H3C S3600 Series Ethernet Switches Operation Manual-Release 1510(V1.04)

28-Mirroring Operation

Chapter 1  Mirroring Configuration

1.1  Mirroring Overview

Mirroring copies packets that match the specified rules to a destination port. The destination port is generally connected to a data detect device, which is used to analyze the mirrored packets for network monitoring and troubleshooting.

Figure 1-1 Mirroring

1.1.1  Traffic Mirroring

Traffic mirroring refers to the process of copying traffic flows that match specific ACLs to the specified destination port for packet analysis and monitoring. Before configuring traffic mirroring, you need to define ACLs required for flow identification.

1.1.2  Port Mirroring

Port mirroring refers to the process of copying the packets received or sent by the specified port to the destination port.

1.1.3  Remote Port Mirroring — RSPAN

Remote switched port analyzer (RSPAN) refers to remote port mirroring. It removes the limitation that the source port and the destination port must be located on the same switch: the source port and the destination port can be located on different devices across the network, which makes it easier for the network administrator to manage remote switches.

The application of RSPAN is illustrated in the following figure:

Figure 1-2 RSPAN application

There are three types of switches with RSPAN enabled:

- Source switch: the switch on which the monitored port resides. Through Layer 2 forwarding, it sends the traffic to be mirrored to an intermediate switch or the destination switch over the remote-probe VLAN.
- Intermediate switch: a switch between the source switch and the destination switch on the network. An intermediate switch forwards mirrored traffic flows to the next intermediate switch or the destination switch. No intermediate switch is present if the source and destination switches are directly connected.
- Destination switch: the switch on which the remote mirroring destination port resides. It forwards the mirrored traffic flows it receives from the remote-probe VLAN to the monitoring device through the destination port.

Table 1-1 describes how the ports on various switches are involved in the mirroring operation.

Table 1-1 Ports involved in the mirroring operation

| Switch | Ports involved | Function |
| --- | --- | --- |
| Source switch | Source port | Port monitored. It copies user data packets to the specified reflector port through local port mirroring. There can be more than one source port. |
| Source switch | Reflector port | Receives user data packets that are mirrored on a local port. |
| Source switch | Trunk port | Sends mirrored packets to the intermediate switch or the destination switch. |
| Intermediate switch | Trunk port | Sends mirrored packets to the destination switch. Two Trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side. |
| Destination switch | Trunk port | Receives remote mirrored packets. |
| Destination switch | Destination port | Monitors remote mirrored packets. |

 

To implement remote port mirroring, you need to define a special VLAN, called remote-probe VLAN, on a switch. All mirrored packets will be transferred from the source switch to the destination ports of the destination switch through this VLAN. Thus, the destination switch can monitor the port packets sent from the ports of the source switch. Remote-probe VLAN requires that:

- All ports connecting the devices in remote-probe VLAN are configured as the trunk ports.
- The default VLAN and management VLAN cannot be configured as remote-probe VLAN.
- Layer 2 interoperability must be ensured by configuration between the source and destination switches over the remote-probe VLAN.

 

  Caution:

To ensure normal packet mirroring, it is not recommended to perform any of the following operations on the remote-probe VLAN:

- Configuring a source port to the remote-probe VLAN that is used by the local mirroring group;
- Configuring a Layer 3 interface for the remote-probe VLAN;
- Configuring it to run other protocol packets or carry other service packets;
- Using the remote-probe VLAN as a special type of VLAN, such as voice VLAN or protocol VLAN;
- Configuring other VLAN-related functions.

 

1.2  Mirroring Functions Supported by S3600

Table 1-2 Mirroring functions supported by S3600-EI and related commands

| Function | Specifications | Related command | Link |
| --- | --- | --- | --- |
| Mirroring | Supports traffic mirroring | monitor-port, mirrored-to | Section 1.3.1 |
| Mirroring | Supports port mirroring | mirroring-group, mirroring-group mirroring-port, mirroring-group monitor-port, monitor-port, mirroring-port | Section 1.3.2 |
| Mirroring | Supports remote port mirroring | mirroring-group, mirroring-group mirroring-port, mirroring-group monitor-port, mirroring-group reflector-port, mirroring-group remote-probe vlan, remote-probe vlan enable | Section 1.3.3 |

 

Table 1-3 Mirroring functions supported by S3600-SI and related commands

| Function | Specifications | Related command | Link |
| --- | --- | --- | --- |
| Mirroring | Supports traffic mirroring | monitor-port, mirrored-to | Section 1.3.1 |
| Mirroring | Supports port mirroring | monitor-port, mirroring-port | Section 1.4.2 |

 

1.3  Mirroring Configuration for S3600-EI

For mirroring features, see section 1.1 "Mirroring Overview".

1.3.1  Configuring Traffic Mirroring

I. Configuration prerequisites

- ACLs for identifying traffic flows have been defined. For defining ACLs, see the description in the ACL module of this manual.
- The destination port is determined.
- The port to be configured with the traffic mirroring function and the direction of the traffic flow to be mirrored are determined.

II. Configuration procedure

Table 1-4 Configure traffic mirroring

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Enter Ethernet port view of the determined destination port | interface interface-type interface-number | |
| Define the current port as the destination port | monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Exit current view | quit | |
| Enter Ethernet port view of traffic mirroring configuration | interface interface-type interface-number | |
| Invoke ACLs for identifying traffic flows and perform traffic mirroring for the packets matching the ACLs | mirrored-to { inbound \| outbound } acl-rule { monitor-interface \| cpu } | Required |
| Display the parameter settings of traffic mirroring | display qos-interface { interface-type interface-number \| unit-id } mirrored-to | Optional. These commands can be executed in any view. |
| Display all QoS settings of a port | display qos-interface { interface-type interface-number \| unit-id } all | Optional. These commands can be executed in any view. |

 

acl-rule: applied ACL rules, which can be the combination of different types of ACL sub-rules. The following table describes the combined-ACL applications.

Table 1-5 Combined-ACL applications

| Combination mode | Form of acl-rule |
| --- | --- |
| Apply all sub-rules in an IP type ACL (either a basic or an advanced ACL) separately | ip-group acl-number |
| Apply one sub-rule in an IP type ACL separately | ip-group acl-number rule rule-id |
| Apply all sub-rules in a Layer 2 ACL separately | link-group acl-number |
| Apply one sub-rule in a Layer 2 ACL separately | link-group acl-number rule rule-id |
| Apply all sub-rules in a user-defined ACL separately | user-group acl-number |
| Apply one sub-rule in a user-defined ACL separately | user-group acl-number rule rule-id |
| Apply one sub-rule in an IP type ACL and one sub-rule in a Layer 2 ACL simultaneously | ip-group acl-number rule rule-id link-group acl-number rule rule-id |

 

III. Configuration example

Network requirements:

- GigabitEthernet 1/1/1 on the switch is connected to the 10.1.1.1/24 network segment.
- The packets from the 10.1.1.1/24 network segment are to be mirrored to the destination port GigabitEthernet 1/1/4.

Configuration procedure:

<H3C> system-view

[H3C] acl number 2000

[H3C-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255

[H3C-acl-basic-2000] rule deny source any

[H3C-acl-basic-2000] quit

[H3C] interface gigabitEthernet 1/1/4

[H3C-GigabitEthernet1/1/4] monitor-port

[H3C-GigabitEthernet1/1/4] quit

[H3C] interface GigabitEthernet 1/1/1

[H3C-GigabitEthernet1/1/1] mirrored-to inbound ip-group 2000 monitor-interface

1.3.2  Configuring Port Mirroring

I. Configuration prerequisites

- The source port is determined, and the direction of the packets to be mirrored (inbound, outbound, or both) is specified. Inbound mirrors only the packets received by the port; outbound mirrors only the packets sent by the port; both mirrors the packets received and sent by the port.
- The destination port is determined.
- The mirroring group number is determined.

II. Configuring port mirroring in Ethernet port view

Table 1-6 Configure port mirroring in Ethernet port view (1)

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Enter Ethernet port view of the determined destination port | interface interface-type interface-number | |
| Define the current port as the destination port | monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Exit current view | quit | |
| Enter Ethernet port view of the determined source port | interface interface-type interface-number | |
| Define the current port as the source port and specify the direction of the packets to be mirrored | mirroring-port { inbound \| outbound \| both } | Required |
| Display the mirroring parameter settings | display mirroring-group { all \| local } | Optional. This command can be executed in any view. |

 

Note:

If you specify the destination port and source port in Ethernet port view without creating a port mirroring group, mirroring group 1 will be created automatically.

 

Table 1-7 Configure port mirroring in Ethernet port view (2)

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Enter Ethernet port view of the determined destination port | interface interface-type interface-number | |
| Define the current port as the destination port | mirroring-group group-id monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Exit current view | quit | |
| Enter Ethernet port view of the determined source port | interface interface-type interface-number | |
| Define the current port as the source port and specify the direction of the packets to be mirrored | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | Required |
| Display the mirroring parameter settings | display mirroring-group { all \| local } | Required. This command can be executed in any view. |

 

III. Configuring port mirroring in system view

Table 1-8 Configure port mirroring in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a port mirroring group | mirroring-group group-id local | Required |
| Define the determined destination port | mirroring-group group-id monitor-port monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Define the determined source port and specify the direction of the packets to be mirrored | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Required |
| Display the mirroring parameter settings | display mirroring-group { all \| local } | Optional. This command can be executed in any view. |

 

Note:

- Configurations listed in Table 1-6 do not involve specifying a mirroring group. Therefore, these mirroring settings made in Ethernet port view apply to mirroring group 1 only.
- Configurations listed in Table 1-7 can be used to add mirroring settings for any defined mirroring group in Ethernet port view.
- Configurations listed in Table 1-8 are performed in system view. Therefore, the mirroring group ID and port number must be specified.

 

IV. Configuration Example

Network requirements:

- The source port is GigabitEthernet 1/1/1. All packets received and sent by this port are to be mirrored.
- The destination port is GigabitEthernet 1/1/4.

Configuration procedure 1:

<H3C> system-view

[H3C] mirroring-group 1 local

[H3C] interface gigabitEthernet 1/1/4

[H3C-GigabitEthernet1/1/4] monitor-port

[H3C-GigabitEthernet1/1/4] quit

[H3C] interface gigabitEthernet 1/1/1

[H3C-GigabitEthernet1/1/1] mirroring-port both

Configuration procedure 2:

<H3C> system-view

[H3C] mirroring-group 1 local

[H3C] interface GigabitEthernet 1/1/4

[H3C-GigabitEthernet1/1/4] mirroring-group 1 monitor-port

[H3C-GigabitEthernet1/1/4] quit

[H3C] interface GigabitEthernet 1/1/1

[H3C-GigabitEthernet1/1/1] mirroring-group 1 mirroring-port both

Configuration procedure 3:

<H3C> system-view

[H3C] mirroring-group 1 local

[H3C] mirroring-group 1 monitor-port GigabitEthernet 1/1/4

[H3C] mirroring-group 1 mirroring-port GigabitEthernet 1/1/1 both

1.3.3  Configuring RSPAN

I. Configuration prerequisites

- The source switch, intermediate switch, and the destination switch are determined.
- The source port, the reflector port, the destination port, and the remote-probe VLAN are determined.
- Layer 2 interoperability is ensured by configuration between the source and destination switches over the remote-probe VLAN.
- The direction of the packets to be monitored is determined.
- The remote-probe VLAN is enabled.

II. Configuring RSPAN on the source switch

Table 1-9 Configure RSPAN on the source switch

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a VLAN and enter the VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN to be defined. |
| Define the current VLAN as the remote-probe VLAN | remote-probe vlan enable | Required |
| Exit the current view | quit | |
| Enter the port view of the port that connects to the intermediate switch or destination switch | interface interface-type interface-number | |
| Configure the current port as Trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This setting is required for the source switch port that connects to the intermediate switch or destination switch. |
| Exit current view | quit | |
| Configure a remote source mirroring group | mirroring-group group-id remote-source | Required |
| Configure a source port for remote mirroring | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | Required |
| Configure a remote reflector port | mirroring-group group-id reflector-port reflector-port | Required. The remote reflector port must be of the Access type. LACP and STP must be disabled on this port. After a port is configured as a reflector port, the switch does not allow you to change the port type or its default VLAN ID, or to add the port to another VLAN. |
| Configure the remote-probe VLAN for the remote source mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
| Display the configuration of the remote source mirroring group | display mirroring-group remote-source | Optional. This command can be executed in any view. |

 

Note:

- The reflector port cannot forward traffic as a normal port. It is therefore recommended that you use an idle port that is down as the reflector port, and do not perform other configuration on this port.
- If the mac-address max-mac-count 0 command is executed on a port in a VLAN, it is recommended not to configure this VLAN as the remote-probe VLAN. Otherwise, remote mirroring may not work properly.
- Do not configure a port connecting the intermediate switch or destination switch as the mirroring source port. Otherwise, traffic disorder may occur in the network.

 

III. Configuring RSPAN on the intermediate switch

Table 1-10 Configure RSPAN on the intermediate switch

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN to be defined. |
| Define the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Exit the current view | quit | |
| Enter Ethernet port view of the port connecting to the source switch, destination switch or other intermediate switch | interface interface-type interface-number | |
| Configure the current port as Trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This configuration is necessary for ports on the intermediate switch that are connected to the source switch, the destination switch or other intermediate switch. |

 

IV. Configuring RSPAN on the destination switch

Table 1-11 Configure RSPAN on the destination switch

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Create a VLAN and enter VLAN view | vlan vlan-id | vlan-id is the ID of the remote-probe VLAN to be defined. |
| Define the current VLAN as a remote-probe VLAN | remote-probe vlan enable | Required |
| Exit the current view | quit | |
| Enter Ethernet port view of the port connecting to the source switch or an intermediate switch | interface interface-type interface-number | |
| Configure the current port as Trunk port | port link-type trunk | Required. By default, the port type is Access. |
| Configure Trunk port to permit packets from the remote-probe VLAN | port trunk permit vlan remote-probe-vlan-id | Required. This configuration is necessary for ports through which the destination switch is connected to the source switch or an intermediate switch. |
| Exit the current view | quit | |
| Configure a remote destination mirroring group | mirroring-group group-id remote-destination | Required |
| Configure the destination port for remote mirroring | mirroring-group group-id monitor-port monitor-port | Required. The destination port for remote mirroring must be of the Access type. LACP and STP must be disabled on this port. After you configure a port as the destination port for remote mirroring, the switch does not allow you to change the port type or its default VLAN ID. |
| Configure the remote-probe VLAN for the remote destination mirroring group | mirroring-group group-id remote-probe vlan remote-probe-vlan-id | Required |
| Display the configuration of the remote destination mirroring group | display mirroring-group remote-destination | Optional. This command can be executed in any view. |

 

Note:

If the mac-address max-mac-count 0 command is executed on a port in a VLAN, it is recommended not to configure this VLAN as the remote-probe VLAN. Otherwise, remote mirroring may not work properly.

 

V. Configuration example

Network requirements:

- Switch A is connected to the data detect device through GigabitEthernet 1/1/2.
- GigabitEthernet 1/1/1, the Trunk port of Switch A, is connected to GigabitEthernet 1/1/1, the Trunk port of Switch B.
- GigabitEthernet 1/1/2, the Trunk port of Switch B, is connected to GigabitEthernet 1/1/1, the Trunk port of Switch C.
- GigabitEthernet 1/1/2, the port of Switch C, is connected to PC1.

The purpose is to use the data detect device to monitor and analyze the packets sent by PC1.

To meet the above purpose by using the RSPAN function, perform the following configuration:

- Define VLAN10 as the remote-probe VLAN.
- Define Switch A as the destination switch; configure GigabitEthernet 1/1/2, the port that is connected to the data detect device, as the destination port for remote mirroring. Set GigabitEthernet 1/1/2 to an Access port, with STP and LACP functions disabled.
- Define Switch B as the intermediate switch.
- Define Switch C as the source switch, GigabitEthernet 1/1/2 as the source port for remote mirroring, and GigabitEthernet 1/1/3 as the reflector port. Set GigabitEthernet 1/1/3 to an Access port, with STP and LACP disabled.

Network diagram:

Figure 1-3 Network diagram for RSPAN

Configuration procedure:

# Configure Switch C.

<H3C> system-view

[H3C] vlan 10

[H3C-vlan10] remote-probe vlan enable

[H3C-vlan10] quit

[H3C] interface GigabitEthernet 1/1/1

[H3C-GigabitEthernet1/1/1] port link-type trunk

[H3C-GigabitEthernet1/1/1] port trunk permit vlan 10

[H3C-GigabitEthernet1/1/1] quit

[H3C] mirroring-group 1 remote-source

[H3C] mirroring-group 1 mirroring-port GigabitEthernet 1/1/2 inbound

[H3C] mirroring-group 1 reflector-port GigabitEthernet 1/1/3

[H3C] mirroring-group 1 remote-probe vlan 10

[H3C] display mirroring-group remote-source

mirroring-group 1:

    type: remote-source

    status: active

    mirroring port:

        GigabitEthernet1/1/2  inbound

    reflector port: GigabitEthernet1/1/3

    remote-probe vlan: 10

# Configure Switch B.

<H3C> system-view

[H3C] vlan 10

[H3C-vlan10] remote-probe vlan enable

[H3C-vlan10] quit

[H3C] interface GigabitEthernet 1/1/1

[H3C-GigabitEthernet1/1/1] port link-type trunk

[H3C-GigabitEthernet1/1/1] port trunk permit vlan 10

[H3C-GigabitEthernet1/1/1] quit

[H3C] interface GigabitEthernet 1/1/2

[H3C-GigabitEthernet1/1/2] port link-type trunk

[H3C-GigabitEthernet1/1/2] port trunk permit vlan 10

# Configure Switch A.

<H3C> system-view

[H3C] vlan 10

[H3C-vlan10] remote-probe vlan enable

[H3C-vlan10] quit

[H3C] interface GigabitEthernet 1/1/1

[H3C-GigabitEthernet1/1/1] port link-type trunk

[H3C-GigabitEthernet1/1/1] port trunk permit vlan 10

[H3C-GigabitEthernet1/1/1] quit

[H3C] mirroring-group 1 remote-destination

[H3C] mirroring-group 1 monitor-port GigabitEthernet 1/1/2

[H3C] mirroring-group 1 remote-probe vlan 10

[H3C] display mirroring-group remote-destination

mirroring-group 1:

    type: remote-destination

    status: active

    monitor port: GigabitEthernet1/1/2

    remote-probe vlan: 10
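
The following is an added example, not part of the H3C manual: a Python lint that replays an RSPAN command script as typed in system view and checks it against the remote-probe VLAN rules from sections 1.1.3 and 1.3.3 before the script is pushed to a switch. It assumes that VLAN 1 is the default VLAN, that each mirroring-port command names one port, and that a Layer 3 interface is created with interface Vlan-interface; the function names and the BAD session are constructed for illustration.

```python
import re

DEFAULT_VLAN = 1  # assumption: VLAN 1 is the default VLAN on the audited switch

def norm(port):  # "GigabitEthernet 1/1/2" and "gigabitEthernet1/1/2" are one port
    return port.replace(" ", "").lower()

def parse(session):
    """Replay system-view commands as typed, tracking the current VLAN/port view."""
    cfg = {"probe": set(), "l3": set(), "ports": {}, "groups": {}}
    def grp(gid):
        return cfg["groups"].setdefault(gid, {"type": None, "src": [], "vlan": None, "fixed": {}})
    kind = name = None
    for raw in session.splitlines():
        line = re.sub(r"^\s*[<\[][^>\]]*[>\]]\s*", "", raw).strip()  # drop the prompt
        if m := re.fullmatch(r"vlan (\d+)", line):
            kind, name = "vlan", int(m[1])
        elif line == "remote-probe vlan enable" and kind == "vlan":
            cfg["probe"].add(name)
        elif m := re.fullmatch(r"interface vlan-interface ?(\d+)", line, re.I):
            cfg["l3"].add(int(m[1]))
            kind = name = None
        elif m := re.fullmatch(r"interface (.+)", line):
            kind, name = "port", norm(m[1])
            cfg["ports"].setdefault(name, {"type": "access", "permit": set()})
        elif kind == "port" and (m := re.fullmatch(r"port link-type (\w+)", line)):
            cfg["ports"][name]["type"] = m[1]
        elif kind == "port" and (m := re.fullmatch(r"port trunk permit vlan (.+)", line)):
            cfg["ports"][name]["permit"].update(m[1].split())  # IDs or "all"; ranges not expanded
        elif line == "quit":
            kind = name = None
        elif m := re.fullmatch(r"mirroring-group (\d+) (local|remote-source|remote-destination)", line):
            grp(m[1])["type"] = m[2]
        elif m := re.fullmatch(r"mirroring-group (\d+) mirroring-port (.+) (both|inbound|outbound)", line):
            grp(m[1])["src"].append(norm(m[2]))  # assumes one port per command
        elif m := re.fullmatch(r"mirroring-group (\d+) (reflector|monitor)-port (.+)", line):
            grp(m[1])["fixed"][m[2]] = norm(m[3])
        elif m := re.fullmatch(r"mirroring-group (\d+) remote-probe vlan (\d+)", line):
            grp(m[1])["vlan"] = int(m[2])
    return cfg

def audit(cfg):
    """Check each RSPAN group against the remote-probe VLAN rules in this chapter."""
    out, ports = [], cfg["ports"]
    for gid, g in sorted(cfg["groups"].items()):
        if g["type"] not in ("remote-source", "remote-destination"):
            continue
        v = g["vlan"]
        carriers = {p for p, c in ports.items() if c["type"] == "trunk" and {"all", str(v)} & c["permit"]}
        checks = [
            (v == DEFAULT_VLAN, f"VLAN {v} is the default VLAN"),
            (v not in cfg["probe"], f"VLAN {v} is not enabled as a remote-probe VLAN"),
            (v in cfg["l3"], f"VLAN {v} has a Layer 3 interface"),
            (not carriers, f"no trunk port permits VLAN {v}"),
        ]
        checks += [(p in carriers, f"source port {p} is a trunk carrying VLAN {v}")
                   for p in g["src"]]
        checks += [(ports.get(p, {}).get("type", "access") != "access",
                    f"{role} port {p} must be an Access port")
                   for role, p in sorted(g["fixed"].items())]
        out += [f"group {gid}: {msg}" for bad, msg in checks if bad]
    return out

# Switch C (source switch) session from the configuration example in this section
GOOD = """[H3C] vlan 10
[H3C-vlan10] remote-probe vlan enable
[H3C-vlan10] quit
[H3C] interface GigabitEthernet 1/1/1
[H3C-GigabitEthernet1/1/1] port link-type trunk
[H3C-GigabitEthernet1/1/1] port trunk permit vlan 10
[H3C-GigabitEthernet1/1/1] quit
[H3C] mirroring-group 1 remote-source
[H3C] mirroring-group 1 mirroring-port GigabitEthernet 1/1/2 inbound
[H3C] mirroring-group 1 reflector-port GigabitEthernet 1/1/3
[H3C] mirroring-group 1 remote-probe vlan 10"""
# Constructed misconfiguration: uplink trunk as source, L3 interface on VLAN 10, trunk reflector
BAD = (GOOD.replace("1/1/2 inbound", "1/1/1 both")
       + "\n[H3C] interface Vlan-interface 10\n[H3C-Vlan-interface10] quit"
       + "\n[H3C] interface GigabitEthernet 1/1/3\n[H3C-GigabitEthernet1/1/3] port link-type trunk")
```

audit(parse(GOOD)) returns an empty list; audit(parse(BAD)) returns one finding each for the Layer 3 interface, the trunk source port and the trunk-type reflector port.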

1.3.4  Displaying Mirroring Parameter Settings

After the above configuration, you can use the display command in any view to view the mirroring running information, so as to verify the configurations you made.

Table 1-12 Display mirroring parameter settings

| Operation | Command | Description |
| --- | --- | --- |
| Display parameter settings of a mirroring group | display mirroring-group { group-id \| all \| local \| remote-destination \| remote-source } | The command can be executed in any view. |
| Display parameter settings of traffic mirroring | display qos-interface { interface-type interface-number \| unit-id } mirrored-to | |

 

1.4  Mirroring Configuration for S3600-SI

For mirroring features, refer to section 1.1 "Mirroring Overview".

1.4.1  Configuring Traffic Mirroring

The traffic mirroring configurations for S3600-SI are the same as those for S3600-EI. Refer to section 1.3.1 "Configuring Traffic Mirroring" for details.

1.4.2  Configuring Port Mirroring

I. Configuration prerequisites

- The source port is determined, and the direction of the packets to be mirrored (inbound, outbound, or both) is specified. Inbound mirrors only the packets received by the port; outbound mirrors only the packets sent by the port; both mirrors the packets received and sent by the port.
- The destination port is determined.

II. Configuration procedure

Table 1-13 Configure port mirroring

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | |
| Enter Ethernet port view of the determined destination port | interface interface-type interface-number | |
| Define the current port as the destination port | monitor-port | Required. LACP and STP must be disabled on the destination port. |
| Exit the current view | quit | |
| Enter Ethernet port view of the determined source port | interface interface-type interface-number | |
| Define the current port as the source port and specify the direction of the packets to be mirrored | mirroring-port { inbound \| outbound \| both } | Required |
| Display parameter settings of the mirroring | display mirror | Optional. This command can be executed in any view. |

 

III. Configuration Example

- The source port is GigabitEthernet 1/1/1. Mirror all packets received and sent by this port.
- The destination port is GigabitEthernet 1/1/4.

Configuration procedure:

<H3C> system-view

[H3C] interface gigabitEthernet 1/1/4

[H3C-GigabitEthernet1/1/4] monitor-port

[H3C-GigabitEthernet1/1/4] quit

[H3C] interface gigabitEthernet 1/1/1

[H3C-GigabitEthernet1/1/1] mirroring-port both

1.4.3  Displaying Mirroring Parameter Settings

After the above configuration, you can use the display command in any view to view the mirroring running information, so as to verify the configurations you made.

Table 1-14 Display mirroring parameter settings

| Operation | Command | Description |
| --- | --- | --- |
| Display parameter settings of a mirroring group | display mirror | This command can be executed in any view. |
| Display parameter settings of traffic mirroring | display qos-interface { interface-type interface-number \| unit-id } mirrored-to | |

 
