Description

This article explains how to setup SPAN (Port Mirroring) using ports associated to underlying switch.

Scope

FortiGate.

Solution

The Switch Port Analyzer (SPAN) feature is available only when interface type is switch. Port spanning echoes traffic seen on a switch's SPAN source port(s) to the SPAN span destination port. Port Spanning is disabled by default.

Software Switch

SPAN for software switch can be enabled in the CLI:

config system switch-interface

        edit <new-switch-name>
            set vdom <vdom-name> --> Enter the name of the VDOM, if no VDOMS are configured it will be root.
            set member <interface1> <interface2> --> interfaces to echo traffic from and to.
            set span enable
            set span-source-port <interface1>
            set span-dest-port port <interface2> --> traffic on the span-source-port is echoed to the span-dest-port
            set span-direction {Tx | Rx | both} --> echo Transmitted traffic, Received traffic, or both.
        end
    end

 To remove/disable SPAN configuration:

Note:

For SPAN on software switch, the default setting 'intra-switch-policy implicit' is required. This cannot be changed after switch creation, see the article Technical Tip: Software switch policy

Example using software switch:

The software switch should be created first. See the article Technical Tip: Configuring software switch

Note:

An interface can only be added to a software switch if the interface has no IP configuration or references. Update firewall policies and any other references to refer to the software switch rather than the old interface, then add the interface to the software switch interface.

• Create the Software switch under Network -> Interfaces, select 'Create New', select type 'Software Switch', and add the interfaces as members.

Once the software switch is created use the CLI to enable SPAN on the interfaces.

config system switch-interface
    edit "Test"
        set vdom "root"
        set member "port5" "port6"
        set span enable
        set span-dest-port "port6"
        set span-source-port "port5"
    next
end

Hardware Switch:

For some platforms, SPAN can be configured using a Hardware switch, which can have better performance for heavy traffic. SPAN on hardware switch is not supported for platforms using NP7 or NP7XLite.

Example using Hardware Switch:

The Hardware switch should be created first.

• Create the Hardware switch under Network -> Interfaces, select 'Create New', select type 'Hardware switch', and add the interfaces as members.

Once created SPAN can be enabled from GUI as below:

CLI configuration:

config system interface
    edit "PortMirror"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set type hard-switch
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 36
    next
end

config system virtual-switch
    edit "PortMirror"
        set physical-switch "sw0"
        set span enable
        config port
            edit "internal1"
            next
            edit "internal2"
            next
        end
        set span-source-port "internal1"
        set span-dest-port "internal2"
   next

end

Port mirroring for NP7:
All platforms support SPAN for software switches, as demonstrated earlier in this article. NP7 platforms also support a hardware-based port mirroring feature, see v7.4.7 Hardware Acceleration: Mirroring packets offloaded by NP7 processors