ERSPAN Headers is selected.
- In the Source MAC Address field, enter the source MAC address in the ERSPAN Ethernet header.
This field is available only if Add ERSPAN Headers is selected.
- In the Destination MAC Address field, enter the MAC address of the next-hop or gateway on the path to the ERSPAN collector IP address.
This field is available only if Add ERSPAN Headers is selected.
- Select Create to create the mirror.
Using the CLI:
config switch mirror
edit <mirror session name>
set mode ERSPAN-manual
set dst <interface>
set encap-gre-protocol <hexadecimal_integer>
set encap-ipv4-src <IPv4_address>
set encap-ipv4-tos <hexadecimal_integer>
set encap-ipv4-ttl <0-255>
set encap-mac-dst <MAC_address>
set encap-mac-src <MAC_address>
set encap-vlan {tagged | untagged}
set encap-vlan-cfi <0-1>
set encap-vlan-id <1-4094>
set encap-vlan-priority <0-7>
set encap-vlan-tpid <0x0001-0xfffe>
set erspan-collector-ip <IPv4_address>
set src-egress <interface_name>
set src-ingress <interface_name>
set strip-mirrored-traffic-tags {disable | enable}
set switching-packet {enable | disable}
set status active
end
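As an added example (not Fortinet's code), the following Python builds the outer Ethernet, 802.1Q, IPv4 and GRE headers that the manual-mirror encap-* settings above describe and shows the collector-side decapsulation with checksum and protocol checks. The addresses in CFG are constructed, and the ERSPAN-specific header that follows GRE on the wire is omitted as a stated simplification.

```python
import socket, struct

# Constructed settings mirroring the manual-ERSPAN encap-* fields above (addresses are made up).
CFG = {"encap-mac-dst": "00:aa:bb:cc:dd:01", "encap-mac-src": "00:aa:bb:cc:dd:02",
       "encap-vlan": "tagged", "encap-vlan-tpid": 0x8100, "encap-vlan-id": 100,
       "encap-vlan-priority": 3, "encap-vlan-cfi": 0, "encap-ipv4-src": "10.0.0.2",
       "erspan-collector-ip": "10.0.0.100", "encap-ipv4-ttl": 64, "encap-ipv4-tos": 0x00,
       "encap-gre-protocol": 0x88BE}  # 0x88BE is the GRE protocol type used by ERSPAN Type II

def _ipv4_checksum(hdr):
    """One's-complement sum of the 20-byte header with its checksum field zeroed."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(cfg, frame):
    """Outer Ethernet/802.1Q/IPv4/GRE headers a manual ERSPAN mirror adds around a mirrored
    frame. Assumption: plain 4-byte GRE header, no flags; ERSPAN header after GRE omitted."""
    gre = struct.pack("!HH", 0, cfg["encap-gre-protocol"]) + frame
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, cfg["encap-ipv4-tos"], 20 + len(gre), 0, 0,
                               cfg["encap-ipv4-ttl"], 47, 0, socket.inet_aton(cfg["encap-ipv4-src"]),
                               socket.inet_aton(cfg["erspan-collector-ip"])))  # 47 = GRE
    struct.pack_into("!H", ip, 10, _ipv4_checksum(ip))
    eth = bytes.fromhex(cfg["encap-mac-dst"].replace(":", "") + cfg["encap-mac-src"].replace(":", ""))
    if cfg["encap-vlan"] == "tagged":
        tci = (cfg["encap-vlan-priority"] << 13) | (cfg["encap-vlan-cfi"] << 12) | cfg["encap-vlan-id"]
        eth += struct.pack("!HH", cfg["encap-vlan-tpid"], tci)
    return eth + b"\x08\x00" + bytes(ip) + gre

def decapsulate(pkt, tpid=0x8100):
    """Collector side: peel the outer headers, check the IPv4 checksum and that the IP
    protocol is GRE, and return the header fields plus the inner mirrored frame."""
    etype, off, vlan = struct.unpack("!H", pkt[12:14])[0], 14, None
    if etype == tpid:
        tci = struct.unpack("!H", pkt[14:16])[0]
        vlan = {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "id": tci & 0xFFF}
        etype, off = struct.unpack("!H", pkt[16:18])[0], 18
    if etype != 0x0800:
        raise ValueError("outer EtherType is not IPv4")
    hdr = bytearray(pkt[off:off + 20])
    cks, hdr[10:12] = struct.unpack("!H", hdr[10:12])[0], b"\x00\x00"
    if (pkt[off] & 0x0F) != 5 or _ipv4_checksum(hdr) != cks or hdr[9] != 47:
        raise ValueError("outer IPv4 header is not a valid GRE packet")
    gre_proto = struct.unpack("!H", pkt[off + 22:off + 24])[0]
    return {"mac_dst": bytes(pkt[:6]).hex(":"), "mac_src": bytes(pkt[6:12]).hex(":"), "vlan": vlan,
            "tos": hdr[1], "ttl": hdr[8], "ip_src": socket.inet_ntoa(bytes(hdr[12:16])),
            "ip_dst": socket.inet_ntoa(bytes(hdr[16:20])), "gre_protocol": gre_proto,
            "inner": bytes(pkt[off + 24:])}
```

A collector can compare the returned fields against the configured encap-* values to confirm that the mirror session it receives is the one it expects.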