Table of Contents

1 Mirroring Configuration· 1-1

Mirroring Overview· 1-1

Local Port Mirroring· 1-1

Remote Port Mirroring· 1-2

Traffic Mirroring· 1-3

Mirroring Configuration· 1-3

Configuring Local Port Mirroring· 1-4

Configuring Remote Port Mirroring· 1-5

Displaying and Maintaining Port Mirroring· 1-8

Mirroring Configuration Examples· 1-8

Local Port Mirroring Configuration Example· 1-8

Remote Port Mirroring Configuration Example· 1-9

 

When configuring mirroring, go to these sections for information you are interested in:

l          Mirroring Overview

l          Mirroring Configuration

l          Displaying and Maintaining Port Mirroring

l          Mirroring Configuration Examples

Mirroring Overview

Mirroring is to duplicate packets from a port to another port connected with a data monitoring device for network monitoring and diagnosis.

The port where packets are duplicated is called the source mirroring port or monitored port and the port to which duplicated packets are sent is called the destination mirroring port or the monitor port, as shown in the following figure.

Figure 1-1 Mirroring

 

The S3600 series Ethernet switches support three types of port mirroring:

l          Local Port Mirroring

l          Remote Port Mirroring

l          Traffic Mirroring

They are described in the following sections.

Local Port Mirroring

In local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In this case, the source ports and the destination port must be located on the same device.

Remote Port Mirroring

Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently.

To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is used. All mirrored packets are sent from the reflector port of the source switch to the monitor port on the destination switch through the remote-probe VLAN. Figure 1-2 illustrates the implementation of remote port mirroring.

Figure 1-2 Remote port mirroring application

 

The switches involved in remote port mirroring function as follows:

l          Source switch

The source switch is the device where the monitored port is located. It copies traffic passing through the monitored port to the reflector port. The reflector port then transmits the traffic to an intermediate switch (if any) or destination switch through the remote-probe VLAN.

l          Intermediate switch

Intermediate switches are switches between the source switch and destination switch on the network. An intermediate switch forwards mirrored traffic flows to the next intermediate switch or the destination switch through the remote-probe VLAN. No intermediate switch is present if the source and destination switches directly connect to each other.

l          Destination switch

The destination switch is where the monitor port is located. The destination switch forwards the mirrored traffic flows it received from the remote-probe VLAN to the monitoring device through the destination port.

Table 1-1 describes how the ports on various switches are involved in the mirroring operation.

Table 1-1 Ports involved in the mirroring operation

Switch	Ports involved	Function
Source switch	Source port	Port monitored. It copies packets to the reflector port through local port mirroring. There can be more than one source port.
	Reflector port	Receives packets from the source port and broadcasts the packets in the remote-probe VLAN.
	Trunk port	Sends mirrored packets to the intermediate switch or the destination switch.
Intermediate switch	Trunk port	Sends mirrored packets to the destination switch. Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side.
Destination switch	Trunk port	Receives remote mirrored packets.
	Destination port	Receives packets forwarded from the trunk port and transmits the packets to the data detection device.

 

 

Traffic Mirroring

Traffic mirroring uses ACL to monitor traffic that matches certain criteria on a specific port. Unlike port mirroring where all inbound/outbound traffic passing through a port is monitored, traffic mirroring provides a finer monitoring granularity. For detailed configuration about traffic mirroring, refer to QoS-QoS Profile Operation.

Mirroring Configuration

Complete the following tasks to configure mirroring:

Task	Remarks
Configuring Local Port Mirroring	Optional
Configuring Remote Port Mirroring	Optional

 

 

Configuring Local Port Mirroring

Configuration prerequisites

l          The source port is determined and the direction in which the packets are to be mirrored is determined.

l          The destination port is determined.

