Mirroring refers to the process of copying
packets that meet the specified rules to a destination port. Generally, a destination
port is connected to a data detect device, which users can use to analyze the mirrored
packets for monitoring and troubleshooting the network.

Figure 1-1 Mirroring

Traffic mirroring refers to the process of copying traffic flows that match specific ACLs to the specified destination port for packet analysis and monitoring. Before configuring traffic mirroring, you need to define the ACLs required for flow identification.

Port mirroring refers to the process of copying the packets received or sent by the specified port to the destination port.

Caution: When you mirror packets sent by ports on an expansion module, the packets from a port on the front panel to the expansion module cannot be mirrored if the monitor port is not on the expansion module. Refer to the installation manual for the introduction to the front panel and expansion module.

Remote switched port analyzer (RSPAN) refers to remote port mirroring. It eliminates the limitation that the source port and the destination port must be located on the same switch. With this feature, the source port and the destination port can be located on different devices across the network, which makes it easier for the network administrator to manage remote switches.

The application of RSPAN is illustrated in the following figure:

Figure 1-2 RSPAN application

There are three types of switches with RSPAN enabled.

- Source switch: The switch on which the monitored port resides. Through Layer 2 forwarding, it sends the traffic to be mirrored to an intermediate switch or the destination switch over the remote-probe VLAN.
- Intermediate switch: A switch between the source switch and the destination switch on the network. An intermediate switch forwards mirrored traffic flows to the next intermediate switch or the destination switch. If the source and destination switches are directly connected, no intermediate switch is present.
- Destination switch: The switch on which the remote mirroring destination port resides. It forwards the mirrored traffic flows it receives from the remote-probe VLAN to the monitoring device through the destination port.

Table 1-1 describes how the ports on various switches are involved in the mirroring operation.

Table 1-1 Ports involved in the mirroring operation

| Switch | Ports involved | Function |
|---|---|---|
| Source switch | Source port | Port monitored. It copies user data packets to the specified reflector port through local port mirroring. There can be more than one source port. |
| Source switch | Reflector port | Receives user data packets that are mirrored on a local port. |
| Source switch | Trunk port | Sends mirrored packets to the intermediate switch or the destination switch. |
| Intermediate switch | Trunk port | Sends mirrored packets to the destination switch. Two Trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side. |
| Destination switch | Trunk port | Receives remote mirrored packets. |
| Destination switch | Destination port | Monitors remote mirrored packets. |

To implement remote port mirroring, you need to define a special VLAN, called the remote-probe VLAN, on a switch. All mirrored packets are transferred from the source switch to the destination ports of the destination switch through this VLAN, so the destination switch can monitor the packets sent from the ports of the source switch. The remote-probe VLAN requires that:

- All ports connecting the devices in the remote-probe VLAN are configured as trunk ports.
- The default VLAN and the management VLAN cannot be configured as the remote-probe VLAN.
- Layer 2 interoperability must be ensured by configuration between the source and destination switches over the remote-probe VLAN.

Caution: To ensure normal packet mirroring, it is not recommended to perform any of the following operations on the remote-probe VLAN:

- Configuring a source port to the remote-probe VLAN that is used by the local mirroring group;
- Configuring a Layer 3 interface for the remote-probe VLAN;
- Configuring the remote-probe VLAN to run other protocol packets or carry other service packets;
- Using the remote-probe VLAN as a special type of VLAN, such as a voice VLAN or protocol VLAN;
- Configuring other VLAN-related functions.

1.2 Mirroring Functions Supported by S5600

Table 1-2 Mirroring functions supported by S5600 and related command

For mirroring features, see section 1.1 “Mirroring Overview”.

I. Configuration prerequisites

- ACLs for identifying traffic have been defined. For defining ACLs, see the description in the ACL module of this manual.
- The destination port is determined.
- The port to be configured with the traffic mirroring function and the direction of the traffic flow to be mirrored are determined.

II. Configuration procedure

Table 1-3 Configure traffic mirroring

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view of the determined destination port | interface interface-type interface-number | — |
| Define the current port as the destination port | monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Exit current view | quit | — |
| Enter Ethernet port view of traffic mirroring configuration | interface interface-type interface-number | — |
| Invoke ACLs for identifying traffic flows and perform traffic mirroring for the packets matching the ACLs. | mirrored-to inbound acl-rule { monitor-interface \| cpu } | Required |
| Display the parameter settings of traffic mirroring | display qos-interface { interface-type interface-number \| unit-id } mirrored-to | Optional. These commands can be executed in any view. |
| Display all QoS settings of a port | display qos-interface { interface-type interface-number \| unit-id } all | Optional. These commands can be executed in any view. |

acl-rule: applied ACL rules, which can be the combination of different types of ACL sub-rules. The following table describes the combined-ACL applications.

Table 1-4 Combined-ACL applications

| Combination mode | Form of acl-rule |
|---|---|
| Apply all sub-rules in an IP type ACL (either a basic or an advanced ACL) separately | ip-group acl-number |
| Apply one sub-rule in an IP type ACL separately | ip-group acl-number rule rule-id |
| Apply all sub-rules in a Layer 2 ACL separately | link-group acl-number |
| Apply one sub-rule in a Layer 2 ACL separately | link-group acl-number rule rule-id |
| Apply one sub-rule in a user-defined ACL separately | user-group acl-number |
| Apply all sub-rules in a user-defined ACL separately | user-group acl-number rule rule-id |
| Apply one sub-rule in an IP type ACL and one sub-rule in a Layer 2 ACL simultaneously | ip-group acl-number rule rule-id link-group acl-number rule rule-id |

III. Configuration example

1) Network requirements:

- GigabitEthernet 1/0/1 on the switch is connected to the 10.1.1.1/24 network segment.
- The packets from the 10.1.1.1/24 network segment are to be mirrored to the destination port GigabitEthernet 1/0/4.

2) Configuration procedure:

    <H3C> system-view
    [H3C] acl number 2000
    [H3C-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255
    [H3C-acl-basic-2000] rule deny source any
    [H3C-acl-basic-2000] quit
    [H3C] interface gigabitEthernet 1/0/4
    [H3C-GigabitEthernet1/0/4] monitor-port
    [H3C-GigabitEthernet1/0/4] quit
    [H3C] interface gigabitEthernet 1/0/1
    [H3C-GigabitEthernet1/0/1] mirrored-to inbound ip-group 2000 monitor-interface

I. Configuration prerequisites

- The source port is determined, and whether the packets to be mirrored are inbound, outbound, or both is specified. Inbound means mirroring only the packets received by the port; outbound means mirroring only the packets sent by the port; both means mirroring the packets received and sent by the port.
- The destination port is determined.
- The mirroring group number is determined.

II. Configuring port mirroring in Ethernet port view

Table 1-5 Configure port mirroring in Ethernet port view (1)

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Enter Ethernet port view of the determined destination port | interface interface-type interface-number | — |
| Define the current port as the destination port | monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Exit current view | quit | — |
| Enter Ethernet port view of the determined source port | interface interface-type interface-number | — |
| Define the current port as the source port and specify the direction of the packets to be mirrored | mirroring-port { inbound \| outbound \| both } | Required |
| Display the mirroring parameter settings | display mirroring-group { all \| local } | Optional. This command can be executed in any view. |

If you specify the destination port and source port in Ethernet port view without creating a port mirroring group, mirroring group 1 will be created automatically.

Table 1-6 Configure port mirroring in Ethernet port view (2)

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Enter Ethernet port view of the determined destination port | interface interface-type interface-number | — |
| Define the current port as the destination port | mirroring-group group-id monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Exit current view | quit | — |
| Enter Ethernet port view of the determined source port | interface interface-type interface-number | — |
| Define the current port as the source port and specify the direction of the packets to be mirrored | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | Required |
| Display the mirroring parameter settings | display mirroring-group { all \| local } | Required. This command can be executed in any view. |

III. Configuring port mirroring in system view

Table 1-7 Configure port mirroring in system view

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Define the determined destination port | mirroring-group group-id monitor-port monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Define the determined source port and specify the direction of the packets to be mirrored | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Required |
| Display the mirroring parameter settings | display mirroring-group { all \| local } | Optional. This command can be executed in any view. |

- The configurations listed in Table 1-5 do not involve specifying a mirroring group. Therefore, the mirroring settings made this way in Ethernet port view apply to mirroring group 1 only.
- The configurations listed in Table 1-6 can be used to add mirroring settings for any defined mirroring group in Ethernet port view.
- The configurations listed in Table 1-7 are performed in system view. Therefore, the mirroring group ID and port number must be specified.

IV. Configuration Example

- The source port is GigabitEthernet 1/0/1. All packets received and sent by this port are to be mirrored.
- The destination port is GigabitEthernet 1/0/4.

1) Configuration procedure 1:

    <H3C> system-view
    [H3C] mirroring-group 1 local
    [H3C] interface gigabitEthernet 1/0/4
    [H3C-GigabitEthernet1/0/4] monitor-port
    [H3C-GigabitEthernet1/0/4] quit
    [H3C] interface gigabitEthernet 1/0/1
    [H3C-GigabitEthernet1/0/1] mirroring-port both

2) Configuration procedure 2:

    <H3C> system-view
    [H3C] mirroring-group 1 local
    [H3C] interface GigabitEthernet 1/0/4
    [H3C-GigabitEthernet1/0/4] mirroring-group 1 monitor-port
    [H3C-GigabitEthernet1/0/4] quit
    [H3C] interface GigabitEthernet 1/0/1
    [H3C-GigabitEthernet1/0/1] mirroring-group 1 mirroring-port both

3) Configuration procedure 3:

    <H3C> system-view
    [H3C] mirroring-group 1 local
    [H3C] mirroring-group 1 monitor-port GigabitEthernet 1/0/4
    [H3C] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 both

1.3.3 Configuring RSPAN

I. Configuration prerequisites

- The source switch, intermediate switch, and the destination switch are determined.
- The source port, the reflector port, the destination port, and the remote-probe VLAN are determined.
- Layer 2 interoperability is ensured by configuration between the source and destination switches over the remote-probe VLAN.
- The direction of the packets to be monitored is determined.
- The remote-probe VLAN is enabled.

Table 1-8 Configure RSPAN on the source switch

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter the VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN to be defined. |
| Define the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required |
| Exit the current view | quit | — |
| Enter the port view of the port that connects to the intermediate switch or destination switch | interface interface-type interface-number | — |
| Configure the current port as Trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This setting is required for the source switch port that connects to the intermediate switch or destination switch. |
| Exit current view | quit | — |
| Configure a remote source mirroring group | mirroring-group group-id remote-source | Required |
| Configure a source port for remote mirroring | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Required |
| Configure a remote reflector port | mirroring-group group-id reflector-port reflector-port | Required. The remote reflector port must be of the Access type. LACP and STP must be disabled on this port. After a port is configured as a reflector port, the switch does not allow you to perform any of the following configurations: changing the port type or its default VLAN ID; adding the port to another VLAN. |
| Configure the remote-probe VLAN for the remote source mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
| Display the configuration of the remote source mirroring group | display mirroring-group remote-source | Optional. This command can be executed in any view. |

- The reflector port cannot forward traffic as a normal port. It is therefore recommended that you use an idle port in the down state as the reflector port, and do not perform other configuration on this port.
- If the mac-address max-mac-count 0 command is executed on a port in a VLAN, it is recommended not to configure this VLAN as the remote-probe VLAN. Otherwise, remote mirroring may not work properly.
- Do not configure a port connecting the intermediate switch or destination switch as the mirroring source port. Otherwise, traffic disorder may occur in the network.

Table 1-9 Configure RSPAN on the intermediate switch

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN to be defined. |
| Define the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Exit the current view | quit | — |
| Enter Ethernet port view of the port connecting to the source switch, destination switch or other intermediate switch | interface interface-type interface-number | — |
| Configure the current port as Trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This configuration is necessary for ports on the intermediate switch that are connected to the source switch, the destination switch or other intermediate switch. |

Table 1-10 Configure RSPAN on the destination switch

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN to be defined. |
| Define the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Exit the current view | quit | — |
| Enter Ethernet port view of the port connecting to the source switch or an intermediate switch | interface interface-type interface-number | — |
| Configure the current port as Trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This configuration is necessary for ports through which the destination switch is connected to the source switch or an intermediate switch. |
| Exit the current view | quit | — |
| Configure a remote destination mirroring group | mirroring-group group-id remote-destination | Required |
| Configure the destination port for remote mirroring | mirroring-group group-id monitor-port monitor-port | Required. The destination port for remote mirroring must be of the Access type. LACP and STP must be disabled on this port. After you configure a port as the destination port for remote mirroring, the switch does not allow you to change the port type or its default VLAN ID. |
| Configure the remote-probe VLAN for the remote destination mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
| Display the configuration of the remote destination mirroring group | display mirroring-group remote-destination | Optional. This command can be executed in any view. |

If the mac-address max-mac-count 0 command is executed on a port in a VLAN, it is recommended not to configure this VLAN as the remote-probe VLAN. Otherwise, remote mirroring may not work properly.
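
The remote-probe VLAN requirements from the overview and the reflector-port restriction from the source-switch procedure can be checked before a change is typed into the switch. The following Python pre-check is an added example, not part of the manual: it replays a command script written with the commands from the RSPAN configuration tables and reports rule violations. It assumes that VLAN 1 is the default VLAN and that a Layer 3 interface is created with `interface Vlan-interface`; the function names and the sample script are constructed for illustration.

```python
import re
DEFAULT_VLAN = 1  # assumption: VLAN 1 is the switch's default VLAN

def norm(port):
    return port.replace(" ", "").lower()  # "GigabitEthernet 1/0/3" -> "gigabitethernet1/0/3"

# Constructed source-switch change script (not from the manual), two deliberate mistakes.
SAMPLE = """\
vlan 10
remote-probe vlan enable
quit
interface Vlan-interface 10
quit
interface GigabitEthernet 1/0/3
port link-type trunk
port trunk permit vlan 10
quit
mirroring-group 1 remote-source
mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 both
mirroring-group 1 reflector-port GigabitEthernet 1/0/3
mirroring-group 1 remote-probe vlan 10
"""

def audit_rspan(script, mgmt_vlan=None):
    """Replay typed commands and report violations of the remote-probe VLAN rules."""
    view, permits = None, {}  # view: None in system view, else ("vlan", id) or ("if", port)
    probe, l3, trunks, group_vlans, reflectors = (set() for _ in range(5))
    for cmd in map(str.strip, script.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", cmd):
            view = ("vlan", int(m[1]))
        elif m := re.fullmatch(r"interface (.+)", cmd):
            view = ("if", norm(m[1]))  # "Vlan-interface N" (assumed syntax) is a Layer 3 interface
            l3.update(map(int, re.findall(r"^vlan-interface(\d+)$", view[1])))
        elif cmd == "quit":
            view = None
        elif cmd == "remote-probe vlan enable" and view and view[0] == "vlan":
            probe.add(view[1])
        elif cmd == "port link-type trunk" and view and view[0] == "if":
            trunks.add(view[1])
        elif (m := re.fullmatch(r"port trunk permit vlan (.+)", cmd)) and view:
            # Only explicitly listed IDs are read; ranges and "all" are not expanded.
            permits.setdefault(view[1], set()).update(map(int, re.findall(r"\d+", m[1])))
        elif m := re.fullmatch(r"mirroring-group \d+ remote-probe vlan (\d+)", cmd):
            group_vlans.add(int(m[1]))
        elif m := re.fullmatch(r"mirroring-group \d+ reflector-port (.+)", cmd):
            reflectors.add(norm(m[1]))
    out = [f"{p}: reflector port must be of the Access type" for p in sorted(reflectors & trunks)]
    for vid in sorted(group_vlans):
        rules = {"not enabled as a remote-probe VLAN": vid not in probe,
                 "is the default or management VLAN": vid in (DEFAULT_VLAN, mgmt_vlan),
                 "has a Layer 3 interface": vid in l3,
                 "is permitted on no trunk port": not any(vid in permits.get(p, ()) for p in trunks)}
        out += [f"VLAN {vid}: {msg}" for msg, bad in rules.items() if bad]
    return out
```

Calling `audit_rspan(SAMPLE)` flags the reflector port that was also made a trunk and the Layer 3 interface on VLAN 10; an empty list means none of the checked rules is violated.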

V. Configuration example

1) Network requirements:

- Switch A is connected to the data detect device through GigabitEthernet 1/0/2.
- GigabitEthernet 1/0/1, the Trunk port of Switch A, is conn