Administration Guide

Configuring an ERSPAN manual mirror

For an ERSPAN manual mirror, traffic on specified ports is mirrored to the specified destination interface using ERSPAN encapsulation. You need to manually configure the header contents with layer-2 and layer-3 addresses.

Using the GUI:
  1. Go to Switch > Mirror.
  2. Select Add Port Mirror.
  3. Enter a name for the mirror.
  4. Select Enabled to make the mirror active.
  5. Select a destination interface.
    NOTE: The destination interface cannot be part of a trunk.
  6. Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
    NOTE: Only one active egress mirror session is allowed.
  7. Select Packet Switching When Mirroring if the destination port is not a dedicated port. For example, enable this option if you connect a laptop to the switch and you are running a packet sniffer along with the management GUI on the laptop.
  8. Select ERSPAN Manual for the mode.
  9. Enable Strip VLAN Tags from Mirrored Traffic if you want to remove VLAN tags from mirrored traffic.
  10. Select Add ERSPAN Headers if you want to add the VLAN header to the encapsulated traffic.
  11. In the Collector IP field, enter the IP address for the ERSPAN collector.
  12. In the IPv4 Source Address field, enter the IPv4 source address in the ERSPAN IP header.
  13. In the IPv4 TTL field, enter the IPv4 TTL value in the ERSPAN IP header.
  14. In the IPv4 TOS field, enter the ToS value or enter the DSCP and ECN values in the ERSPAN IP header.
  15. In the GRE Protocol field, enter the protocol value in the ERSPAN GRE header.
  16. In the VLAN ID field, enter the VLAN identifier in the ERSPAN VLAN header.
    This field is available only if Add ERSPAN Headers is selected.
  17. In the TPID field, enter the TPID for the encapsulating VLAN header.
    This field is available only if Add ERSPAN Headers is selected.
  18. In the Priority field, enter the CoS bits in the ERSPAN VLAN header.
    This field is available only if Add ERSPAN Headers is selected.
  19. In the CFI/DEI field, enter the CFI or DEI bit in the ERSPAN VLAN header.
    This field is available only if Add ERSPAN Headers is selected.
  20. In the Source MAC Address field, enter the source MAC address in the ERSPAN Ethernet header.
    This field is available only if Add ERSPAN Headers is selected.
  21. In the Destination MAC Address field, enter the MAC address of the next-hop or gateway on the path to the ERSPAN collector IP address.
    This field is available only if Add ERSPAN Headers is selected.
  22. Select Create to create the mirror.

Using the CLI:

config switch mirror
    edit <mirror session name>
        set mode ERSPAN-manual
        set dst <interface>
        set encap-gre-protocol <hexadecimal_integer>
        set encap-ipv4-src <IPv4_address>
        set encap-ipv4-tos <hexadecimal_integer>
        set encap-ipv4-ttl <0-255>
        set encap-mac-dst <MAC_address>
        set encap-mac-src <MAC_address>
        set encap-vlan {tagged | untagged}
        set encap-vlan-cfi <0-1>
        set encap-vlan-id <1-4094>
        set encap-vlan-priority <0-7>
        set encap-vlan-tpid <0x0001-0xfffe>
        set erspan-collector-ip <IPv4_address>
        set src-egress <interface_name>
        set src-ingress <interface_name>
        set strip-mirrored-traffic-tags {disable | enable}
        set switching-packet {enable | disable}
        set status active
end
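
Because every outer header field is entered by hand, it is worth confirming at the collector that frames arrive with the values you configured. The following is an added example, not Fortinet code: a Python check that decodes the outer Ethernet, VLAN, IPv4 and GRE headers of one captured frame and reports any field that differs from the session settings. The addresses, VLAN values, GRE protocol value and sample frame are constructed for illustration.

```python
import socket
import struct

def parse_outer_headers(frame: bytes) -> dict:
    """Decode outer Ethernet, optional VLAN tag, IPv4 and GRE fields of one frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    seen = {"encap-mac-dst": frame[0:6].hex(":"), "encap-mac-src": frame[6:12].hex(":")}
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype != 0x0800:
        # Not IPv4, so treat the value as the configurable TPID of an outer VLAN tag.
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        seen.update({"encap-vlan-tpid": ethertype, "encap-vlan-priority": tci >> 13,
                     "encap-vlan-cfi": (tci >> 12) & 1, "encap-vlan-id": tci & 0x0FFF})
        ethertype, off = inner, 18
    ip = frame[off:off + 20]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("outer payload is not IPv4")
    if ip[9] != 47:
        raise ValueError("outer IPv4 protocol is not GRE (47)")
    seen.update({"encap-ipv4-tos": ip[1], "encap-ipv4-ttl": ip[8],
                 "encap-ipv4-src": socket.inet_ntoa(ip[12:16]),
                 "erspan-collector-ip": socket.inet_ntoa(ip[16:20])})
    gre = frame[off + (ip[0] & 0x0F) * 4:][:4]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    seen["encap-gre-protocol"] = struct.unpack("!H", gre[2:4])[0]
    return seen

def mismatches(frame: bytes, expected: dict) -> dict:
    """Return {setting: (expected, seen)} for every configured field that differs."""
    seen = parse_outer_headers(frame)
    return {k: (v, seen.get(k)) for k, v in expected.items() if seen.get(k) != v}

# Constructed session values: documentation IP ranges, locally administered MACs.
EXPECTED = {"encap-mac-dst": "02:00:00:00:00:0a", "encap-mac-src": "02:00:00:00:00:01",
            "encap-vlan-tpid": 0x8100, "encap-vlan-priority": 5, "encap-vlan-cfi": 0,
            "encap-vlan-id": 100, "encap-ipv4-tos": 0x20, "encap-ipv4-ttl": 64,
            "encap-ipv4-src": "192.0.2.10", "erspan-collector-ip": "198.51.100.20",
            "encap-gre-protocol": 0x88BE}

def sample_frame(ttl: int = 64) -> bytes:
    """Build a constructed outer header stack (no mirrored payload) for the demo."""
    eth = bytes.fromhex("02000000000a020000000001") + struct.pack("!HHH", 0x8100, (5 << 13) | 100, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x20, 28, 0, 0, ttl, 47, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    return eth + ip + struct.pack("!HH", 0x1000, 0x88BE) + b"\x00" * 4
```

Call `mismatches(frame, EXPECTED)` with the raw bytes of a frame captured at the collector; an empty result means the outer headers match the configured session. The TTL seen at the collector is lower than the configured value by one per routed hop, so compare it with that in mind.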
