Mirroring refers to the process of copying
packets that meet the specified rules to a destination port. Generally, a
destination port is connected to a data detect device, which users can use to
analyze the mirrored packets for monitoring and troubleshooting the network.

Figure 1-1 Mirroring
1.1.2 Port Mirroring
Port mirroring refers to the process of copying
the packets received or sent by the specified port to the specified local port.
Remote switched port analyzer (RSPAN) refers to remote port mirroring. It removes the limitation that the source port and the destination port must be located on the same switch. With RSPAN, the source port and the destination port can be located on different devices in the network, which makes it easier for the network administrator to manage remote switches.
The application of RSPAN is illustrated in
the following figure:

Figure 1-2 RSPAN application
There are three types of switches with RSPAN enabled.
- Source switch: The switch to which the monitored port belongs. The source switch copies the mirrored traffic flows to the remote-probe VLAN, and then through Layer 2 forwarding, the mirrored flows are sent to an intermediate switch or destination switch.
- Intermediate switch: Switches between the source switch and destination switch on the network. An intermediate switch forwards mirrored flows to the next intermediate switch or the destination switch. No intermediate switch is present if a direct connection exists between the source and destination switches.
- Destination switch: The switch to which the destination port for remote mirroring belongs. It forwards mirrored flows it received from the remote-probe VLAN to the monitoring device through the destination port.
When a switch acts as an intermediate switch or destination switch for remote mirroring, it is recommended that you configure redirection on the inbound interface so that mirroring succeeds: redirect all the packets in the remote-probe VLAN to the corresponding outbound interface (intermediate switch) or mirroring destination port (destination switch).
Table 1-1 describes how the ports on various switches are involved in the mirroring operation.
Table 1-1 Ports involved in the mirroring operation
| Switch | Ports involved | Function |
|---|---|---|
| Source switch | Source port | Port to be mirrored; copy user data packets to the specified reflector port through local port mirroring. There can be more than one source port. |
| Source switch | Reflector port | Receive user data packets that are mirrored on a local port. |
| Source switch | Trunk port | Send mirrored packets to the intermediate switch or the destination switch. |
| Intermediate switch | Trunk port | Send mirrored packets to the destination switch. Two Trunk ports are necessary for the intermediate switch to be connected to devices that are connected to the source switch and the destination switch. |
| Destination switch | Trunk port | Receive remote mirrored packets. |
| Destination switch | Destination port | Monitor remote mirrored packets |
To implement remote port mirroring, you need to define a special VLAN, called remote-probe VLAN, on all the three types of switches. In this VLAN, no normal data but only mirrored packets are transmitted. All mirrored packets will be transferred to the specified port of the destination switch from the source switch through this VLAN. Thus, the destination switch can monitor the port packets sent from the remote ports of the source switch. The remote-probe VLAN has the following requirements:
- It is recommended that you configure all ports connecting the devices in remote-probe VLAN to the trunk type.
- The default VLAN and management VLAN cannot be configured as remote-probe VLAN.
- Required configurations are performed to ensure Layer 2 connectivity between the source and destination switches over the remote-probe VLAN.
Caution:
To ensure normal packet mirroring, it is recommended that you do not perform any of the following operations on the remote-probe VLAN:
- Configuring a source port to the remote-probe VLAN that is used by the local mirroring group;
- Configuring a Layer 3 interface for the remote-probe VLAN;
- Running other protocol packets, or bearing other service packets;
- Using remote-probe VLAN as a special type of VLAN, such as voice VLAN or protocol VLAN;
- Configuring other VLAN-related functions.
Traffic mirroring maps traffic flows that
match specific ACLs to the specified local port for packet analysis and
monitoring. Before configuring traffic mirroring, you need to define ACLs
required for flow identification.
Remote traffic mirroring copies traffic flows that match specific ACLs to the reflector port of the specified mirroring group. Then, through the corresponding remote port mirroring configuration, the matching traffic flows are finally copied to the specified ports of other switches. As with local traffic mirroring, you first need to define the ACLs required for flow identification. In addition, you need to complete all configurations of remote port mirroring (except the configuration of the source port for mirroring).
Table 1-2 Mirroring functions supported by S7500 and related command
| Function | Specifications | Related command | Related section |
|---|---|---|---|
| Mirroring | Support port mirroring | mirroring-group; mirroring-group mirroring-port; mirroring-group monitor-port; monitor-port; mirroring-port | Section 1.3.1 “Configuring Port Mirroring” |
| Mirroring | Support remote port mirroring | mirroring-group; mirroring-group mirroring-port; mirroring-group monitor-port; mirroring-group reflector-port; mirroring-group remote-probe vlan; remote-probe vlan enable | Section 1.3.2 “Configuring RSPAN” |
| Mirroring | Support traffic mirroring | monitor-port; mirrored-to | Section 1.3.3 “Configuring Traffic Mirroring” |
| Mirroring | Support remote traffic mirroring | mirroring-group; mirroring-group monitor-port; mirroring-group reflector-port; mirroring-group remote-probe vlan; remote-probe vlan enable; mirrored-to inbound acl-rule [ system-index ] { interface interface-type interface-number reflector \| mirroring-group group-id } | Section 1.3.4 “Configuring Remote Traffic Mirroring” |
1.3 Mirroring Configuration
For mirroring features, see section 1.1 “Overview”.
I. Configuration prerequisites
- The source port is specified and whether the packets to be mirrored are inbound or outbound is specified.
- The destination port is specified.
II. Configuring port mirroring in Ethernet port view
Table 1-3 Configure port mirroring in Ethernet port view
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Enter Ethernet port view of the destination port | interface interface-type interface-number | — |
| Define the current port as the destination port | mirroring-group group-id monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Exit current view | quit | — |
| Enter Ethernet port view of the source port | interface interface-type interface-number | — |
| Configure the source port and specify the direction of the packets to be mirrored | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | Required |
| Display parameter settings of the mirroring | display mirroring-group { all \| local } | Required. This command can be executed in any view. |
III. Configuring port mirroring in system view
Table 1-4 Configure port mirroring in system view
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Configure the destination port | mirroring-group group-id monitor-port monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Configure the source port and specify the direction of the packets to be mirrored | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Required |
| Display parameter settings of the mirroring | display mirroring-group { all \| local } | Optional. This command can be executed in any view. |
IV. Configuration Example
- The source port is GigabitEthernet 1/0/1. Mirror all packets received and sent via this port.
- The destination port is GigabitEthernet 1/0/4.
1) Configuration procedure 1:
<H3C> system-view
[H3C] mirroring-group 1 local
[H3C] interface GigabitEthernet 1/0/4
[H3C-GigabitEthernet1/0/4] mirroring-group 1 monitor-port
[H3C-GigabitEthernet1/0/4] quit
[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] mirroring-group 1 mirroring-port both
2) Configuration procedure 2:
<H3C> system-view
[H3C] mirroring-group 1 local
[H3C] mirroring-group 1 monitor-port GigabitEthernet 1/0/4
[H3C] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 both
1.3.2 Configuring RSPAN
I. Configuration prerequisites
- The source switch, intermediate switch, and the destination switch have been determined.
- The source port, the reflector port, the destination port, and the remote-probe VLAN have been determined.
- Required configurations are performed to ensure Layer 2 connectivity between the source and destination switches over the remote-probe VLAN.
- The direction of the packets to be monitored has been determined.
- The remote-probe VLAN is enabled.
II. Configuring RSPAN on the source switch
Table 1-5 Configure RSPAN on the source switch
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter its VLAN view | vlan vlan-id | vlan-id is the ID of the destination remote-probe VLAN. |
| Define the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Exit current view | quit | — |
| Enter port view of the ports that are connected to the intermediate switch or destination switch | interface interface-type interface-number | — |
| Configure the current port as a trunk port | port link-type trunk | Required. By default, the type of the port is access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This setting is required for source switch ports that are connected to the intermediate switch or destination switch. |
| Exit current view | quit | — |
| Configure a remote source mirroring group | mirroring-group group-id remote-source | Required |
| Configure a source port for remote mirroring | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Required |
| Configure a remote reflector port | mirroring-group group-id reflector-port reflector-port | Required. The remote reflector port must be of the Access type. LACP and STP must be disabled on this port. After a port is configured as a reflector port, the switch does not allow you to perform any of the following configurations: changing the port type and its default VLAN ID; adding it to another VLAN. |
| Configure the remote-probe VLAN for the remote source mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
| Display the configuration of the remote source mirroring group | display mirroring-group remote-source | Optional. This command can be executed in any view. |
- To mirror tagged packets, you need to configure VLAN VPN on the reflector port.
- The reflector port cannot forward traffic as a normal port. Therefore, it is recommended that you use an idle port in the down state as the reflector port, and be careful not to add other settings on this port.
- Be sure not to configure a port used to connect the intermediate and destination switches as the mirroring source port. Otherwise traffic disorder may occur in the network.
III. Configuring RSPAN on the intermediate switch
Table 1-6 Configure RSPAN on the intermediate switch
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a remote-probe VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN. |
| Define the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Exit current view | quit | — |
| Enter Ethernet port view of the port through which the intermediate switch is connected to the source switch, destination switch or another intermediate switch | interface interface-type interface-number | — |
| Configure the current port as a trunk port | port link-type trunk | Required. By default, the type of the port is access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This configuration is necessary for ports on the intermediate switch that are connected to the source switch or the destination switch. |
IV. Configuring RSPAN on the destination switch
Table 1-7 Configure RSPAN on the destination switch
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a remote-probe VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN. |
| Define the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Exit the current view | quit | — |
| Enter Ethernet port view of the port through which the destination switch is connected to the source switch or an intermediate switch | interface interface-type interface-number | — |
| Configure the current port as a trunk port | port link-type trunk | Required. By default, the type of the port is access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This configuration is necessary for ports through which the destination switch is connected to the source switch or an intermediate switch. |
| Exit current view | quit | — |
| Configure the remote destination mirroring group | mirroring-group group-id remote-destination | Required |
| Configure the destination port for remote mirroring | mirroring-group group-id monitor-port monitor-port | Required. The destination port for remote mirroring must be of the Access type. LACP and STP must be disabled on this port. After you configure a port as the destination port for remote mirroring, the switch does not allow you to change the port type or default VLAN ID of the port. |
| Configure the remote-probe VLAN for the remote destination mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
| Display the configuration of the remote destination mirroring group | display mirroring-group remote-destination | Optional. This command can be executed in any view. |
V. Configuration example
1) Network requirements:
- Switch A is connected to the data detect device via GigabitEthernet 1/0/2.
- GigabitEthernet 1/0/1, the Trunk port of Switch A, is connected to GigabitEthernet 1/0/1, the Trunk port of Switch B.
- GigabitEthernet 1/0/2, the Trunk port of Switch B, is connected to GigabitEthernet 1/0/1, the Trunk port of Switch C.
- GigabitEthernet 1/0/2, the port of Switch C, is connected to PC1.
The purpose is to monitor and analyze the packets sent to PC1 via the data detect device.
To meet the requirement above by using the RSPAN function, perform the following configuration:
- Define VLAN10 as remote-probe VLAN.
- Define Switch A as the destination switch; configure GigabitEthernet 1/0/2, the port that is connected to the data detect device, as the destination port for remote mirroring. Set GigabitEthernet1/0/2 to an Access port, with STP and LACP functions disabled.
- Define Switch B as the intermediate switch.
- Define Switch C as the source switch, GigabitEthernet 1/0/2 as the source port for remote mirroring, and GigabitEthernet 1/0/3 as the reflector port. Set GigabitEthernet 1/0/3 to an Access port, with STP and LACP disabled.
2) Network diagram

Figure 1-3 Network diagram for RSPAN
3) Configuration procedure
# Configure Switch C.
<H3C> system-view
[H3C] vlan 10
[H3C-vlan10] remote-probe vlan enable
[H3C-vlan10] quit
[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] port link-type trunk
[H3C-GigabitEthernet1/0/1] port trunk permit vlan 10
[H3C-GigabitEthernet1/0/1] quit
[H3C] mirroring-group 1 remote-source
[H3C] mirroring-group 1 mirroring-port GigabitEthernet 1/0/2 inbound
[H3C] mirroring-group 1 reflector-port GigabitEthernet 1/0/3
[H3C] mirroring-group 1 remote-probe vlan 10
[H3C] display mirroring-group remote-source
mirroring-group 1:
type: remote-source
status: active
mirroring port:
GigabitEthernet1/0/2 inbound
reflector port:
GigabitEthernet1/0/3
remote-probe vlan: 10
# Configure Switch B.
<H3C> system-view
[H3C] vlan 10
[H3C-vlan10] remote-probe vlan enable
[H3C-vlan10] quit
[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] port link-type trunk
[H3C-GigabitEthernet1/0/1] port trunk permit vlan 10
[H3C-GigabitEthernet1/0/1] quit
[H3C] interface GigabitEthernet 1/0/2
[H3C-GigabitEthernet1/0/2] port link-type trunk
[H3C-GigabitEthernet1/0/2] port trunk permit vlan 10
# Configure Switch A.
<H3C> system-view
[H3C] vlan 10
[H3C-vlan10] remote-probe vlan enable
[H3C-vlan10] quit
[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] port link-type trunk
[H3C-GigabitEthernet1/0/1] port trunk permit vlan 10
[H3C-GigabitEthernet1/0/1] quit
[H3C] mirroring-group 1 remote-destination
[H3C] mirroring-group 1 monitor-port GigabitEthernet 1/0/2
[H3C] mirroring-group 1 remote-probe vlan 10
[H3C] display mirroring-group remote-destination
mirroring-group 1:
type: remote-destination
status: active
monitor port:
GigabitEthernet1/0/2
remote-probe vlan: 10
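The remote-probe VLAN requirements and the source-switch cautions above can be checked against a planned command list before it is applied. The following Python check is an added example, not part of the H3C manual: `parse`, `audit` and the `reserved_vlans` default (VLAN 1 taken as the default VLAN) are assumptions, and it accepts only the single-port, single-VLAN command forms shown on this page.

```python
import re

# Constructed input: the Switch C (source switch) commands from this page, prompts removed.
SWITCH_C = """\
vlan 10
remote-probe vlan enable
quit
interface GigabitEthernet 1/0/1
port link-type trunk
port trunk permit vlan 10
quit
mirroring-group 1 remote-source
mirroring-group 1 mirroring-port GigabitEthernet 1/0/2 inbound
mirroring-group 1 reflector-port GigabitEthernet 1/0/3
mirroring-group 1 remote-probe vlan 10
"""

def parse(commands):  # replay the commands, tracking the current view as the CLI would
    probe, ports, groups, view = set(), {}, {}, ("system", None)
    for line in (" ".join(raw.split()) for raw in commands.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            view = ("vlan", int(m[1]))
        elif m := re.fullmatch(r"interface (.+)", line):
            view = ("port", m[1].replace(" ", ""))
            ports.setdefault(view[1], {"type": "access", "permit": set()})
        elif line == "quit":
            view = ("system", None)
        elif view[0] == "vlan" and line == "remote-probe vlan enable":
            probe.add(view[1])
        elif view[0] == "port" and (m := re.fullmatch(r"port link-type (\w+)", line)):
            ports[view[1]]["type"] = m[1]
        elif view[0] == "port" and (m := re.fullmatch(r"port trunk permit vlan (\d+)", line)):
            ports[view[1]]["permit"].add(int(m[1]))
        elif m := re.fullmatch(r"mirroring-group (\d+) (.+)", line):
            group, arg = groups.setdefault(m[1], {"src": []}), m[2]
            if arg in ("remote-source", "remote-destination"):
                group["type"] = arg
            elif s := re.fullmatch(r"mirroring-port (.+) (both|inbound|outbound)", arg):
                group["src"].append(s[1].replace(" ", ""))  # one port per command
            elif s := re.fullmatch(r"(reflector|monitor)-port (.+)", arg):
                group["end"] = s[2].replace(" ", "")
            elif s := re.fullmatch(r"remote-probe vlan (\d+)", arg):
                group["vlan"] = int(s[1])
    return probe, ports, groups

def audit(commands, reserved_vlans=(1,)):  # reserved_vlans default is an assumption
    probe, ports, groups = parse(commands)
    trunk = lambda p: ports.get(p, {}).get("type") == "trunk"
    carries = lambda p, v: trunk(p) and v in ports[p]["permit"]
    out = []
    for gid, g in sorted(groups.items()):
        vlan, end = g.get("vlan"), g.get("end")
        checks = [(vlan not in probe, f"VLAN {vlan} is not a remote-probe VLAN"),
                  (vlan in reserved_vlans, f"VLAN {vlan} is a default or management VLAN"),
                  (not any(carries(p, vlan) for p in ports), f"no trunk port permits VLAN {vlan}"),
                  (end is None or trunk(end), "reflector/monitor port missing or not Access type")]
        checks += [(carries(p, vlan) or p == end, f"{p} is an uplink or reflector port") for p in g["src"]]
        out += [f"group {gid}: {msg}" for bad, msg in checks if bad and "type" in g]  # remote groups only
    return out
```

`audit(SWITCH_C)` returns an empty list for the commands as given; pass the switch's actual default and management VLAN IDs in `reserved_vlans` when checking a real plan.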
I. Configuration prerequisites
- ACLs for identifying traffic have been defined. For defining ACLs, see the description on the ACL module in this manual.
- The destination port has been defined.
- The port on which to perform traffic mirroring configuration and the direction of traffic mirroring have been determined.
II. Configuration procedure
Table 1-8 Configure traffic mirroring in Ethernet port view
| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | — |
| Create a mirroring group | mirroring-group group-id local | Required |
| Define the destination port | mirroring-group group-id monitor-port monitor-port | Required. LACP and STP cannot be enabled on the destination port. |
| Enter Ethernet port view of the source port | interface interface-type interface-number | — |
| Enter QoS view | qos | — |
| Reference ACLs for identifying traffic flows and perform traffic mirroring for packets that match. | mirrored-to inbound acl-rule [ system-index ] { interface interface-type interface-number \| mirroring-group group-id } | Required |
| Display the parameter settings of traffic mirroring | display qos-interface [ interface-type interface-number ] mirrored-to | Optional. These commands can be executed in any view. |
| Display all QoS settings of a port | display qos-interface [ interface-type interface-number ] all | Optional. These commands can be executed in any view. |
acl-rule: Applied ACL rules, which can be the combination of different types of ACL rules. The following table describes the ACL combinations.
Table 1-9 Combined application of ACLs on service board of A type.
| Combination mode | Form of acl-rule |
|---|---|
| Apply all rules in an IP type ACL separately | ip-group { acl-number \| acl-name } |
| Apply one rule in an IP type ACL separately | ip-group { acl-number \| acl-name } rule rule-id |
| Apply all rules in a link type ACL separately | link-group { acl-number \| acl-name } |
| Apply one rule in a link type separately | link-group { acl-number \| acl-name } rule rule-id |
| Apply one rule in an IP type ACL and one rule in a link type ACL simultaneously | ip-group { acl-number \| acl-name } rule rule-id link-group { acl-number \| acl-name } rule rule-id |
Table 1-10 Combined application of ACLs on service board other than A type.
| Combination mode | Form of acl-rule |
|---|---|
| Apply all rules in an IP type ACL separately | ip-group { acl-number \| acl-name } |
| Apply one rule in an IP type ACL separately | ip-group { acl-number \| acl-name } rule rule-id |
| Apply all rules in a link type ACL separately | link-group { acl-number \| acl-name } |
| Apply one rule in a link type separately | link-group { acl-number \| acl-name } rule rule-id |
| Apply all rules in a user-defined ACL separately | user-group { acl-number \| acl-name } |
| Apply one rule in a user-defined ACL separately | |