Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-Mirroring configuration | 286.57 KB |
Contents
Port mirroring classification and implementation
Configuring local port mirroring
Local port mirroring configuration task list
Creating a local mirroring group
Configuring source ports for the local mirroring group
Configuring source VLANs for the local mirroring group
Configuring the monitor port for the local mirroring group
Configuring Layer 2 remote port mirroring
Layer 2 remote port mirroring with configurable reflector port configuration task list
Configuring a remote source group on the source device
Configuring a remote destination group on the destination device
Displaying and maintaining port mirroring
Port mirroring configuration examples
Local port mirroring configuration example(in source port mode)
Local port mirroring configuration example (in source VLAN mode)
Layer 2 remote port mirroring configuration example (reflector port configurable)
Traffic mirroring configuration task list
Configuring a traffic behavior
Applying a QoS policy to an interface
Applying a QoS policy to a VLAN
Applying a QoS policy globally
Traffic mirroring configuration example
The device operates in IRF or standalone (the default) mode. For information about IRF mode, see IRF Configuration Guide.
Overview
Port mirroring refers to the process of copying the packets passing through a port/VLAN to the monitor port connecting to a monitoring device for packet analysis.
Terminology
The following terms are used in port mirroring configuration.
Mirroring source
The mirroring source can be one or more monitored ports or VLANs, which are called "source ports" or "source VLANs." Packets passing through them are copied to a port connecting to a monitoring device for packet analysis. (The copies are called "mirrored packets.") The device where the mirroring source resides is called a "source device."
Mirroring destination
The mirroring destination is the destination port, also known as the monitor port, of mirrored packets and connects to the monitoring device. The device where the monitor port resides is called the "destination device." Mirrored packets are sent out of the monitor port to the monitoring device.
A monitor port might receive multiple duplicates of a packet in some networks because it can monitor multiple mirroring sources. For example, assume that Port 1 is monitoring bidirectional traffic on Port 2 and Port 3 on the same device. If a packet travels from Port 2 to Port 3, two duplicates of the packet are received on Port 1.
|
|
NOTE: · In IRF mode, the device do not support mirroring packets from the specified source VLANs to the monitor port. · You cannot configure port mirroring when the monitor port and the source port (or port of the source VLAN) are on two IRF members. |
Mirroring direction
The mirroring direction specifies that the inbound, outbound, or bidirectional traffic can be copied on a mirroring source.
· Inbound—Copies packets received on a mirroring source.
· Outbound—Copies packets sent out of a mirroring source.
· Bidirectional—Copies packets received and sent on a mirroring source.
Mirroring group
Port mirroring is implemented through mirroring groups, which fall into local, remote source, and remote destination mirroring groups. For more information about the mirroring groups, see "Port mirroring classification and implementation."
Reflector port and remote probe VLAN
A reflector port and remote probe VLAN are used for Layer 2 remote port mirroring. The remote probe VLAN specially transmits mirrored packets to the destination device. The reflector port reside on a source device and send mirrored packets to the remote probe VLAN. For more information about the reflector port, remote probe VLAN, and Layer 2 remote port mirroring, see "Port mirroring classification and implementation."
The number of monitor ports supported in each direction is:
· Two monitor ports on a 48-port GE interface board, one for the first 24 ports and the other for the remaining 24 ports.
· One monitor port for every two 10-GE ports (arranged by port number) on a 10-GE interface board (except LST1XP32REB1, LST1XP32REC1, LST1XP16LEB1, and LST1XP16LEC1).
· Four monitor ports on an LST1XP32REB1 or LST1XP32REC1 interface board.
· Eight monitor ports on an LST1XP16LEB1 or LST1XP16LEC1 interface board. One monitor port for every two 10-GE ports.
Port mirroring classification and implementation
Port mirroring falls into local port mirroring and remote port mirroring depends on whether the mirroring source and the mirroring destination are on the same device.
Local port mirroring
In local port mirroring, the source device is directly connected to the data monitoring device and can act as the destination device to forward mirrored packets to the data monitoring device. The mirroring source and mirroring destination are on the same device. A mirroring group that contains the mirroring source and the mirroring destination on the device is called a "local mirroring group."
|
|
NOTE: The source ports/VLANs and the monitor port in a local mirroring group can be located on different cards of a same device. |
Figure 1 Local port mirroring implementation
As shown in Figure 1, the source port GigabitEthernet 3/0/1 and monitor port GigabitEthernet 3/0/2 reside on the same device. Packets received on GigabitEthernet 3/0/1 are copied to GigabitEthernet 3/0/2, which then forwards the packets to the data monitoring device for analysis.
