7100 access port mirror
-
Hi, this is a quick question: can I configure SPAN ports on the regular access ports (ETH1-ETH8) on the 7100 1U machine? I ask because I have other hardware on which I can't configure a SPAN/mirror because the port is involved in a LAGG. Please pardon me if these LAGG scenarios are apples and oranges; I'm not very knowledgeable. I've never used pfSense before, but I just bought a 7100 and I am hoping I can configure what I'm describing. It's not a deal-breaker though. Thanks.
-
No, not easily. As you say, those interfaces are all VLANs on an internal LAGG by default, which means asking them to carry other tagged traffic will fail.
The internal switch itself technically supports span ports, but there is no way to enable that in pfSense, at least not yet. And even if you did, it would only span to another switch port, so you would need to break the internal LAGG to see the real traffic on it. Not really feasible.
Steve
-
@stephenw10 Thanks for the reply. I don't think I'll make use of those ports then, just the SFP+ ones. I find this kind of an unfortunate feature of the 7100; it's too bad those ports have such limited capability. Hopefully I'll still like this thing. I probably will if I'm happy with pfSense.
-
The only way you can create a span port in pfSense is by using a bridge:
https://docs.netgate.com/pfsense/en/latest/bridges/create.html#span-port
So you could use some of the other interfaces to create one if you need to. But, yes, it won't work well on VLAN interfaces.
Steve
-
@stephenw10 Well, the way I understand you, I can't carve these ports up with my own VLANs at all, which makes them sorta useless to me, just sort of like an on-board unmanaged switch at an underpowered 5/8th duplex throughput. Hmm, maybe I made a mistake. I got the 7100 because the rack mount is convenient and the RAM of the 6100 is so low, but maybe the 6100 is more useful to me in the short term and I can use the savings to budget an upgrade to the 6100 in the nearer future than I would with the 7100.
-
@tomatopizza You can put VLANs on the ports through the Switches configuration page (documentation), but what you can't do is the port mirroring.
I have a 7100 that pulls double duty. One half hosts the 10Gb SFP+ connection to my datacenter rack, and the onboard switch does all the 'home' devices: wireless APs, printers, IPVS, UPS monitors, etc.
When I've done port mirroring, I make sure that's offloaded to another switch (like the Netgear I have in my lab for configuration and software testing).
As for the 6100 rack mount situation... https://twitter.com/NetgateUSA/status/1527711025994387456
-
@rcoleman-netgate Right, well, "home" devices are becoming multi-gig more and more, e.g. I have a Netgear WAX630E AP that uses 2.5 Gb Ethernet. I just think that, having never run pfSense before, I probably don't have the imagination yet to make use of the expanded 24 GB of RAM on the 7100, whereas I have immediate use for four 2.5 GbE access ports. Unless there's more fine print I'm missing.
-
@rcoleman-netgate I forgot to thank you for the reply. Thanks. Yes, you did give me some pause for thought. I guess "useless" isn't correct then, but I find those ports sort of bizarre. I'd prefer it if they were just two independent 2.5 GbE ports.
-
Yes, you can divide up the switched ports in whatever way you want; it's a managed switch.
You can even use port VLAN mode to effectively couple the two internal interfaces to two Eth ports directly. That allows you to treat them as real NIC ports and see all traffic on them. But obviously only at 1G.
Steve