Monitoring and Analyzing Switch Operation

Traffic Mirroring

Operating Notes

Mirroring Dropped Traffic: Where an interface is configured to mirror traffic to a destination, it does so regardless of whether the traffic is dropped while on the interface.

Mirroring and Spanning Tree: Mirroring is done regardless of the spanning-tree (STP) state of a port or trunk. This means, for example, that inbound traffic on a port blocked by STP can still be monitored for STP protocol packets during the STP setup phase.

Tagged and Untagged Frames: For a frame entering or leaving the switch on a mirrored port, the mirrored copy retains the tagged or untagged state the original frame carried when it entered into or exited from the switch. (The tagged or untagged VLAN membership of ports in the path leading to the mirroring destination does not affect the tagged or untagged status of the mirrored copy itself.) Thus, if a tagged frame arrives on a mirrored port, the mirrored copy will also be tagged, regardless of the status of ports in the destination path. If a frame exits from the switch on a mirrored port that is a tagged member of a VLAN, then the mirrored copy will also be tagged for the same reason.

Effect of IGMP on Mirroring: If both inbound and outbound mirroring are operating when IGMP is enabled on any VLAN, two copies of mirrored IGMP frames may appear at the mirroring destination.

Mirrored Traffic Not Encrypted: Mirrored traffic undergoes IPv4 encapsulation, but mirrored, encapsulated traffic is not encrypted.

IPv4 Header Added: The IPv4 encapsulation of mirrored traffic adds a 54-byte header to each mirrored frame. If a resulting frame exceeds the maximum MTU allowed in the network, it will be dropped. To reduce the number of dropped frames, enable jumbo frames in the mirroring path, including all intermediate switches and/or routers. (The maximum transmission unit—MTU—on the switch is 9220 bytes, which includes 4 bytes for the 802.1Q VLAN tag.) For more information, refer to “Maximum Supported Frame Size” on page B-42. To configure the switch for jumbo frames, refer to “Configuring Jumbo Frame Operation” on page 12-4.
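
The following added example (not part of this manual) estimates how many mirrored frames would be dropped on a given mirroring path once the 54-byte header is added, which shows the blind spot a monitoring device would have for full-size frames. The hop names, the 1522-byte limit on the intermediate router, and the sample frame sizes are constructed assumptions; frame sizes and hop limits are assumed to be expressed in the same units (total frame bytes).

```python
"""Estimate mirrored-frame loss caused by the 54-byte encapsulation overhead."""

ENCAP_OVERHEAD = 54      # bytes added to each mirrored frame (from the manual)
SWITCH_MAX_FRAME = 9220  # switch maximum in bytes, incl. 4-byte 802.1Q tag

def path_limit(hops):
    """Smallest maximum frame size (bytes) among all hops in the path."""
    if not hops:
        raise ValueError("mirroring path has no hops")
    return min(limit for _name, limit in hops)

def mirror_loss(frame_sizes, hops):
    """Summarize which mirrored frames survive the mirroring path.

    frame_sizes: sizes in bytes of the original frames on the mirrored port
    hops: list of (name, max_frame_size) for every device in the path
    """
    limit = path_limit(hops)
    bottleneck = next(name for name, hop_max in hops if hop_max == limit)
    # A mirrored copy is dropped when original size + overhead exceeds the limit.
    dropped = [s for s in frame_sizes if s + ENCAP_OVERHEAD > limit]
    return {
        "bottleneck": bottleneck,
        "path_limit": limit,
        "largest_safe_original": limit - ENCAP_OVERHEAD,
        "dropped": len(dropped),
        "total": len(frame_sizes),
    }

# Constructed sample: frame sizes (bytes) observed on a mirrored port.
SAMPLE_FRAMES = [64, 128, 590, 1468, 1469, 1518, 1518, 1522]

# Constructed paths: hop names and the 1522-byte router limit are assumptions.
STANDARD_PATH = [("source-switch", SWITCH_MAX_FRAME),
                 ("core-router", 1522),
                 ("ids-switch", SWITCH_MAX_FRAME)]
# Same path after enabling jumbo frames on every hop.
JUMBO_PATH = [(name, SWITCH_MAX_FRAME) for name, _limit in STANDARD_PATH]

if __name__ == "__main__":
    for label, path in (("standard", STANDARD_PATH), ("jumbo", JUMBO_PATH)):
        print(label, mirror_loss(SAMPLE_FRAMES, path))
```

A single hop without jumbo frames is enough to drop every mirrored copy of a full-size frame, so the check has to cover each intermediate device, not only the source and destination switches.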

Intercepted or Injected Traffic: The mirroring feature does not protect against either mirrored traffic being intercepted or traffic being injected into a mirrored stream by an intermediate host.

Inbound Mirrored IPv4-Encapsulated Frames are Not Mirrored: The switch does not mirror IPv4-encapsulated mirrored frames that it receives on an interface. This prevents duplicate mirrored frames in configurations where the port connecting the switch to the network path for mirroring to a destination is also a port whose inbound or outbound traffic is being mirrored. For example, if traffic leaving the switch through

B-45