Configuration procedure

Follow these steps to configure port mirroring on S3600-EI series Ethernet switches:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Create a port mirroring group		mirroring-group group-id local	Required
Configure the source port for the port mirroring group	In system view	mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }	Use either approach You can configure multiple source ports at a time in system view, or you can configure the source port in specific port view. The configurations in the two views have the same effect.
	In port view	interface interface-type interface-number
		mirroring-group group-id mirroring-port { both | inbound | outbound }
		quit
Configure the destination port for the port mirroring group	In system view	mirroring-group group-id monitor-port monitor-port-id	Use either approach The configurations in the two views have the same effect.
	In port view	interface interface-type interface-number
		mirroring-group group-id monitor-port

 

Follow these steps to configure local port mirroring on S3600-SI series Ethernet switches:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Configuring the source port for port mirroring	Enter Ethernet port view	interface interface-type interface-number	—
	Configure the current port as the source port	mirroring-port { both | inbound | outbound }	Required
	Return to system view	quit	—
Configure the destination port for port mirroring	Enter Ethernet port view	interface interface-type interface-number	—
	Configure the current port as the destination port	monitor-port	Required

 

When configuring local port mirroring, note that:

l          You need to configure the source and destination ports for the local port mirroring to take effect.

l          The source port and the destination port cannot be a fabric port or a member port of an existing mirroring group; besides, the destination port cannot be a member port of an aggregation group or a port enabled with LACP or STP.

Configuring Remote Port Mirroring

 

 

Configuration on a switch acting as a source switch

1)        Configuration prerequisites

l          The source port, the reflector port, and the remote-probe VLAN are determined.

l          Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.

l          The direction of the packets to be monitored is determined.

2)        Configuration procedure

Follow these steps to perform configurations on the source switch:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Create a VLAN and enter the VLAN view	vlan vlan-id	vlan-id is the ID of the remote-probe VLAN.
Configure the current VLAN as the remote-probe VLAN	remote-probe vlan enable	Required
Return to system view	quit	—
Enter the view of the Ethernet port that connects to the intermediate switch or destination switch	interface interface-type interface-number	—
Configure the current port as trunk port	port link-type trunk	Required By default, the port type is Access.
Configure the trunk port to permit packets from the remote-probe VLAN	port trunk permit vlan remote-probe-vlan-id	Required
Return to system view	quit	—
Create a remote source mirroring group	mirroring-group group-id remote-source	Required
Configure source port(s) for the remote source mirroring group	mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }	Required
Configure the reflector port for the remote source mirroring group	mirroring-group group-id reflector-port reflector-port	Required
Configure the remote-probe VLAN for the remote source mirroring group	mirroring-group group-id remote-probe vlan remote-probe-vlan-id	Required

 

When configuring the source switch, note that:

l          All ports of a remote source mirroring group are on the same device. Each remote source mirroring group can be configured with only one reflector port.

l          The reflector port cannot be a member port of an existing mirroring group, a fabric port, a member port of an aggregation group, or a port enabled with LACP or STP. It must be an access port and cannot be configured with functions like VLAN-VPN, port loopback detection, packet filtering, QoS, port security, and so on.

l          You cannot modify the duplex mode, port rate, and MDI attribute of a reflector port.

l          Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group gets invalid if the corresponding remote port mirroring VLAN is removed.

l          Do not configure a port connecting the intermediate switch or destination switch as the mirroring source port. Otherwise, traffic disorder may occur in the network.

Configuration on a switch acting as an intermediate switch

1)        Configuration prerequisites

l          The trunk ports and the remote-probe VLAN are determined.

l          Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.

2)        Configuration procedure

Follow these steps to perform configurations on the intermediate switch:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Create a VLAN and enter VLAN view	vlan vlan-id	vlan-id is the ID of the remote-probe VLAN.
Configure the current VLAN as the remote-probe VLAN	remote-probe vlan enable	Required
Return to system view	quit	—
Enter the view of the Ethernet port connecting to the source switch, destination switch or other intermediate switch	interface interface-type interface-number	—
Configure the current port as trunk port	port link-type trunk	Required By default, the port type is Access.
Configure the trunk port to permit packets from the remote-probe VLAN	port trunk permit vlan remote-probe-vlan-id	Required

 

Note that an S3600 series Ethernet switch acting as the intermediate switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword).

