Wired Intelligent Edge


Aruba host app

  • 1.  Aruba host app

    Posted Mar 15, 2020 04:25 PM

    Hello,

    Pretty new to Aruba, and I was wondering if there is:

    1. A way to run a host application directly on an Aruba switch? (same as a Cisco host application with Docker)

    2. Is there a way to build dynamic port mirroring using IPs? For example, port mirroring to a specific computer without knowing its port (only MAC and IP address), and being able to change the mirror IP/MAC dynamically from a remote PC.

    Thanks in advance,

    John Raid



  • 2.  RE: Aruba host app

    Posted Mar 16, 2020 04:58 AM

    Hi John,

    No for Docker applications on a switch (it can only run some Python scripts).

    For the second, I think it is possible with a Python script (and API).



  • 3.  RE: Aruba host app

    Posted Mar 16, 2020 05:47 AM

    Thanks a lot, it's super helpful.

    A few more questions:

    1. For installing the Python script on the Aruba switch, can I do it from a computer on the subnet if I have the switch credentials? Or from the cloud?

    2. Can I access the managed MAC table of the switch so my Python script will be able to know, for a specific IP, on which port it is connected?

    Thanks again,

    John Raid.



  • 4.  RE: Aruba host app

    Posted Mar 16, 2020 05:52 AM

    It is NAE Python, and the script doesn't need the cloud to be installed on the switch.

    Yes, you can access the ARP table via REST API.
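The lookup asked about above (which port a given IP sits behind) is a join of two tables the switch exposes: the ARP table (IP to MAC, per VLAN) and the MAC address table (MAC to port, per VLAN). The following is an added example, not code from this thread or from Aruba; ARP_TABLE and MAC_TABLE are constructed sample data in a generic shape (the field names ip, mac, vlan and port are assumptions, not the AOS-CX REST schema), and a real script would fill them from the REST API responses. It also handles the two cases a practitioner hits in practice: a MAC that has aged out of the MAC table, and a MAC learned on an uplink, which means the host is behind another switch and cannot be mirrored from an edge port here.

```python
"""Locate the switch port behind an IP by joining the ARP (neighbor) table
with the MAC address table, as a script would after fetching both over
the switch's REST API.  ARP_TABLE and MAC_TABLE below are CONSTRUCTED
sample data in a generic shape (field names are assumptions, not the
AOS-CX schema); a real script would fill them from REST responses."""
from typing import Dict, Iterable, List

# Constructed ARP table: ip -> mac on a vlan (shape is an assumption).
# MAC strings deliberately use three different notations.
ARP_TABLE: List[Dict] = [
    {"ip": "10.10.20.15", "mac": "AA:BB:CC:00:00:15", "vlan": 20},
    {"ip": "10.10.20.16", "mac": "aa-bb-cc-00-00-16", "vlan": 20},
    {"ip": "10.10.30.9",  "mac": "aabb.cc00.0009",    "vlan": 30},
]

# Constructed MAC address table: (vlan, mac) -> port it was learned on.
# The MAC of 10.10.30.9 is deliberately absent (entry aged out).
MAC_TABLE: List[Dict] = [
    {"vlan": 20, "mac": "aa:bb:cc:00:00:15", "port": "1/1/7"},
    {"vlan": 20, "mac": "aa:bb:cc:00:00:16", "port": "lag1"},
]

# Ports that lead to other switches; a MAC learned here is not a local host.
UPLINK_PORTS = {"lag1"}


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form; accepts ':', '-' and dotted notations."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def locate_host(ip: str,
                arp: Iterable[Dict] = ARP_TABLE,
                macs: Iterable[Dict] = MAC_TABLE,
                uplinks: Iterable[str] = UPLINK_PORTS) -> Dict:
    """Return {'ip', 'status', 'mac', 'vlan', 'port'} for ip.

    status is one of:
      'located' - MAC learned on an edge port of this switch
      'remote'  - MAC learned on an uplink: host is behind another switch
      'no-mac'  - ARP entry exists but the MAC is not in the MAC table
      'no-arp'  - the switch has no ARP entry for this IP
    """
    result: Dict = {"ip": ip, "status": "no-arp",
                    "mac": None, "vlan": None, "port": None}
    entry = next((e for e in arp if e["ip"] == ip), None)
    if entry is None:
        return result
    mac = normalize_mac(entry["mac"])
    result.update(status="no-mac", mac=mac, vlan=entry["vlan"])
    port = next((m["port"] for m in macs
                 if m["vlan"] == entry["vlan"]
                 and normalize_mac(m["mac"]) == mac), None)
    if port is None:
        return result
    result["port"] = port
    result["status"] = "remote" if port in set(uplinks) else "located"
    return result


if __name__ == "__main__":
    for host in ("10.10.20.15", "10.10.20.16", "10.10.30.9", "10.10.99.1"):
        print(locate_host(host))
```

Matching on both VLAN and MAC matters: the same MAC can legitimately appear in several VLANs, and a port found in the wrong VLAN would point the mirror session at the wrong place.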



  • 5.  RE: Aruba host app

    Posted Mar 16, 2020 05:56 AM

    ERSPAN is supported on AOS-CX. It means that the destination for the mirrored traffic is the GRE tunnel to your desired destination server receiving the pcap. Look at the configuration guide.



  • 6.  RE: Aruba host app

    Posted Mar 16, 2020 06:32 AM

    Thanks for the reply.

    Just making sure I understand; my goal is to be able to do as described:

    There is a subnet running with an Aruba switch. I want, dynamically from a computer in the subnet, to run software that will reach the switch and set it so that all network traffic received on the switch will be mirrored to my computer. You mentioned it is possible to do that with the Python script?

    Another solution that I would be happy to know if possible:

    Can I also do a capture filter directly on the switch processor? What I mean is that I want to mirror only specific traffic; for example, I want to read the packet and decide dynamically if I want to forward it to the port-mirror computer or not. Is that possible? (My assumption is that I'll run a script on the switch that reads the packets, and only for the specific packets that are relevant I'll look at the ARP table and decide where to forward them.)

    Any info would help,

    Thanks a lot for your help,

    John Raid.



  • 7.  RE: Aruba host app

    Posted Mar 17, 2020 04:20 AM

    It is possible to capture on the switch, but it is limited to traffic going to the CPU (like routing protocols...).



  • 8.  RE: Aruba host app

    Posted Mar 17, 2020 04:48 AM

    There is what is called "Global Policy" available on 6300/6400/8400 that allows you to set a policy with an ACL to match a given traffic type. Then the action of that policy is a mirror session. In the mirror session, you can set the destination to be the CPU of the switch or a GRE tunnel with the destination being your PC. Pay attention that in case the destination is the switch CPU, the CPU won't be able to handle reception of 10/40/100 Gb/s of data (it seems obvious, just to make sure).

    This global policy is not yet available on 8320/8325.

    For these platforms you can still set a policy to perform the same mirroring action, but instead of the policy being applied globally, it will be applied per port or per VLAN.

    When the destination is the CPU, you can then copy the tshark pcap file from the switch to any repository.



  • 9.  RE: Aruba host app

    Posted Mar 17, 2020 05:49 AM

    Thanks!

    I think the things you described are mostly for diagnosis. I'm trying to understand if it's possible to run code on the network gear (the subnet switches) and, in that code on the switch, get full packets and decide for each packet if I want to mirror it or not.

    So I've seen that I can have access to the ARP table, but I'm not sure if I have access to the full packet capture on the switch itself. Regarding CPU performance, I'm aware, but I will parse only IPs that are relevant to me, and in my tests on my subnet it should be very low traffic from these IPs.

    Do you think it's possible? If yes, what are the ways to upload this code to the switch, and what are the APIs for getting the full packets?



  • 10.  RE: Aruba host app
    Best Answer

    Posted Mar 17, 2020 06:18 AM

    What I described will help you. This is just a matter of the ACL definition that you set to define which traffic is going to be mirrored. This is the nice aspect of this method. You can set the ACL through the API and customize it as you need. Per ACL, and with an orchestration tool, you can even collect each pcap file per defined ACL.

    The definition of your ACL must be pro-active and not reactive, in the sense you need to know what traffic you want to collect.



  • 11.  RE: Aruba host app

    Posted Mar 17, 2020 06:50 AM

    Thanks a lot.

    It looks really helpful.

    I saw that I can configure what types of protocol I want to get, from which IPs, etc.

    Is there a way to use the ACL for this: I have a list of IPs, and every packet received whose source IP/MAC and destination IP/MAC are not part of this list of IPs/MACs will be mirrored to me?

    And is it possible to run it for a full day? (Because it seems like most of the usage is for diagnosis for a specific time; I would like to run it always on a specific subnet, but I will mirror the traffic inside the subnet and not use the up/down port.)



  • 12.  RE: Aruba host app

    Posted Mar 17, 2020 10:11 AM

    Anything that does not match the class will have no action (in the action you set the mirror session).

    Now, this can be more tricky: you can define a class-1 for matching, say, 1.1.1.1 to 2.2.2.2 for HTTPS, and a class-2 that will match anything but what is in class-1.

    In the policy you can have:

    policy test
    10 class ip class1 action mirror 1
    20 class ip class2 action mirror 2

    In mirror session 1 you define the tunnel destination for server1.

    In mirror session 2 you define the tunnel destination for server2.

    As long as you do not mirror to the switch CPU, you can keep it for years, as mirrored traffic is processed directly by the ASIC at line rate, including the ERSPAN for GRE encapsulation.

    Just be careful about the BW available for the destination receiving mirrored traffic. If you mirror a VLAN collecting 10x ports of 10G, you won't be able to mirror this volume to a destination behind a 10G port: obvious BW limitation.
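The allow-list question from post 11 and the class-1/class-2 answer above combine into a small generator: one class that matches any packet where a known host is either the source or the destination (two entries per host), placed first in the policy with no action so it is passed over, and a catch-all class placed second with the mirror action. The block below is an added example, not the poster's configuration or Aruba's code. Two things in it are assumptions to verify against the configuration guide for your release: the class-entry form "<seq> match any <src> <dst>" and the idea that a policy entry may name a class with no action. The mirror session itself (the GRE/ERSPAN destination) is configured separately and is not generated here. It also includes the bandwidth check from the last paragraph, so the 10x10G-into-10G case can be caught before the session is enabled.

```python
"""Generate class/policy configuration for the allow-list mirroring case
discussed in the thread and sanity-check the mirror destination's bandwidth.
Added example, not the thread's configuration.  ASSUMPTIONS: class entries
use the CLI form "<seq> match any <src> <dst>", and a policy entry may name
a class with no action so that matching traffic is simply passed over.
Verify both against the configuration guide; the mirror session itself
(GRE/ERSPAN destination) is configured separately."""
import ipaddress
from typing import Iterable, List


def _as_match_address(host: str) -> str:
    """Validate an IPv4 host or prefix; a single host is emitted bare."""
    net = ipaddress.ip_network(host, strict=False)
    if net.version != 4:
        raise ValueError(f"IPv4 only in this example: {host}")
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def build_allowlist_policy(known_hosts: Iterable[str],
                           policy_name: str = "MIRROR-UNKNOWN",
                           mirror_session: int = 1) -> List[str]:
    """Mirror every packet whose source AND destination are both outside known_hosts.

    Class KNOWN gets two entries per host (host as source, host as
    destination).  Policy entries are evaluated in sequence order, first
    match wins: entry 10 (KNOWN, no action) swallows anything involving a
    known host; entry 20 (UNKNOWN, match any) mirrors everything else.
    """
    nets = sorted({ipaddress.ip_network(h, strict=False) for h in known_hosts})
    if not nets:
        raise ValueError("allow-list is empty; the policy would mirror everything")
    lines = ["class ip KNOWN"]
    seq = 10
    for net in nets:
        addr = _as_match_address(str(net))
        lines.append(f"    {seq} match any {addr} any")        # known host is the source
        lines.append(f"    {seq + 10} match any any {addr}")   # known host is the destination
        seq += 20
    lines += [
        "class ip UNKNOWN",
        "    10 match any any any",
        f"policy {policy_name}",
        "    10 class ip KNOWN",                               # matched, no action: not mirrored
        f"    20 class ip UNKNOWN action mirror {mirror_session}",
    ]
    return lines


def mirror_oversubscription(source_link_gbps: Iterable[float],
                            destination_link_gbps: float,
                            expected_utilization: float = 1.0) -> float:
    """Ratio of mirrored volume to the destination link capacity.

    Above 1.0 the destination port cannot carry the copy and mirrored
    frames will be dropped; size the check at the worst-case utilization
    you expect, not the average.
    """
    if not 0 < expected_utilization <= 1:
        raise ValueError("utilization must be in (0, 1]")
    if destination_link_gbps <= 0:
        raise ValueError("destination link must have positive capacity")
    mirrored = sum(source_link_gbps) * expected_utilization
    return mirrored / destination_link_gbps


if __name__ == "__main__":
    print("\n".join(build_allowlist_policy(["10.1.1.20", "10.1.1.10", "10.1.2.0/24"])))
    # Ten 10G ports mirrored into one 10G destination: 10x oversubscribed.
    print(mirror_oversubscription([10.0] * 10, 10.0))
```

The same generator covers the two-server split from post 12 by calling it twice with different policy and session numbers; what it cannot do is express "neither side is in the list" in a single class entry, which is why the pass-over entry has to come first.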