07-Port Mirroring Configuration
Chapters Download (212.38 KB)
Table of Contents
1 Port Mirroring Configuration
Introduction to Port Mirroring
Classification of Port Mirroring
Configuring Local Port Mirroring for an OLT
Configuring Remote Port Mirroring for an OLT
Configuring a Remote Source Mirroring Group (on the Source Device)
Configuring a Remote Destination Mirroring Group (on the Destination Device)
Configuring Local Port Mirroring for ONUs
Displaying and Maintaining Port Mirroring
Port Mirroring Configuration Examples
Local Port Mirroring Configuration Example for OLTs
Remote Port Mirroring Configuration Example for OLTs
Local Port Mirroring Configuration Example for ONUs
When configuring port mirroring, go to these sections for information you are interested in:
l Introduction to Port Mirroring
l Configuring Local Port Mirroring for an OLT
l Configuring Remote Port Mirroring for an OLT
l Configuring Local Port Mirroring for ONUs
l Displaying and Maintaining Port Mirroring
l Port Mirroring Configuration Examples
Port mirroring is to copy the packets passing through a port (called a mirroring port) to another port (called the monitor port) connected with a monitoring device for packet analysis.
You can select to port-mirror inbound, outbound, or bidirectional traffic on a port as needed.
Port mirroring can be local or remote.
l In local port mirroring, the mirroring ports and the monitor port are located on the same device.
l In remote port mirroring, the mirroring ports and the monitor port can be located on the same device or different devices. Currently, remote port mirroring can be implemented only at Layer 2.
l As a monitor port can monitor multiple ports, it may receive multiple duplicates of a packet in some cases. Suppose that port P 1 is monitoring bidirectional traffic on ports P 2 and P 3 on the same device. If a packet travels from P 2 to P 3, two duplicates of the packet will be received on P 1.
l If you configure to mirror packets in the inbound direction of a port, the tagging state (tagged or untagged) of the mirrored packets keeps unchanged, and the tag of each mirrored packet (if tagged) keeps unchanged; if you configure to mirror packets in the outbound direction of a port, the mirrored packets are always tagged.
Port mirroring is implemented through port mirroring groups. There are three types of mirroring groups: local, remote source, and remote destination.
An S3600 series EPON OLT switch supports up to four port mirroring groups.
The following subsections describe how local port mirroring and remote port mirroring are implemented.
In local port mirroring, all packets passing through a port can be mirrored. Local port mirroring is implemented through a local mirroring group.
As shown in Figure 1-1, packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze.
Figure 1-1 Local port mirroring implementation
Remote port mirroring can mirror all packets but protocol packets.
Remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group as shown in Figure 1-2.
Figure 1-2 Remote port mirroring implementation
Remote mirroring involves the following device roles:
l Source device
The source device is the device where the mirroring ports are located. On it, you must create a remote source mirroring group to hold the mirroring ports.
The source device copies the packets passing through the mirroring ports or ports in the mirroring VLANs, broadcasts the packets in the remote probe VLAN for remote mirroring, and transmits the packets to the next device, which could be an intermediate device (if any) or the destination device.
l Intermediate device
Intermediate devices are devices located in between the source device and the destination device.
An intermediate device forwards mirrored packets to the next intermediate device (if any) or the destination device.
You must ensure that the source device and the destination device can communicate at Layer 2 in the remote probe VLAN.
l Destination device
The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group.
When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote destination mirroring group. If they are the same, the device forwards the packet to the monitoring device through the monitor port.
To make the port mirroring function work properly, before configuring bidirectional traffic mirroring on a port in a mirroring group, you need to use the mac-address mac-learning disable command on the source device, intermediate devices, and destination device to disable the MAC address learning function for the remote probe VLAN. For more information about the mac-address mac-learning disable command, refer to MAC Address Table Commands in the System Volume.
The configuration of local port mirroring on an OLT mainly involves the OLT port and an Ethernet port. Typically, packets received by the OLT port, that is, upstream packets sent by all ONU devices connected to this OLT port, or those sent by the OLT port are mirrored to an Ethernet port, which connects a data monitoring device that is used for packet collection and analysis.
Configuring local port mirroring is to configure local mirroring groups.
A local mirroring group comprises one or multiple mirroring ports and one monitor port. These ports must not have been assigned to any other mirroring group.
