SPAN
This section describes the user configuration of the SPAN feature. SPAN (port mirroring) mirrors every packet entering a physical switch port (ingress) to a different switch port (the analyzer port).
The Marvell Switchdev driver supports only port-based mirroring, which is configured using the tc matchall filter.
Packet mirrors are configured through tc filters, namely by attaching the matchall filter with the action mirred egress mirror. For details of what the filter is and how the mirror action is configured, see tc-mirred(8) and tc-matchall(8).
Here is the basic format of the command to mirror traffic from one port to another:
tc qdisc add dev <PORT> clsact
tc filter add dev <PORT> ingress matchall skip_sw action mirred egress mirror dev <TO-PORT>
Where:
- <PORT> is the switchdev port whose traffic is mirrored (the mirror source port).
- <TO-PORT> is the switchdev port used for mirrored traffic analysis.
The first ingress in the command refers to the direction of the original traffic. The later egress refers to the queue where the mirrored traffic is put, and must always be egress.
The skip_sw flag indicates that mirroring should take place only in hardware. Without this option, the rule is handled by both the kernel and the hardware.
Mirroring can be applied to multiple ports by using shared blocks. For example, to mirror all traffic from two ports to one analyzer port:
tc qdisc add dev sw1p1 ingress_block 1 clsact
tc qdisc add dev sw1p2 ingress_block 1 clsact
tc filter add block 1 ingress matchall skip_sw action mirred egress mirror dev sw1p3
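The shared-block setup above, generalized to any number of source ports, together with a check that the rule was offloaded. This is an added example, not part of the Marvell documentation: the function names, the port names and the sample `tc filter show` output are constructed, and the output layout is assumed to follow current iproute2, so adjust the patterns if your version prints it differently.

```shell
#!/bin/sh
# Added example (not Marvell's code). Function names are hypothetical.

# Print the tc commands that mirror ingress traffic of every source port to
# one analyzer port through a shared block. Nothing is executed here; review
# the output, then pipe it to `sh` on the switch to apply it.
span_plan() {
    block=$1 analyzer=$2
    shift 2
    [ "$#" -ge 1 ] || { echo "need at least one source port" >&2; return 1; }
    for src in "$@"; do
        echo "tc qdisc add dev $src ingress_block $block clsact"
    done
    echo "tc filter add block $block ingress matchall skip_sw action mirred egress mirror dev $analyzer"
}

# Read `tc filter show` output on stdin. Succeed only if one matchall rule
# is reported as offloaded (in_hw) and mirrors to the given analyzer port.
span_offloaded() {
    awk -v dev="$1" '
        /^filter /                  { is_ma = ($0 ~ / matchall /); hw = 0 }
        is_ma && /(^|[ \t])in_hw/   { hw = 1 }   # does not match not_in_hw
        is_ma && hw && index($0, "Mirror to device " dev ")") { ok = 1 }
        END { exit !ok }'
}

# Constructed sample of what the rule looks like once installed.
SAMPLE_SHOW='filter protocol all pref 49152 matchall chain 0
filter protocol all pref 49152 matchall chain 0 handle 0x1
  skip_sw
  in_hw
	action order 1: mirred (Egress Mirror to device sw1p3) pipe'
```

On a switch, the check would be fed live output, for example `tc filter show block 1 | span_offloaded sw1p3`.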
Consider N source ports and a single analyzer port D, where all ports have the same speed, i.e. 10G, and all send 100% traffic (line rate) to the same queue. Traffic distribution is best effort: D is expected to receive ~10G/N from each port.
If there are also F ports sending data traffic to port D, the distribution is the same: ~10G/(N+F) from each of the N and F ports. Data traffic has no priority over mirrored traffic. In other words, mirrored and data traffic compete for the bandwidth of the analyzer port (bandwidth is distributed equally).
If bandwidth(N+F) > bandwidth(D), losses are expected for both mirrored and data traffic. Otherwise, D should receive all mirrored and data traffic without losses (if PP resources are not exhausted).
Mirrored packets queued on an analyzer port are not subject to eVLAN/VLAN or Spanning Tree egress filtering. Thus, the traffic can be mirrored from a port which is assigned to one VLAN/Bridge and mirrored to an analyzer port which is in another VLAN/Bridge.
- Only ingress mirroring is supported.
- Up to 7 target/destination/analyzer ports are supported.
- The number of filters (rules) is limited by the number of supported port mirror combinations.
- The filter rule priority should be higher than the minimum priority of all flower rules already installed (see ACL Configuration). The matchall filter takes precedence over flower ACL rules.
- The number of filters created does not affect the maximum number of ACL rules.
- Port mirroring is supported on physical ports only (switchdev ports, lag members).
- Mirroring is possible only to switchdev ports.
- Drop counter statistic is not supported.
- Mirror source port can also be used as an analyzer port.