Specifications

Chapter 2. IBM System Networking Switch 10Gb Ethernet switch features 75
For example, an intrusion detection system (IDS) server or other traffic sniffer device or
analyzer can be connected to the monitoring port to detect intruders that attack the network.
IBM System Networking switches support a “many to one” mirroring model. As shown in
Figure 2-11, selected traffic for ports 1 and 2 is being monitored by port 3. In the example,
both ingress traffic and egress traffic on port 2 are copied and forwarded to the monitor.
However, port 1 mirroring is configured so that only ingress traffic is copied and forwarded to
the monitor. A device attached to port 3 can analyze the resulting
mirrored traffic.
Figure 2-11 Mirroring ports
2.6.2 ACL-based mirroring
For regular ACLs (see 2.8.6, “Access control lists” on page 97) and VMaps (see 2.8.7, “VLAN
maps” on page 100), packets that match an ACL on a specific port can be mirrored to another
switch port for network diagnosis and monitoring.
The source port for the mirrored packets cannot be a portchannel, but may be a member of
a portchannel.
The destination port to which packets are mirrored must be a physical port.
If the ACL or VMap has an action (permit, drop, and so on) assigned, it cannot be used to
mirror packets for that ACL.
2.6.3 sFlow
IBM System Networking switches support sFlow technology for monitoring traffic in data
networks. The switch includes an embedded sFlow agent that can be configured to provide
continuous monitoring information of IPv4 traffic to a central sFlow analyzer.
The switch is responsible only for forwarding sFlow information. A separate sFlow analyzer is
required elsewhere on the network to interpret sFlow data.
sFlow statistical counters
An IBM System Networking switch can be configured to send network statistics to an sFlow
analyzer at regular intervals. For each port, a polling interval of 5 - 60 seconds can be
configured, or 0 (the default) can be set to disable this feature.
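The analyzer side of this exchange, as an added example that is not taken from the IBM documentation: a parser for the per-port counters carried in an sFlow datagram, plus a rate calculation across two polls. It assumes the agent exports sFlow version 5 with an IPv4 agent address (the text above does not state the version); the function names and the sample datagram built from 192.0.2.10 are constructed for illustration.

```python
import socket
import struct

# Assumption: the agent exports sFlow version 5 (the page does not state the version).
# Generic interface counters record (enterprise 0, format 1): 88 bytes.
IF_COUNTERS = struct.Struct("!IIQIIQIIIIIIQIIIIII")
IF_FIELDS = ("ifIndex ifType ifSpeed ifDirection ifStatus ifInOctets ifInUcastPkts "
             "ifInMulticastPkts ifInBroadcastPkts ifInDiscards ifInErrors "
             "ifInUnknownProtos ifOutOctets ifOutUcastPkts ifOutMulticastPkts "
             "ifOutBroadcastPkts ifOutDiscards ifOutErrors ifPromiscuousMode").split()

def parse_counters(datagram):
    """Return (agent_ip, [counter dict per port]) from one sFlow v5 datagram."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("expected sFlow v5 with an IPv4 agent address")
    agent = socket.inet_ntoa(datagram[8:12])
    n_samples = struct.unpack_from("!I", datagram, 24)[0]  # after sub-agent, seq, uptime
    off, ports = 28, []
    for _ in range(n_samples):
        tag, length = struct.unpack_from("!II", datagram, off)
        body, end = off + 8, off + 8 + length
        if end > len(datagram):
            raise ValueError("sample length runs past the end of the datagram")
        if tag == 2:  # counters sample; flow samples (tag 1) are skipped
            n_records = struct.unpack_from("!I", datagram, body + 8)[0]
            rec = body + 12  # skip sample sequence number, source id, record count
            for _ in range(n_records):
                if rec + 8 > end:
                    raise ValueError("counter record runs past its sample")
                rtag, rlen = struct.unpack_from("!II", datagram, rec)
                if rtag == 1 and rlen == IF_COUNTERS.size and rec + 8 + rlen <= end:
                    ports.append(dict(zip(IF_FIELDS, IF_COUNTERS.unpack_from(datagram, rec + 8))))
                rec += 8 + rlen
        off = end
    return agent, ports

def in_bps(prev, curr, interval_s):
    """Average ingress bit rate between two polls; the counter is 64-bit and may wrap."""
    return ((curr["ifInOctets"] - prev["ifInOctets"]) % 2**64) * 8 / interval_s

def build_sample(if_index, in_octets, out_octets, in_errors):
    """Constructed datagram for the demo: one counters sample for one port."""
    rec = IF_COUNTERS.pack(if_index, 6, 10_000_000_000, 1, 3, in_octets, 0, 0, 0, 0,
                           in_errors, 0, out_octets, 0, 0, 0, 0, 0, 0)
    sample = struct.pack("!IIIII", 1, if_index, 1, 1, len(rec)) + rec
    header = struct.pack("!II4sIIII", 5, 1, socket.inet_aton("192.0.2.10"), 0, 1, 60000, 1)
    return header + struct.pack("!II", 2, len(sample)) + sample
```

In a collector, each UDP payload received from the switch goes to `parse_counters`, and two consecutive polls of the same port go to `in_bps` together with the polling interval configured for that port.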