Follow these steps to configure a local mirroring group:
|
Use the command… |
Remarks |
||
|
Enter system view |
system-view |
— |
|
|
Create a local mirroring group |
mirroring-group groupid local |
Required |
|
|
Configure mirroring ports |
In system view |
mirroring-group groupid mirroring-port mirroring-port-list { both | inbound | outbound } |
Required In system view, you can configure a list of mirroring ports or mirroring VLANs to the mirroring group at a time. In interface view, you can assign only the current port to the mirroring group. To monitor multiple ports, repeat the step. |
|
In Ethernet port view or OLT port view |
interface interface-type interface-number |
||
|
[ mirroring-group groupid ] mirroring-port { both | inbound | outbound } |
|||
|
quit |
|||
|
Configure the monitor port |
In system view |
mirroring-group groupid monitor-port monitor-port-id |
Required Use either approach. |
|
In interface view |
interface interface-type interface-number |
||
|
[ mirroring-group groupid ] monitor-port |
|||
l You can assign Ethernet ports or OLT ports to a local mirroring group as mirroring ports and monitor ports.
l To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
l You are recommended to use a monitor port only for port mirroring. This is to ensure that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
After you configure remote port mirroring on an OLT, packets received by the OLT port, that is, upstream packets sent by all ONU devices connected to this OLT port, or those sent by the OLT port are sent through an Ethernet port to the monitor port located on a remote device (called destination device). The monitor port further connects a data monitoring device that is used for packet collection and analysis.
Configuring remote port mirroring is to configure remote mirroring groups. When doing that, configure the remote source mirroring group on the source device and the cooperating remote destination mirroring group on the destination device.
Create a static VLAN for the probe VLAN on the source and destination device. To ensure correct packet handling, ensure that the VLANs you created on the two devices use the same ID and function only for remote port mirroring.
A remote source mirroring group comprises the following:
l One or multiple mirroring ports
l A remote probe VLAN.
l An egress port.
After you assign a port to a mirroring group either as a mirroring port or as a monitor port, you cannot assign it to any other mirroring group. The same is true of probe VLANs.
Follow these steps to configure a remote port mirroring group with an egress port:
|
To do… |
Use the command… |
Remarks |
|
|
Enter system view |
system-view |
— |
|
|
Create a remote source mirroring group |
mirroring-group groupid remote-source |
Required |
|
|
Configure mirroring ports |
In system view |
mirroring-group groupid mirroring-port mirroring-port-list { both | inbound | outbound } |
Required In system view, you can assign a list of mirroring ports to the mirroring group at a time. In interface view, you can assign only the current interface to the mirroring group. To monitor multiple ports, repeat the step. |
|
In Ethernet port view or OLT port view |
interface interface-type interface-number |
||
|
[ mirroring-group groupid ] mirroring-port { both | inbound | outbound } |
|||
|
quit |
|||
|
Configure the egress port |
In system view |
mirroring-group groupid monitor-egress monitor-egress-port-id |
Required Use either approach. |
|
In Ethernet port view or OLT port view |
interface interface-type interface-number |
||
|
mirroring-group groupid monitor-egress |
|||
|
quit |
|||
|
Configure the probe VLAN |
mirroring-group groupid remote-probe vlan rprobe-vlan-id |
Required |
|
When configuring the mirroring ports, note that:
l The mirroring ports and the egress port must be located on the same device.
l The mirroring ports can be Ethernet ports or OLT ports.
l To ensure device performance, do not assign the mirroring ports to the remote probe VLAN.
When configuring the egress port, note that:
l The port must not be a mirroring port in the mirroring group.
l To ensure operation of the device, disable these functions on the port: STP, MSTP, RSTP, IGMP Snooping, static ARP, and MAC address learning.
To remove the VLAN configured as a remote probe VLAN, you must remove the remote probe VLAN with undo mirroring-group remote-probe vlan command first. Removing the probe VLAN can invalidate the remote source mirroring group.
A remote destination mirroring group comprises a remote probe VLAN and a monitor port. You must ensure that the remote probe VLAN is the same as the one configured in the remote source mirroring group.