Configuration on a switch acting as a destination switch

1)        Configuration prerequisites

l          The destination port and the remote-probe VLAN are determined.

l          Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.

2)        Configuration procedure

Follow these steps to configure remote port mirroring on the destination switch:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Create a VLAN and enter VLAN view	vlan vlan-id	vlan-id is the ID of the remote-probe VLAN.
Configure the current VLAN as a remote-probe VLAN	remote-probe vlan enable	Required
Return to system view	quit	—
Enter the view of the Ethernet port connecting to the source switch or an intermediate switch	interface interface-type interface-number	—
Configure the current port as trunk port	port link-type trunk	Required By default, the port type is Access.
Configure trunk port to permit packets from the remote-probe VLAN	port trunk permit vlan remote-probe-vlan-id	Required
Return to system view	quit	—
Create a remote destination mirroring group	mirroring-group group-id remote-destination	Required
Configure the destination port for the remote destination mirroring group	mirroring-group group-id monitor-port monitor-port	Required
Configure the remote-probe VLAN for the remote destination mirroring group	mirroring-group group-id remote-probe vlan remote-probe-vlan-id	Required

 

When configuring a destination switch, note that:

l          An S3600 series Ethernet switch acting as the destination switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword).

l          The destination port of remote port mirroring cannot be a member port of an existing mirroring group, a fabric port, a member port of an aggregation group, or a port enabled with LACP or STP.

l          Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group gets invalid if the corresponding remote port mirroring VLAN is removed.

Displaying and Maintaining Port Mirroring

To do…	Use the command…	Remarks
Display port mirroring configuration on an S3600-EI series Ethernet switch	display mirroring-group { group-id | all | local | remote-destination | remote-source }	Available in any view
Display port mirroring configuration on an S3600-SI series Ethernet switch	display mirror

 

Mirroring Configuration Examples

Local Port Mirroring Configuration Example

Network requirements

The departments of a company connect to each other through S3600-EI Ethernet switches:

l          Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.

l          Marketing department is connected to Switch C through Ethernet 1/0/2.

l          Data detection device is connected to Switch C through Ethernet 1/0/3

The administrator wants to monitor the packets received on and sent from the R&D department and the marketing department through the data detection device.

Use the local port mirroring function to meet the requirement. Perform the following configurations on Switch C.

l          Configure Ethernet 1/0/1 and Ethernet 1/0/2 as mirroring source ports.

l          Configure Ethernet 1/0/3 as the mirroring destination port.

Network diagram

Figure 1-3 Network diagram for local port mirroring

 

Configuration procedure

Configure Switch C:

# Create a local mirroring group.

<Sysname> system-view

[Sysname] mirroring-group 1 local

# Configure the source ports and destination port for the local mirroring group.

[Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 both

[Sysname] mirroring-group 1 monitor-port Ethernet 1/0/3

# Display configuration information about local mirroring group 1.

[Sysname] display mirroring-group 1

mirroring-group 1:

    type: local

    status: active

    mirroring port:

        Ethernet1/0/1  both

        Ethernet1/0/2  both

    monitor port: Ethernet1/0/3

After the configurations, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device.

Remote Port Mirroring Configuration Example

Network requirements

The departments of a company connect to each other through S3600-EI Ethernet switches:

l          Switch A, Switch B, and Switch C are S3600-EI series switches.

l          Department 1 is connected to Ethernet 1/0/1 of Switch A.

l          Department 2 is connected to Ethernet 1/0/2 of Switch A.

l          Ethernet 1/0/3 of Switch A connects to Ethernet 1/0/1 of Switch B.

l          Ethernet 1/0/2 of Switch B connects to Ethernet 1/0/1 of Switch C.

l          The data detection device is connected to Ethernet 1/0/2 of Switch C.

The administrator wants to monitor the packets sent from Department 1 and 2 through the data detection device.

