SPAN
This section describes the user configuration of the SPAN feature. SPAN (port mirroring) enables the mirroring of any packet going through a physical switch port (ingress) to a different switch port (the analyzer port).
The Marvell Switchdev driver supports only port-based mirroring, which is configured using the tc `matchall` filter.
Configuration of packet mirrors is done through tc filters, namely by attaching the `matchall` filter with the action `mirred egress mirror`. For details of what the filter is and how the mirror action is configured, see tc-mirred(8) and tc-matchall(8).
Here is the basic format of the command to mirror traffic from one port to another:
```sh
tc qdisc add dev <PORT> clsact
tc filter add dev <PORT> (ingress|egress) matchall skip_sw action mirred egress mirror dev <TO-PORT>
```
Where:
- `<PORT>` is the switchdev mirror (source) port
- `<TO-PORT>` is the switchdev port used for mirrored traffic analysis (the analyzer port)
The first keyword, `ingress` or `egress`, refers to the direction of the original traffic. The latter `egress` (in `mirred egress mirror`) refers to the queue where the mirrored traffic is put and must always be `egress`; `ingress mirror` is not supported.
The `skip_sw` flag indicates that mirroring should only take place in the hardware. Without this option, the rule is handled by both the kernel and the hardware.
To mirror ingress traffic to an analyzer port, the user must create an `ingress matchall` filter. To mirror egress traffic, the user must create an `egress matchall` filter:
```sh
# (assumes a clsact qdisc has already been added on sw1p1 and sw1p3)
# mirror ingress traffic from sw1p1 to analyzer port sw1p2
tc filter add dev sw1p1 ingress matchall skip_sw \
    action mirred egress mirror dev sw1p2
# mirror egress traffic from sw1p3 to analyzer port sw1p4
tc filter add dev sw1p3 egress matchall skip_sw \
    action mirred egress mirror dev sw1p4
```
If ingress mirroring is enabled on a port, a copy of the packet, as it was received on the port, is sent to the configured analyzer port.
If egress mirroring is enabled on a port, a copy of the packet, as it was about to egress the port, is sent to the configured analyzer port.
Mirroring can be applied to multiple ports by utilizing shared blocks. For example, to mirror all traffic from two ports to one analyzer port:
```sh
# ingress of sw1p1 and sw1p2 share ingress block 1; one filter on the block mirrors both to sw1p3
tc qdisc add dev sw1p1 ingress_block 1 clsact
tc qdisc add dev sw1p2 ingress_block 1 clsact
tc filter add block 1 ingress matchall skip_sw action mirred egress mirror dev sw1p3
# egress of sw1p11 and sw1p12 share egress block 2; one filter on the block mirrors both to sw1p13
tc qdisc add dev sw1p11 egress_block 2 clsact
tc qdisc add dev sw1p12 egress_block 2 clsact
tc filter add block 2 egress matchall skip_sw action mirred egress mirror dev sw1p13
```
For example, suppose we have N source ports and a single analyzer port D, all ports have the same speed of 10G, and they send 100% traffic (line rate) to the same queue. In this case, traffic distribution is "best effort": D is expected to receive ~10G/N from each port.
Suppose we also have F ports that are sending data traffic to port D. The distribution will be the same, ~10G/(N+F) from each of the N and F ports. Data traffic does not have any priority over mirrored traffic. In other words, mirrored and data traffic compete for the bandwidth of the analyzer port (bandwidth is distributed equally).
- If bandwidth(N+F) > bandwidth(D), losses are expected for both mirrored and data traffic.
- Otherwise, D should receive all mirrored and data traffic without losses (if PP resources are not exhausted).
Mirrored packets queued on an analyzer port are not subject to eVLAN/VLAN or Spanning Tree egress filtering. Thus, the traffic can be mirrored from a port which is assigned to one VLAN/Bridge and mirrored to an analyzer port which is in another VLAN/Bridge.
- Both ingress and egress mirroring are supported.
- Up to 7 target/destination/analyzer ports are supported.
- The number of filters (rules) is limited by the number of supported port mirror combinations.
- The filter rule priority should be higher than the minimum priority of all flower rules already installed (see ACL Configuration). The `matchall` filter takes precedence over flower ACL rules.
- The number of filters created does not affect the maximum number of ACL rules.
- Port mirroring is supported on physical ports only (switchdev ports, LAG members).
- Mirroring is possible only to switchdev ports.
- Drop counter statistics are not supported.
- The same source port cannot be bound to multiple analyzer ports.
- A mirror source port can also be used as an analyzer port.
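The following helper ties the command format above to the limits in this list. It is an added example, not part of the driver or this wiki: it generates the `clsact` and `matchall`/`mirred` commands for a plan of `SRC DIR DST` lines, rejects a direction other than ingress/egress, a source port bound to more than one analyzer, or more than 7 distinct analyzer ports, and prints the commands instead of running tc so they can be reviewed first. The port names and the plan are constructed sample values.

```sh
#!/bin/sh
# Constructed helper: builds the tc commands for a SPAN session and checks the
# driver limits listed above before anything is applied. It only prints the
# commands; applying them with tc is left to the operator.

MAX_ANALYZERS=7   # driver limit: up to 7 analyzer ports

# span_cmds SRC DIR DST: print the clsact + matchall/mirred commands for one port.
# DIR is the direction of the original traffic; the mirred action is always
# "egress mirror", since "ingress mirror" is not supported by the driver.
span_cmds() {
    src=$1; dir=$2; dst=$3
    case $dir in
        ingress|egress) ;;
        *) echo "span_cmds: direction must be ingress or egress, got '$dir'" >&2; return 1 ;;
    esac
    echo "tc qdisc add dev $src clsact"
    echo "tc filter add dev $src $dir matchall skip_sw action mirred egress mirror dev $dst"
}

# span_plan: read "SRC DIR DST" lines on stdin, reject plans that bind one source
# port to more than one analyzer or use more than MAX_ANALYZERS distinct analyzer
# ports, and print the commands for a valid plan.
span_plan() {
    plan=$(cat)
    dup=$(printf '%s\n' "$plan" | awk 'NF { if (($1 in a) && a[$1] != $3) print $1; a[$1] = $3 }')
    if [ -n "$dup" ]; then
        echo "span_plan: source port(s) bound to more than one analyzer: $dup" >&2
        return 1
    fi
    n=$(printf '%s\n' "$plan" | awk 'NF { print $3 }' | sort -u | wc -l)
    if [ "$n" -gt "$MAX_ANALYZERS" ]; then
        echo "span_plan: $n analyzer ports requested, driver supports $MAX_ANALYZERS" >&2
        return 1
    fi
    # here-document instead of a pipe so the loop runs in this shell and can return
    while read -r src dir dst; do
        [ -n "$src" ] || continue
        span_cmds "$src" "$dir" "$dst" || return 1
    done <<EOF
$plan
EOF
}

# Constructed example plan: both directions of sw1p1 and the ingress of sw1p2
# go to analyzer sw1p3 (the same source bound twice to the same analyzer is fine).
printf 'sw1p1 ingress sw1p3\nsw1p1 egress sw1p3\nsw1p2 ingress sw1p3\n' | span_plan
```

Pipe the printed commands into `sh` only after reviewing them; the checks here mirror the documented limits but do not replace the driver's own error reporting.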