Remote port mirroring
In remote port mirroring, the source device is not directly connected to the data monitoring device but copies mirrored packets to the destination device, which forwards them to the data monitoring device. The mirroring source and the mirroring destination reside on different devices and in different mirroring groups. The mirroring group that contains the mirroring source or the mirroring destination is called a "remote source group" or "remote destination group", respectively. The devices between the source devices and destination device are intermediate devices.
Remote port mirroring falls into Layer 2 and Layer 3 remote port mirroring.
· Layer 2 remote port mirroring: The mirroring source and the mirroring destination are located on different devices on a same Layer 2 network.
· Layer 3 remote port mirroring: The mirroring source and the mirroring destination are separated by IP networks. The device does not support this feature.
1. Layer 2 remote port mirroring
Layer 2 remote port mirroring can be implemented when a reflector port or an egress port is available on the source device. The configuration method when the reflector or egress port is available on the source device is called "reflector port method" or "egress port method" (the egress port method is not support by the device).
As shown in Figure 2, the source device copies packets received on the source port to the reflector port. The reflector port broadcasts the packets in the remote probe VLAN and the intermediate devices in the VLAN transmit the packets to the destination device. Upon receiving the mirrored packets, the destination device determines whether their VLAN IDs are the same as the remote probe VLAN ID. If yes, the device forwards them to the data monitoring device through the monitor port.
Figure 2 Layer 2 remote port mirroring implementation through the reflector port method
A reflector port also falls into fixed and configurable reflector port. The fixed reflector port comes with the device but the later must be manually configured. The device does not support fixed reflector port.
You can use the reflector port method to implement local port mirroring by assigning a non-source port on the source device to the remote probe VLAN, because the source device broadcasts mirrored packets in the remote probe VLAN.
To make sure the source device and the destination device can communicate at Layer 2 through the remote probe VLAN, assign the intermediate devices' ports in the direction to the source and destination devices to the remote probe VLAN.
To monitor both the received and sent packets of a port in a mirroring group, you must disable MAC address learning for the remote probe VLAN on the source, intermediate, and destination devices. For more information about MAC address learning, see Layer 2—LAN Switching Configuration Guide.
Configuring local port mirroring
Local port mirroring takes effect only when the source ports or VLANs, and the monitor port are configured.
Local port mirroring configuration task list
|
Tasks at a glance |
|
1. (Required.) Creating a local mirroring group |
|
2. (Required.) Configuring source ports or/and VLANs for the local mirroring group: |
|
3. (Required.) Configuring the monitor port for the local mirroring group |
Creating a local mirroring group
|
Command |
Remarks |
|
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a local mirroring group. |
mirroring-group group-id local |
By default, no local mirroring group exists. |
Configuring source ports for the local mirroring group
You can configure a list of source ports for a mirroring group at a time in system view or assign a port to it as a source port in interface view. To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
Configuration restrictions and guidelines
· Do not assign a source port to a source VLAN.
· A mirroring group can contain multiple source ports.
· A port can belong to only one mirroring group. However, on devices that support mirroring groups with multiple monitor ports, a port can serve as a source port for multiple mirroring groups, but cannot be a reflector port, egress port, or monitor port at the same time.
Configuration procedure
To configure source ports in system view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source ports for the specified local mirroring group. |
mirroring-group group-id mirroring-port interface-list { both | inbound | outbound } |
By default, no source port is configured for a local mirroring group. |
To configure source ports in interface view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as a source port for the specified local mirroring group. |
mirroring-group group-id mirroring-port { both | inbound | outbound } |
By default, a port does not serve as a source port for any local mirroring group. |
Configuring source VLANs for the local mirroring group
Follow these guidelines when you configure source VLANs for a local mirroring group:
· A mirroring group can contain multiple source VLANs.
· A VLAN can be configured as a source VLAN for only one local mirroring group.
