Port mirroring, also known as a roving analysis port, port monitoring, switched port analyzer, and the like, is a method of monitoring network traffic. For example, a switch or the like is configured to forward a copy of each incoming and/or outgoing packet from one port to another port on the same switch where the packet can be monitored. Network administrators and operators use port mirroring as a diagnostic tool or debugging feature. Port mirroring can enable the administrator to keep close track of switch performance and alter it if necessary.
Referring to FIG. 1, a network 10 includes a switch 12 connected to a local area network (LAN)/wide area network (WAN) 14. A client 16 is connected to a first port 18 on the switch 12. To monitor the first port 18, port mirroring is configured on the switch 12, and an analyzer 20 is connected to a second port 22 where the switch 12 mirrors the first port 18. The mirror port 22 is also referred to as a sink port. An administrator configures port mirroring by assigning a port (i.e., port 18) from which to copy all packets and another port (i.e., port 22) where those packets will be sent. A packet bound for (ingress) or heading away (egress) from the first port 18 is forwarded onto the second port 22 as well. The administrator places the analyzer 20 on the port 22 receiving the mirrored data to monitor each segment separately. The analyzer 20 captures and evaluates the data without affecting the client 16 on the original port 18, i.e. the monitoring is independent of the client 16 and the port 18.
Port mirroring is used on switches and the like to send a copy of all network packets seen on one switch port to a network monitoring connection on another switch port. Conventional layer two port mirroring techniques (typically applied to Ethernet ports) allow for all packets received from a port, sent from a port, or both to be copied to one or two other ports in the system (two ports in the case of simultaneous ingress and egress mirroring). As illustrated in FIG. 1, these current techniques require that the sink be a port on the same logical node as the port being mirrored, i.e. port monitoring is operated solely within the switch 12. Per this definition, a node can include multi-shelf arrangements including stacked switches. For example, switch 12 can include multiple shelves in a stacked configuration with the first and second ports 18,22 located on different shelves, i.e. within the same logical node.
Network operators use port mirroring for a variety of applications. For example, government wiretapping requirements under the Communications Assistance for Law Enforcement Act of 1994 (CALEA) regulations require such capability. Also, network operators often use port mirroring for test and problem diagnosis. Disadvantageously, the inability to sink the mirrored data to a port on any arbitrary node in the network is a serious shortcoming. Current techniques require the network operator to dedicate at least one port, and more likely at least two ports on every node in the network to act as mirror sinks. Also, every node in the network would need to connect these mirror sink ports to a test/monitor device, i.e. the analyzer 20, that is either collocated with the network element or which utilizes dedicated transport facilities to backhaul the mirrored data to the test/monitor device.
Additionally, existing port mirroring techniques mirror all traffic on a port. For example, a GbE port could include a single data flow, but to get a mirror of this flow, the entire port is mirrored. Disadvantageously, this leads to needlessly mirroring all traffic on the port, and requiring the specific flow to be access at the mirror sink.