Multiple switches - RSPAN or ERSPAN

Hello Spartan_67,

In the 'config target-port' section of the configuration, you can specify multiple switches by listing them with the 'edit' command for each switch. You are not limited to configuring just one switch in this section.

The FortiSwitch unit can send a copy of any ingress or egress packet on a port to egress on another port of the same FortiSwitch unit. The original traffic is unaffected. This process is known as port-based mirroring and is typically used for external analysis and capture.

Using remote SPAN (RSPAN) or encapsulated RSPAN (ERSPAN) allows you to send the collected packets across layer-2 domains for analysis. You can have one RSPAN session or one ERSPAN session.

In RSPAN mode, traffic is encapsulated in VLAN 4092 and sent toward the FortiGate device, where it can be captured using packet capture. The FortiSwitch unit assigns the uplink port and the dst port. The switching functionality is enabled on the dst interface when mirroring.

In ERSPAN mode, traffic is encapsulated in Ethernet, IPv4, and generic routing encapsulation (GRE) headers. By focusing on traffic to and from specified ports and traffic to a specified MAC or IP address, ERSPAN reduces the amount of traffic being mirrored. The ERSPAN traffic is sent to a specified IP address, which is the device acting as an ERSPAN collector. The collector must be reachable by the FortiSwitch unit using IPv4 ICMP ping (NOTE: A firewall policy might be required on the FortiGate device.). If the collector IP address is not specified, the traffic is not mirrored.

NOTE: ERSPAN cannot be used with SPAN or RSPAN.

Please refer to the below documents for more information:

https://docs.fortinet.com/document/fortiswitch/7.6.0/fortilink-guide/173278/configuring-fortiswitch-port-mirroring
https://docs.fortinet.com/document/fortigate/7.2.3/cli-reference/250620/config-switch-controller-traffic-sniffer

If you have found a solution, please like and accept it to make it easily accessible to others.