
Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.

In RSPAN mode, the mirrored traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the destination (dst) port. Switching is enabled on the dst interface while mirroring is active.

In ERSPAN mode, the mirrored traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By restricting mirroring to traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IPv4 address, which must be reachable by IPv4 ICMP ping; note that the GRE encapsulation does not encrypt the mirrored packets, so the collector should be reached only over a network that is trusted with the captured traffic. If no IP address is specified, the traffic is not mirrored.

NOTE: ERSPAN cannot be used at the same time as the other FortiSwitch port-mirroring method.

When you use RSPAN or ERSPAN, the switch controller automatically configures a policer (a traffic policy) that rate-limits the mirrored traffic. For example:

config switch-controller traffic-policy

edit "sniffer"

set description "Rate control for sniffer mirrored traffic"

set guaranteed-bandwidth 50000

set guaranteed-burst 8192

set maximum-burst 163840

set cos-queue 0

next

end

config system interface

edit "rspan"

set switch-controller-traffic-policy "sniffer"

next

end

Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support the policer.

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config mirror

edit <mirror_name>

set status {active | inactive} // Required

set dst <port_name> // Required

set switching-packet {enable | disable}

set src-ingress <port_name> [<port_name> ...] // one or more source ports, as in the example below

set src-egress <port_name> [<port_name> ...] // one or more source ports, as in the example below

next

end

next

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config mirror

edit 2

set status active

set dst port1

set switching-packet enable

set src-ingress port2 port3

set src-egress port4 port5

next

end

next

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror traffic sent to these ports

set out-ports <portx porty portz ...> // mirror traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip 10.254.254.254

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer

set mode none

end

Configuring FortiSwitch port mirroring

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have multiple RSPAN sessions but only one ERSPAN session.

In RSPAN mode, the mirrored traffic is encapsulated in VLAN 4092. The FortiSwitch unit assigns the uplink port and the destination (dst) port. Switching is enabled on the dst interface while mirroring is active.

In ERSPAN mode, the mirrored traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By restricting mirroring to traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IPv4 address, which must be reachable by IPv4 ICMP ping; note that the GRE encapsulation does not encrypt the mirrored packets, so the collector should be reached only over a network that is trusted with the captured traffic. If no IP address is specified, the traffic is not mirrored.

NOTE: ERSPAN cannot be used at the same time as the other FortiSwitch port-mirroring method.

When you use RSPAN or ERSPAN, the switch controller automatically configures a policer (a traffic policy) that rate-limits the mirrored traffic. For example:

config switch-controller traffic-policy

edit "sniffer"

set description "Rate control for sniffer mirrored traffic"

set guaranteed-bandwidth 50000

set guaranteed-burst 8192

set maximum-burst 163840

set cos-queue 0

next

end

config system interface

edit "rspan"

set switch-controller-traffic-policy "sniffer"

next

end

Refer to the FortiSwitchOS feature matrix to see which FortiSwitch models support the policer.

To configure FortiSwitch port-based mirroring:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

config mirror

edit <mirror_name>

set status {active | inactive} // Required

set dst <port_name> // Required

set switching-packet {enable | disable}

set src-ingress <port_name> [<port_name> ...] // one or more source ports, as in the example below

set src-egress <port_name> [<port_name> ...] // one or more source ports, as in the example below

next

end

next

For example:

config switch-controller managed-switch

edit S524DF4K15000024

config mirror

edit 2

set status active

set dst port1

set switching-packet enable

set src-ingress port2 port3

set src-egress port4 port5

next

end

next

To configure FortiSwitch RSPAN:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent FROM this source MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent FROM this source IP address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror any traffic sent to these ports

set out-ports <portx porty portz ...> // mirror any traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode rspan

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To configure FortiSwitch ERSPAN:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip <xxx.xxx.xxx.xxx> // IPv4 address where ERSPAN traffic is sent

config target-mac

edit <MM:MM:MM:SS:SS:SS> // mirror traffic sent to this MAC address

set description <string>

end

config target-ip

edit <xxx.xxx.xxx.xxx> // mirror traffic sent to this IPv4 address

set description <string>

end

config target-port

edit <FortiSwitch_serial_number>

set description <string>

set in-ports <portx porty portz ...> // mirror traffic sent to these ports

set out-ports <portx porty portz ...> // mirror traffic sent from these ports

end

end

For example:

config switch-controller traffic-sniffer

set mode erspan-auto

set erspan-ip 10.254.254.254

config target-mac

edit 00:00:00:aa:bb:cc

set description MACtarget1

end

config target-ip

edit 10.254.254.192

set description IPtarget1

end

config target-port

edit S524DF4K15000024

set description PortTargets1

set in-ports port5 port6 port7

set out-ports port10

end

end

To disable FortiSwitch port mirroring:

config switch-controller traffic-sniffer

set mode none

end