I'm running an ICX 6610 as my core switch and L3 router on my home network. Trying to dive deep into figuring out what my Chinese IP cameras are trying to send out (literally, I have a bunch of ACL entries in the switch logs from these things that are beyond suspicious), I've been packet tracing lately. I've packet traced before, but only on a device that traffic is actually being consumed by (i.e. laptop or desktop and just monitoring standard data passing through the NIC). This is the first time I'm using mirror ports.
Here's how I have my switch setup for port mirroring and monitoring:
VLAN 3 is the VLAN for all of my cameras and an NVR with strict ACL access to other VLANs.
Port 1/1/46 is on the default-VLAN 1 and no IP is assigned on the monitoring device running tcpdump. I also tried running the port as untagged VLAN 3 with the same results.
My question comes down to this....
I'm seeing a ton of ARP messages for global IP addresses not associated with my network and all of which are 802.1q tagged as VLAN 195, which is the VLAN used for modem <--> Proxmox servers (virtualized OPNSense WAN). It doesn't seem like ARP traffic tagged with VLAN 195 should be on a a port that is untagged as VLAN 3, right? Why is it doing this?
An example of what I see:
Here's how I have my switch setup for port mirroring and monitoring:
Code:
vlan 3 name cams
monitor ethernet 1/1/46
mirror-port ethernet 1/1/46Port 1/1/46 is on the default-VLAN 1 and no IP is assigned on the monitoring device running tcpdump. I also tried running the port as untagged VLAN 3 with the same results.
My question comes down to this....
I'm seeing a ton of ARP messages for global IP addresses not associated with my network and all of which are 802.1q tagged as VLAN 195, which is the VLAN used for modem <--> Proxmox servers (virtualized OPNSense WAN). It doesn't seem like ARP traffic tagged with VLAN 195 should be on a a port that is untagged as VLAN 3, right? Why is it doing this?
An example of what I see: