Administration Guide

Configuring a SPAN mirror

NOTE: You can use virtual wire ports as ingress and egress mirror sources. When virtual wire ports are mirrored on egress, all mirrored traffic carries an additional VLAN header.

Using the GUI:
  1. Go to Switch > Mirror.
  2. Select Add Port Mirror.
  3. Enter a name for the mirror.
  4. Select Enabled to make the mirror active.
  5. Select a destination interface.
    On FortiSwitch models that support RSPAN and ERSPAN, set the trunk or physical port that will act as a mirror. The physical port cannot be part of a trunk.
    On FortiSwitch models that do not support RSPAN and ERSPAN, set the physical port that will act as a mirror. The physical port can be part of a trunk.
  6. Select from the excluded ports which ports to include for ingress mirroring and egress mirroring.
    NOTE: Only one active egress mirror session is allowed.
  7. Select Packet Switching When Mirroring if the destination port is not a dedicated port. For example, enable this option if you connect a laptop to the switch and you are running a packet sniffer along with the management GUI on the laptop.
  8. Select SPAN for the mode.
  9. Select Create to create the mirror.
Using the CLI:

config switch mirror
    edit <mirror session name>
        set mode SPAN
        set dst <interface>
        set src-egress <interface_name>
        set src-ingress <interface_name>
        set switching-packet {enable | disable}
        set status active
end

For example:

config switch mirror
    edit "m1"
        set mode SPAN
        set dst "port5"
        set src-egress "port2"
        set src-ingress "port3" "port4"
        set switching-packet enable
        set status active
end

Multiple mirror destination ports (MTPs)

With some FortiSwitch models, you can configure multiple mirror destination ports with the following guidelines and restrictions:

  • Always set the destination port before setting the src-ingress or src-egress ports.
  • Any port configured as a src-ingress or src-egress port in one mirror cannot be configured as a destination port in another mirror.
  • The total number of active sessions depends on your configuration.
  • For switch models 124D, 124D-POE, 224D-FPOE, 248D, 248D-POE, 248D-FPOE, 224E, 224E-POE, 248E-POE, 248E-FPOE, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, and 448D-FPOE:
    • For access control lists, you can use a mirror destination that does not have src-ingress or src-egress configured or a mirror destination that has src-ingress or src-egress configured.
  • For switch models 524D, 524D-FPOE, 548D, 548D-FPOE, 1024D, 1048D, 1048E, 3032D, and 3032E:
    • For access control lists, you can use a mirror destination that does not have src-ingress or src-egress configured or a mirror destination that has src-ingress or src-egress configured.
  • For switch model FSR-112D-POE:
    • You can configure up to seven mirrors, each with a different destination port.
    • Multiple ingress or egress ports can be mirrored to the same destination port.
    • An ingress or egress port cannot be mirrored to more than one destination port.

These restrictions apply to active mirrors. If you try to activate an invalid mirror configuration, the system displays the following error message: "Hardware active mirror session limit reached. Please deactivate or delete another active session to make room."

The following example configuration is valid for FortiSwitch-3032D. This configuration includes three ingress ports, one egress port, and four destination ports. The port3 ingress and egress ports are mirrored to multiple destinations.

config switch mirror
    edit "m1"
        set mode SPAN
        set dst "port16"
        set status active
        set src-ingress "port3" "port5" "port7"
    next
    edit "m2"
        set mode SPAN
        set dst "port22"
        set status active
        set src-ingress "port3" "port5"
    next
    edit "m3"
        set mode SPAN
        set dst "port1"
        set status active
        set src-ingress "port3"
    next
    edit "m4"
        set mode SPAN
        set dst "port2"
        set status active
        set src-egress "port3"
end

The following example configuration includes three ingress ports, three egress ports and four destination ports. Each ingress and egress port is mirrored to only one destination port.

config switch mirror
    edit "m1"
        set mode SPAN
        set dst "port1"
        set status active
        set src-ingress "port2" "port7"
    next
    edit "m2"
        set mode SPAN
        set dst "port5"
        set status active
        set src-ingress "port2"
    next
    edit "m3"
        set mode SPAN
        set dst "port3"
        set status active
        set src-ingress "port6"
    next
    edit "m4"
        set mode SPAN
        set dst "port4"
        set status active
        set src-egress "port6" "port8"
end
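Because a mirror session copies live traffic to another port, it is worth checking a planned or exported mirror configuration against the restrictions above before activating it. The following Python check is an added example, not Fortinet code: it assumes the configuration is available as CLI text in the form shown on this page, and the names parse_mirrors, check_mirrors, and one_dst_per_source are hypothetical. It covers the dst-before-source ordering, the source-versus-destination conflict, the single active egress session note, and (optionally) the FSR-112D-POE rule that a source port has only one destination.

```python
import shlex

def parse_mirrors(text):
    """Parse 'config switch mirror' text into [(name, [(key, values), ...])], order kept."""
    sessions = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["edit"] and len(tok) > 1:
            sessions.append((tok[1], []))
        elif tok[:1] == ["set"] and len(tok) > 1 and sessions:
            sessions[-1][1].append((tok[1], tok[2:]))
    return sessions

def check_mirrors(sessions, one_dst_per_source=False):
    """Return findings for active mirrors; the flag adds the FSR-112D-POE source rule."""
    findings, active, targets = [], [], {}
    for name, settings in sessions:
        conf = dict(settings)
        if conf.get("status") != ["active"]:
            continue  # the restrictions apply to active mirrors only
        active.append((name, conf))
        keys = [k for k, _ in settings]
        src_at = [i for i, k in enumerate(keys) if k.startswith("src-")]
        if src_at and ("dst" not in keys or keys.index("dst") > src_at[0]):
            findings.append(f"{name}: set dst before src-ingress/src-egress")
    dst_owner = {c["dst"][0]: n for n, c in active if c.get("dst")}
    egress = [n for n, c in active if c.get("src-egress")]
    if len(egress) > 1:
        findings.append(f"{len(egress)} active egress sessions: {', '.join(egress)}")
    for name, conf in active:
        for port in conf.get("src-ingress", []) + conf.get("src-egress", []):
            if dst_owner.get(port, name) != name:
                findings.append(f"{name}: source {port} is the dst of {dst_owner[port]}")
            targets.setdefault(port, set()).update(conf.get("dst", []))
    findings += [f"{p}: mirrored to {len(t)} destination ports" for p, t in
                 sorted(targets.items()) if one_dst_per_source and len(t) > 1]
    return findings

SAMPLE = '''config switch mirror
edit "m1"
set dst "port5"
set src-ingress "port3" "port4"
set status active
next
edit "m2"
set src-ingress "port6"
set dst "port4"
set status active
end'''  # constructed sample, not from the page
```

Running check_mirrors(parse_mirrors(SAMPLE)) reports that m2 sets its source before its destination and that m1 mirrors port4, which is m2's destination port.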
