Mirror all ports on CRS328

RouterOS General
1

After spending too many hours listening to the robots, I have come to the conclusion that it’s not possible for me to mirror all ports on my CRS328 to a single target port (currently hooked up to a IDS box).

Couple of questions if I may:

  1. Is this true? CRS is running v6.48.4

  2. If it is true, will it suddenly start working if I upgrade to v7? (My RB5009 seems to work just fine with individually specifying which ports should mirror ingress/egress).

Just want to check with the experts before I go down the path of upgrading the switch to v7…

Thank you for your help in advance.

2

Hi and welcome.

Don't know about the mirroring part but upgrading to V7 is no problem.
Somewhere in the upgrade path, if following GUI/CLI process, wireless package will be added ( why ? Nobody knows...).
It can be removed ( unless you need it for legacy capsman).

3

Check the Wiki

It seems to apply also to CRS3xx series

Then further down on the section “Mirroring” there are some examples. They do mention “multiple source ports” and there is some example on ROS 7.15

1 Like
4

OT, but provoked: wireless driver was part of basic bundle in ROS v6 (it was possible to unbundle v6 installation but that's not important here). After v7 was introduced, wireless driver was part of base routeros package. When wireless/wifi package refactoring between 7.12.1 and 7.13, built-in updater automatically included (now optional) wireless package even on devices without wifi hardware (there were exceptions to this rule). And the reason is simple: legacy capsman code is part of wireless driver package. To skip installation of this package on devices without wifi hardware, updater would have to analyze running configuration (to verify that device doesn't run capsman) ... which is obviously beyond the scope of package updater. Removing wireless package is an easy task anyway and can be performed by device admin at any time (who is then to blame if that breaks anything).

5

Well, I think i’ve found a solution… (v6)

/interface ethernet switch
set 0 mirror-target=sfp-sfpplus2

/interface ethernet switch rule
add mirror=yes ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp-sfpplus1 switch=switch1

This seems to be mirroring packets now..

Now, time to learn SecurityOnion. I am not convinced it’s working fully.

6

Further OT:
I do understand where it may come from but especially on 16Mb devices it's sometimes "problematic" if that package also comes over when it's totally not needed.
I mean, someone using a switch as capsman controller, surely should know what package needs to be added again after such an upgrade ?

Now they chose the path of "install it regardless" instead of "let's not install it and whomever needs it, can add it themselves".
My 0.02€ ...

Anyhow, all my devices already passed that upgrade version and where it wasn't needed, I removed it.

7

I guess MT was considering the following two options when moving towards wifi/wireless package split:

  1. Install wireless package in any case. The drawback is that on certain portion of devices it'll just consume flash space. Otherwise it won't break anyone's configuration. Bonus: it's not even necessary to consider hardware, logic is simply in looking at packages already installed.
  2. Remove wireless package on devices without elligible hardware. That will definitely create problems on switches running capsman. And upgrader would have to consider things beyond installed packages (hardware present in particular) ... which is probably way out of upgrader scope (was and still is).

Which option is bad and which is worse really depends on each individual setup. But breaking config is IMO definitely worse. If MT was to significantly broaden the scope of upgrader, that would probably add a bag of bugs ... perhaps leading to worst possibility.