nuttervm
just joined
Topic Author
Posts: 7
Joined: Thu Jan 26, 2017 10:34 pm

Questions regarding port mirroring on cloud router switch

Thu Jan 26, 2017 11:17 pm

Hi all, I have a CRS125-24G-1S-2HnD-IN running v6.38.1 with routerboard firmware 3.33.

My setup is pretty basic, ether1 is WAN port and all other ports are bridged together as LAN (ether2 is master). I want to mirror all ports on the LAN bridge to a port (e.g. ether24) for monitoring. As far as I can tell I need to remove ether24 from the bridge and then configure each port mirror individually via the command line, e.g.:
/interface ethernet switch
set ingress-mirror0=ether24 egress-mirror0=ether24

/interface ethernet switch port
set ether2 ingress-mirror-to=mirror0 egress-mirror-to=mirror0
set ether3 ingress-mirror-to=mirror0 egress-mirror-to=mirror0
set ether4 ingress-mirror-to=mirror0 egress-mirror-to=mirror0
...
set ether23 ingress-mirror-to=mirror0 egress-mirror-to=mirror0
Is this the correct way to mirror every port? Is there an easier/better way of setting this for the whole bridge (similar to how the VLAN setup is described here: http://wiki.mikrotik.com/wiki/Manual:CR ... #Mirroring )

I'm OK with using the CLI but would like to know where I would see this same configuration in Winbox or the WebUI.
Last edited by nuttervm on Mon Jan 30, 2017 4:49 pm, edited 1 time in total.
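The per-port commands in the post above can be driven by a loop instead of being typed 22 times. This is an added example, not configuration from the thread or from MikroTik; it assumes the RouterOS v6 CRS switch-menu syntax shown in the post (ingress-mirror0, ingress-mirror-to) and that the switch-port entries still carry their default etherN names, which is why it checks each lookup before applying the setting.

```routeros
# Added example (not from the thread): apply the mirror settings from the
# first post via a loop. Assumes RouterOS v6 CRS switch syntax and default
# port names; any port that cannot be found by name is reported and skipped.

# 1. Take the mirror target out of the switch group first, as the post
#    notes, so ether24 carries only mirrored frames, not bridge traffic.
/interface ethernet set [find default-name=ether24] master-port=none

# 2. Define the mirror destination once for both directions.
/interface ethernet switch set ingress-mirror0=ether24 egress-mirror0=ether24

# 3. Point ether2..ether23 at mirror0. A renamed port (e.g. ether2-master
#    in this thread) will not match "ether2" and is listed for manual follow-up.
:for i from=2 to=23 do={
    :local portName ("ether" . $i)
    :local id [/interface ethernet switch port find name=$portName]
    :if ([:len $id] > 0) do={
        /interface ethernet switch port set $id ingress-mirror-to=mirror0 egress-mirror-to=mirror0
    } else={
        :put ("skipping " . $portName . ": no switch port with that name")
    }
}

# 4. Verify what was applied; only rows with mirror0 in both columns are mirrored.
/interface ethernet switch port print where ingress-mirror-to=mirror0
```

Run the print at the end after any rename so a port silently left out of the mirror (a gap in monitoring coverage) is visible rather than assumed.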
 
nuttervm

Re: Questions regarding port mirroring

Fri Jan 27, 2017 5:28 pm

I executed those commands but am not seeing mirrored traffic on my ether24 port as expected. I'm only seeing broadcast traffic from the switch group that it is a member of. If/when I make master-port=none for ether24 I see no traffic.

I've also simplified the configuration so only a single port (ether4) sends ingress/egress traffic to mirror0.

This is a default configuration of my cloud router switch. However, just to be clear, are there any other prerequisites for mirroring to work? E.g. change ether24 from network port to switch port? Something like that?
 
nuttervm

Re: Questions regarding port mirroring

Mon Jan 30, 2017 4:46 pm

Can anyone help? Why isn't my mirror port seeing traffic?

Below is a copy and paste of the /export command (with wifi password stripped):
[admin@MikroTik] > /export
# jan/30/2017 09:42:21 by RouterOS 6.38.1
# software id = HUEL-4RGB
#
/interface bridge
add admin-mac=4C:5E:0C:91:7A:6F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states" distance=indoors frequency=auto mode=\
    ap-bridge ssid=Nutwork wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] master-port=ether2-master
set [ find default-name=ether7 ] master-port=ether2-master
set [ find default-name=ether8 ] master-port=ether2-master
set [ find default-name=ether9 ] master-port=ether2-master
set [ find default-name=ether10 ] master-port=ether2-master
set [ find default-name=ether11 ] master-port=ether2-master
set [ find default-name=ether12 ] master-port=ether2-master
set [ find default-name=ether13 ] master-port=ether2-master
set [ find default-name=ether14 ] master-port=ether2-master
set [ find default-name=ether15 ] master-port=ether2-master
set [ find default-name=ether16 ] master-port=ether2-master
set [ find default-name=ether17 ] master-port=ether2-master
set [ find default-name=ether18 ] master-port=ether2-master
set [ find default-name=ether19 ] master-port=ether2-master
set [ find default-name=ether20 ] master-port=ether2-master
set [ find default-name=ether21 ] master-port=ether2-master
set [ find default-name=ether22 ] master-port=ether2-master
set [ find default-name=ether23 ] master-port=ether2-master
set [ find default-name=ether24 ] master-port=ether2-master
set [ find default-name=sfp1 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key= wpa2-pre-shared-key=
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/interface ethernet switch
set egress-mirror0=ether24 ingress-mirror0=ether24
/interface ethernet switch port
set 3 egress-mirror-to=mirror0 ingress-mirror-to=mirror0
/ip address
add address=192.168.1.254/24 interface=ether2-master network=192.168.1.0
add address=192.168.1.1/24 interface=ether2-master network=192.168.1.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.254 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=dst-nat chain=dstnat dst-port=22 in-interface=ether1 protocol=tcp to-addresses=192.168.1.201 to-ports=22
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.1.201 to-ports=443
add action=dst-nat chain=dstnat dst-port=8443 in-interface=ether1 protocol=tcp to-addresses=192.168.1.199 to-ports=8443
add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1 protocol=tcp to-addresses=192.168.1.205 to-ports=22
add action=dst-nat chain=dstnat dst-port=19132 in-interface=ether1 protocol=tcp to-addresses=192.168.1.246 to-ports=19132
add action=dst-nat chain=dstnat dst-port=19132 in-interface=ether1 protocol=udp to-addresses=192.168.1.246 to-ports=19132
add action=dst-nat chain=dstnat dst-port=4242 in-interface=ether1 protocol=tcp to-addresses=192.168.1.241 to-ports=4242
/lcd interface pages
set 2 interfaces=sfp1
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes primary-ntp=192.168.1.211 secondary-ntp=192.168.1.210
/tool graphing interface
add interface=ether1
add interface=bridge
/tool graphing resource
add allow-address=192.168.1.0/24
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
expert
Frequent Visitor
Posts: 97
Joined: Sun Dec 04, 2016 1:22 pm

Re: Questions regarding port mirroring

Mon Jan 30, 2017 7:04 pm

> I executed those commands but am not seeing mirrored traffic on my ether24 port as expected. I'm only seeing broadcast traffic from the switch group that it is a member of. if/when i make master port=none for ether24 I see no traffic.
What packet sniffer are you using? Wireshark?
 
nuttervm

Re: Questions regarding port mirroring on cloud router switch

Mon Jan 30, 2017 7:23 pm

I send the mirror port to a promiscuous vswitch in VMware, where I have several virtual machines analyzing packets using different tools. I will be using tcpdump/tshark, Wireshark, packet beats, ntop, and possibly some others.

I can tell there is no traffic flowing to the VM in two ways:
1) The MikroTik interface statistics pages show a low amount of Kbps and packets per second on the destination interface. The amount is identical to other interfaces on the same switch/bridge in MikroTik.
2) Running tcpdump on one of my VMs shows only broadcast traffic is being sent to the ether24 interface (presumably because it is in the same switch/bridge group).

I can't be the only one using a CRS that wants to mirror so I assume I must be missing something implied (but not stated) in the wiki page I mentioned.
 
nuttervm

Re: Questions regarding port mirroring on cloud router switch

Tue Feb 21, 2017 4:32 pm

I was finally able to partially resolve this error and I wanted to reply to my own post so others could benefit.

Mikrotik support assisted me over the course of several weeks and were unable to reproduce my problem. We tried several different configurations that did not improve matters; my port mirror would always work for somewhere between a few seconds and 2 minutes and then stop working entirely until the next reboot.

In the end, the solution proposed by mikrotik support was to move my egress/ingress mirror port over to ether8 instead of ether24. No other changes were made but for whatever reason that was sufficient to resolve the problem and get a port mirror working consistently, and it has been working flawlessly for about a week now.

I am running RouterOS "v6.39rc25 (testing)" as directed by MikroTik support, and routerboard firmware 3.33 (on firmware type ar9344). During the testing process, I changed these software/firmware revisions, reset the configuration with no defaults, etc., and nothing worked until I switched the mirror0 destination to be ether8 instead of ether24.

I say "partially resolve" above because mikrotik support was unable to reproduce the problem and did not resolve the problem with ether24 so in my opinion that is a clear indication something is still wrong. Hopefully they will continue to work on this issue so no one else encounters it.
