Fortinet white logo
Fortinet white logo

FortiLink Guide

Configuring FortiSwitch port mirroring

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have one RSPAN session or one ERSPAN session.

In RSPAN mode, traffic is encapsulated in VLAN 4092 and sent toward the FortiGate device, where it can be captured using packet capture. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which is the device acting as an ERSPAN collector. The collector must be reachable by the FortiSwitch unit using IPv4 ICMP ping (NOTE: A firewall policy might be required on the FortiGate device.). If the collector IP address is not specified, the traffic is not mirrored.

Note

ERSPAN cannot be used with SPAN or RSPAN.

When you are using RSPAN or ERSPAN, the switch controller automatically configures a policer to limit the traffic. For example:

config switch-controller traffic-policy

edit "sniffer"

set description "Rate control for sniffer mirrored traffic"

set guaranteed-bandwidth 50000

set guaranteed-burst 8192

set maximum-burst 163840

set cos-queue 0

next

end

config system interface

edit "rspan"

set switch-controller-traffic-policy "sniffer"

next

end

Note

Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support the policer.

FortiSwitch port-based mirroring

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config mirror

edit <mirror_name>

set status {active | inactive} // Required

set dst <port_name> // Required

set switching-packet {enable | disable}

set src-ingress <port_name>

set src-egress <port_name>

next

end

next

In the following example, the ingress traffic from port2 and port3 and the egress traffic from port4 and port5 are mirrored to port1, where the traffic-monitoring device is connected.

config switch-controller managed-switch

edit S524DF4K15000024

config mirror

edit 2

set status active

set dst port1

set switching-packet enable

set src-ingress port2 port3

set src-egress port4 port5

next

end

next

To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer

set mode none

end

FortiSwitch RSPAN

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

end

end

In the following example, traffic matching any of the target-mac, target-ip, and target-port parameters is captured.

To monitor the traffic on a FortiGate device, go to Network > Diagnostics > Packet Capture and capture the traffic on the “rspan” VLAN. The traffic can also be downloaded as a PCAP file. For more details, see Using the packet capture tool.

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

FortiSwitch ERSPAN

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent from this MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent from this IPv4 address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror traffic sent to these ports

set out-ports <portx porty portz ...> // mirror traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip 10.255.12.201

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

Configuring FortiSwitch port mirroring

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have one RSPAN session or one ERSPAN session.

In RSPAN mode, traffic is encapsulated in VLAN 4092 and sent toward the FortiGate device, where it can be captured using packet capture. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which is the device acting as an ERSPAN collector. The collector must be reachable by the FortiSwitch unit using IPv4 ICMP ping (NOTE: A firewall policy might be required on the FortiGate device.). If the collector IP address is not specified, the traffic is not mirrored.

Note

ERSPAN cannot be used with SPAN or RSPAN.

When you are using RSPAN or ERSPAN, the switch controller automatically configures a policer to limit the traffic. For example:

config switch-controller traffic-policy

edit "sniffer"

set description "Rate control for sniffer mirrored traffic"

set guaranteed-bandwidth 50000

set guaranteed-burst 8192

set maximum-burst 163840

set cos-queue 0

next

end

config system interface

edit "rspan"

set switch-controller-traffic-policy "sniffer"

next

end

Note

Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support the policer.

FortiSwitch port-based mirroring

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config mirror

edit <mirror_name>

set status {active | inactive} // Required

set dst <port_name> // Required

set switching-packet {enable | disable}

set src-ingress <port_name>

set src-egress <port_name>

next

end

next

In the following example, the ingress traffic from port2 and port3 and the egress traffic from port4 and port5 are mirrored to port1, where the traffic-monitoring device is connected.

config switch-controller managed-switch

edit S524DF4K15000024

config mirror

edit 2

set status active

set dst port1

set switching-packet enable

set src-ingress port2 port3

set src-egress port4 port5

next

end

next

To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer

set mode none

end

FortiSwitch RSPAN

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

end

end

In the following example, traffic matching any of the target-mac, target-ip, and target-port parameters is captured.

To monitor the traffic on a FortiGate device, go to Network > Diagnostics > Packet Capture and capture the traffic on the “rspan” VLAN. The traffic can also be downloaded as a PCAP file. For more details, see Using the packet capture tool.

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

FortiSwitch ERSPAN

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent from this MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent from this IPv4 address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror traffic sent to these ports

set out-ports <portx porty portz ...> // mirror traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip 10.255.12.201

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end