Follow these steps to configure a remote destination port mirroring group:
|
To do… |
Use the command… |
Remarks |
|
|
Enter system view |
system-view |
— |
|
|
Create a remote destination mirroring group |
mirroring-group groupid remote-destination |
Required |
|
|
Configure the remote probe VLAN |
mirroring-group groupid remote-probe vlan rprobe-vlan-id |
Required |
|
|
Configure the monitor port |
In system view |
mirroring-group groupid monitor-port monitor-port-id |
Required Use either approach. |
|
In Ethernet port view or OLT port view |
interface interface-type interface-number |
||
|
[ mirroring-group groupid ] monitor-port |
|||
|
quit |
|||
|
Enter the interface view of the monitor port |
interface interface-type interface-number |
— |
|
|
Assign the port to the probe VLAN |
For an access port |
port access vlan rprobe-vlan-id |
Required Use one of the commands depending on the link type of the monitor port. |
|
For a trunk port |
port trunk permit vlan rprobe-vlan-id |
||
|
For a hybrid port |
port hybrid vlan rprobe-vlan-id { tagged | untagged } |
||
When configuring the probe VLAN, use the following guidelines:
l A VLAN can be the remote probe VLAN of only one port mirroring group.
l To remove the VLAN configured as the remote probe VLAN, you must remove the remote probe VLAN with undo mirroring-group remote-probe vlan command first. Removing the probe VLAN can invalidate the remote source mirroring group.
When configuring the monitor port, use the following guidelines:
l The port can belong to only the current mirroring group.
l Disable these functions on the port: STP, MSTP, and RSTP.
l You are recommended to use a monitor port only for port mirroring. This is to ensure that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
In an EPON system, an OLT can remotely manage and maintain ONUs. An S3600 series EPON OLT switch can configure local port mirroring for ONUs to mirror the incoming or outgoing traffic on an UNI of an ONU to another UNI of the ONU.
Follow these steps to configure local port mirroring for UNIs:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter ONU port view |
interface interface-type interface-number |
— |
|
Configure a mirroring port and the traffic direction to be monitored |
uni uni-number mirroring-port { both | inbound | outbound } |
Required |
|
Configure the monitor port |
uni uni-number monitor-port |
Required Once a port is configured to be the monitor port for port mirroring, the port no longer forwards normal traffic; instead, it starts to forward only the copied traffic. |
When a UNI is configured as the monitor port for port mirroring, it is recommended that you set the VLAN operation mode of the port to transparent so that it will forward packet without making any change. For details, refer to EPON-OLT Configuration.
|
To do… |
Use the command… |
Remarks |
|
Display the configuration of port mirroring groups |
display mirroring-group { groupid | all | local | remote-destination | remote-source } |
Available in any view |
On the network shown in Figure 1-3:
l OLT port OLT 1/0/1 of Device A (an S3600 EPON OLT switch) connects a POS device, which further connects multiple ONUs. Each ONU has end users connected.
l A data monitoring device, Server in the network diagram, is connected to Switch A through GigabitEthernet 1/1/1.
l Configure local port mirroring on Device A to mirror all packets received by OLT 1/0/1 to GigabitEthernet 1/1/1, so that the network administrator can monitor and analyze the uplink data of all ONUs on Server.
Figure 1-3 Network diagram for local port mirroring configuration on an OLT
# Enter system view.
<DeviceA> system-view
# Create a local mirroring group.
[DeviceA] mirroring-group 1 local
# Configure port OLT 1/0/1 as a mirroring port and port GigabitEthernet 1/1/1 as the monitor port in the mirroring group, and specify that packets received by port OLT 1/0/1 be mirrored.
[DeviceA] mirroring-group 1 mirroring-port Olt 1/0/1 inbound
[DeviceA] mirroring-group 1 monitor-port GigabitEthernet 1/1/1
# Display the configuration of all port mirroring groups.
[DeviceA] display mirroring-group all
mirroring-group 1:
type: local
status: active
mirroring port:
Olt1/0/1 inbound
monitor port: GigabitEthernet1/1/1
After the above configurations are completed, you can monitor on Server the uplink data of all ONUs connected to OLT 1/0/1.
On the network shown in Figure 1-4,
l OLT port OLT 1/0/1 of Device A (an S3600 EPON OLT switch) connects a POS device, which further connects multiple ONUs. Each ONU has end users connected.
l The trunk port GigabitEthernet 1/1/1 on Device A connects to the trunk port GigabitEthernet 1/1/1 on Device B.
l The trunk port GigabitEthernet 1/1/3 on Device B connects to the trunk port GigabitEthernet 1/1/1 on Device C.
l Server connects to port GigabitEthernet 1/1/3 of Device C.
