Remote mirroring and coprocessing

If you have a FAUCET stacked network, potentially with many switches, it would be nice to be able to mirror any port on any switch and have that traffic show up on a single port of one switch.

You can do this, even across switches from different vendors, by combining two FAUCET features (tunneling and coprocessing) with a hardware loopback plug on the coprocessor port.

Here’s our scenario. We have two switches in our FAUCET stack. We want to mirror any port on any switch and have that traffic appear on port 12 on DP 1. In our example below, we’ve chosen to mirror the host on DP 2, port 3.

Here’s the config for DP 1:

dps:
  dp1:
    dp_id: 1
    stack:
      priority: 1
    interfaces:
      12:
        output_only: true
      24:
        tagged_vlans:
        - untrusted
      28:
        stack:
          dp: dp2
          port: 10

And here’s the config for DP 2:

dps:
  dp2:
    dp_id: 2
    interfaces:
      3:
        native_vlan: untrusted
      4:
        acls_in: [remotemirror]
        coprocessor:
          strategy: vlan_vid
        mirror: [3]
      10:
        stack:
          dp: dp1
          port: 28
acls:
  remotemirror:
    rules:
    - rule:
      vlan_vid: 333
      actions:
        allow: 0
    - rule:
      actions:
        allow: 0
        output:
          tunnel:
            type: vlan
            tunnel_id: 333
            dp: dp1
            port: 12

Essentially, traffic from the host on DP 2 port 3 is switched on the untrusted VLAN as normal.

We now want to mirror DP 2 port 3, so we add a mirror entry to port 4 (port 4 can mirror as many ports as we like; we just list them all in its mirror configuration).

Traffic to and from port 3 is sent out port 4 (standard FAUCET mirroring). The loopback plug on port 4 feeds that traffic straight back in, and because port 4 is a coprocessor port, the incoming copy is subjected to the remotemirror ACL. The last rule in that ACL tags the traffic with VLAN 333 and sends it into a FAUCET tunnel whose destination is DP 1, port 12 (FAUCET takes care of delivering it over the stacking topology).

The first rule is there to prevent accidents: a packet that re-entered the loop cable still tagged with VLAN 333 would otherwise be tunneled and looped again and again, and we wouldn’t want that!
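As an added check that is not part of FAUCET or of this page, the script below transcribes the two configs above into Python dicts and lints the loop-guard property the text relies on: any coprocessor-port ACL that outputs into a VLAN tunnel must first drop traffic already tagged with that tunnel_id. It also requires the tunnel target to be an existing output_only port; that second requirement is an assumption of this check, modelled on how port 12 is configured above.

```python
# Added example: lint the remote-mirror recipe. The dicts are the page's
# DP 1 / DP 2 YAML transcribed by hand so no YAML library is needed.
DPS = {
    "dp1": {"dp_id": 1, "interfaces": {
        12: {"output_only": True},
        24: {"tagged_vlans": ["untrusted"]},
        28: {"stack": {"dp": "dp2", "port": 10}}}},
    "dp2": {"dp_id": 2, "interfaces": {
        3: {"native_vlan": "untrusted"},
        4: {"acls_in": ["remotemirror"], "mirror": [3], "coprocessor": {"strategy": "vlan_vid"}},
        10: {"stack": {"dp": "dp1", "port": 28}}}},
}
ACLS = {"remotemirror": {"rules": [
    {"vlan_vid": 333, "actions": {"allow": 0}},
    {"actions": {"allow": 0, "output": {"tunnel": {
        "type": "vlan", "tunnel_id": 333, "dp": "dp1", "port": 12}}}},
]}}


def first_match(rules, packet):
    """Actions of the first rule whose match fields all equal the packet's, else None."""
    for rule in rules:
        match = {k: v for k, v in rule.items() if k != "actions"}
        if all(packet.get(k) == v for k, v in match.items()):
            return rule["actions"]
    return None


def lint(dps, acls):
    """Problems found on coprocessor-port ACLs; an empty list means the config is clean."""
    problems = []
    for dp_name, dp in dps.items():
        for port, conf in dp["interfaces"].items():
            if "coprocessor" not in conf:
                continue
            for acl_name in conf.get("acls_in", []):
                rules = acls[acl_name]["rules"]
                for i, rule in enumerate(rules):
                    tunnel = rule["actions"].get("output", {}).get("tunnel")
                    if not tunnel:
                        continue
                    vid, where = tunnel["tunnel_id"], f"{dp_name} port {port} acl {acl_name}"
                    # A frame re-entering the loopback already tagged with the tunnel
                    # VLAN must hit an explicit drop (allow: 0) before the tunnel rule.
                    guard = first_match(rules[:i], {"vlan_vid": vid})
                    if guard is None or guard.get("allow", 1) != 0:
                        problems.append(f"{where}: no drop for vlan_vid {vid} before rule {i}")
                    # Assumption of this check: the tunnel target must be an existing
                    # output_only port, so nothing plugged into it gets switched.
                    dest = dps.get(tunnel["dp"], {}).get("interfaces", {}).get(tunnel["port"])
                    if not dest or not dest.get("output_only"):
                        problems.append(f"{where}: tunnel target {tunnel['dp']}:{tunnel['port']} not output_only")
    return problems
```

Deleting the first rule of remotemirror (or pointing the tunnel at a port that is not output_only) makes lint() report the problem, so the check can run in CI before a config is pushed to the controller.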

On a switch with a roomy action budget it would be convenient not to need the loopback plug at all; a future FAUCET version will allow that. The solution described here, however, accommodates almost all switches and can be used to implement centralized mirroring and coprocessing today.