Technical Tip: ERSPAN port for trunks on FortiSwitch in FortiLink mode

Description

This article describes how to monitor traffic in an ISL trunk for ERSPAN.

Scope

FortiSwitch in FortiLink mode.

Solution

One of the rules on mirror ports is that mirror sources cannot be mirror destinations.

In FortiLink mode, RSPAN and ERSPAN set all ISL trunks automatically like destination port, so a trunk monitoring throught FortiLink is not possible.

One way to get an ERSPAN port on trunks is by turning off the traffic sniffer on FortiLink with the following commands and configuring ERSPAN directly on FortiSwitch.

FortiGate commands:

config switch-controller traffic-sniffer
    set mode none
end

FortiSwitch configuration example:

config switch mirror
    edit "test"
        set status active
        set mode ERSPAN-auto
        set src-ingress "port23"
        set src-egress "port23"
        set erspan-collector-ip 192.168.254.55
    next
end

As per the rule described before, do not monitor the ISL trunk used to reach the collector IP.

Mode : ERSPAN-auto
Status : Active
Source-Ports:
Ingress: port23
Egress : port23
Used-by-ACLs : False
Auto-config-state : Nexthop switching table resolution
Last-update : 215 seconds ago
Issues : Switch interface 'GT60ETK20024394' needed to reach nexthop conflicts with 'port23' which is configured as a port mirror in this session.
Collector-IP : 192.168.254.51
Source-IP : 10.255.1.4
Source-MAC : 38:c0:ea:c9:f6:25