Mail Archive: Open Networks


Re: 1)Accelar mirroring 2)JFWD



Brett,

Your experiment is interesting. -:)

The Accelar has three mirroring features, as shown in the MIB structures.
They are port mirroring (rcMirroring), packet mirroring
(rcIpFilterTable) and diag mirroring (rcDiag). You used the second one,
"packet mirroring", which I think is not designed to be bound with a
particular port (but the action is). You may use the port mirroring to
mirror the traffic of given port(s) or specify the sources of the packet
mirroring to mirror filtered packets.

Regards,
Phil

> 
> Okay. I did a little more verification using the following and removing
> any retransmitting by computer X to stop those annoying packet storms.
> 
>             ------------------------------------
>            |              Router                |
>            | 1          2          3          4 |
>             ------------------------------------
>              |          |          |          |
>             ---        ---        ---        ---
>            | A |      | B |      | C |      | X |
>             ---        ---        ---        ---
> 
> Mirror Port: 4
> 
> Filter is set to match:
>         Src: 0/0
>         Dst: A/32
>         Mir: Yes
>         Act: Deny
> 
> Filter is added to Port 2
> 
> From B (port 2):
>         ping A
>         no response
>         but packets are seen reflected at port 4
> 
> From C (port 3):
>         ping A
>         get a response
>         and packets are still seen reflected at port 4
> 
> From X (port 4):
>         ping A
>         get a response
>         and echo request packet is seen reflected back out port 4
> 
> Basically, what I see is the filter matching and denying ICMP to A
> just on port 2 like I set it up to do.  And the mirror only mirrors
> packets that match the particular IP header requirements.
> 
> But, it also mirrors ICMP packets not going through port 2.  The reason
> I mentioned the ethernet headers before is that I found it odd that
> the mirrored packets had the ethernet header information for the ethernet
> cards of Port1 and ComputerA which means that either it is mirroring things
> it saw on port 1 (the outgoing route of packets matching this filter) or
> it mirrored them after it had finished its routing decision and changed
> the hardware addresses.
> 
> Obviously this is not a key router issue as only silly people
> like me would be mirroring packets to then make decisions with
> them on an external box but it was a test to see how well it
> worked as Dan was concerned as to how much in-CPU filtering
> the router could do as its primary focus is on hardware routing.
> I just thought I would mention it.
> 
> Brett
> 
> ---------------------------------------------------------
> Brett M. Wilson                     <bwilson@tislabs.com>
> Adaptive Network Defense Group
> NAI Labs, Glenwood, MD
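
Added example (not part of either message and not Accelar code): a small Python model of the test bed above that checks which reading of the mirror flag, scoped to the filter's port or applied to every matching packet, reproduces the three ping results reported in the quoted message. The host-to-port map and filter fields come from that message; the function and variable names are assumptions.

```python
# Constructed model of the thread's test bed; not Accelar firmware or CLI behaviour.
from dataclasses import dataclass

HOST_PORT = {"A": 1, "B": 2, "C": 3, "X": 4}  # host -> router port, from the diagram
MIRROR_PORT = 4                               # where mirrored copies are sent


@dataclass(frozen=True)
class Filter:
    dst: str         # Dst: A/32 (Src is 0/0, i.e. any source)
    mirror: bool     # Mir: Yes
    deny: bool       # Act: Deny
    bound_port: int  # port the filter was added to


FILTER = Filter(dst="A", mirror=True, deny=True, bound_port=2)

# Observations from the quoted message: source host -> (got reply, seen at port 4)
OBSERVED = {"B": (False, True), "C": (True, True), "X": (True, True)}


def ping(src, dst, mirror_is_port_bound):
    """Return (got_reply, seen_on_mirror_port) for an echo request src -> dst."""
    ingress = HOST_PORT[src]
    matches = dst == FILTER.dst
    on_bound_port = ingress == FILTER.bound_port
    # The deny action only takes effect on the port the filter is bound to.
    denied = matches and FILTER.deny and on_bound_port
    # Hypothesis switch: is the mirror flag scoped to that port, or global?
    mirrored = matches and FILTER.mirror and (on_bound_port or not mirror_is_port_bound)
    return (not denied, mirrored)


def consistent(mirror_is_port_bound):
    """True if the hypothesis reproduces every observed ping result."""
    return all(ping(src, "A", mirror_is_port_bound) == seen
               for src, seen in OBSERVED.items())


if __name__ == "__main__":
    for bound in (True, False):
        label = "port-bound mirror" if bound else "global mirror"
        print(f"{label}: matches observations = {consistent(bound)}")
```

Only the global-mirror reading matches all three results, which matters when the mirror port feeds a monitoring box: traffic from ports the filter was never added to will also arrive there.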

