When configuring mirroring, go to these sections for information you are interested in:
• Mirroring Overview
• Mirroring Configuration
• Displaying and Maintaining Port Mirroring
• Mirroring Configuration Examples
Mirroring duplicates packets from one port to another port that is connected to a data monitoring device, for network monitoring and diagnosis.
The port where packets are duplicated is called the source mirroring port or monitored port, and the port to which duplicated packets are sent is called the destination mirroring port or the monitor port, as shown in the following figure.

Figure 1-1 Mirroring
The S5600 series Ethernet switches support three types of port mirroring:
• Local Port Mirroring
• Remote Port Mirroring
• Traffic Mirroring
They are described in the following sections.
In local port mirroring, packets passing
through one or more source ports of a device are copied to the destination port
on the same device for packet analysis and monitoring. In this case, the source
ports and the destination port must be located on the same device.
Remote port mirroring does not require the
source and destination ports to be on the same device. The source and destination
ports can be located on multiple devices across the network. This allows an administrator
to monitor traffic on remote devices conveniently.
To implement remote port mirroring, a special
VLAN, called remote-probe VLAN, is used. All mirrored packets are sent from the
reflector port of the source switch to the monitor port on the destination
switch through the remote-probe VLAN. Figure 1-2 illustrates the implementation of
remote port mirroring.

Figure 1-2 Remote port mirroring application
The switches involved in remote port mirroring function as follows:
• Source switch
The source switch is the device where the monitored port is located. It copies traffic passing through the monitored port to the reflector port. The reflector port then transmits the traffic to an intermediate switch (if any) or destination switch through the remote-probe VLAN.
• Intermediate switch
Intermediate switches are switches between the source switch and destination switch on the network. An intermediate switch forwards mirrored traffic flows to the next intermediate switch or the destination switch through the remote-probe VLAN. No intermediate switch is present if the source and destination switches directly connect to each other.
• Destination switch
The destination switch is where the monitor port is located. The destination switch forwards the mirrored traffic flows it received from the remote-probe VLAN to the monitoring device through the destination port.
Table 1-1 describes how the ports on various switches are involved in the mirroring operation.
Table 1-1 Ports involved in the mirroring operation
| Switch | Ports involved | Function |
|---|---|---|
| Source switch | Source port | Port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port. |
| Source switch | Reflector port | Receives packets from the source port and broadcasts the packets in the remote-probe VLAN. |
| Source switch | Trunk port | Sends mirrored packets to the intermediate switch or the destination switch. |
| Intermediate switch | Trunk port | Sends mirrored packets to the destination switch. Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side. |
| Destination switch | Trunk port | Receives remote mirrored packets. |
| Destination switch | Destination port | Receives packets forwarded from the trunk port and transmits the packets to the data detection device. |
Caution:
• Do not configure a default VLAN, a management VLAN, or a dynamic VLAN as the remote-probe VLAN.
• Configure all ports connecting the devices in the remote-probe VLAN as trunk ports, and ensure the Layer 2 connectivity from the source switch to the destination switch over the remote-probe VLAN.
• Do not configure a Layer 3 interface for the remote-probe VLAN, run other protocol packets, or carry other service packets on the remote-probe VLAN, and do not use the remote-probe VLAN as the voice VLAN or protocol VLAN; otherwise, remote port mirroring may be affected.
Traffic mirroring uses ACLs to monitor traffic that matches certain criteria on a specific port. Unlike port mirroring, where all inbound/outbound traffic passing through a port is monitored, traffic mirroring provides a finer monitoring granularity. For detailed configuration of traffic mirroring, refer to QoS-QoS Profile Operation.
1.2 Mirroring Configuration
Complete the following tasks to configure mirroring:
• On an S5600 series Ethernet switch, only one destination port for local port mirroring or one reflector port for remote port mirroring can be configured, and the two kinds of ports cannot both exist.
• When you mirror packets sent by ports on an expansion module, the packets from a port on the front panel to the expansion module cannot be mirrored if the monitor port is not on the expansion module. Refer to the installation manual for the introduction to the front panel and expansion module.
I. Configuration prerequisites
• The source port is determined and the direction in which the packets are to be mirrored is determined.
• The destination port is determined.
II. Configuration procedure
Follow these steps to configure port mirroring:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Configure the source port for the port mirroring group, in system view | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Use either approach. You can configure multiple source ports at a time in system view, or you can configure the source port in specific port view. The configurations in the two views have the same effect. |
| Configure the source port for the port mirroring group, in port view | interface interface-type interface-number | |
| | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | |
| | quit | |
| Configure the destination port for the port mirroring group, in system view | mirroring-group group-id monitor-port monitor-port-id | Use either approach. The configurations in the two views have the same effect. |
| Configure the destination port for the port mirroring group, in port view | interface interface-type interface-number | |
| | mirroring-group group-id monitor-port | |
When configuring local port mirroring, note that:
• You need to configure the source and destination ports for the local port mirroring to take effect.
• The source port and the destination port cannot be a fabric port or a member port of an existing mirroring group; besides, the destination port cannot be a member port of an aggregation group or a port enabled with LACP or STP.
1.2.2 Configuring Remote Port Mirroring
An S5600 series Ethernet switch can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment.
I. Configuration on a switch acting as a source switch
1) Configuration prerequisites
• The source port, the reflector port, and the remote-probe VLAN are determined.
• Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
• The direction of the packets to be monitored is determined.
2) Configuration procedure
Follow these steps to perform configurations on the source switch:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter the VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN. |
| Configure the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required |
| Return to system view | quit | — |
| Enter the view of the Ethernet port that connects to the intermediate switch or destination switch | interface interface-type interface-number | — |
| Configure the current port as trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure the trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required |
| Return to system view | quit | — |
| Create a remote source mirroring group | mirroring-group group-id remote-source | Required |
| Configure source port(s) for the remote source mirroring group | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Required |
| Configure the reflector port for the remote source mirroring group | mirroring-group group-id reflector-port reflector-port | Required |
| Configure the remote-probe VLAN for the remote source mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
When configuring the source switch, note that:
• All ports of a remote source mirroring group are on the same device. Each remote source mirroring group can be configured with only one reflector port.
• The reflector port cannot be a member port of an existing mirroring group, a fabric port, a member port of an aggregation group, or a port enabled with LACP or STP. It must be an access port and cannot be configured with functions like VLAN-VPN, port loopback detection, packet filtering, QoS, port security, and so on.
• You cannot modify the duplex mode, port rate, and MDI attribute of a reflector port.
• Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group becomes invalid if the corresponding remote port mirroring VLAN is removed.
• Do not configure a port connecting the intermediate switch or destination switch as the mirroring source port. Otherwise, traffic disorder may occur in the network.
1) Configuration prerequisites
• The trunk ports and the remote-probe VLAN are determined.
• Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
2) Configuration procedure
Follow these steps to perform configurations on the intermediate switch:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN. |
| Configure the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required |
| Return to system view | quit | — |
| Enter the view of the Ethernet port connecting to the source switch, destination switch or other intermediate switch | interface interface-type interface-number | — |
| Configure the current port as trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure the trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required |
Note that an S5600 series Ethernet switch
acting as the intermediate switch in remote port mirroring networking does not
support bidirectional packet mirroring (the both keyword).
1) Configuration prerequisites
• The destination port and the remote-probe VLAN are determined.
• Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
2) Configuration procedure
Follow these steps to configure remote port mirroring on the destination switch:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN. |
| Configure the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Return to system view | quit | — |
| Enter the view of the Ethernet port connecting to the source switch or an intermediate switch | interface interface-type interface-number | — |
| Configure the current port as trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required |
| Return to system view | quit | — |
| Create a remote destination mirroring group | mirroring-group group-id remote-destination | Required |
| Configure the destination port for the remote destination mirroring group | mirroring-group group-id monitor-port monitor-port | Required |
| Configure the remote-probe VLAN for the remote destination mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
When configuring a destination switch, note that:
• An S5600 series Ethernet switch acting as the destination switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword).
• The destination port of remote port mirroring cannot be a member port of an existing mirroring group, a fabric port, a member port of an aggregation group, or a port enabled with LACP or STP.
• Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group becomes invalid if the corresponding remote port mirroring VLAN is removed.
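A pre-deployment check of the rules stated in the Caution list and in the source switch notes above, written as an added Python example (it is not code from the switch documentation). The plan dictionary layout, the function name, and the default, management and static VLAN values are assumptions made for illustration.

```python
import copy


def check_remote_mirroring_plan(plan):
    """Return the list of rule violations; an empty list means the plan passes."""
    errors = []
    vlan = plan["remote_probe_vlan"]
    # Caution list: no default, management or dynamic VLAN as the remote-probe VLAN.
    if vlan == plan["default_vlan"]:
        errors.append(f"VLAN {vlan} is the default VLAN")
    if vlan == plan["management_vlan"]:
        errors.append(f"VLAN {vlan} is the management VLAN")
    if vlan not in plan["static_vlans"]:
        errors.append(f"VLAN {vlan} is not an existing static VLAN")

    # Source switch notes: the reflector is an access port outside the source list.
    sources, reflector = plan["source_ports"], plan["reflector_port"]
    if reflector["name"] in sources:
        errors.append(f"reflector {reflector['name']} is also a source port")
    if reflector["link_type"] != "access":
        errors.append(f"reflector {reflector['name']} is not an access port")

    # Every inter-switch port on the path must be a trunk permitting the VLAN,
    # and an uplink of the source switch must never be mirrored itself.
    for switch, port, link_type, permitted in plan["path_ports"]:
        if link_type != "trunk" or vlan not in permitted:
            errors.append(f"{switch} {port} does not trunk VLAN {vlan}")
        if switch == plan["source_switch"] and port in sources:
            errors.append(f"{switch} {port} is an uplink and a source port")
    return errors


# The Switch A / B / C example from this page. default_vlan, management_vlan and
# static_vlans are constructed values; the page does not state them.
PAGE_PLAN = {
    "remote_probe_vlan": 10, "default_vlan": 1, "management_vlan": 100,
    "static_vlans": {1, 10, 100},
    "source_switch": "Switch A",
    "source_ports": {"GigabitEthernet1/0/1": "inbound", "GigabitEthernet1/0/2": "inbound"},
    "reflector_port": {"name": "GigabitEthernet1/0/4", "link_type": "access"},
    "path_ports": [
        ("Switch A", "GigabitEthernet1/0/3", "trunk", {10}),
        ("Switch B", "GigabitEthernet1/0/1", "trunk", {10}),
        ("Switch B", "GigabitEthernet1/0/2", "trunk", {10}),
        ("Switch C", "GigabitEthernet1/0/1", "trunk", {10}),
    ],
}

# Constructed broken variant: VLAN 10 doubles as the management VLAN, the uplink
# is mirrored, and Switch B's second port was left as an access port.
BROKEN_PLAN = copy.deepcopy(PAGE_PLAN)
BROKEN_PLAN["management_vlan"] = 10
BROKEN_PLAN["source_ports"]["GigabitEthernet1/0/3"] = "inbound"
BROKEN_PLAN["path_ports"][2] = ("Switch B", "GigabitEthernet1/0/2", "access", set())

if __name__ == "__main__":
    for problem in check_remote_mirroring_plan(BROKEN_PLAN):
        print(problem)
```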
| To do… | Use the command… | Remarks |
|---|---|---|
| Display port mirroring configuration | display mirroring-group { group-id \| all \| local \| remote-destination \| remote-source } | Available in any view |
I. Network requirements
The departments of a company connect to each other through S5600 Ethernet switches:
• Research and Development (R&D) department is connected to Switch C through GigabitEthernet 1/0/1.
• Marketing department is connected to Switch C through GigabitEthernet 1/0/2.
• Data detection device is connected to Switch C through GigabitEthernet 1/0/3.
The administrator wants to monitor the packets received on and sent from the R&D department and the marketing department through the data detection device.
Use the local port mirroring function to meet the requirement. Perform the following configurations on Switch C.
• Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring source ports.
• Configure GigabitEthernet 1/0/3 as the mirroring destination port.
II. Network diagram

Figure 1-3 Network diagram for local port mirroring
III. Configuration procedure
Configure Switch C:
# Create a local mirroring group.
<Sysname> system-view
[Sysname] mirroring-group 1 local
# Configure the source ports and destination port for the local mirroring group.
[Sysname] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 both
[Sysname] mirroring-group 1 monitor-port GigabitEthernet 1/0/3
# Display configuration information about local mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        GigabitEthernet1/0/1 both
        GigabitEthernet1/0/2 both
    monitor port: GigabitEthernet1/0/3
After the configurations, you can monitor
all packets received on and sent from the R&D department and the marketing
department on the data detection device.
I. Network requirements
The departments of a company connect to each other through S5600 Ethernet switches:
• Switch A, Switch B, and Switch C are S5600 series switches.
• Department 1 is connected to GigabitEthernet 1/0/1 of Switch A.
• Department 2 is connected to GigabitEthernet 1/0/2 of Switch A.
• GigabitEthernet 1/0/3 of Switch A connects to GigabitEthernet 1/0/1 of Switch B.
• GigabitEthernet 1/0/2 of Switch B connects to GigabitEthernet 1/0/1 of Switch C.
• The data detection device is connected to GigabitEthernet 1/0/2 of Switch C.
The administrator wants to monitor the packets sent from Department 1 and 2 through the data detection device.
Use the remote port mirroring function to meet the requirement. Perform the following configurations:
• Use Switch A as the source switch, Switch B as the intermediate switch, and Switch C as the destination switch.
• On Switch A, create a remote source mirroring group, configure VLAN 10 as the remote-probe VLAN, ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as the source ports, and port GigabitEthernet 1/0/4 as the reflector port.
• On Switch B, configure VLAN 10 as the remote-probe VLAN.
• Configure GigabitEthernet 1/0/3 of Switch A, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch B, and GigabitEthernet 1/0/1 of Switch C as trunk ports, allowing packets of VLAN 10 to pass.
• On Switch C, create a remote destination mirroring group, configure VLAN 10 as the remote-probe VLAN, and configure GigabitEthernet 1/0/2 connected with the data detection device as the destination port.
II. Network diagram

Figure 1-4 Network diagram for remote port mirroring
III. Configuration procedure
1) Configure the source switch (Switch A)
# Create remote source mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-source
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring group.
[Sysname] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 inbound
[Sysname] mirroring-group 1 reflector-port GigabitEthernet 1/0/4
[Sysname] mirroring-group 1 remote-probe vlan 10
# Configure GigabitEthernet 1/0/3 as trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface GigabitEthernet 1/0/3
[Sysname-GigabitEthernet1/0/3] port link-type trunk
[Sysname-GigabitEthernet1/0/3] port trunk permit vlan 10
[Sysname-GigabitEthernet1/0/3] quit
# Display configuration information about remote source mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
    type: remote-source
    status: active
    mirroring port:
        GigabitEthernet1/0/1 inbound
        GigabitEthernet1/0/2 inbound
    reflector port: GigabitEthernet1/0/4
    remote-probe vlan: 10
2) Configure the intermediate switch (Switch B)
# Configure VLAN 10 as the remote-probe VLAN.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure GigabitEthernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] port trunk permit vlan 10
[Sysname-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as the trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port link-type trunk
[Sysname-GigabitEthernet1/0/2] port trunk permit vlan 10
3) Configure the destination switch (Switch C)
# Create remote destination mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-destination
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
[Sysname] mirroring-group 1 monitor-port GigabitEthernet 1/0/2
[Sysname] mirroring-group 1 remote-probe vlan 10
# Configure GigabitEthernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type trunk
[Sysname-GigabitEthernet1/0/1] port trunk permit vlan 10
[Sysname-GigabitEthernet1/0/1] quit
# Display configuration information about remote destination mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
    type: remote-destination
    status: active
    monitor port: GigabitEthernet1/0/2
    remote-probe vlan: 10
After the configurations, you can monitor
all packets sent from Department 1 and 2 on the data detection device.
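An added example, not part of the original manual: a Python parser for the display mirroring-group output shown in the configuration examples, compared against an approved baseline so that an unexpected source port or monitor port stands out. The function names and the drifted output are constructed for illustration; the approved sample reuses the local mirroring output from this page.

```python
import re

GROUP_RE = re.compile(r"^mirroring-group (\d+):$")
PORT_RE = re.compile(r"^(\S+)\s+(both|inbound|outbound)$")
FIELDS = ("type", "monitor port", "reflector port", "remote-probe vlan")

def parse_mirroring_groups(text):
    """Parse `display mirroring-group` output into {group_id: fields}."""
    groups, cur, in_sources = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        header, port = GROUP_RE.match(line), PORT_RE.match(line)
        if header:
            cur = groups.setdefault(int(header.group(1)), {"sources": {}})
            in_sources = False
        elif cur is None:
            continue  # prompt or banner text before the first group
        elif in_sources and port:
            cur["sources"][port.group(1)] = port.group(2)
        elif ":" in line:
            key, _, value = line.partition(":")
            in_sources = key == "mirroring port"  # source ports follow this key
            if not in_sources:
                cur[key] = value.strip()
    return groups

def audit(observed, approved):
    """List every difference between device state and the approved baseline."""
    findings = []
    for gid, group in sorted(observed.items()):
        want = approved.get(gid)
        if want is None:
            findings.append(f"group {gid}: not in baseline")
            continue
        for field in FIELDS:
            if group.get(field) != want.get(field):
                findings.append(f"group {gid}: {field} is {group.get(field)}, approved {want.get(field)}")
        for port, direction in sorted(group["sources"].items()):
            if want["sources"].get(port) != direction:
                findings.append(f"group {gid}: unapproved source {port} {direction}")
        for port in sorted(set(want["sources"]) - set(group["sources"])):
            findings.append(f"group {gid}: source {port} no longer mirrored")
    findings += [f"group {gid}: missing on device" for gid in sorted(set(approved) - set(observed))]
    return findings

# Approved state: the local mirroring group output from this page.
APPROVED = """mirroring-group 1:
    type: local
    status: active
    mirroring port:
        GigabitEthernet1/0/1 both
        GigabitEthernet1/0/2 both
    monitor port: GigabitEthernet1/0/3
"""
# Constructed drift: one extra source port and a different monitor port.
OBSERVED = (APPROVED.replace("1/0/3", "1/0/24")
            .replace("    monitor", "        GigabitEthernet1/0/5 both\n    monitor"))

if __name__ == "__main__":
    print("\n".join(audit(parse_mirroring_groups(OBSERVED), parse_mirroring_groups(APPROVED))))
```

Feed it the text of display mirroring-group all collected from each switch and keep one baseline per device.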