H3C S9500 Operation Manual-Release2132[V2.03]-01 Access Volume
05-Port Mirroring Configuration
Table of Contents
Chapter 1 Port Mirroring Configuration
1.1 Introduction to Port Mirroring
1.1.2 Implementing Port Mirroring
1.2 Configuring Local Port Mirroring
1.3 Configuring Remote Port Mirroring
1.3.1 Configuring a Remote Source Mirroring Group (on the Source Device)
1.3.2 Configuring a Remote Destination Mirroring Group (on the Destination Device)
1.4 Displaying and Maintaining Port Mirroring
1.5 Port Mirroring Configuration Examples
1.5.1 Local Port Mirroring Configuration Example
1.5.2 Remote Port Mirroring Configuration Example
Chapter 1 Port Mirroring Configuration
When configuring port mirroring, go to these sections for information you are interested in:
- Introduction to Port Mirroring
- Configuring Local Port Mirroring
- Configuring Remote Port Mirroring
- Displaying and Maintaining Port Mirroring
- Port Mirroring Configuration Examples
1.1 Introduction to Port Mirroring
Port mirroring copies the packets passing through a port (called a mirroring port) to another port (called the monitor port) that is connected to a monitoring device for packet analysis, as shown in the following figure.
Figure 1-1 Port mirroring implementation example
You can mirror inbound, outbound, or bidirectional traffic on a port as needed.
1.1.1 Types of Port Mirroring
Port mirroring can be local or remote.
- In local port mirroring, the mirroring port or ports and the monitor port are located on the same device.
- In remote port mirroring, the mirroring port or ports and the monitor port can be located on the same device or different devices. When they are located on different devices, there should be no Layer-3 network in between.
1.1.2 Implementing Port Mirroring
Port mirroring is implemented through port mirroring groups. There are three types of mirroring groups: local, remote source, and remote destination.
The following subsections describe how local port mirroring and remote port mirroring are implemented.
I. Local port mirroring
In local port mirroring, all packets passing through a port can be mirrored. Local port mirroring is implemented through local mirroring groups.
As shown in Figure 1-2, packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze.
Figure 1-2 Local port mirroring implementation
II. Remote port mirroring
Remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group as shown in Figure 1-3.
Figure 1-3 Remote port mirroring implementation
Remote mirroring involves the following device roles:
- Source device
  The source device is the device where the mirroring ports are located. On it, you must create a remote source mirroring group to hold the mirroring ports.
  The source device copies the packets passing through the mirroring ports and broadcasts the copies through the reflector port in the remote probe VLAN.
- Intermediate device
  Intermediate devices (if any) are devices located between the source device and the destination device.
  An intermediate device forwards mirrored packets to the next intermediate device (if any) or the destination device.
- Destination device
  The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group.
  When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote destination mirroring group. If they are the same, the device forwards the packet to the monitoring device through the monitor port.
Note:
- The S9500 series support inter-board mirroring, that is, the mirroring port(s) and the monitor port can be located on different boards on the same device.
- A source device can be connected to its destination device directly without any intermediate device.
- As for the four Ten-GigabitEthernet ports (TE ports) on XP4B and XP4CA boards, port mirroring can only be implemented between port 1 and 2 (for example, Ten-GigabitEthernet 2/1/1 and Ten-GigabitEthernet 2/1/2), and between port 3 and 4 (for example, Ten-GigabitEthernet 2/1/3 and Ten-GigabitEthernet 2/1/4).
Caution:
As port mirroring conflicts with STP, RSTP, and MSTP, do not enable STP, RSTP, or MSTP on monitor ports.
1.2 Configuring Local Port Mirroring
To configure local port mirroring, you configure local mirroring groups.
A local mirroring group comprises one or multiple mirroring ports and one monitor port. These ports must not have been assigned to any other mirroring group.
Follow these steps to configure local port mirroring:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a local mirroring group | mirroring-group groupid local | Required |
| Assign ports to the port mirroring group as mirroring ports, in system view | mirroring-group groupid mirroring-port mirroring-port-list { inbound \| outbound \| both } | Required. Use either approach. In system view, you can assign a list of ports to the mirroring group at a time. In interface view, you can assign only the current port to the mirroring group. To monitor multiple ports, repeat the step. |
| Assign ports to the port mirroring group as mirroring ports, in Ethernet interface view | interface interface-type interface-number | |
| | [ mirroring-group groupid ] mirroring-port { inbound \| outbound \| both } | |
| | quit | |
| Assign a port to the mirroring group as the monitor port, in system view | mirroring-group groupid monitor-port monitor-port-id | Required. Use either approach. |
| Assign a port to the mirroring group as the monitor port, in Ethernet interface view | interface interface-type interface-number | |
| | [ mirroring-group groupid ] monitor-port | |
Note:
- After you configure a port as a monitor port, you are recommended not to use it for any other purposes. This is to ensure that the data monitoring device receives only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
- To have a local mirroring group take effect, you must configure a monitor port and at least one mirroring port in it.
1.3 Configuring Remote Port Mirroring
To configure remote port mirroring, you configure remote mirroring groups: the remote source mirroring group on the source device and the cooperating remote destination mirroring group on the destination device.
The two mirroring groups must be configured with the same remote probe VLAN. If intermediate devices are involved, you must configure these devices to permit the probe VLAN to pass through.
1.3.1 Configuring a Remote Source Mirroring Group (on the Source Device)
A remote source mirroring group comprises one or multiple mirroring ports, a remote probe VLAN, and a reflector port. The ports and the probe VLAN must not have been assigned to any other mirroring groups.
Follow these steps to configure a remote source port mirroring group on the source device:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a remote probe VLAN | vlan vlan-id | Required |
| Return to system view | quit | — |
| Create a remote source mirroring group | mirroring-group groupid remote-source | Required |
| Assign ports to the mirroring group as mirroring ports, in system view | mirroring-group groupid mirroring-port mirroring-port-list { inbound \| outbound \| both } | Required. Use either approach. In system view, you can assign a list of ports to the mirroring group at a time. In interface view, you can assign only the current interface to the mirroring group. To monitor multiple ports, repeat the step. |
| Assign ports to the mirroring group as mirroring ports, in Ethernet interface view | interface interface-type interface-number | |
| | [ mirroring-group groupid ] mirroring-port { inbound \| outbound \| both } | |
| | quit | |
| Assign a port to the mirroring group as the reflector port, in system view | mirroring-group groupid reflector-port reflector-port-id | Required. Use either approach. |
| Assign a port to the mirroring group as the reflector port, in Ethernet interface view | interface interface-type interface-number | |
| | mirroring-group groupid reflector-port | |
| | quit | |
| Configure the remote probe VLAN for the mirroring group | mirroring-group groupid remote-probe vlan rprobe-vlan-id | Required |
Note:
- To ensure device performance, do not assign mirroring ports to a remote probe VLAN.
- To configure a port as a reflector port, you must ensure that its link type is access, it belongs to the default VLAN (that is, VLAN 1), and it is neither a destination port for traffic mirroring nor a member of any other port mirroring group.
- You are recommended not to connect a network cable to a reflector port. On a reflector port, you must disable these features: 802.1x, QinQ, port loopback, and service loopback. To ensure normal operation of the device, you are recommended to disable static ARP and MAC address learning on the reflector port as well.
- The outgoing port for a mirrored packet must not be the same as the reflector port.
- You are recommended to use a remote probe VLAN for port mirroring only.
- Only existing static VLANs can be configured as remote probe VLANs. To remove the VLAN operating as a remote probe VLAN, you need to remove the VLAN from the remote mirroring group first with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group.
- To ensure the functionality of remote port mirroring, disable MAC address learning in a remote probe VLAN on the intermediate devices, if any.
- Ensure that the mirrored packets leave the source device with the tag of the remote probe VLAN.
1.3.2 Configuring a Remote Destination Mirroring Group (on the Destination Device)
A remote destination mirroring group comprises a remote probe VLAN and a monitor port. The port and the probe VLAN must not have been assigned to any other mirroring groups. In addition, you must ensure that the remote probe VLAN is the same as the one configured in the remote source mirroring group.
Follow these steps to configure a remote destination port mirroring group on the destination device:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a VLAN and enter the VLAN view | vlan vlan-id | Required |
| Disable MAC address learning in the VLAN by assigning 0 to the count argument | mac-address max-mac-count count | Required |
| Return to system view | quit | — |
| Create a remote destination port mirroring group | mirroring-group groupid remote-destination | Required |
| Assign the VLAN you created to the port mirroring group | mirroring-group groupid remote-probe vlan rprobe-vlan-id | Required |
| Assign a port to the port mirroring group as the monitor port, in system view | mirroring-group groupid monitor-port monitor-port-id | Required. Use either approach. In Ethernet interface view, if no destination mirroring group is specified, group 1 is used by default. |
| Assign a port to the port mirroring group as the monitor port, in Ethernet interface view | interface interface-type interface-number | |
| | [ mirroring-group groupid ] monitor-port | |
| | quit | |
| Enter the interface view of the monitor port | interface interface-type interface-number | — |
| Assign the monitor port to the remote probe VLAN, if the port is an access port | port access vlan rprobe-vlan-id | Required. Use one of the commands depending on the link type of the monitor port. |
| Assign the monitor port to the remote probe VLAN, if the port is a trunk port | port trunk permit vlan rprobe-vlan-id | |
| Assign the monitor port to the remote probe VLAN, if the port is a hybrid port | port hybrid vlan rprobe-vlan-id { tagged \| untagged } | |
Note:
- After you configure a port as a monitor port, you are recommended not to use it for any other purposes. This is to ensure that the data monitoring device receives only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
- Only existing static VLANs can be configured as remote probe VLANs. To remove the VLAN operating as a remote probe VLAN, you need to remove the VLAN from the remote mirroring group first with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group.
- You are recommended to use a remote probe VLAN for port mirroring only.
- To ensure the functionality of remote port mirroring, disable MAC address learning in the remote probe VLAN on the source, intermediate, and destination devices.
1.4 Displaying and Maintaining Port Mirroring
| To do… | Use the command… | Remarks |
|---|---|---|
| Display the configuration of port mirroring groups | display mirroring-group { groupid \| local \| remote-source \| remote-destination \| all } | Available in any view |
1.5 Port Mirroring Configuration Examples
1.5.1 Local Port Mirroring Configuration Example
I. Network requirements
On the network shown in Figure 1-4:
- Host A is connected to port Ethernet 1/1/1 of Switch C through Switch A.
- Host B is connected to port Ethernet 1/1/2 of Switch C through Switch B.
- A data monitoring server is connected to port Ethernet 1/1/3 of Switch C.
To monitor the packets of Host A and Host B on the server, you can configure a local port mirroring group on Switch C by:
- Configuring ports Ethernet 1/1/1 and Ethernet 1/1/2 as mirroring ports.
- Configuring port Ethernet 1/1/3 as the monitor port.
II. Network diagram
Figure 1-4 Network diagram for local port mirroring configuration
III. Configuration procedure
1) Configure Switch C.
# Enter system view.
<Sysname> system-view
# Create a local port mirroring group.
[Sysname] mirroring-group 1 local
# Assign port Ethernet 1/1/1 and Ethernet 1/1/2 to the port mirroring group as mirroring ports. Assign port Ethernet 1/1/3 to the port mirroring group as the monitor port.
[Sysname] mirroring-group 1 mirroring-port ethernet 1/1/1 ethernet 1/1/2 both
[Sysname] mirroring-group 1 monitor-port ethernet 1/1/3
# Display the configuration of all the port mirroring groups.
[Sysname] display mirroring-group all
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        Ethernet1/1/1  both
        Ethernet1/1/2  both
    monitor port: Ethernet1/1/3
After finishing the configuration, you can monitor all the packets received and sent by Host A and Host B on the server.
1.5.2 Remote Port Mirroring Configuration Example
I. Network requirements
On the network shown in Figure 1-5:
- Host A is connected to port Ethernet 1/1/1 of Switch A.
- Host B is connected to port Ethernet 1/1/2 of Switch A.
- Port Ethernet 1/1/3 of Switch A is connected to port Ethernet 1/1/1 of Switch B. Both ports are trunk ports.
- Port Ethernet 1/1/2 of Switch B is connected to port Ethernet 1/1/1 of Switch C. Both ports are trunk ports.
- A server is connected to port Ethernet 1/1/2 of Switch C.
To monitor packets of Host A and Host B on the server, you can configure remote port mirroring groups on the switches as follows:
- On Switch A, create a remote source mirroring group; create VLAN 2 and configure it as the remote probe VLAN; assign ports Ethernet 1/1/1 and Ethernet 1/1/2 to the port mirroring group as mirroring ports and port Ethernet 1/1/4 as the reflector port.
- Configure port Ethernet 1/1/3 of Switch A, ports Ethernet 1/1/1 and Ethernet 1/1/2 of Switch B, and port Ethernet 1/1/1 of Switch C as trunk ports and configure them to permit packets of VLAN 2.
- Create a remote destination mirroring group on Switch C. Configure VLAN 2 as the remote probe VLAN and port Ethernet 1/1/2, to which the server is connected, as the monitor port.
II. Network diagram
Figure 1-5 Network diagram for remote port mirroring configuration
III. Configuration procedure
1) Configure Switch A (the source device)
# Enter system view.
<Sysname> system-view
# Create a remote source port mirroring group.
[Sysname] mirroring-group 1 remote-source
# Create VLAN 2.
[Sysname] vlan 2
[Sysname-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the remote port mirroring group. Add ports Ethernet 1/1/1 and Ethernet 1/1/2 to the remote port mirroring group as mirroring ports. Configure port Ethernet 1/1/4 as the reflector port.
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 mirroring-port ethernet 1/1/1 ethernet 1/1/2 both
[Sysname] mirroring-group 1 reflector-port ethernet 1/1/4
# Configure port Ethernet 1/1/3 as a trunk port and configure the port to permit the packets of VLAN 2.
[Sysname] interface ethernet 1/1/3
[Sysname-Ethernet1/1/3] port link-type trunk
[Sysname-Ethernet1/1/3] port trunk permit vlan 2
2) Configure Switch B (an intermediate device)
# Create VLAN 2 and disable MAC address learning in it.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-address max-mac-count 0
[Sysname-vlan2] quit
# Configure port Ethernet 1/1/1 as a trunk port and configure the port to permit the packets of VLAN 2.
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port link-type trunk
[Sysname-Ethernet1/1/1] port trunk permit vlan 2
# Configure port Ethernet 1/1/2 as a trunk port and configure the port to permit the packets of VLAN 2.
[Sysname-Ethernet1/1/1] interface ethernet 1/1/2
[Sysname-Ethernet1/1/2] port link-type trunk
[Sysname-Ethernet1/1/2] port trunk permit vlan 2
3) Configure Switch C (the destination device)
# Enter system view.
<Sysname> system-view
# Configure port Ethernet 1/1/1 as a trunk port and configure the port to permit the packets of VLAN 2.
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port link-type trunk
[Sysname-Ethernet1/1/1] port trunk permit vlan 2
[Sysname-Ethernet1/1/1] quit
# Create a remote destination port mirroring group.
[Sysname] mirroring-group 1 remote-destination
# Create VLAN 2 and disable MAC address learning in it. Assign port Ethernet 1/1/2 to it.
[Sysname] vlan 2
[Sysname-vlan2] mac-address max-mac-count 0
[Sysname-vlan2] port ethernet 1/1/2
[Sysname-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the remote destination port mirroring group. Assign port Ethernet 1/1/2 to the remote destination port mirroring group as the monitor port.
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 monitor-port ethernet 1/1/2
After finishing the configuration, you can monitor all the packets received and sent by Host A and Host B on the Server.
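The rules in sections 1.3.1 and 1.3.2 (same probe VLAN at both ends, probe VLAN permitted through intermediate devices, MAC address learning disabled in the probe VLAN, reflector port kept separate) can be checked before a remote mirroring path is relied on for monitoring. The Python checker below is an added example, not part of the H3C manual; the names parse and check_path are hypothetical, it reads only the system-view forms of the mirroring-group commands, and it assumes an intermediate device needs the probe VLAN on two trunk ports.

```python
import re

def parse(commands):
    """Collect mirroring facts from one device's CLI lines (system-view command forms only)."""
    d = {"role": None, "remote-probe": None, "reflector-port": None, "monitor-port": None,
         "mirroring-port": set(), "trunk": {}, "no_mac": set()}
    view = (None, None)  # system view, or ("vlan", id) / ("if", port)
    for line in commands:
        t = line.lower().split() or [""]
        if t[0] in ("quit", "vlan", "interface"):
            view = {"quit": (None, None), "vlan": ("vlan", t[-1]), "interface": ("if", t[-1])}[t[0]]
        elif t == ["mac-address", "max-mac-count", "0"] and view[0] == "vlan":
            d["no_mac"].add(view[1])            # MAC learning disabled in this VLAN
        elif t[:4] == ["port", "trunk", "permit", "vlan"] and view[0] == "if":
            d["trunk"].setdefault(view[1], set()).update(t[4:])
        elif t[0] != "mirroring-group" or len(t) < 3:
            continue                            # not relevant to mirroring
        elif t[2] in ("local", "remote-source", "remote-destination"):
            d["role"] = t[2]
        elif t[2] == "mirroring-port":
            d["mirroring-port"].update(re.findall(r"\d+/\d+/\d+", line))
        elif t[2] in ("remote-probe", "reflector-port", "monitor-port"):
            d[t[2]] = t[-1]                     # VLAN ID or port number is the last token
    return d

def check_path(source, intermediates, destination):
    """Return violations of the remote-mirroring rules from sections 1.3.1 and 1.3.2."""
    src, dst = parse(source), parse(destination)
    hops = {name: parse(cmds) for name, cmds in intermediates.items()}
    vlan, out = src["remote-probe"], []
    if (src["role"], dst["role"]) != ("remote-source", "remote-destination"):
        out.append("group types are not remote-source/remote-destination")
    if vlan is None or vlan != dst["remote-probe"]:
        out.append("probe VLAN differs between source and destination groups")
    if src["reflector-port"] in src["mirroring-port"] | set(src["trunk"]):
        out.append("reflector port doubles as a mirroring or trunk port")
    for name, dev in [*hops.items(), ("destination", dst)]:
        if vlan not in dev["no_mac"]:
            out.append(f"{name}: MAC learning still enabled in probe VLAN")
        # Assumption: a transit switch needs the VLAN on an ingress and an egress trunk.
        if dev is not dst and sum(vlan in v for v in dev["trunk"].values()) < 2:
            out.append(f"{name}: probe VLAN not permitted on two trunk ports")
    return out

# Constructed input: the section 1.5.2 commands, prompts and link-type lines stripped.
SWITCH_A = ["mirroring-group 1 remote-source", "vlan 2", "quit", "mirroring-group 1 remote-probe vlan 2",
            "mirroring-group 1 mirroring-port ethernet 1/1/1 ethernet 1/1/2 both",
            "mirroring-group 1 reflector-port ethernet 1/1/4",
            "interface ethernet 1/1/3", "port trunk permit vlan 2"]
SWITCH_B = ["vlan 2", "mac-address max-mac-count 0", "quit",
            "interface ethernet 1/1/1", "port trunk permit vlan 2",
            "interface ethernet 1/1/2", "port trunk permit vlan 2"]
SWITCH_C = ["interface ethernet 1/1/1", "port trunk permit vlan 2", "quit",
            "mirroring-group 1 remote-destination", "vlan 2", "mac-address max-mac-count 0", "quit",
            "mirroring-group 1 remote-probe vlan 2", "mirroring-group 1 monitor-port ethernet 1/1/2"]
```

Calling check_path(SWITCH_A, {"Switch B": SWITCH_B}, SWITCH_C) returns an empty list for the configuration shown in this section; each returned string names one rule that a modified configuration breaks.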