08. Switching Basics - Port Mirroring and Link Aggregation


Port Mirroring and Link Aggregation

Course Objectives

After completing this course, you will be able to:


• Understand the concepts and configuration of port mirroring on switches.
• Know how to capture and analyze packets.
• Understand the technical principles and configuration of link aggregation.
Contents

Ethernet Port Mirroring

Ethernet Link Aggregation


Technical Background of Switch Port Mirroring (1)

Figure: PC1 and PC2 exchange frames through the switch; the monitoring PC attached to a third port does not see them, because a switch forwards a unicast frame only to the port on which the destination MAC address was learned.
Technical Background of Switch Port Mirroring (2)

• In some scenarios, the packets entering or leaving a specified switch interface need to be monitored.

Figure: PC1 on GE0/0/1 and PC2 on GE0/0/2 of the switch. GE0/0/2 is the mirroring port; GE0/0/3, where the monitoring PC is attached, is the observing port.
Port Mirroring Overview

• Applications of port mirroring:
 Traffic observation
 Fault location
• Mirroring classification:
 Port mirroring
Port mirroring means that all the data on a monitored port is copied to a specified observing port for data analysis and monitoring.
 Traffic mirroring
Traffic mirroring means that only the service flows matching an ACL are copied to a specified observing port for packet analysis and monitoring.
Port Mirroring (1)

• Port mirroring means that a switch copies packets passing through a mirroring port (incoming, outgoing or both) and sends the copies to a specified observing port for monitoring and analysis. In port mirroring, every packet that passes through the mirroring port is copied to the observing port; no filtering is applied.
• Ethernet switches support many-to-one mirroring: packets from multiple mirroring ports can be copied to one observing port. The observing port then has to carry the sum of the mirrored traffic, so it can be oversubscribed and drop copies.

Figure: switch with two mirroring ports and one observing port, GE0/0/3, where the monitoring PC is attached.
Port Mirroring (2)

Port mirroring is classified into local port mirroring and remote port mirroring.
• Local port mirroring
In local port mirroring, the monitoring host is directly connected to the observing port.
• Remote port mirroring
In remote port mirroring, the monitoring host and the device where the observing port resides are interconnected through a Layer 2 or Layer 3 network.
 Layer 2 port mirroring (RSPAN: Remote Switched Port Analyzer): in the case of Layer 2 interconnection, the S9300 tags each packet copied from the mirroring port with the remote mirroring VLAN ID, and the observing port floods the packet within that VLAN. On receipt, the remote device compares the VLAN ID in the packet with its configured remote mirroring VLAN; if they match, it forwards the packet to the remote observing port.
 Layer 3 port mirroring (ERSPAN: Encapsulated Remote SPAN): in the case of Layer 3 interconnection, the S9300 adds a GRE header to each mirrored packet and the remote device removes it, so that the copy can traverse the Layer 3 network and port mirroring works between the device holding the mirroring port and the device holding the observing port.
Neither mechanism protects the copied traffic: the RSPAN VLAN and the GRE tunnel carry complete packet payloads in the clear, so the VLAN should be dedicated to mirroring and the path to the monitoring host should be trusted.
Traffic Mirroring

• Traffic mirroring means that selected packets on a traffic mirroring port are copied to a specified observing port or to the CPU for monitoring and analysis. A traffic mirroring port is a port to which a traffic policy containing a traffic mirroring behavior is applied. Packets passing through that port that match the traffic classification of the policy are copied and sent to the observing port or the CPU; packets that do not match are forwarded normally without a copy.

Figure: switch with GE0/0/2 as the mirroring port (traffic classification applied) and GE0/0/3 as the observing port, with the monitoring PC attached.
Configuring Local Port Mirroring (1)

• Mirror the incoming and outgoing packets of GE 0/0/1 on the switch to GE 0/0/24.

Figure: R1 (GE0/0/0) connects to switch GE0/0/1 and R2 (GE0/0/0) to switch GE0/0/2; PC1, the monitoring PC, is attached to GE0/0/24.
Configuring Local Port Mirroring (2)

[SW] observe-port 1 interface GigabitEthernet 0/0/24
[SW] interface GigabitEthernet 0/0/1
[SW-GigabitEthernet0/0/1] port-mirroring to observe-port 1 both
[SW-GigabitEthernet0/0/1] quit
[SW] display port-mirroring

Figure: on the switch, GE0/0/1 is the mirroring port and GE0/0/24, with the monitoring PC attached, is the observing port.

Note that "both" copies the inbound and outbound traffic of GE 0/0/1: if that port is busy in both directions, the copies can exceed the capacity of a same-speed observing port and some of them are dropped, so a gap in the capture does not necessarily mean a gap on the wire.
Packet Analysis

• An IP network carries many types of traffic.
• Network protocols such as OSPF and STP operate correctly only if their protocol packets are exchanged normally, and the service systems running on the network depend on service data being sent and received correctly.
• A professional network engineer should understand protocols at the packet level and know the common protocol packets, because network management and troubleshooting rely on them.

Figure: SW1 and SW2 exchanging OSPF packets as OSPF peers.
Packet Analysis Tools

• Ethereal (the former name of Wireshark)
• Wireshark
• Sniffer
Wireshark

• Packet filtering (Wireshark display filters)

Packet filtering                                   | Logical expression
---------------------------------------------------|---------------------------------
Protocol: tcp, udp, arp                            | arp or http
Source/destination IP or MAC address:              | ip.addr == 192.168.1.1 and http
  ip.addr == 192.168.1.1                           | not ip
  ip.src == 192.168.1.1 or ip.dst == 192.168.1.1   |
  eth.addr == 00:ac:aa:cc:00:a1                    |
Port filtering:                                    |
  tcp.srcport == 8080 or tcp.dstport == 8080       |

These are display filters, applied to packets already captured. Capture filters (the "Capture Filter" field) use the different pcap/BPF syntax, for example "tcp port 23".
Wireshark

Figure: PC (192.168.1.1/24) connected to GE0/0/24 of the switch; Vlanif 1 on the switch is 192.168.1.254/24; the PC runs "telnet 192.168.1.254".

• Complete the IP address configuration on the PC and the switch, as shown in the figure.
• Enable the Telnet service on the switch.
• Open Wireshark on the PC and start capturing on its Ethernet card.
• Telnet to the switch from the PC and observe the captured packets. The username and password appear in cleartext in the Telnet segments, which is why Telnet should be enabled only for a lab such as this one and SSH (STelnet on Huawei switches) used otherwise.
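The following is an added example, not part of the course material: it shows what an attacker or analyst on an observing port can extract from the lab capture above. The frames are constructed inside the script (the MAC addresses, the client port 50123 and the credentials "admin" / "Huawei@123" are made up); only the address plan, 192.168.1.1 for the PC and 192.168.1.254 for Vlanif 1, comes from the lab. parse_frame() extracts the same fields a Wireshark display filter such as "ip.dst == 192.168.1.254 and tcp.dstport == 23" selects on, strip_iac() removes Telnet option negotiation (RFC 854), and recover_login() joins the client-to-switch payload into the typed lines.

```python
"""Recover a Telnet login from frames seen on an observing port (added example)."""
import ipaddress
import struct

PC_IP = "192.168.1.1"
SWITCH_IP = "192.168.1.254"                  # Vlanif 1 on the switch
TELNET_PORT = 23
PC_MAC = bytes.fromhex("001122334455")       # hypothetical
SWITCH_MAC = bytes.fromhex("4c1fcce2392e")   # hypothetical


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet II + IPv4 + TCP frame. Checksums are left at zero:
    parsing does not need them and Wireshark only flags them as warnings."""
    client_to_switch = src_ip == PC_IP
    src_mac, dst_mac = (PC_MAC, SWITCH_MAC) if client_to_switch else (SWITCH_MAC, PC_MAC)
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Fields a display filter needs; non-IPv4 frames keep only their EtherType."""
    if len(frame) < 14:
        return None
    rec = {"eth.type": struct.unpack("!H", frame[12:14])[0]}
    if rec["eth.type"] != 0x0800 or len(frame) < 34:
        return rec
    ihl = (frame[14] & 0x0F) * 4
    rec.update({"ip.src": str(ipaddress.IPv4Address(frame[26:30])),
                "ip.dst": str(ipaddress.IPv4Address(frame[30:34])),
                "ip.proto": frame[23]})
    if rec["ip.proto"] == 6:                                  # TCP
        tcp = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data_off = (frame[tcp + 12] >> 4) * 4
        rec.update({"tcp.srcport": sport, "tcp.dstport": dport,
                    "tcp.payload": frame[tcp + data_off:]})
    return rec


def matches_telnet_to_switch(rec):
    """Equivalent of 'ip.dst == 192.168.1.254 and tcp.dstport == 23'."""
    return rec.get("ip.dst") == SWITCH_IP and rec.get("tcp.dstport") == TELNET_PORT


def strip_iac(data):
    """Drop Telnet IAC command sequences, keeping an escaped 0xFF data byte."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != 0xFF:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == 0xFF:       # IAC IAC = literal 0xFF
            out.append(0xFF); i += 2
        elif i + 1 < len(data) and 0xFB <= data[i + 1] <= 0xFE:  # WILL/WONT/DO/DONT <opt>
            i += 3
        else:                                                  # other 2-byte commands
            i += 2
    return bytes(out)


def recover_login(frames):
    """Join the client-to-switch Telnet stream and split it into typed lines."""
    stream = bytearray()
    for frame in frames:
        rec = parse_frame(frame)
        if rec and matches_telnet_to_switch(rec):
            stream += rec["tcp.payload"]
    text = strip_iac(bytes(stream)).decode("ascii", errors="replace")
    return [line for line in text.replace("\r\n", "\n").split("\n") if line]


def sample_capture():
    """Constructed frames in the order the observing port would deliver them."""
    frames = [bytes.fromhex("ffffffffffff") + PC_MAC + b"\x08\x06" + b"\x00" * 28]  # ARP
    frames.append(build_frame(PC_IP, SWITCH_IP, 50123, 23, b"\xff\xfd\x01\xff\xfb\x1f"))
    frames.append(build_frame(SWITCH_IP, PC_IP, 23, 50123, b"Username:"))
    for ch in b"admin\r\n":                       # Telnet clients send one char per segment
        frames.append(build_frame(PC_IP, SWITCH_IP, 50123, 23, bytes([ch])))
    frames.append(build_frame(SWITCH_IP, PC_IP, 23, 50123, b"Password:"))
    for ch in b"Huawei@123\r\n":
        frames.append(build_frame(PC_IP, SWITCH_IP, 50123, 23, bytes([ch])))
    frames.append(build_frame(PC_IP, "192.168.1.10", 50200, 80, b"GET / HTTP/1.1\r\n"))
    return frames


if __name__ == "__main__":
    print(recover_login(sample_capture()))
```

The ARP frame, the switch-to-PC prompts and the HTTP segment are all rejected by the filter, and the negotiation bytes are stripped, so the result is exactly the two lines the user typed. The same parsing applies to anything else sent in the clear through a mirrored port, which is the reason mirroring itself must be restricted to administrators.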


Technical Background of Link Aggregation (1)

• Some links on the network carry high-volume traffic, creating bottlenecks in link bandwidth.
• Single points of failure exist on links.
Technical Background of Link Aggregation (2)

Ethernet link aggregation bundles multiple Ethernet links to increase bandwidth while at the same time providing load balancing and link redundancy.
Link Aggregation Overview

• Link aggregation, originally defined in IEEE 802.3ad and now maintained as IEEE 802.1AX, bundles multiple physical interfaces into one logical interface to increase bandwidth. The logical interface is a Link Aggregation Group (LAG), also called a multi-interface load-balancing group.
• The bundled links between two devices make better use of the available bandwidth and improve the reliability of communication between the devices without a hardware upgrade: if one member link fails, the remaining members keep carrying the traffic.

Figure: two switches connected by GE0/0/1 and GE0/0/2 on each side, bundled into one Eth-Trunk.
Working Mode: Manual Load Balancing

• In manual load balancing mode, an Eth-Trunk is created manually and member interfaces are added to
the Eth-Trunk manually. LACP packets do not participate in this process.

• In manual load balancing mode, all active links forward data and share the traffic according to the configured hash algorithm. This is how this mode gets its name.

• If an active link fails, the link aggregation group automatically redistributes traffic among the remaining active links.

• The manual load balancing mode can be used when a large link bandwidth is needed between two directly connected devices that do not support LACP. Because no protocol runs between the devices, the switch cannot detect that the far end has bundled different ports, or none at all, so cabling and member configuration must be checked on both sides by hand.
Working Mode: Static LACP

• The static LACP mode refers to a link aggregation method of determining active and inactive interfaces
by negotiating parameters through LACP.
• In static LACP mode, an Eth-Trunk needs to be created manually, member interfaces need to be
manually added to the Eth-Trunk, and LACP is used to negotiate active and inactive interfaces.
• The static LACP mode is also called the M:N mode. This mode implements both link load balancing and
link backup. M active links in the link aggregation group are responsible for forwarding data and
performing load balancing, while the other N inactive links are standby and do not forward data. If an
active link becomes faulty, the system selects the link with the highest priority from the N inactive links.
The inactive link becomes active and starts to forward data.
• The main difference between the static LACP mode and manual load balancing mode is that the static
LACP mode implements link backup whereas the manual load balancing mode requires all member
interfaces to share traffic loading.
• In contrast to the static LACP mode, the dynamic LACP mode requires only LACP auto-negotiation to
create an Eth-Trunk or add member interfaces, instead of performing manual operations. The dynamic
LACP mode provides convenience for users but is difficult to manage due to its flexibility. Therefore, the
S9300 does not support link aggregation in dynamic LACP mode.
Working Mode: Static LACP

Figure: SwitchA (high LACP system priority) and SwitchB (low LACP system priority). Each switch could rank the links differently; the active interfaces selected by SwitchA, the device with the higher system priority, are the ones both switches use, and SwitchB adopts that selection instead of its own.
Test 1: Link Aggregation in Manual Load Balancing Mode

• SW1 and SW2 are interconnected through GE 0/0/23 and GE 0/0/24. These interfaces are bundled as an Eth-Trunk in manual load balancing mode. The Eth-Trunk interface is configured as a trunk interface so that the aggregated link can carry traffic for multiple VLANs.

Figure: SW1 and SW2 joined by Eth-Trunk (GE0/0/23 and GE0/0/24 on both switches). SW1 GE0/0/1: PC1, VLAN 10, 192.168.10.1/24. SW1 GE0/0/2: PC2, VLAN 20, 192.168.20.1/24. SW2 GE0/0/1: PC3, VLAN 10, 192.168.10.2/24. SW2 GE0/0/2: PC4, VLAN 20, 192.168.20.2/24.
Test 1: Link Aggregation in Manual Load Balancing Mode

Configuration on SW1:
[SW1] vlan batch 10 20
[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] port link-type access
[SW1-GigabitEthernet0/0/1] port default vlan 10
[SW1-GigabitEthernet0/0/1] quit
[SW1] interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2] port link-type access
[SW1-GigabitEthernet0/0/2] port default vlan 20
[SW1-GigabitEthernet0/0/2] quit
Test 1: Link Aggregation in Manual Load Balancing Mode

Configuration on SW1:
# Create the aggregation interface Eth-Trunk 1 and add GE 0/0/23 and GE 0/0/24 to it.
[SW1] interface Eth-Trunk 1
[SW1-Eth-Trunk1] mode manual load-balance   # Manual load balancing is the default mode, so this line is optional.
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/23
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/24
# Eth-Trunk 1 needs to carry multiple VLANs, so it must be configured as a trunk interface.
[SW1-Eth-Trunk1] port link-type trunk
[SW1-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SW1-Eth-Trunk1] quit
Test 1: Link Aggregation in Manual Load Balancing Mode

After the Eth-Trunk interface is created, add member interfaces (physical interfaces) to the Eth-Trunk. There are two ways to do this, with the same effect. In both cases the member interfaces must still have their default configuration; VLAN or IP settings left on a physical port prevent it from joining.

Method 1: add the members from the Eth-Trunk view.
[SW1] interface Eth-Trunk 1
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/23
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/24
[SW1-Eth-Trunk1] quit

Method 2: join the Eth-Trunk from each member interface view.
[SW1] interface GigabitEthernet 0/0/23
[SW1-GigabitEthernet0/0/23] eth-trunk 1
[SW1-GigabitEthernet0/0/23] quit
[SW1] interface GigabitEthernet 0/0/24
[SW1-GigabitEthernet0/0/24] eth-trunk 1
[SW1-GigabitEthernet0/0/24] quit
Test 1: Link Aggregation in Manual Load Balancing Mode

Configuration on SW2:
[SW2] vlan batch 10 20
[SW2] interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1] port link-type access
[SW2-GigabitEthernet0/0/1] port default vlan 10
[SW2-GigabitEthernet0/0/1] quit
[SW2] interface GigabitEthernet 0/0/2
[SW2-GigabitEthernet0/0/2] port link-type access
[SW2-GigabitEthernet0/0/2] port default vlan 20
[SW2-GigabitEthernet0/0/2] quit
Test 1: Link Aggregation in Manual Load Balancing Mode

Configuration on SW2:
[SW2] interface Eth-Trunk 1
[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/23
[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/24
[SW2-Eth-Trunk1] port link-type trunk
[SW2-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SW2-Eth-Trunk1] quit
Verification of Test 1

[SW1] display eth-trunk 1


Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/23 Up 1
GigabitEthernet0/0/24 Up 1
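The verification output reports "Hash arithmetic: According to SIP-XOR-DIP", which is what decides how the manual-mode traffic sharing described earlier actually looks. The script below is an added example, not course code, and the switch's real hash function is not on the page: it assumes the simplest reading (XOR of the two IPv4 addresses, reduced modulo the number of active members). That is enough to show three properties of any per-flow hash: a flow stays on one member and never gets more than one link's bandwidth, the reverse direction of a flow lands on the same member because XOR is symmetric, and a member failure re-hashes every flow across the survivors. The member names and the PC addresses come from Test 1; the sixteen client hosts are constructed.

```python
"""Which Eth-Trunk member carries a flow under a SIP-XOR-DIP hash (added example)."""
import ipaddress
from collections import Counter

# Member interfaces listed as Up in the Test 1 verification output.
ACTIVE_LINKS = ["GigabitEthernet0/0/23", "GigabitEthernet0/0/24"]


def sip_xor_dip(src_ip, dst_ip):
    """Hash key: XOR of source and destination IPv4 addresses as 32-bit integers."""
    return int(ipaddress.IPv4Address(src_ip)) ^ int(ipaddress.IPv4Address(dst_ip))


def select_member(src_ip, dst_ip, active_links):
    """Member carrying the flow (assumed model: key modulo number of active members)."""
    if not active_links:
        raise ValueError("Eth-Trunk has no active member links")
    return active_links[sip_xor_dip(src_ip, dst_ip) % len(active_links)]


def distribution(flows, active_links):
    """Flows per member interface, listing members that received none as 0."""
    counts = Counter(select_member(s, d, active_links) for s, d in flows)
    return {link: counts.get(link, 0) for link in active_links}


def lab_flows():
    """The two PC pairs of Test 1 (addresses from the topology)."""
    return [("192.168.10.1", "192.168.10.2"), ("192.168.20.1", "192.168.20.2")]


def client_flows(server="192.168.10.2", first_host=11, count=16):
    """Constructed: 192.168.10.11 .. 192.168.10.26 each talking to one server."""
    return [(f"192.168.10.{first_host + i}", server) for i in range(count)]


if __name__ == "__main__":
    # Both lab pairs XOR to 0.0.0.3, so they share GE0/0/24 while GE0/0/23 idles:
    # a throughput test between one pair of PCs cannot show the aggregated bandwidth.
    print(distribution(lab_flows(), ACTIVE_LINKS))
    print(distribution(client_flows(), ACTIVE_LINKS))
    print(distribution(client_flows(), ACTIVE_LINKS[:1]))   # after GE0/0/24 fails
```

The practical check this suggests: when an Eth-Trunk "does not give 2 Gbit/s", look at the hash key and the number of distinct flows before suspecting the bundle, and remember that one large flow, legitimate or a flood from a single host pair, stays on one member no matter how many members exist.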
Test 2: Link Aggregation in Static LACP Mode

• SW1 and SW2 are interconnected through GE 0/0/22, GE 0/0/23 and GE 0/0/24. These interfaces are bundled as an Eth-Trunk in static LACP mode. Two links are active and the third functions as the backup link. SW1 functions as the LACP Actor.

Figure: SW1 and SW2 joined by Eth-Trunk (GE0/0/22 to GE0/0/24 on both switches). SW1 GE0/0/1: PC1, VLAN 10, 192.168.10.1/24. SW1 GE0/0/2: PC2, VLAN 20, 192.168.20.1/24. SW2 GE0/0/1: PC3, VLAN 10, 192.168.10.2/24. SW2 GE0/0/2: PC4, VLAN 20, 192.168.20.2/24.
Test 2: Link Aggregation in Static LACP Mode

Key configurations on SW1:

[SW1] interface Eth-Trunk 1
[SW1-Eth-Trunk1] mode lacp
[SW1-Eth-Trunk1] max active-linknumber 2   # Maximum number of active links; the default is 8.
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/22
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/23
[SW1-Eth-Trunk1] trunkport GigabitEthernet 0/0/24
[SW1-Eth-Trunk1] quit

[SW1] lacp priority 1   # System LACP priority of the device. A smaller value means a higher priority; the default is 32768. With priority 1, SW1 becomes the Actor whose selection of active links both sides use.
Test 2: Link Aggregation in Static LACP Mode

Key configurations on SW2:


[SW2] interface Eth-Trunk 1
[SW2-Eth-Trunk1] mode lacp
[SW2-Eth-Trunk1] max active-linknumber 2
[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/22
[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/23
[SW2-Eth-Trunk1] trunkport GigabitEthernet 0/0/24
Verification of Test 2

[SW1]display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 1 System ID: 4c1f-cce2-392e
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/22 Selected 1000TG 32768 23 401 10111100 1
GigabitEthernet0/0/23 Selected 1000TG 32768 24 401 10111100 1
GigabitEthernet0/0/24 Unselect 1000TG 32768 25 401 10100000 1
Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/22 32768 4c1f-cccf-4da7 32768 23 401 10111100
GigabitEthernet0/0/23 32768 4c1f-cccf-4da7 32768 24 401 10111100
GigabitEthernet0/0/24 32768 4c1f-cccf-4da7 32768 25 401 10100000
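The following is an added example, not course code, that models the negotiation behind this output and the M:N selection described under "Working Mode: Static LACP". The Actor is the system with the numerically lower system priority (SW1 with priority 1 beats SW2's default 32768; ties are broken by the lower system ID). On the Actor, ports with the same port key are ranked by port priority and then port number, and the first "max active-linknumber" of them become Selected; when a Selected port fails, the next-ranked backup takes its place. PortState is the 8-bit LACP state field of IEEE 802.1AX; the printed bit order is assumed to start with LACP_Activity, which is the order that makes the page's values consistent (Selected ports show 10111100, the Unselect port 10100000). All priorities, port numbers, keys and system IDs are copied from the output above.

```python
"""LACP active-link selection and PortState decoding (added example)."""
from dataclasses import dataclass

# Assumed printed order of the 802.1AX Actor_State bits, leftmost first.
PORTSTATE_FLAGS = ("LACP_Activity", "LACP_Timeout", "Aggregation",
                   "Synchronization", "Collecting", "Distributing",
                   "Defaulted", "Expired")


@dataclass(frozen=True)
class LacpPort:
    name: str
    port_pri: int
    port_no: int
    port_key: int


@dataclass(frozen=True)
class LacpSystem:
    name: str
    sys_pri: int
    system_id: str      # MAC address as printed by 'display eth-trunk'
    ports: tuple


def actor_of(a, b):
    """The system with the lower (system priority, system ID) decides the active set."""
    return min((a, b), key=lambda s: (s.sys_pri, s.system_id))


def select_active(system, max_active, down=()):
    """Names of the Selected ports: same port key, lowest (port priority, port number)
    first. Ports named in 'down' have failed and drop out of the ranking."""
    up = [p for p in system.ports if p.name not in down]
    if not up:
        return []
    key = min(up, key=lambda p: (p.port_pri, p.port_no)).port_key
    ranked = sorted((p for p in up if p.port_key == key),
                    key=lambda p: (p.port_pri, p.port_no))
    return [p.name for p in ranked[:max_active]]


def decode_portstate(bits):
    """Flags set in a printed PortState string such as '10111100'."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"PortState must be 8 binary digits, got {bits!r}")
    return [flag for flag, bit in zip(PORTSTATE_FLAGS, bits) if bit == "1"]


def is_forwarding(bits):
    """A member carries user traffic only with Sync, Collecting and Distributing set."""
    return {"Synchronization", "Collecting", "Distributing"} <= set(decode_portstate(bits))


# Values from the Test 2 verification output.
PORTS = (LacpPort("GigabitEthernet0/0/22", 32768, 23, 401),
         LacpPort("GigabitEthernet0/0/23", 32768, 24, 401),
         LacpPort("GigabitEthernet0/0/24", 32768, 25, 401))
SW1 = LacpSystem("SW1", 1, "4c1f-cce2-392e", PORTS)
SW2 = LacpSystem("SW2", 32768, "4c1f-cccf-4da7", PORTS)

if __name__ == "__main__":
    actor = actor_of(SW1, SW2)
    print(actor.name, select_active(actor, 2))
    print(select_active(actor, 2, down={"GigabitEthernet0/0/22"}))   # backup takes over
    for state in ("10111100", "10100000"):
        print(state, decode_portstate(state), is_forwarding(state))
```

Two things worth checking against real output with this model in mind: a port whose PortKey differs from the others (typically a speed or duplex mismatch) is never Selected even if its priority is best, and a port that shows Aggregation and Synchronization but not Collecting/Distributing is still not carrying traffic, so "Up" in the physical sense is not the same as forwarding in the LAG.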