Use the remote port mirroring function to meet the requirement. Perform the following configurations:

l          Use Switch A as the source switch, Switch B as the intermediate switch, and Switch C as the destination switch.

l          On Switch A, create a remote source mirroring group, configure VLAN 10 as the remote-probe VLAN, ports Ethernet 1/0/1 and Ethernet 1/0/2 as the source ports, and port Ethernet 1/0/4 as the reflector port.

l          On Switch B, configure VLAN 10 as the remote-probe VLAN.

l          Configure Ethernet 1/0/3 of Switch A, Ethernet 1/0/1 and Ethernet 1/0/2 of Switch B, and Ethernet 1/0/1 of Switch C as trunk ports, allowing packets of VLAN 10 to pass.

l          On Switch C, create a remote destination mirroring group, configure VLAN 10 as the remote-probe VLAN, and configure Ethernet 1/0/2 connected with the data detection device as the destination port.

Network diagram

Figure 1-4 Network diagram for remote port mirroring

 

Configuration procedure

1)        Configure the source switch (Switch A)

# Create remote source mirroring group 1.

<Sysname> system-view

[Sysname] mirroring-group 1 remote-source

# Configure VLAN 10 as the remote-probe VLAN.

[Sysname] vlan 10

[Sysname-vlan10] remote-probe vlan enable

[Sysname-vlan10] quit

# Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring group.

[Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 inbound

[Sysname] mirroring-group 1 reflector-port Ethernet 1/0/4

[Sysname] mirroring-group 1 remote-probe vlan 10

# Configure Ethernet 1/0/3 as trunk port, allowing packets of VLAN 10 to pass.

[Sysname] interface Ethernet 1/0/3

[Sysname-Ethernet1/0/3] port link-type trunk

[Sysname-Ethernet1/0/3] port trunk permit vlan 10

[Sysname-Ethernet1/0/3] quit

# Display configuration information about remote source mirroring group 1.

[Sysname] display mirroring-group 1

mirroring-group 1:

    type: remote-source

    status: active

    mirroring port:

        Ethernet1/0/1  inbound

        Ethernet1/0/2  inbound

    reflector port: Ethernet1/0/4

    remote-probe vlan: 10

2)        Configure the intermediate switch (Switch B)

# Configure VLAN 10 as the remote-probe VLAN.

<Sysname> system-view

[Sysname] vlan 10

[Sysname-vlan10] remote-probe vlan enable

[Sysname-vlan10] quit

# Configure Ethernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port link-type trunk

[Sysname-Ethernet1/0/1] port trunk permit vlan 10

[Sysname-Ethernet1/0/1] quit

# Configure Ethernet 1/0/2 as the trunk port, allowing packets of VLAN 10 to pass.

[Sysname] interface Ethernet 1/0/2

[Sysname-Ethernet1/0/2] port link-type trunk

[Sysname-Ethernet1/0/2] port trunk permit vlan 10

3)        Configure the destination switch (Switch C)

# Create remote destination mirroring group 1.

<Sysname> system-view

[Sysname] mirroring-group 1 remote-destination

# Configure VLAN 10 as the remote-probe VLAN.

[Sysname] vlan 10

[Sysname-vlan10] remote-probe vlan enable

[Sysname-vlan10] quit

# Configure the destination port and remote-probe VLAN for the remote destination mirroring group.

[Sysname] mirroring-group 1 monitor-port Ethernet 1/0/2

[Sysname] mirroring-group 1 remote-probe vlan 10

# Configure Ethernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port link-type trunk

[Sysname-Ethernet1/0/1] port trunk permit vlan 10

[Sysname-Ethernet1/0/1] quit

# Display configuration information about remote destination mirroring group 1.

[Sysname] display mirroring-group 1

mirroring-group 1:

    type: remote-destination

    status: active

    monitor port: Ethernet1/0/2

    remote-probe vlan: 10

After the configurations, you can monitor all packets sent from Department 1 and 2 on the data detection device.