12-Port Mirroring Configuration
Table of Contents
1 Port Mirroring Configuration
Introduction to Port Mirroring
Classification of Port Mirroring
Configuring Local Port Mirroring
Configuring Remote Port Mirroring
Configuring a Remote Source Mirroring Group (on the Source Device)
Configuring a Remote Destination Mirroring Group (on the Destination Device)
Displaying and Maintaining Port Mirroring
Port Mirroring Configuration Examples
Local Port Mirroring Configuration Example
Remote Port Mirroring Configuration Example
When configuring port mirroring, go to these sections for the information you are interested in:
- Introduction to Port Mirroring
- Configuring Local Port Mirroring
- Configuring Remote Port Mirroring
- Displaying and Maintaining Port Mirroring
- Port Mirroring Configuration Examples
Introduction to Port Mirroring
Port mirroring copies the packets passing through a port (called the mirroring port) to another port (called the monitor port), which is connected to a monitoring device for packet analysis.
You can choose to mirror inbound, outbound, or bidirectional traffic on a port or VLAN as needed.
Classification of Port Mirroring
Port mirroring can be local or remote.
- In local port mirroring, the mirroring port or ports and the monitor port are located on the same device.
- In remote port mirroring, the mirroring port or ports and the monitor port can be located on the same device or on different devices. Currently, remote port mirroring can be implemented only at Layer 2.
Because a monitor port can monitor multiple ports, it may receive multiple duplicates of a packet in some cases. Suppose that port P1 is monitoring bidirectional traffic on ports P2 and P3 on the same device. If a packet travels from P2 to P3, two duplicates of the packet are received on P1: one mirrored as it enters P2 and one mirrored as it leaves P3.
Port mirroring is implemented through port mirroring groups. There are three types of mirroring groups: local, remote source, and remote destination.
The following subsections describe how local port mirroring and remote port mirroring are implemented.
In local port mirroring, all packets (including protocol packets and data packets) passing through a port can be mirrored. Local port mirroring is implemented through a local mirroring group.
As shown in Figure 1-1, packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze.
Figure 1-1 Local port mirroring implementation
Remote port mirroring can mirror all packets except protocol packets.
Remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group as shown in Figure 1-2.
Figure 1-2 Remote port mirroring implementation
Remote mirroring involves the following device roles:
- Source device
The source device is the device where the mirroring ports are located. On it, you must create a remote source mirroring group to hold the mirroring ports.
The source device copies the packets passing through the mirroring ports, broadcasts the copies in the remote probe VLAN, and transmits them to the next device, which is either an intermediate device (if any) or the destination device.
- Intermediate device
Intermediate devices are the devices located between the source device and the destination device.
An intermediate device forwards mirrored packets to the next intermediate device (if any) or to the destination device.
You must ensure that the source device and the destination device can communicate at Layer 2 in the remote probe VLAN.
- Destination device
The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group.
When it receives a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote destination mirroring group. If they are the same, the device forwards the packet to the monitoring device through the monitor port.
Note the following:
- Because the packets of the mirroring ports are broadcast in the remote probe VLAN created on the source device, you can also obtain local port mirroring by assigning other ports on the source device to the remote probe VLAN.
- To monitor both the received and sent packets of a port in a mirroring group, you must disable MAC address learning for the remote probe VLAN on the intermediate devices. Otherwise, port mirroring may not function normally.
For a mirrored packet to arrive at the remote destination device, you must ensure that the VLAN ID carried in the packet is correct (that is, the same as the probe VLAN ID). If the VLAN is removed or the VLAN ID is changed, the remote port mirroring configuration becomes invalid.
An S5810 series switch supports up to two mirroring groups. These two mirroring groups can be:
- A local mirroring group and a remote destination mirroring group.
- A remote source mirroring group and a remote destination mirroring group.
Configuring Local Port Mirroring
Configuring local port mirroring means configuring local mirroring groups.
A local mirroring group comprises one or multiple mirroring ports and one monitor port. These ports must not have been assigned to any other mirroring group.
Follow these steps to configure a local mirroring group:
1. Enter system view.
   Command: system-view
2. Create a local mirroring group.
   Command: mirroring-group group-id local
   Remarks: Required.
3. Configure mirroring ports.
   In system view: mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }
   In interface view: interface interface-type interface-number, then [ mirroring-group group-id ] mirroring-port { both | inbound | outbound }, then quit
   Remarks: Required. In system view, you can assign a list of mirroring ports to the mirroring group at a time. In interface view, you can assign only the current port to the mirroring group; to monitor multiple ports, repeat the step.
4. Configure the monitor port. Use either approach.
   In system view: mirroring-group group-id monitor-port monitor-port-id
   In interface view: interface interface-type interface-number, then [ mirroring-group group-id ] monitor-port
   Remarks: Required.
- A local mirroring group takes effect only after you configure a monitor port and mirroring ports for it.
- To ensure the smooth operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
- A port can belong to only one mirroring group.
- It is recommended that you use a monitor port only for port mirroring. This ensures that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
Configuring Remote Port Mirroring
Configuring remote port mirroring means configuring remote mirroring groups: configure the remote source mirroring group on the source device and the cooperating remote destination mirroring group on the destination device.
If GVRP is enabled, GVRP may register the remote probe VLAN to unexpected ports, resulting in undesired duplicates. For information on GVRP, refer to GVRP Configuration in the Access Volume.
Create a static VLAN to serve as the probe VLAN on both the source and the destination device. To ensure correct packet handling, make sure that the VLANs you create on the two devices use the same ID and are used only for remote port mirroring.
Configuring a Remote Source Mirroring Group (on the Source Device)
A remote source mirroring group comprises the following:
- One or multiple mirroring ports.
- A remote probe VLAN.
- A reflector port.
After you assign a port to a mirroring group, either as a mirroring port or as a monitor port, you cannot assign it to any other mirroring group. The same is true of probe VLANs.
Follow these steps to configure a remote source mirroring group:
1. Enter system view.
   Command: system-view
2. Create a remote source mirroring group.
   Command: mirroring-group group-id remote-source
   Remarks: Required.
3. Configure mirroring ports.
   In system view: mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound }
   In interface view: interface interface-type interface-number, then [ mirroring-group group-id ] mirroring-port { both | inbound | outbound }, then quit
   Remarks: Required. In system view, you can assign a list of mirroring ports to the mirroring group at a time. In interface view, you can assign only the current interface to the mirroring group; to monitor multiple ports, repeat the step.
4. Configure the reflector port. Use either approach.
   In system view: mirroring-group group-id reflector-port reflector-port-id
   In interface view: interface interface-type interface-number, then mirroring-group group-id reflector-port, then quit
   Remarks: Required.
5. Configure the remote probe VLAN.
   Command: mirroring-group group-id remote-probe vlan rprobe-vlan-id
   Remarks: Required.
When configuring the mirroring ports, note that:
- The mirroring ports and the reflector port must be located on the same device.
- To ensure device performance, do not assign the mirroring ports to the remote probe VLAN.
When configuring the reflector port, note that:
- The port must not be a mirroring port in the mirroring group or a monitor port for traffic mirroring.
- The port must be an access port that belongs to the default VLAN.
- Do not configure port loopback on the port.
- You can configure a port as a reflector port only when the port is operating with the default duplex mode, port rate, and MDI setting. In addition, you cannot change these settings after the port is configured as a reflector port.
- To ensure operation of the device, do not connect a network cable to the port, and disable these functions on the port: STP, MSTP, RSTP, IGMP Snooping, static ARP, and MAC address learning.
- For a remote source mirroring group, you can configure multiple mirroring ports; however, you can configure only one reflector port.
- To remove the VLAN configured as the remote probe VLAN, you must first remove it from the mirroring group with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group.
- It is recommended that you use a remote probe VLAN exclusively for mirroring.
- A port can belong to only one mirroring group.
Configuring a Remote Destination Mirroring Group (on the Destination Device)
A remote destination mirroring group comprises a remote probe VLAN and a monitor port. You must ensure that the remote probe VLAN is the same as the one configured in the remote source mirroring group.
Follow these steps to configure a remote destination mirroring group:
1. Enter system view.
   Command: system-view
2. Create a remote destination mirroring group.
   Command: mirroring-group group-id remote-destination
   Remarks: Required.
3. Configure the remote probe VLAN.
   Command: mirroring-group group-id remote-probe vlan rprobe-vlan-id
   Remarks: Required.
4. Configure the monitor port. Use either approach.
   In system view: mirroring-group group-id monitor-port monitor-port-id
   In interface view: interface interface-type interface-number, then [ mirroring-group group-id ] monitor-port, then quit
   Remarks: Required.
5. Enter the interface view of the monitor port.
   Command: interface interface-type interface-number
6. Assign the port to the probe VLAN. Use the command that matches the link type of the monitor port.
   For an access port: port access vlan rprobe-vlan-id
   For a trunk port: port trunk permit vlan rprobe-vlan-id
   For a hybrid port: port hybrid vlan rprobe-vlan-id { tagged | untagged }
   Remarks: Required.
When configuring the probe VLAN, use the following guidelines:
- A VLAN can be the remote probe VLAN of only one port mirroring group.
- It is recommended that you use a remote probe VLAN exclusively for mirroring.
- To remove the VLAN configured as the remote probe VLAN, you must first remove it from the mirroring group with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group.
When configuring the monitor port, use the following guidelines:
- To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
- It is recommended that you use a monitor port only for port mirroring. This ensures that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
- A port can belong to only one mirroring group.
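The guidelines for local, remote source and remote destination groups above (a port belongs to one group, each group type needs certain parts, the reflector port is not a mirroring port, one probe VLAN per group, and the two group combinations the S5810 supports) can be checked before a configuration is pushed. The following script is an added example, not part of this manual; it parses mirroring-group commands written in the syntax of this chapter (port names with or without the space) over a constructed sample configuration and reports the violations it finds.

```python
import re
from collections import defaultdict
# Constructed sample configuration (made-up group ids, ports and VLAN);
# GigabitEthernet 1/0/2 is deliberately placed in two groups.
SAMPLE_CONFIG = """\
mirroring-group 1 remote-source
mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 both
mirroring-group 1 reflector-port GigabitEthernet 1/0/4
mirroring-group 1 remote-probe vlan 2
mirroring-group 2 local
mirroring-group 2 mirroring-port GigabitEthernet1/0/2 inbound
mirroring-group 2 monitor-port GigabitEthernet1/0/5
"""
PORT = re.compile(r"(?:GigabitEthernet|Ethernet) ?\S+")
ports_in = lambda s: [p.replace(" ", "") for p in PORT.findall(s)]  # spaceless display form
# Parts each group type needs, and the two-group combinations the S5810 supports.
REQUIRED = {"local": ("mirroring", "monitor"), "remote-destination": ("monitor", "vlan"),
            "remote-source": ("mirroring", "reflector", "vlan")}
ALLOWED_PAIRS = {frozenset({"local", "remote-destination"}), frozenset({"remote-source", "remote-destination"})}

def parse_groups(config):
    groups = defaultdict(lambda: {"type": None, "mirroring": set(), "monitor": None,
                                  "reflector": None, "vlan": None})
    for line in config.splitlines():
        m = re.match(r"mirroring-group (\d+) (.+)", line.strip())
        if not m:
            continue
        g, rest = groups[m.group(1)], m.group(2)
        if rest in REQUIRED:
            g["type"] = rest
        elif rest.startswith("mirroring-port"):
            g["mirroring"].update(ports_in(rest))
        elif rest.startswith(("monitor-port", "reflector-port")):
            g[rest.split("-")[0]] = ports_in(rest)[0]
        elif rest.startswith("remote-probe vlan"):
            g["vlan"] = int(rest.split()[-1])
    return dict(groups)

def check_groups(groups):
    """Return the guideline violations found; an empty list means none."""
    problems, owner = [], {}
    for gid, g in groups.items():
        for p in g["mirroring"] | {p for p in (g["monitor"], g["reflector"]) if p}:
            if owner.setdefault(p, gid) != gid:    # a port belongs to only one group
                problems.append(f"{p} belongs to groups {owner[p]} and {gid}")
        if any(not g[k] for k in REQUIRED.get(g["type"], ())):
            problems.append(f"group {gid}: {g['type']} group is incomplete")
        if g["reflector"] in g["mirroring"]:
            problems.append(f"group {gid}: reflector port is also a mirroring port")
    vlans = [g["vlan"] for g in groups.values() if g["vlan"]]
    if len(vlans) != len(set(vlans)):
        problems.append("a VLAN is the remote probe VLAN of more than one group")
    types = frozenset(g["type"] for g in groups.values())
    if len(groups) > 2 or (len(groups) == 2 and types not in ALLOWED_PAIRS):
        problems.append(f"unsupported group combination on the S5810: {sorted(map(str, types))}")
    return problems
```

Running check_groups(parse_groups(SAMPLE_CONFIG)) reports the shared port and the unsupported local plus remote-source combination.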
Displaying and Maintaining Port Mirroring
To display the configuration of port mirroring groups, use the display mirroring-group { group-id | all | local | remote-destination | remote-source } command. The command is available in any view.
Port Mirroring Configuration Examples
Local Port Mirroring Configuration Example
The departments of a company connect to each other through Ethernet switches:
- The Research and Development (R&D) department is connected to Switch C through GigabitEthernet 1/0/1.
- The Marketing department is connected to Switch C through GigabitEthernet 1/0/2.
- The data monitoring device is connected to Switch C through GigabitEthernet 1/0/3.
As shown in Figure 1-3, the administrator wants to monitor the packets received on and sent from the R&D department and the Marketing department through the data monitoring device.
Use the local port mirroring function to meet the requirement. Perform the following configuration on Switch C:
- Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring source ports.
- Configure GigabitEthernet 1/0/3 as the mirroring destination port.
Figure 1-3 Network diagram for local port mirroring configuration
Configure Switch C.
# Create a local port mirroring group.
<SwitchC> system-view
[SwitchC] mirroring-group 1 local
# Add port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the port mirroring group as source ports. Add port GigabitEthernet 1/0/3 to the port mirroring group as the destination port.
[SwitchC] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 both
[SwitchC] mirroring-group 1 monitor-port GigabitEthernet 1/0/3
# Display the configuration of all the port mirroring groups.
[SwitchC] display mirroring-group all
mirroring-group 1:
type: local
status: active
mirroring port:
GigabitEthernet1/0/1 both
GigabitEthernet1/0/2 both
monitor port: GigabitEthernet1/0/3
After finishing the configuration, you can monitor all the packets received and sent by the R&D department and the Marketing department on the data monitoring device.
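Because a mirroring group copies traffic to whatever port is configured as the monitor port, a mirroring group nobody approved, or a monitor port that has changed, is worth alerting on. The following script is an added example, not from this manual; it parses display mirroring-group all output in the layout shown above (the second group and the baseline are constructed for the example) and reports every difference from an approved baseline.

```python
import re
# Constructed sample of 'display mirroring-group all' output in the layout the
# chapter shows; group 2 is made up so the check has something to report.
SAMPLE_OUTPUT = """\
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        GigabitEthernet1/0/1 both
        GigabitEthernet1/0/2 both
    monitor port: GigabitEthernet1/0/3
mirroring-group 2:
    type: remote-source
    status: active
    mirroring port:
        GigabitEthernet1/0/7 inbound
    reflector port: GigabitEthernet1/0/4
    remote-probe vlan: 2
"""
# Approved baseline (assumed values): the only mirroring the administrator intends.
BASELINE = {"1": {"type": "local", "status": "active",
                  "mirroring": {("GigabitEthernet1/0/1", "both"), ("GigabitEthernet1/0/2", "both")},
                  "monitor": "GigabitEthernet1/0/3"}}

def parse_display(text):
    """Parse the display output into {group-id: {field: value, "mirroring": set}}."""
    groups, cur, in_ports = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"mirroring-group (\d+):", line)
        if m:
            cur, in_ports = groups.setdefault(m.group(1), {"mirroring": set()}), False
        elif cur is None or not line:
            continue
        elif line == "mirroring port:":
            in_ports = True
        elif in_ports and ":" not in line:        # "<port> <direction>" entries
            port, direction = line.split()
            cur["mirroring"].add((port, direction))
        else:                                     # "key: value" fields
            in_ports = False
            key, _, val = line.partition(":")
            cur[key.strip().replace(" port", "")] = val.strip()
    return groups

def diff_against_baseline(groups, baseline):
    """Findings a monitoring job would raise: new, missing or altered groups."""
    findings = []
    for gid, g in groups.items():
        if gid not in baseline:
            findings.append(f"unexpected mirroring group {gid} ({g.get('type')})")
            continue
        for k, want in baseline[gid].items():
            if g.get(k) != want:
                findings.append(f"group {gid}: {k} is {g.get(k)!r}, expected {want!r}")
    findings += [f"expected mirroring group {gid} is missing" for gid in baseline if gid not in groups]
    return findings
```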
Remote Port Mirroring Configuration Example
On the network shown in Figure 1-4:
- Department 1 is connected to port GigabitEthernet 1/0/1 of Device A.
- Department 2 is connected to port GigabitEthernet 1/0/2 of Device A.
- The trunk port GigabitEthernet 1/0/3 on Device A connects to the trunk port GigabitEthernet 1/0/1 on Device B.
- The trunk port GigabitEthernet 1/0/2 on Device B connects to the trunk port GigabitEthernet 1/0/1 on Device C.
- The Server connects to port GigabitEthernet 1/0/2 on Device C.
To monitor the inbound and outbound packets of Department 1 and Department 2 on the Server, configure remote port mirroring as follows:
- On Device A, create a remote source mirroring group. For the mirroring group, configure VLAN 2 as the remote probe VLAN, ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring ports, and port GigabitEthernet 1/0/4 as the reflector port.
- Configure port GigabitEthernet 1/0/3 on Device A, ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on Device B, and port GigabitEthernet 1/0/1 on Device C as trunk ports that permit the packets of VLAN 2 to pass through.
- Create a remote destination mirroring group on Device C. Configure VLAN 2 as the remote probe VLAN and port GigabitEthernet 1/0/2, to which the Server is connected, as the monitor port.
Figure 1-4 Network diagram for remote port mirroring configuration
1) Configure Device A (the source device)
# Create a remote source mirroring group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN, ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring ports, and port GigabitEthernet 1/0/4 as the reflector port in the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2 both
[DeviceA] mirroring-group 1 reflector-port gigabitethernet 1/0/4
# Configure port GigabitEthernet 1/0/3 as a trunk port that permits the packets of VLAN 2 to pass through.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 2
2) Configure Device B (the intermediate device)
# Configure port GigabitEthernet 1/0/1 as a trunk port that permits the packets of VLAN 2 to pass through.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2
# Configure port GigabitEthernet 1/0/2 as a trunk port that permits the packets of VLAN 2 to pass through.
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 2
3) Configure Device C (the destination device)
# Configure port GigabitEthernet 1/0/1 as a trunk port that permits the packets of VLAN 2 to pass through.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceC-GigabitEthernet1/0/1] quit
# Create a remote destination mirroring group.
[DeviceC] mirroring-group 1 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the mirroring group. Assign port GigabitEthernet 1/0/2 to the mirroring group as the monitor port.
[DeviceC] mirroring-group 1 remote-probe vlan 2
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] mirroring-group 1 monitor-port
[DeviceC-GigabitEthernet1/0/2] port access vlan 2
After finishing the configuration, you can monitor all the packets received and sent by Department 1 and Department 2 on the Server.