Arista 7050 - Mirror MLAG-Port

[Stril]

Hi!

I am using Arista 7050s in MLAG-config. On my firewall, there is one LACP-bond configured with one link to each of the two Aristas.

Now, I need to setup a monitor-port/port-mirror with an IDS-system attached to it.
Is there any possibility to mirror a MLAG?

I did not find anything about this.

Thank you for your help!
Stril

 

[bobbyd]

I looked around in documentation but I don't think there is a secret answer to this. You would need to mirror the PortChannel on each switch. One option might be to mirror the Port-Channel on one switch to a random port on the other switch and then mirror both of those ports to the IDS. You can have multiple source ports but only 1 destination port.

 

[Stril]

Hi!

Thank you for your answer. Your idea sounds good, but how can I avoid a loop or spanning-tree-problems?
Given the setup:

I mirror the LAG (production LAG) to port 1 of each switch.
- Now, I connect port 1 of switch 2 to port 2 of switch 1
- ...and mirror port 2 to port 1

--> How do I need to setup port 2 of switch one, that incoming packets are note forwarded to ANY other port?

Thank you for your help!

 

[oddball]

You can't mirror (span) a port in an mlag. Bobbyd is correct.

Create span ports on the port-channel, it moves them into a special mode. Then setup another switch 7124 or 7050s both handle this nicely as a tap aggregator and plug from spans into this.

When in span/tap mode spanning-tree is turned off on those ports. You won't have any issues, it's a supported configuration.