Mirroring refers to the process of copying
packets of one or more ports (source ports) to a destination port which is
connected to a data detection device. Users can then use the data detection
device to analyze the mirrored packets on the destination port for monitoring
and troubleshooting the network.

Figure 1-1 A port mirroring implementation
H3C S3100 series Ethernet switches support two
kinds of port mirroring: local port mirroring and remote port mirroring.
- Local port mirroring: a device copies packets passing through one or more source ports of the device to the destination port.
- Remote port mirroring: port mirroring is implemented through the remote source mirroring group and remote destination mirroring group. The device copies the packets of the source port to the reflector port, which then broadcasts the packets in the remote-probe VLAN. After the remote device receives the packets, it compares the VLAN ID of the packets with that of the remote-probe VLAN on the remote device. If the VLAN IDs are identical, the remote device forwards the packets to the destination port of the remote destination mirroring group.
In local port mirroring, packets passing
through one or more source ports of a device are copied to the destination port
on the same device for packet analysis and monitoring. In this case, the source
ports and the destination port must be located on the same device.
Remote port mirroring does not require the
source and destination ports to be on the same device. The source and destination
ports can be located on multiple devices across the network. Therefore,
administrators can monitor the traffic on remote devices conveniently.
To implement remote port mirroring, a special
VLAN, called remote-probe VLAN, is needed. All mirrored packets are sent from
the reflector port of the source switch to the monitor port (destination port)
of the destination switch through the remote-probe VLAN, so as to implement the
monitoring of packets received on and sent from the source switch on the
destination switch. Figure
1-2 illustrates the implementation of remote port mirroring.

Figure 1-2 Remote port mirroring application
The switches involved in the remote port
mirroring implementation play the following three roles.
- Source switch: The switch where the monitored port resides. It copies traffic to the reflector port, which then transmits the traffic to an intermediate switch or destination switch through the remote-probe VLAN.
- Intermediate switch: A switch between the source switch and destination switch on the network. An intermediate switch forwards mirrored traffic flows to the next intermediate switch or the destination switch through the remote-probe VLAN. No intermediate switch is present if the source and destination switches directly connect to each other.
- Destination switch: The switch where the remote mirroring destination port resides. It forwards mirrored traffic flows it receives from the remote-probe VLAN to the monitoring device through the destination port.
Table 1-1 describes how the
ports on various switches are involved in the mirroring operation.
Table 1-1 Ports involved in the mirroring operation
| Switch | Ports involved | Function |
|---|---|---|
| Source switch | Source port | Port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port. |
| Source switch | Reflector port | Receives packets from the source port and broadcasts the packets in the remote-probe VLAN. |
| Source switch | Trunk port | Sends mirrored packets to the intermediate switch or the destination switch. |
| Intermediate switch | Trunk port | Sends mirrored packets to the destination switch. Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side. |
| Destination switch | Trunk port | Receives remote mirrored packets. |
| Destination switch | Destination port | Receives packets forwarded from the trunk port and transmits the packets to the data detection device. |
Caution:
- Do not configure a default VLAN, a management VLAN, or a dynamic VLAN as the remote-probe VLAN.
- Configure all ports connecting the devices in the remote-probe VLAN as trunk ports, and ensure the Layer 2 connectivity from the source switch to the destination switch over the remote-probe VLAN.
- Do not configure a Layer 3 interface for the remote-probe VLAN, run other protocol packets, or carry other service packets on the remote-probe VLAN, and do not use the remote-probe VLAN as the voice VLAN or protocol VLAN; otherwise, remote port mirroring may be affected.
1.2 Mirroring Configuration
Table 1-2 Mirroring configuration tasks
I. Configuration prerequisites
- The source port is determined and the direction in which the packets are to be mirrored is determined.
- The destination port is determined.
II. Configuration procedure
Table 1-3 Configure local port mirroring
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Configure the source port for the port mirroring group (in system view) | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Use either approach. You can configure multiple source ports at a time in system view, or you can configure the source port in specific port view. The configurations in the two views have the same effect. |
| Configure the source port for the port mirroring group (in port view) | interface interface-type interface-number | |
| | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | |
| | quit | |
| Configure the destination port for the port mirroring group (in system view) | mirroring-group group-id monitor-port monitor-port-id | Use either approach. The configurations in the two views have the same effect. |
| Configure the destination port for the port mirroring group (in port view) | interface interface-type interface-number | |
| | mirroring-group group-id monitor-port | |
When configuring local port mirroring, note that:
- You need to configure the source and destination ports for the local port mirroring to take effect.
- The destination port cannot be a member port of an aggregation group or a port enabled with LACP or STP.
1.2.2 Configuring Remote Port Mirroring
An S3100 series Ethernet
switch can serve as a source switch, an intermediate switch, or a destination
switch in a remote port mirroring networking environment.
I. Configuration on a switch acting as a source switch
1) Configuration prerequisites
- The source port, the reflector port, and the remote-probe VLAN are determined.
- Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
- The direction of the packets to be monitored is determined.
2) Configuration procedure
Table 1-4 Configuration on the source switch
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter the VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN. |
| Configure the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required |
| Return to system view | quit | — |
| Enter the view of the Ethernet port that connects to the intermediate switch or destination switch | interface interface-type interface-number | — |
| Configure the current port as trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure the trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required |
| Return to system view | quit | — |
| Create a remote source mirroring group | mirroring-group group-id remote-source | Required |
| Configure source port(s) for the remote source mirroring group | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Required |
| Configure the reflector port for the remote source mirroring group | mirroring-group group-id reflector-port reflector-port | Required |
| Configure the remote-probe VLAN for the remote source mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
When configuring the source switch, note that:
- All ports of a remote source mirroring group are on the same device. Each remote source mirroring group can be configured with only one reflector port.
- The reflector port cannot be a member port of an aggregation group, or a port enabled with LACP or STP. It must be an access port and cannot be configured with functions such as VLAN-VPN, port loopback detection, packet filtering, QoS, port security, and so on.
- It is recommended not to configure the VLAN mapping and the selective QinQ function on the reflector port; otherwise, port mirroring may not function properly.
- You cannot modify the duplex mode, port rate, and MDI attribute of a reflector port.
- Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group becomes invalid if the corresponding remote port mirroring VLAN is removed.
- Do not configure a port connecting the intermediate switch or destination switch as the mirroring source port. Otherwise, traffic disorder may occur in the network.
1) Configuration prerequisites
- The trunk ports and the remote-probe VLAN are determined.
- Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
2) Configuration procedure
Table 1-5 Configuration on the intermediate switch
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN. |
| Configure the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required |
| Return to system view | quit | — |
| Enter the view of the Ethernet port connecting to the source switch, destination switch or other intermediate switch | interface interface-type interface-number | — |
| Configure the current port as trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure the trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required |
1) Configuration prerequisites
- The destination port and the remote-probe VLAN are determined.
- Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
2) Configuration procedure
Table 1-6 Configure remote port mirroring on the destination switch
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN. |
| Configure the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Return to system view | quit | — |
| Enter the view of the Ethernet port connecting to the source switch or an intermediate switch | interface interface-type interface-number | — |
| Configure the current port as trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required |
| Return to system view | quit | — |
| Create a remote destination mirroring group | mirroring-group group-id remote-destination | Required |
| Configure the destination port for the remote destination mirroring group | mirroring-group group-id monitor-port monitor-port | Required |
| Configure the remote-probe VLAN for the remote destination mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
When configuring a destination switch, note that:
- The destination port of remote port mirroring cannot be a member port of an aggregation group, or a port enabled with LACP or STP.
- Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group becomes invalid if the corresponding remote port mirroring VLAN is removed.
After the above configurations, you can
execute the display commands in any view to view the mirroring running information,
so as to verify your configurations.
Table 1-7 Display configuration of mirroring
| Operation | Command | Description |
|---|---|---|
| Display port mirroring configuration | display mirroring-group { group-id \| all \| local \| remote-destination \| remote-source } | Available in any view |
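A mirroring group copies every packet on its source ports to another port, so the groups present on a switch are worth comparing with what was approved. The following is an added example, not part of the H3C manual: it parses display mirroring-group output in the layout shown in this guide and reports deviations from a baseline. The sample text, the baseline structure and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the display mirroring-group output shown in this guide.
SAMPLE = """\
mirroring-group 1:
    type: remote-source
    status: active
    mirroring port:
        Ethernet1/0/1  inbound
        Ethernet1/0/2  inbound
    reflector port: Ethernet1/0/4
    remote-probe vlan: 10
mirroring-group 2:
    type: local
    status: active
    mirroring port:
        Ethernet1/0/5  both
    monitor port: Ethernet1/0/9
"""

def parse_groups(text):
    """Return {group_id: {"sources": {port: direction}, "type": ..., other fields}}."""
    groups, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"mirroring-group (\d+):", line)
        if m:
            cur = groups.setdefault(int(m.group(1)), {"sources": {}})
            continue
        m = re.fullmatch(r"(\S+)\s+(both|inbound|outbound)", line)
        if m and cur is not None:        # a source-port row under "mirroring port:"
            cur["sources"][m.group(1)] = m.group(2)
            continue
        key, _, value = line.partition(":")
        if cur is not None and value.strip():
            cur[key.strip()] = value.strip()
    return groups

def audit(groups, approved):
    """List deviations of the running mirroring groups from an approved baseline."""
    findings = []
    for gid, g in sorted(groups.items()):
        want = approved.get(gid)
        if want is None:
            findings.append(f"group {gid}: not in baseline ({g.get('type')})")
            continue
        for field in ("type", "monitor port", "reflector port", "remote-probe vlan"):
            if g.get(field) != want.get(field):
                findings.append(f"group {gid}: {field} is {g.get(field)}, expected {want.get(field)}")
        for port, direction in sorted(g["sources"].items()):
            if want.get("sources", {}).get(port) != direction:
                findings.append(f"group {gid}: source {port} {direction} is not approved")
    return findings
```

Run against output collected from each switch, audit returns an empty list when the mirroring groups match the baseline.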
I. Network requirements
The departments of a company connect to
each other through S3100 Ethernet switches:
- Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.
- Marketing department is connected to Switch C through Ethernet 1/0/2.
- Data detection device is connected to Switch C through Ethernet 1/0/3.
The administrator wants to monitor the
packets received on and sent from the R&D department and the marketing
department through the data detection device.
Use the local port mirroring function to
meet the requirement. Perform the following configurations on Switch C.
- Configure Ethernet 1/0/1 and Ethernet 1/0/2 as mirroring source ports.
- Configure Ethernet 1/0/3 as the mirroring destination port.
II. Network diagram

Figure 1-3 Network diagram for local port mirroring
III. Configuration procedure
Configure Switch C:
# Create a local mirroring group.
<Sysname> system-view
[Sysname] mirroring-group 1 local
# Configure the source ports and destination port for the local mirroring group.
[Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 both
[Sysname] mirroring-group 1 monitor-port Ethernet 1/0/3
# Display configuration information about local mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        Ethernet1/0/1  both
        Ethernet1/0/2  both
    monitor port: Ethernet1/0/3
After the configurations, you can monitor
all packets received on and sent from the R&D department and the marketing
department on the data detection device.
I. Network requirements
The departments of a company connect to
each other through S3100 Ethernet switches:
- Switch A, Switch B, and Switch C are S3100 series switches.
- Department 1 is connected to Ethernet 1/0/1 of Switch A.
- Department 2 is connected to Ethernet 1/0/2 of Switch A.
- Ethernet 1/0/3 of Switch A connects to Ethernet 1/0/1 of Switch B.
- Ethernet 1/0/2 of Switch B connects to Ethernet 1/0/1 of Switch C.
- The data detection device is connected to Ethernet 1/0/2 of Switch C.
The administrator wants to monitor the
packets sent from Department 1 and 2 through the data detection device.
Use the remote port mirroring function to
meet the requirement. Perform the following configurations:
- Use Switch A as the source switch, Switch B as the intermediate switch, and Switch C as the destination switch.
- On Switch A, create a remote source mirroring group, configure VLAN 10 as the remote-probe VLAN, ports Ethernet 1/0/1 and Ethernet 1/0/2 as the source ports, and port Ethernet 1/0/4 as the reflector port.
- On Switch B, configure VLAN 10 as the remote-probe VLAN.
- Configure Ethernet 1/0/3 of Switch A, Ethernet 1/0/1 and Ethernet 1/0/2 of Switch B, and Ethernet 1/0/1 of Switch C as trunk ports, allowing packets of VLAN 10 to pass.
- On Switch C, create a remote destination mirroring group, configure VLAN 10 as the remote-probe VLAN, and configure Ethernet 1/0/2 connected with the data detection device as the destination port.
II. Network diagram

Figure 1-4 Network diagram for remote port mirroring
III. Configuration procedure
1) Configure the source switch (Switch A)
# Create remote source mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-source
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring group.
[Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 inbound
[Sysname] mirroring-group 1 reflector-port Ethernet 1/0/4
[Sysname] mirroring-group 1 remote-probe vlan 10
# Configure Ethernet 1/0/3 as trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] port link-type trunk
[Sysname-Ethernet1/0/3] port trunk permit vlan 10
[Sysname-Ethernet1/0/3] quit
# Display configuration information about remote source mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
    type: remote-source
    status: active
    mirroring port:
        Ethernet1/0/1  inbound
        Ethernet1/0/2  inbound
    reflector port: Ethernet1/0/4
    remote-probe vlan: 10
2) Configure the intermediate switch (Switch B)
# Configure VLAN 10 as the remote-probe VLAN.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure Ethernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk permit vlan 10
[Sysname-Ethernet1/0/1] quit
# Configure Ethernet 1/0/2 as the trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] port link-type trunk
[Sysname-Ethernet1/0/2] port trunk permit vlan 10
3) Configure the destination switch (Switch C)
# Create remote destination mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-destination
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
[Sysname] mirroring-group 1 monitor-port Ethernet 1/0/2
[Sysname] mirroring-group 1 remote-probe vlan 10
# Configure Ethernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk permit vlan 10
[Sysname-Ethernet1/0/1] quit
# Display configuration information about remote destination mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
    type: remote-destination
    status: active
    monitor port: Ethernet1/0/2
    remote-probe vlan: 10
After the configurations, you can monitor
all packets sent from Department 1 and 2 on the data detection device.
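
Several remote mirroring rules in this guide can be checked before the commands are applied: the remote-probe VLAN must not be the default VLAN, every inter-switch port must be a trunk permitting that VLAN, and no inter-switch port may be a mirroring source. The following is an added example, not part of the H3C manual; the function names, the input layout and the assumption that the default VLAN is 1 are illustrative.

```python
# Added example. Assumes prompt-free commands, numeric permit lists, default VLAN 1.
def parse_switch(commands):
    """Fold one switch's commands into the facts the checks below need."""
    sw = {"probe": set(), "trunk": set(), "permit": {}, "sources": set(), "vlan": None}
    view = None                                   # VLAN ID or port name of the current view
    for cmd in commands:
        t = cmd.split()
        if t[0] == "vlan":
            view = int(t[1])
        elif t[0] == "interface":
            view = t[1] + t[2]                    # "Ethernet 1/0/3" -> "Ethernet1/0/3"
        elif t[0] == "quit":
            view = None
        elif cmd == "remote-probe vlan enable":
            sw["probe"].add(view)
        elif cmd == "port link-type trunk":
            sw["trunk"].add(view)
        elif t[:4] == ["port", "trunk", "permit", "vlan"]:
            sw["permit"].setdefault(view, set()).update(int(v) for v in t[4:])
        elif t[0] == "mirroring-group" and t[2] == "mirroring-port":
            ports = t[3:-1]                       # the last token is the direction
            sw["sources"].update(a + b for a, b in zip(ports[::2], ports[1::2]))
        elif t[0] == "mirroring-group" and t[2:4] == ["remote-probe", "vlan"]:
            sw["vlan"] = int(t[4])
    return sw

def check_path(switches, links, default_vlan=1):
    """switches: {name: [commands]}; links: [(name, port)] for every inter-switch port."""
    facts = {name: parse_switch(cmds) for name, cmds in switches.items()}
    vlans = {f["vlan"] for f in facts.values() if f["vlan"] is not None}
    if len(vlans) != 1:
        return [f"mirroring groups do not agree on one remote-probe VLAN: {sorted(vlans)}"]
    vlan = vlans.pop()
    problems = [f"VLAN {vlan} is the default VLAN"] if vlan == default_vlan else []
    for name, f in facts.items():
        if vlan not in f["probe"]:
            problems.append(f"{name}: VLAN {vlan} is not enabled as a remote-probe VLAN")
    for name, port in links:
        if port not in facts[name]["trunk"] or vlan not in facts[name]["permit"].get(port, ()):
            problems.append(f"{name} {port}: not a trunk port permitting VLAN {vlan}")
        if port in facts[name]["sources"]:
            problems.append(f"{name} {port}: inter-switch port is a mirroring source")
    return problems

# Constructed input: Switch A/B/C commands as in the example above, ";"-separated.
PROBE = "vlan 10;remote-probe vlan enable;quit;"
TRUNK = "interface Ethernet {};port link-type trunk;port trunk permit vlan 10;quit"
EXAMPLE = {
    "A": (PROBE + "mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 inbound;"
          "mirroring-group 1 remote-probe vlan 10;" + TRUNK.format("1/0/3")).split(";"),
    "B": (PROBE + TRUNK.format("1/0/1") + ";" + TRUNK.format("1/0/2")).split(";"),
    "C": (PROBE + "mirroring-group 1 remote-probe vlan 10;" + TRUNK.format("1/0/1")).split(";"),
}
LINKS = [("A", "Ethernet1/0/3"), ("B", "Ethernet1/0/1"), ("B", "Ethernet1/0/2"), ("C", "Ethernet1/0/1")]
```

check_path(EXAMPLE, LINKS) returns an empty list for the Switch A/B/C configuration; dropping a permit command on Switch B or listing a source port as an inter-switch link produces a finding per port.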