Abstract
This document provides step-by-step instructions for configuring a network monitoring (SPAN/mirror) port on a Mellanox switch. It outlines the necessary Web UI commands and key considerations to enable traffic mirroring for network analysis and troubleshooting.
I love these switches – specifically the SX1024. They’re cheap on eBay, and have lots of 10GbE and 40GbE ports available. Plus they’re infinitely configurable, and I have lots of experience with them since I was at NVIDIA when they acquired Mellanox ¯_(ツ)_/¯
Note!: They’re loud. I have a three rack enclosed data center in my house, heavily insulated and well cooled. That isn’t normal. However, I know I’m not the only nerd out there doing this stuff. So here’s to my fellow home data center masochists!
Configuration via Web UI Management Interface
On my switch, I have the first 12 10GbE SFP ports (1-12) and the first 4 40GbE QSFP ports (49-52) for my general traffic VLAN (2). I want to mirror all traffic on all those ports, minus port 52. This will be my monitor port – the one I connect to a system with a NIC set up for Trend Micro VNS, Wireshark, Splunk Stream, Snort – whatever. In my case, it’s an old PowerEdge R620 filled with ConnectX-4 40GbE NICs.

Open the web management interface in your browser, log in as admin, and click on Ports in the top navigation menu. You should see a graphical representation of your switch as shown above.
Click on the port that will be your traffic destination interface. Mine is 52. We need to disable this port, because you cannot add enabled ports to a Monitor Session. So uncheck Enabled under Port Configuration and hit Apply:

Now click on Monitor Session in the left panel navigation menu.

Select a Monitor Session ID from the drop-down menu. I already have two set up, so my new one will be 3. Then click Apply.
Now you have a new session available to configure:

Click on the number for the session you want to configure. That will populate your info/config fields for that specific session:

Select your destination monitor interface, enable the Monitor Session, then click Apply:

Logistical Considerations
There is an easy way and a messy way to do this. The easy way is to only add the port going to your firewall (in my case, Eth1/49) for the VLAN to the destination port (in my case, Eth1/52). However! This means you will miss intra-VLAN traffic, since when two hosts in the same VLAN communicate (Host A to Host B), their traffic is switched locally by the switch and does not traverse the gateway/firewall.
I say this is the easy way, because neither the web management interface nor the CLI has any method to monitor the whole VLAN. To do this, you need to add each port of the VLAN you wish to mirror to the destination port one by one. Which is a horrific exercise depending on the size of your VLAN (thanks to the slooooow management UI page response).
Because I want full visibility (botnet/malware activity within the VLAN systems, etc.), I’m going to do this the hard way. Under Monitor Session # source interfaces, add each source interface in the VLAN with “both” selected for ingress/egress direction one at a time, and hit Apply until they’re all there. Don’t add your monitor destination interface… just in case you get carried away with the clicking.
Behold – my full Monitor Session 3 source interfaces list:

Now go back to the Ports section of the left navigation menu. Click on the port that is your traffic destination interface (ex. 52). We need to enable this port now since the Monitor Session is set up. So check Enabled under Port Configuration and hit Apply:

Alert! Remember to click the red Save button on the header navigation menu. Your changes are active, but not saved. Which means all this effort is lost if you reboot without saving.
That’s it! Now connect your network monitor of choice to this port. May I suggest Deploying Trend Micro Virtual Network Sensor on Proxmox VE?
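To check that the session really delivers the intra-VLAN traffic discussed under Logistical Considerations, the sketch below (an added example, not part of the original post) counts frames in a capture taken on the monitor host by whether both endpoints sit inside the VLAN's subnet. The function names, the 192.168.2.0/24 subnet standing in for VLAN 2, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

def classify_frame(frame: bytes, net) -> str:
    """Label one Ethernet frame: intra_vlan, routed, or other."""
    if len(frame) < 14:
        return "other"
    ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag present
        ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < l3 + 20:
        return "other"  # not IPv4 (ARP, IPv6, ...) or truncated
    src = ipaddress.ip_address(frame[l3 + 12:l3 + 16])
    dst = ipaddress.ip_address(frame[l3 + 16:l3 + 20])
    if dst.is_multicast or dst in (net.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        return "other"  # flooded traffic reaches every port, so it proves nothing
    if src in net and dst in net:
        return "intra_vlan"  # switched locally, never crosses the firewall port
    return "routed" if (src in net or dst in net) else "other"

def classify_capture(pcap: bytes, vlan_cidr: str) -> dict:
    """Count frames per label in a classic (microsecond) Ethernet pcap."""
    net = ipaddress.ip_network(vlan_cidr)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    counts, off = {"intra_vlan": 0, "routed": 0, "other": 0}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        counts[classify_frame(pcap[off + 16:off + 16 + incl_len], net)] += 1
        off += 16 + incl_len
    return counts

def sample_pcap(flows) -> bytes:
    """Build a constructed pcap from (src_ip, dst_ip, vlan_id_or_None) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, vlan in flows:
        tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x02" * 6 + b"\x04" * 6 + tag + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # Constructed sample: 192.168.2.0/24 stands in for the VLAN 2 subnet (assumption).
    flows = [("192.168.2.10", "192.168.2.20", None), ("192.168.2.10", "198.51.100.7", 2),
             ("192.168.2.10", "192.168.2.255", None)]
    print(classify_capture(sample_pcap(flows), "192.168.2.0/24"))
```

Feed it a capture saved in classic pcap format (not pcapng) from the monitor NIC; an `intra_vlan` count that stays at zero while hosts in the VLAN are talking to each other suggests only the firewall-facing port is being mirrored.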