To monitor the packets received or sent by port OLT 1/0/1 on Server, configure remote port mirroring as follows:
l On Device A, create a remote source mirroring group, use VLAN 2 as the remote probe VLAN, configure port OLT 1/0/1 as a mirroring port, and configure port GigabitEthernet 1/1/1 as the egress port.
l Configure port GigabitEthernet1/1/1 on Device A, ports GigabitEthernet 1/1/1 and GigabitEthernet 1/1/3 on Device B, and port GigabitEthernet 1/1/1 on Device C as trunk ports and configure them to permit the packets of VLAN 2 to pass through.
l Create a remote destination mirroring group on Device C. Configure VLAN 2 as the remote probe VLAN and port GigabitEthernet 1/1/3, to which the server is connected as the monitor port.
Figure 1-4 Network diagram for remote port mirroring configuration on an OLT
1) Configure Device A (the source device)
# Enter system view.
<DeviceA> system-view
# Create a remote source mirroring group.
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the mirroring group. Configure port OLT 1/0/1 as a mirroring port and port GigabitEthernet 1/1/1 as the egress port in the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port Olt 1/0/1 both
[DeviceA] mirroring-group 1 monitor-egress GigabitEthernet 1/1/1
# Configure port GigabitEthernet 1/1/1 as a trunk port that permits the packets of VLAN 2 to pass through.
[DeviceA] interface GigabitEthernet 1/1/1
[DeviceA-GigabitEthernet1/1/1] port link-type trunk
[DeviceA-GigabitEthernet1/1/1] port trunk permit vlan 2
2) Configure Device B (the intermediate device)
# Enter system view.
<DeviceB> system-view
# Configure port GigabitEthernet 1/1/1 as a trunk port that permits the packets of VLAN 2 to pass through.
[DeviceB] interface GigabitEthernet 1/1/1
[DeviceB-GigabitEthernet1/1/1] port link-type trunk
[DeviceB-GigabitEthernet1/1/1] port trunk permit vlan 2
# Configure port GigabitEthernet 1/1/3 as a trunk port that permits the packets of VLAN 2 to pass through.
[DeviceB-GigabitEthernet1/1/1] interface GigabitEthernet 1/1/3
[DeviceB-GigabitEthernet1/1/3] port link-type trunk
[DeviceB-GigabitEthernet1/1/3] port trunk permit vlan 2
3) Configure Device C (the destination device)
# Enter system view.
<DeviceC> system-view
# Configure port GigabitEthernet 1/1/1 as a trunk port that permits the packets of VLAN 2 to pass through.
[DeviceC] interface GigabitEthernet 1/1/1
[DeviceC-GigabitEthernet1/1/1] port link-type trunk
[DeviceC-GigabitEthernet1/1/1] port trunk permit vlan 2
[DeviceC-GigabitEthernet1/1/1] quit
# Create a remote destination mirroring group.
[DeviceC] mirroring-group 1 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the mirroring group. Assign port GigabitEthernet 1/1/3 to the mirroring group as the monitor port.
[DeviceC] mirroring-group 1 remote-probe vlan 2
[DeviceC] interface GigabitEthernet 1/1/3
[DeviceC-GigabitEthernet1/1/3] mirroring-group 1 monitor-port
[DeviceC-GigabitEthernet1/1/3] port access vlan 2
After the above configurations are completed, you can monitor all the packets received and sent by port OLT 1/0/1 of Device A on Server.
On the network shown in Figure 1-5:
l OLT 1/0/1 of Device A (an S3600 EPON OLT switch) is connected to Onu 1/0/1:1 of an ONU. The ONU is connected to hosts and a server (a data monitoring device).
l Host A, Host B, and Server are connected to UNI 1, UNI 2, and UNI 3 of the ONU respectively.
l On Device A, remotely configure local port mirroring for the ONU to mirror the traffic received on UNI 1 to UNI 3, so that Server can collect all traffic sent by Host A.
Figure 1-5 Network diagram for local port mirroring configuration on an ONU
# Enter system view.
<DeviceA> system-view
# Enter ONU port view.
[DeviceA] interface Onu 1/0/1:1
# Configure UNI 1 as a mirroring port for local port mirroring and specify that traffic received on UNI 1 be mirrored.
[DeviceA] uni 1 mirroring-port inbound
# Configure UNI 3 as the monitor port for local port mirroring.
[DeviceA] uni 3 monitor-port
After the configuration above, you can monitor all the packets that Host A sends on Server.
