Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Devices Managed by FortiOS

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.

In RSPAN mode, traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

NOTE: RSPAN is supported on FSR-112D-POE, FSR-124D, and on platforms 2xx and higher.

In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP ping. If no IP address is specified, the traffic is not mirrored.

NOTE: ERSPAN is supported on FSR-124D and platforms 2xx and higher. ERSPAN cannot be used with the other FortiSwitch port-mirroring method.

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config mirror

edit <mirror_name>

set status {active | inactive} // Required

set dst <port_name> // Required

set switching-packet {enable | disable}

set src-ingress <port_name>

set src-egress <port_name>

next

end

next

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config mirror

edit 2

set status active

set dst port1

set switching-packet enable

set src-ingress port2 port3

set src-egress port4 port5

next

end

next

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror traffic sent to these ports

set out-ports <portx porty portz ...> // mirror traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip 10.254.254.254

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer

set mode none

end

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.

In RSPAN mode, traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

NOTE: RSPAN is supported on FSR-112D-POE, FSR-124D, and on platforms 2xx and higher.

In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which must be reachable by IPv4 ICMP ping. If no IP address is specified, the traffic is not mirrored.

NOTE: ERSPAN is supported on FSR-124D and platforms 2xx and higher. ERSPAN cannot be used with the other FortiSwitch port-mirroring method.

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config mirror

edit <mirror_name>

set status {active | inactive} // Required

set dst <port_name> // Required

set switching-packet {enable | disable}

set src-ingress <port_name>

set src-egress <port_name>

next

end

next

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config mirror

edit 2

set status active

set dst port1

set switching-packet enable

set src-ingress port2 port3

set src-egress port4 port5

next

end

next

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror traffic sent to these ports

set out-ports <portx porty portz ...> // mirror traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip 10.254.254.254

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer

set mode none

end