How to configure Port Mirror in Switching

03/07/2023 116 People found this article helpful 482,507 Views

Description

This article provides information on how to configure Port Mirroring in Switching.

NOTE: This option is NOT available on TZ models!

SonicOS provides Layer 2 (data link layer) switching functionality with its unique PortShield architecture. Layer 2 switching features enhance the deployment and interoperability of SonicWall devices within existing Layer-2 networks with the following benefits:

Increased security across multiple switch ports The PortShield architecture provides the flexibility to configure all switch ports into separate security zones such as LANs, WLANs and DMZs, providing protection not only from the WAN and DMZ, but also between devices inside the LAN. Effectively, each security zone has its own wire-speed mini-switch' that benefits from the protection of a dedicated deep packet inspection firewall.
Port Mirroring allows the sending of a copy of network packets seen on one or more switch ports to another switch port called the mirror port. By connecting to the mirror port, you can monitor traffic passing through the mirrored ports.
A PortShield VLAN trunk port can be mirrored.

Resolution

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Step 1. Create a Port Mirror group

Login to the SonicWall UTM appliance and configure Port Mirroring from the Manage | Switching | Port Mirroring page. To create a new port mirror group, click the New Group button.

Port Mirroring allows the sending of a copy of network packets seen on one or more switch ports to another switch port called the mirror port. By connecting to the mirror port, you can monitor traffic passing through the mirrored ports. You can port mirror a PortShield Vlan trunk port but the Vlan trunk port cannot be a port mirror itself. VLAN trunk ports are used to pass traffic to other networking devices. By comparison, traffic arriving on a mirror port has already been handled or sent to its destination, and the mirror port does not forward it again. Typically, the traffic is passed from the mirror port to a computer where the administrator can use an application, such as Wireshark, to view the traffic content.

Step 2. Configure Port Mirror attributes

In the Edit Port Mirror Window. Enter a user define name in Interface Group Name field.

For Direction, you may pick the radio buttons labeled ingress, ergress, both. Select ingress to monitor traffic arriving on the mirrored ports. Select egress to monitor traffic being sent out on the mirrored ports. Select both to monitor traffic in both directions on the mirrored ports.

In the All Interfaces list, select the port to mirror the traffic to and click the top right-arrow button to move it to the Mirror Port field. You must use an unassigned port as the mirror port.

Next, select one or more ports to be monitored, and click the lower right-arrow button to move it/them to the Mirrored Ports field. The ports in the Mirrored Ports list will be monitored by the Mirror Port. In this example Mirror Port X7 will mirror data from Ports X0, X2, and X5.

To enable port mirroring, select the Enable checkbox. Click OK.

Step 3. View Mirror ports configuration in Interface Settings

Mirror Port (X7) is setup to monitor ports X0, X2, and X5.

X0 is LAN PortSheld, X2 is the DMZ PortShield, and X5 is a VLAN Trunk.

Step 4. Demonstrate the capturing of traffic that is seen on the mirror port with an application called Wireshark.

To view this traffic, attach a PC running Wireshark to the SonicWall's mirror port.

In this example, the Windows PC running Wireshark is connected to Mirror Port (X7). Wireshark puts the PC s Ethernet adapter in promiscuous mode to capture packets.

The Mirror Port X7 is setup to mirror packets from the DMZ PortSheild interface (Port X2)

On port X2, we see some ping Echo requests and ping Echo replies.

The Mirror Port also mirrors packets from the LAN PortSheild interface (Port X0)

On port X1, we see a SSHv2 session.

The Mirror Port also mirrors packets from the VLAN Trunk interface (Port X5)

VLAN Trunk (Port X5) is connected to a Cisco 2950 switch. On the switch, we see a PC running a HTTP session.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Step 1. Create a Port Mirror group

Login to the SonicWall UTM appliance and configure Port Mirroring from the Switching | Port Mirroring page. To create a new port mirror group, click the New Group button.

Port Mirroring allows the sending of a copy of network packets seen on one or more switch ports to another switch port called the mirror port. By connecting to the mirror port, you can monitor traffic passing through the mirrored ports. You can port mirror a PortShield Vlan trunk port but the Vlan trunk port cannot be a port mirror itself. VLAN trunk ports are used to pass traffic to other networking devices. By comparison, traffic arriving on a mirror port has already been handled or sent to its destination, and the mirror port does not forward it again. Typically, the traffic is passed from the mirror port to a computer where the administrator can use an application, such as Wireshark, to view the traffic content.

Step 2. Configure Port Mirror attributes

In the Edit Port Mirror Window. Enter a user define name in Interface Group Name field.

For Direction, you may pick the radio buttons labeled ingress, ergress, both. Select ingress to monitor traffic arriving on the mirrored ports. Select egress to monitor traffic being sent out on the mirrored ports. Select both to monitor traffic in both directions on the mirrored ports.

In the All Interfaces list, select the port to mirror the traffic to and click the top right-arrow button to move it to the Mirror Port field. You must use an unassigned port as the mirror port.

Next, select one or more ports to be monitored, and click the lower right-arrow button to move it/them to the Mirrored Ports field. The ports in the Mirrored Ports list will be monitored by the Mirror Port. In this example Mirror Port X7 will mirror data from Ports X0, X2, and X5.

To enable port mirroring, select the Enable checkbox. Click OK.

Step 3. View Mirror ports configuration in Interface Settings

Mirror Port (X7) is setup to monitor ports X0, X2, and X5.

X0 is LAN PortSheld, X2 is the DMZ PortShield, and X5 is a VLAN Trunk.

Step 4. Demonstrate the capturing of traffic that is seen on the mirror port with an application called Wireshark.

To view this traffic, attach a PC running Wireshark to the SonicWall's mirror port.

In this example, the Windows PC running Wireshark is connected to Mirror Port (X7). Wireshark puts the PC s Ethernet adapter in promiscuous mode to capture packets.

The Mirror Port X7 is setup to mirror packets from the DMZ PortSheild interface (Port X2)

On port X2, we see some ping Echo requests and ping Echo replies.

The Mirror Port also mirrors packets from the LAN PortSheild interface (Port X0)

On port X1, we see a SSHv2 session.

The Mirror Port also mirrors packets from the VLAN Trunk interface (Port X5)

VLAN Trunk (Port X5) is connected to a Cisco 2950 switch. On the switch, we see a PC running a HTTP session.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

How to configure Port Mirror in Switching

Description

Resolution

Resolution for SonicOS 6.5

Resolution for SonicOS 6.2 and Below

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch