Categories

TechTip: Port-mirroring on Avaya ERS/Nortel Baystack 5xxx series using CLI

Port-mirroring is a powerful tool, especially if used in combination with packet-sniffing utilities such as Snort or Wireshark. Avaya Enterprise Routing Switches (formerly Nortel Baystack) 5000 series offer multiple ways of configuring port mirroring, including doing it via the built-in web-interface, Avaya's COM server interface or through CLI (note that SNMP-based Device Manager (JDM) has been decommissioned after Nortel's acquisition by Avaya). While not being the most intuitive, the CLI method is by far the most versatile because it can be used even on "dumb" switches that do not have an IP address assigned to them, and therefore cannot be accessed via other means.

Connecting to Avaya ERS/Nortel Baystack CLI

If a switch you are connecting to has an IP address and you still chose to configure it via CLI, you can use telnet to connect to the switch. Otherwise you will need a serial cable to connect to the front of the switch with the following settings:
  • Bits per second: 9600
  • Data bits: 8
  • Parity bits: None
  • Stop bits: 1
  • Harware acceleration: None
Once connected (wether via telnet or serial), press Ctrl+Y to open the switch management menu (you will be prompted for password if cli password parameter has been set):


Using switch management menu

Avaya ERS series have a CLI that contains, besides the traditional command line, a convenient management menu that can be used to configure port mirroring. To access the Port Mirroring sub-menu from the switch management menu, navigate to Switch Configuration --> Port Mirroring Configuration:


While port mirroring is disabled, you will only be able to access one field - "Monitoring Mode", which will show "Disabled". To enable the monitoring, press the spacebar on that field until you see the desired mode:

-> Port X (mirror all the traffic coming into specified port on the switch)
Port X -> (mirror all the traffic coming out of the specified port on the switch)
<-> Port X (mirror both incoming and outgoing traffic on a specified switchport)
-> Port X or Port Y -> (mirror all traffic coming into port X or coming out of port Y on the switch)
-> Port X and Port Y -> (mirror all traffic coming into port X and coming out of port Y on the switch)
<-> Port X and Port Y <-> (mirror both incoming and outgoing traffic on two ports of the switch)
Address A -> Any address (mirror switch traffic from a specified MAC address to any other destination)
Any address -> Address A (mirror switch traffic from any destination to a specified MAC address)
<-> Address A (mirror all draffic to and from a specific MAC address)
Address A -> Address B (mirror all traffic from MAC address A to MAC address B)
Address A -> Address B (mirror all traffic between two specified MAC addresses)

Once you have selected a desired mirroring mode, press the Enter key to apply it and proceed with selecting the ports. You will see a prompt appear on the bottom asking you "Is your port mirroring configuration complete? [No]" and the cursor will move to the next available field:


In this case we are configuring port mirroring all traffic coming in and out of port 2 to port 21, where our laptop with a sniffing program running is attached, so in this case "Monitor Unit/Port" will be "21" and "Unit/Port X" value will be "2" (unit value only needs to be specified on stacked switches, when there is more than one switch present in the farm):


Double check your configuration (you don't want to set the Monitor Unit/Port value to a valid/functioning port - this will stop all normal traffic on that port and will definitely disconnect any systems connected to it) and then press Spacebar to toggle the configuration complete prompt response to "Yes" and confirm it with the Enter key to begin mirroring the port. You will see a message that says "Port mirroring configuration has taken effect" and the configuration you selected will be displayed under "Currently Active Port Mirroring Configuration":


All traffic coming in and out of port X will no be getting transmitted out of port 21 of the switch for you to capture and analyse. To disable the port-mirroring, highlight the "Monitoring Mode" and use Spacebar to toggle it to "Disabled", then press Enter and select "Yes" on the port mirroring configuration confirmation dialogue and again press Enter to confirm. You will see the "Port mirroring has been disabled." message on the screen and the active port mirroring field will be blank:



You can use the Ctrl+R key combination to exit the port mirroring configuration screen and navigate back to the main switch management menu. Select "Logout" in the main manu to logout from the switch.

