Mirror Setup

Hi

I have a heXs 2025 router with a Mikrotik Ethernet sfp.

I am struggling to get port mirror working from ether1 (WAN source) to sfp1 (mirror)

Please can someone post a step-by-step description of how to achieve this?

I have gone through various ‘solutions’ but no success.

Thanks

Aimee

Port Mirroring Configuration:

# 1. Create the port mirror configuration (switched mode)
/interface ethernet switch
set switch1 mirror-source=ether1 mirror-target=sfp1

# 2. Enable mirroring on the switch chip
/interface ethernet switch rule
add copy-to-cpu=no mirror=yes ports=ether1 switch=switch1

Alternative Method:

# 1. Check if your ports are on the same switch chip
/interface ethernet switch port
print

# 2. If ports are on different switch chips, use this method:
/interface ethernet switch
set switch1 mirror-source=ether1 mirror-target=sfp1 mirror=yes

Verification:

# Check if mirroring is enabled
/interface ethernet switch print

# Monitor traffic on the mirror port
/tool sniffer quick interface=sfp1

Important Notes:

  1. Switch Chip Requirement: Both source (ether1) and destination (sfp1) must be on the same switch chip for hardware mirroring to work. On heXs 2025:

    • Most ethernet ports are on switch1

    • SFP ports might be on a different switch or directly connected to CPU

  2. If SFP is on Different Chip: You may need to use CPU-based mirroring:

/tool traffic-monitor
add interface=ether1 mirror-to=sfp1
  3. Performance Impact: Hardware mirroring has minimal CPU impact, while CPU-based mirroring will affect performance.

Could you share the output of /interface ethernet switch port print to better understand your switch chip configuration?

Hmmm.
There is a block diagram:

There is only one SFP port and it is NOT connected to the switch chip.

Hi

Thanks for the list of commands.

Will try it out soon.

The diagram clarifies matters.

I am a newbie with this product, so again thanks

Aimee

No problem, I'm here to assist you. Is this on a public IP?

Well, then please review the info you post, so that it is accurate.
You posted what seems at first sight some AI generated "vague" recommendations that - at least when it comes to this specific device - largely do not apply.

You posted:

This is wrong, there is ONLY one SFP port and it is definitely connected to CPU.

Then:

OK, if this is accurate, then, since the hEX S has NO SFP port connected to the same switch chip as ether ports, the whole stuff DOES NOT APPLY to this model.

OR, it is the requirement to be on the same switch chip that does not apply, and since the SFP is directly connected to CPU, ONLY CPU-based mirroring is possible on this specific model.

Well, when it really clarifies something, it should be: it cannot be done. So no need to try.

Unless you really do not mean “mirror” but you want to “bridge” them, of course that can be done.

I wish to mirror (tap) all traffic passing through the WAN interface, and send the mirrored stream to a data analyser, for example Zeek.

Cannot upload the output, but it failed

Plan B, can I use ether2 as the WAN, and mirror traffic to ether5.

If so, what are the ramifications regarding CPU usage?

The device is not on a public IP, but hopefully will be connected to a 300Mbs FTTP service.

Aimee

In theory port mirroring should happen on the switch chip (if both ports are connected to the same switch chip), aka hardware mirroring.

So there shouldn't be much aggravation of CPU use.

It has to be seen whether - even if the two ports (WAN ether2 and mirrored ether5) are connected to the same switch chip - the device allows that (i.e. if those /interface ethernet switch commands are available and if they work).

You will probably "lose" one port because there is the need to keep ether1 out of the LAN bridge (so your LAN bridge will have only ether3 and 4 ports) for the reason we are discussing in this other thread: