Security

  • 1.  Mirror session for NDR system

    Posted Mar 03, 2025 09:40 AM

    Hello,

    we are currently implementing an NDR solution, which works by receiving and analysing all traffic through a mirror port session / SPAN session on the switch it is connected to.
    As with many other solutions, this one also depends on the network traffic being complete to provide full "security coverage".

    As this is the first time we are dealing with mirror sessions I was wondering if there are any best practices on configuring these sessions.
    Currently we were thinking about the following:
    We include all interfaces as source from the switch (for sure except for the destination interface of the mirror session) but only the "rx" part of the traffic.
    The advantage of this should be that we have no traffic duplicated on the mirror session.
    I see in many configurations that "both" is configured as direction. But from our point of view that only makes sense, when only specific ports are part of the mirror session.
    Would you agree that when mirroring all ports on a switch only "rx" should be enough to have full coverage of all traffic passing through that switch and meanwhile not having the whole traffic duplicated on the destination interface of the mirror session?

    Another topic:
    Is there generally any advantage / disadvantage from configuring the mirror session with vlans as source instead of physical interfaces?


    Our configuration for a 6300M 24SFP+ 4SFP56 Switch for example looks like this:

     Mirror Session: 1
     Admin Status: enable
     Operation Status: enabled
     Source: vlan rx none
     Source: vlan tx none
     Source: interface 1/1/12 rx
     Source: interface 1/1/13 rx
     Source: interface 1/1/14 rx
     Source: interface 1/1/15 rx
     Source: interface 1/1/16 rx
     Source: interface 1/1/17 rx
     Source: interface 1/1/18 rx
     Source: interface 1/1/19 rx
     Source: interface 1/1/20 rx
     Source: interface 1/1/21 rx
     Source: interface 1/1/22 rx
     Source: interface 1/1/23 rx
     Source: interface 1/1/24 rx
     Source: interface lag1 rx
     Source: interface lag2 rx
     Source: interface lag3 rx
     Source: interface lag4 rx
     Source: interface lag5 rx
     Source: interface tx none
     Destination: interface 1/1/10

    The interfaces + the link aggregation groups (the source interfaces) represent every interface that has an active link on the switch.

    Many thanks, Simon



  • 2.  RE: Mirror session for NDR system

    Posted Mar 03, 2025 10:56 AM

    I would ask the NDR vendor for guidance. In most cases the uplinks are much higher bandwidth than the downlink ports (1/1/1-1/1/24 for example). If your uplinks are 10/25/50G and you are mirroring to a 1G interface you will quickly overload the mirror output (1/1/10); and in practice you see such taps closer to your distribution/core, but then you miss traffic between clients on the lower level if these are in the same VLAN or your routing happens on the access switches. If this 6300M is an access switch in a larger network, then you would probably not do your mirroring there, as there will be many switches and each of them needs to mirror to a port on the NDR solution. Also, mirroring on the uplinks allows the VLAN tag to be preserved; if you mirror individual ports and the uplinks on rx only, it depends on the NDR solution whether it can handle that. It also depends on whether this 6300 is doing your routing or is just L2.

    Using span ports for NDR solutions is challenging with no generic solution. There is a whole industry for 'packet brokers' to solve this issue, including the de-duplication and selection of interesting traffic (example: exclude backup or other high-volume traffic flows).

    If it's just this switch, then your approach may work, but the 1/1/10 1G interface may be easily overloaded resulting in dropped traffic.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Mirror session for NDR system

    Posted Mar 04, 2025 06:30 AM

    Hi, many thanks for your reply. Yes we are currently in contact again with the NDR solution provider about it.
    About the overloading that is for sure a point - we have this in mind - the result of overloading the destination interface should be dropped packets on the destination interface right? We are currently monitoring the dropped packets counter for the destination interface of the mirror session.

    In our case it is a 6300M SFP only switch - we are currently mirroring 4x 10G ports to one 10G port - for sure also there is a risk of overloading the destination interface and then have dropped packets on the destination interface of the mirror session.

    You are completely right - this 6300M is a core switch on a smaller site, which does the whole routing for this site - the access switches do not route between VLANs. For sure the traffic on the access switches between devices in the same VLAN will never get to the NDR solution.
    That is a bit of a weakness but till now I am only aware of these two solutions for that problem:
    - Physically connect the NDR solution to each access switch and do mirroring on every switch in the environment (that is a bit of a cost factor)
    - Create a Remote SPAN session on the access switches (with the disadvantage that we will have double of the load on the uplinks between the access and the core switch)

    Neither of them are the most elegant solutions but till now I am not aware of any other solution...?

    So basically what we are doing is - we have the 6300M which has the L3 functionality as core switch on this site.
    To this core switch 3x (L2) access switches are connected to and also 1x server (4x 10G interfaces).

    We are mirroring these 4x 10G interfaces - only rx part of the traffic - to the destination interface on this core switch where the NDR solution is connected to.
    But I am still not sure if we miss some traffic because we have not selected "both" for the direction of the traffic... but as often as I think about it, I am of the opinion that only the rx part should be enough to have all traffic that is passing through that core switch in this scenario.

    If I mirrored "both" directions (rx & tx) I would not expect more unique traffic; I only think we would double the traffic, as we would duplicate the same packets on one interface as "rx" traffic and on the other one as "tx" traffic... please correct me if I am wrong?

    Thanks, Simon
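    The rx-versus-both question from posts 1 and 3 and the destination-overload point from posts 2 and 3 can be checked with a small model of how a mirror session copies frames. The script below is an added example and is not part of this thread, nor HPE Aruba Networking code; it uses the port names from the posted config (1/1/12-1/1/15, lag1-lag5, destination 1/1/10) but the traffic, the "cpu" pseudo-port for switch-originated frames, and the function names are constructed for the illustration. It models generic SPAN semantics (an rx source copies frames entering a port, a tx source copies frames leaving it), not any AOS-CX specific behaviour. Each transit frame has exactly one ingress port and one egress port, so with every active port as an rx source it is copied once; with "both" it is copied twice; and a frame the switch itself generates has no ingress port, so rx-only never copies it. The last function gives the worst-case oversubscription of the destination link that post 3 is monitoring via dropped-packet counters.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed model of the thread's topology: a core switch with a 4 x 10G
# server on 1/1/12-1/1/15, access-switch LAGs lag1-lag5 and the mirror
# destination 1/1/10. Port names follow the posted config; traffic is invented.
SERVER_PORTS = {"1/1/12", "1/1/13", "1/1/14", "1/1/15"}
ACCESS_LAGS = {"lag1", "lag2", "lag3", "lag4", "lag5"}
ALL_SOURCES = SERVER_PORTS | ACCESS_LAGS  # every active port except the destination


@dataclass(frozen=True)
class Packet:
    pkt_id: int
    ingress: str  # port the frame arrived on; "cpu" = generated by the switch itself
    egress: str   # port the switch forwards it out of


# Constructed sample traffic through the core switch.
SAMPLE_TRAFFIC = [
    Packet(1, "1/1/12", "lag1"),  # server -> client behind access switch 1
    Packet(2, "lag1", "1/1/12"),  # client -> server (reverse direction)
    Packet(3, "lag1", "lag2"),    # routed between two access switches
    Packet(4, "lag3", "1/1/13"),  # client -> second server NIC
    Packet(5, "cpu", "lag1"),     # switch-originated frame (e.g. ARP reply from an SVI): tx only
]


def mirror_copies(packets, sources, direction):
    """Count how many copies of each packet a mirror session emits.

    Model assumption: an 'rx' source copies frames entering that port, a 'tx'
    source copies frames leaving it, and 'both' does both. A transit frame has
    one rx event (its ingress port) and one tx event (its egress port).
    """
    if direction not in ("rx", "tx", "both"):
        raise ValueError(f"unknown direction {direction!r}")
    copies = Counter()
    for p in packets:
        n = 0
        if direction in ("rx", "both") and p.ingress in sources:
            n += 1
        if direction in ("tx", "both") and p.egress in sources:
            n += 1
        if n:
            copies[p.pkt_id] += n
    return copies


def coverage(packets, sources, direction):
    """Summarise coverage versus duplication for one session design."""
    copies = mirror_copies(packets, sources, direction)
    return {
        "seen": len(copies),                      # unique packets that reach the NDR
        "missed": len(packets) - len(copies),     # packets the NDR never sees
        "duplicated": sum(1 for c in copies.values() if c > 1),
        "copies_sent": sum(copies.values()),      # frames pushed out of the destination port
    }


def oversubscription(source_rx_gbps, destination_gbps):
    """Worst case: every rx source runs at line rate into one destination link."""
    offered = sum(source_rx_gbps.values())
    return round(offered / destination_gbps, 2)


if __name__ == "__main__":
    for label, sources, direction in [
        ("all ports, rx", ALL_SOURCES, "rx"),
        ("all ports, both", ALL_SOURCES, "both"),
        ("server ports only, rx", SERVER_PORTS, "rx"),
        ("server ports only, both", SERVER_PORTS, "both"),
    ]:
        print(f"{label:26} {coverage(SAMPLE_TRAFFIC, sources, direction)}")
    # 4 x 10G server ports mirrored rx into a single 10G destination, as in post 3
    print("oversubscription:", oversubscription({p: 10 for p in SERVER_PORTS}, 10))
```

    Running it shows the trade-off the thread is circling: "all ports, rx" sees every transit packet exactly once with no duplicates, "all ports, both" sees the same packets twice, and mirroring only a subset of ports with "both" is what keeps a single copy per packet while still catching both directions at that subset. The one class rx-only never delivers in this model is traffic the switch generates itself, which only ever appears as tx. The oversubscription figure is a ceiling, not a measurement: the real offered load is the sum of the actual rx rates on the sources, which is why watching the destination port's drop counters, as post 3 does, is the practical check.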




  • 4.  RE: Mirror session for NDR system

    Posted Mar 04, 2025 06:38 AM

    I would advise checking with the NDR solution which type of traffic is needed. CX switches have the capability to apply filters before traffic is mirrored. This will help to prevent overloading.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------