eosis
just joined
Topic Author
Posts: 4
Joined: Tue Nov 13, 2012 3:41 pm

Port mirroring with VLAN to prevent bridging

Tue Nov 13, 2012 4:08 pm

I'm searching for a switch that would allow me to bridge a VoIP network and data network (using VLANs) but also port mirror across the VLANs to packet sniff the VoIP network. Aside from this, I would need the destination port of the mirror to still be usable, so I could still send data over the network to the internet.
Could this be achieved using a RouterOS router? I've seen the great switch creation tools available, but I'm not sure if the VLAN tagging would work in the way I need* or if I could still use the destination port of the mirror.

Here's an example usage:
Port 1 - Computer
Port 2 - Rest of the network / internet
Port 3 - IP phone
Port 4 - Rest of VoIP network

A mirror would be set up from Port 3 with the destination port set as Port 1. I would like to then be able to access the internet from the computer on Port 1, as well as sniff the mirrored VoIP packets.
Port 1 and Port 2 would be in VLAN 1 and ports 3 and 4 would be in VLAN 2.
VLAN tags would be applied on packets entering the switch on all ports; VLAN-ID 1 for ports 1 and 2; VLAN-ID 2 for ports 3 and 4.
The VLAN tags could then be stripped when leaving all ports (the devices connected would not be VLAN aware).

The overall aim here is to sniff the VoIP packets without physically bridging the two networks.

Any advice would be greatly appreciated.

*I've read ( http://blog.butchevans.com/2010/02/to-t ... /#more-176 ) that RouterOS will always add the VLAN tag corresponding to the VLAN-ID of the port that the packet left. I would need the tags to be applied when the packets entered, and stripped as they left.
 
eosis
just joined
Topic Author
Posts: 4
Joined: Tue Nov 13, 2012 3:41 pm

Re: Port mirroring with VLAN to prevent bridging

Thu Nov 15, 2012 11:05 am

I've been investigating this further, and I think I should be able to do this with any RB with an Atheros 8316 switch chip inside (probably the RB750G).

I've read on the wiki http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features and here http://forum.mikrotik.com/viewtopic.php?f=2&t=50066 that this should be possible using rules. So, would the following rules give me the correct functionality? I.e., ether1 should only be able to ping devices on ether2, while not being able to ping devices on ether3 or ether4, but the packets arriving on ether3 should be passed on to ether2.

switch=switch1 ports=ether1 vlan-header=not-present copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=ether2
switch=switch1 ports=ether2 vlan-header=not-present copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=ether1
switch=switch1 ports=ether3 vlan-header=not-present copy-to-cpu=no redirect-to-cpu=no mirror=yes mirror-target=ether1 new-dst-ports=ether4
switch=switch1 ports=ether4 vlan-header=not-present copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=ether3

Does anyone know if this would work the way I need?
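The port layout from the first post (ports 1 and 2 in the data VLAN, ports 3 and 4 in the VoIP VLAN, port 3 mirrored to port 1) can also be expressed with the AR8316 switch chip's port VLAN table and mirror settings rather than ACL rules. The following is an added example written for this thread, not the poster's configuration and not taken from the MikroTik wiki; it assumes a RouterOS v6-style CLI, a single switch group with ether1 as master port, and uses constructed VLAN IDs 10 (data) and 20 (VoIP) in place of the post's 1 and 2. Whether mirrored copies from the VoIP VLAN are delivered to a target port that is not a member of that VLAN depends on the chip, so the checks in the note below are part of the example.

```routeros
# Added example (assumption: all four ports sit on one AR8316 switch chip,
# ether1 is the master port; adjust master-port to match your board).
/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
set ether4 master-port=ether1

# Ingress: tag untagged frames with the port's default VLAN.
# Egress: strip the tag, because the attached devices are not VLAN aware.
# vlan-mode=secure drops frames whose VLAN is not in the VLAN table for that port.
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=10
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=20
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=20

# VLAN table: data segment on ether1/ether2, VoIP segment on ether3/ether4.
# Because ether1 is not a member of VLAN 20, traffic from the sniffing
# computer cannot be forwarded into the VoIP segment.
/interface ethernet switch vlan
add switch=switch1 vlan-id=10 ports=ether1,ether2
add switch=switch1 vlan-id=20 ports=ether3,ether4

# Mirror: copy everything seen on ether3 (the IP phone) to ether1.
# The copy is one-way; ether1 keeps its normal VLAN 10 forwarding to ether2.
/interface ethernet switch
set switch1 mirror-source=ether3 mirror-target=ether1
```

Two things to verify on the real hardware before trusting this as a one-way tap: run a packet capture on the ether1 host while the phone is active and confirm mirrored frames arrive, and confirm from the same host that pings to addresses on ether3 and ether4 fail while internet access through ether2 still works. If the mirrored frames do not appear, the chip is applying VLAN egress filtering to the mirror target, and the rule-based approach in the post above is the alternative to test.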