Using the command line

You can access the traditional switch command line from the main switch management menu by selecting the "Command Line Interface" menu item:


Once in the command line, you will need to enter the configuration mode by using the following commands:

enable [press Enter] (command line suffix will change from ">" to "#")
configure terminal [press Enter] (command line suffix will change to "(config)#")

The port-mirroring command uses the following format:

port-mirroring mode [mode] monitor-port [unit/port] (mirror-port-X [unit/port]/mirror-port-Y [unit/port]/mirror-MAC-A [####.####.####]/mirror-MAC-B [####.####.####])

Where ####.####.#### is the MAC address and mode could be any of the following:

disable (disable port mirroring)

Adst (mirror packets with destination MAC address A)
Asrc (mirror packets with source MAC address A)
AsrcBdst (mirror packets with source MAC address A and destination MAC address B)
AsrcBdstOrBsrcAdst (mirror packets with source MAC address A and destination MAC address B, or packets with source MAC address B and destination MAC address A)
AsrcOrAdst (mirror packets with source or destination MAC address A)
ManytoOneRx (many to one port mirroring ingress traffic)
ManytoOneRxTx (any to one port mirroring ingress & egress traffic)
ManytoOneTx (many to one port mirroring egress traffic)
Xrx (mirror packets received on port X)
XrxOrXtx (mirror packets received or transmitted on port X)
XrxOrYtx (mirror packets received on port X or transmitted on port Y)
XrxYtx (mirror packets received on port X and transmitted on port Y)
XrxYtxOrYrxXtx (mirror packets received on port X and transmitted on port Y, or packets received on port Y and transmitted on port X)
Xtx (mirror packets transmitted on port X)

For example, for the same mirroring configuration as was created above using the management menu:

(config)#port-mirroring mode XrxOrXtx monitor-port 21 mirror-port-X 2

To check whether the port mirroring is running, you can use the following command

(config)#show port-mirroring

Monitoring Mode: XrxOrXtx ( <-> Port X )
Monitor Unit/Port: 21
Unit/Port X: 2

To disable port mirroring use the following command:

(config)#no port-mirroring

The "show port-mirroring" command will now show that it is diabled:

(config)#show port-mirroring

Monitoring Mode: Disabled

To mirror all traffic coming to and from a certain MAC address (useful if mirroring a trunk port, or a server with multiple "teamed" network cards):

port-mirroring mode AsrcOrAdst monitor-port 21 mirror-MAC-A 000A.B1C2.D4E5

Note that MAC address annotation does not follow the usual ##-##-##-##-##-## or ##:##:##:##:##:## formats in this case, but rather a ####.####.#### format.

8 comments:

Anonymous said...

Excellent in both scope and presentation. Very easy to understand

Anonymous said...

thank you
very good Explanation

Anonymous said...

thanks very good..

Anonymous said...

Can you mirror multiple ports (more than 2) as source to one destination port where you have your sniffer? would this do it: ManytoOneRxTx (any to one port mirroring ingress & egress traffic)

Oleksiy Gayda said...

It's been a while since I worked with this, and my initial response is that yes - you should be able to do it with the ManytoOneRxTx command ("ManytoOneRxTx monitor-port X mirror-ports Y, Z, W"). However, just doing some quick online searches for the syntax, it looks like it may depend on the switch model/firmware version - at least some of the documentation is suggesting that this command works with MAC addresses as opposed to port numbers ("ManytoOneRxTx monitor-port X mirror-MAC-A aaaa.bbbb.cccc"). Hope this helps.

Anonymous said...

is there a way to sniff the same port (source) to two diffrent sniffers (dest) on 5520 platform?
(this option should be called OneToMany)

Unknown said...

It appears that you can only make 1 session...I tried making different sessions but everything I did gets replaced by the last one I created...so I think it is not possible... If you can make several sessions then it would be possible...

Unknown said...




I successfully loaded this configuration on 4550T switch:
port-mirroring mode ManytoOneRxTx monitor-port 48 mirror-ports 45-47 so yes it is possible.... After typing port-mirroring mode ManytoOneRxTx monitor-port 48 ?...the ONLY option that became available is mirror-ports...emphasis on the PORTSSSSS