FortiSwitch
vsiva (Staff)
Article Id 195704

Description

This article describes how to use RSPAN on a managed FortiSwitch to mirror packets to a port.

Reference: https://docs.fortinet.com/document/fortiswitch/7.4.0/fortilink-guide/173278/configuring-fortiswitch-...


Scope

FortiGate and FortiSwitch version 6.4.x and above.

Solution

In some scenarios the collector agent has no IP address, so ERSPAN-auto cannot be used and RSPAN must be used instead.

By default, the FortiGate creates an RSPAN VLAN interface with VLAN ID 4092. For example:

FortiGate-200E (root) # show system interface rspan
config system interface
    edit "rspan"
        set vdom "root"
        set ip 10.255.12.1 255.255.255.0
        set description "Sniffer VLAN"
        set alias "rspan.fortilink"
        set snmp-index 32
        set switch-controller-access-vlan enable
        set switch-controller-traffic-policy "sniffer"
        set switch-controller-rspan-mode enable
        set switch-controller-feature rspan
        set interface "fortilink"
        set vlanid 4092
    next
end

 

Consider the following example topology and configuration:

[Topology diagram: a FortiAP connected to port3 of SW1; the collector agent connected to port37 of SW2]

We want to mirror the traffic of the FortiAP connected on port3 of SW1 to port37 on SW2, where the collector agent is connected.

 

Configuration steps:

1) Configure RSPAN on SW1:

 

config switch-controller traffic-sniffer
    set mode rspan
    config target-port
        edit "SW serial#"
            set description ''
            set in-ports "port3"
            set out-ports "port3"
        next
    end
end

 

2) (A) Create an ACL using a custom command that redirects the mirrored traffic from port3 of SW1 to port37 on SW2:

 

config switch-controller custom-command
    edit "acl_to_collector"
        set command "config switch acl ingress %0a edit 1 %0a config action %0a set redirect port37 %0a end %0aconfig classifier %0a set vlan-id 4092 %0a end %0a set ingress-interface-all enable %0a next%0a end%0a "
    next
end

 

2) (B) Assign the custom command to SW2:

 

config switch-controller managed-switch
    edit "SW2 serial#"
        config custom-command
            edit "1"
                set command-name "acl_to_collector"
            next
        end
    next
end

 

3) Set the native VLAN of port37 to the RSPAN VLAN:

 

config switch-controller managed-switch
    edit "S248EFTF18000075"
        config ports
            edit "port37"
                set poe-capable 1
                set vlan "rspan"
            next
        end
    next
end

 

4) Verify that the configuration has been pushed to both switches by connecting to each switch over SSH:

 

SW1:

 

sh switch mirror
config switch mirror
    edit "flink.sniffer"
        set status active
        set mode RSPAN
        set src-ingress "port3"
        set src-egress "port3"
        set rspan-ip 10.255.1.1
        set encap-vlan-id 4092
    next
end

 

SW2:

 

sh switch acl ingress
config switch acl ingress
    edit 1
        config action
            set redirect "port37"
        end
        config classifier
            set vlan-id 4092
        end
        set ingress-interface-all enable
    next
end

 

sh switch interface port37
config switch interface
    edit "port37"
        set native-vlan 4092
        set allowed-vlans 4093
        set untagged-vlans 4093
        set snmp-index 37
    next
end
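As an added example (not part of the Fortinet article, and not a FortiOS or FortiSwitch command), the following Python script ties step 2 (A) and step 4 together: it decodes the `%0a`-encoded custom command, parses the `show` output copied from both switches, and checks that SW1's RSPAN encapsulation VLAN, SW2's ACL classifier and redirect port, and port37's native VLAN all agree. The sample outputs are constructed copies of the article's own output; `parse_fortios`, `decode_custom_command` and `check_rspan_chain` are the example's own helpers.

```python
import shlex

# Constructed copies of the verification output shown in the article (whitespace normalised).
SW1_MIRROR = """
config switch mirror
    edit "flink.sniffer"
        set status active
        set mode RSPAN
        set src-ingress "port3"
        set src-egress "port3"
        set rspan-ip 10.255.1.1
        set encap-vlan-id 4092
    next
end
"""
SW2_ACL = """
config switch acl ingress
    edit 1
        config action
            set redirect "port37"
        end
        config classifier
            set vlan-id 4092
        end
        set ingress-interface-all enable
    next
end
"""
SW2_PORT37 = """
config switch interface
    edit "port37"
        set native-vlan 4092
        set allowed-vlans 4093
        set untagged-vlans 4093
    next
end
"""
# The %0a-encoded custom command from step 2 (A), as stored on the FortiGate.
CUSTOM_COMMAND = ("config switch acl ingress %0a edit 1 %0a config action %0a set redirect port37 %0a end "
                  "%0aconfig classifier %0a set vlan-id 4092 %0a end %0a set ingress-interface-all enable "
                  "%0a next%0a end%0a ")


def parse_fortios(text):
    """Parse FortiOS-style CLI ('config'/'edit' open a table, 'set' stores a value,
    'next'/'end' close it) into nested dicts. Indentation is ignored."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif tokens[0] == "set" and len(tokens) >= 3:
            stack[-1][tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
        elif tokens[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]


def decode_custom_command(cmd):
    """Turn a %0a-encoded custom-command string back into multi-line CLI text."""
    return "\n".join(p.strip() for p in cmd.split("%0a") if p.strip())


def check_rspan_chain(sw1_mirror, sw2_acl, sw2_port, collector_port, custom_command=None):
    """Return a list of problems; an empty list means SW1 mirror -> SW2 ACL -> SW2 port agree."""
    problems = []
    mirrors = parse_fortios(sw1_mirror).get("switch mirror", {})
    active = [m for m in mirrors.values()
              if m.get("status") == "active" and str(m.get("mode", "")).upper() == "RSPAN"]
    if not active:
        return ["SW1: no active RSPAN mirror session"]
    encap = active[0].get("encap-vlan-id")  # the RSPAN VLAN the mirrored frames are tagged with

    acls = parse_fortios(sw2_acl).get("switch acl ingress", {})
    matching = [a for a in acls.values() if a.get("classifier", {}).get("vlan-id") == encap]
    if not matching:
        problems.append(f"SW2: no ingress ACL classifies RSPAN VLAN {encap}")
    else:
        redirect = matching[0].get("action", {}).get("redirect")
        if redirect != collector_port:
            problems.append(f"SW2: ACL redirects to {redirect}, expected {collector_port}")
        if matching[0].get("ingress-interface-all") != "enable":
            problems.append("SW2: ACL is not applied to all ingress interfaces")

    port = parse_fortios(sw2_port).get("switch interface", {}).get(collector_port, {})
    if port.get("native-vlan") != encap:
        problems.append(f"SW2: {collector_port} native-vlan is {port.get('native-vlan')}, expected {encap}")

    # Optional: confirm the ACL running on SW2 matches what the FortiGate custom command pushes.
    if custom_command is not None and parse_fortios(decode_custom_command(custom_command)) != parse_fortios(sw2_acl):
        problems.append("SW2: running ACL differs from the FortiGate custom command")
    return problems


if __name__ == "__main__":
    print(check_rspan_chain(SW1_MIRROR, SW2_ACL, SW2_PORT37, "port37", CUSTOM_COMMAND) or "RSPAN chain OK")
```

Paste the real `show switch mirror`, `show switch acl ingress` and `show switch interface <port>` output in place of the constructed strings; any mismatch between the encapsulation VLAN, the ACL classifier or the collector port's native VLAN is reported instead of silently leaving the collector with no mirrored frames.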

 

NOTE:

When RSPAN is configured for a port, the traffic mirrored from that port is also delivered to the FortiGate's RSPAN interface, which can increase load/CPU usage on the FortiGate.

For example, here the AP's traffic (UDP port 5246 in this capture) is seen arriving on the FortiGate's RSPAN interface:

 

diagnose sniffer packet rspan "port 5246 and host 1.1.1.8" 4 0 a
interfaces=[rspan]
filters=[port 5246]
2023-05-27 07:50:27.482980 rspan -- 1.1.1.8.25246 -> 1.1.1.1.5246: udp 57