To configure source VLANs for a local mirroring group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source VLANs for the specified local mirroring group. |
mirroring-group group-id mirroring-vlan vlan-list { both | inbound | outbound } |
By default, no source VLAN is configured for a local mirroring group. |
Configuring the monitor port for the local mirroring group
You can configure the monitor port for a mirroring group in system view or assign a port to a mirroring group as the monitor port in interface view. The two modes lead to the same result.
Configuration restrictions and guidelines
· Do not assign the monitor port to a source VLAN or enable the spanning tree feature on the monitor port.
· When a Layer 2 aggregate interface is configured as the monitor port, do not configure its member interfaces as source ports or assign them to the source VLAN.
· A mirroring group contains only one monitor port.
· Use a monitor port for port mirroring only to make sure that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
Configuration procedure
To configure the monitor port in system view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the monitor port for the specified local mirroring group. |
mirroring-group group-id monitor-port interface-type interface-number |
By default, no monitor port is configured for a local mirroring group. |
To configure the monitor port in interface view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the monitor port for the specified mirroring group. |
mirroring-group group-id monitor-port |
By default, a port does not serve as the monitor port for any local mirroring group. |
Configuring Layer 2 remote port mirroring
Configuring Layer 2 remote port mirroring is to configure remote mirroring groups. When doing this, configure a remote source group on the source device and a cooperating remote destination group on the destination device. If intermediate devices exist, configure the intermediate devices to allow the remote probe VLAN to pass through.
When you configure Layer 2 remote port mirroring, for a mirrored packet to successfully arrive at the remote destination device, make sure the VLAN ID of the mirrored packet is not removed or changed.
Layer 2 remote port mirroring with configurable reflector port configuration task list
|
Tasks at a glance |
|
|
Configuring a remote source group: 1. (Required.) Creating a remote source group 2. (Required.) Configuring source ports or/and VLANs for the remote source group: ¡ Configuring source ports for a remote source group ¡ Configuring source VLANs for a remote source group 3. (Required.) Configuring the reflector port for a remote source group 4. (Required.) Configuring the remote probe VLAN for a remote source group |
|
|
(Required.) Configuring a remote destination group: 1. Creating a remote destination group 2. Configuring the monitor port for a remote destination group 3. Configuring the remote probe VLAN for a remote destination group |
|
Configuring a remote source group on the source device
Creating a remote source group
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a remote source group. |
mirroring-group group-id remote-source |
By default, no remote source group exists on a device. |
Configuring source ports for a remote source group
You can configure a list of source ports for a mirroring group at a time in system view or assign a port to it as a source port in interface view. To assign multiple ports to a mirroring group as source ports in interface view, repeat the operation.
When you configure source ports for a remote source group, follow these guidelines:
· Do not assign a source port to a source VLAN or the remote probe VLAN.
· A mirroring group can contain multiple source ports.
· A port can belong to only one mirroring group. However, on devices that support mirroring groups with multiple monitor ports, a port can serve as a source port for multiple mirroring groups, but cannot be a reflector port or a monitor port at the same time.
To configure source ports for a remote source group in system view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source ports for the specified remote source group. |
mirroring-group group-id mirroring-port interface-list { both | inbound | outbound } |
By default, no source port is configured for a remote source group. |
To configure a source port for a remote source group in interface view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as a source port for the specified remote source group. |
mirroring-group group-id mirroring-port { both | inbound | outbound } |
By default, a port does not serve as a source port for any remote source group. |
Configuring source VLANs for a remote source groupp
Follow these guidelines when you configure source VLANs for a remote source group:
· A mirroring group can contain multiple source VLANs.
· A VLAN can be configured as the source VLAN for only one mirroring group.
To configure source VLANs for a remote source group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source VLANs for the specified remote source group. |
mirroring-group group-id mirroring-vlan vlan-list { both | inbound | outbound } |
By default, no source VLAN is configured for a remote source group. |
Configuring the reflector port for a remote source groupp
You can configure the reflector port for a mirroring group in system view or assign a port to it as the reflector port in interface view. The two configuration modes lead to the same result.
When you configure the reflector port for a remote source group, follow these guidelines:
· Do not assign the reflector port to a source VLAN.
· Select a port not in use on the device to be configured as the reflector port. Do not connect a network cable to the reflector port.
· When a port is configured as a reflector port, all existing configuration of the port is cleared. You cannot configure other features on the reflector port.
· A mirroring group contains only one reflector port.
· On some devices, you can configure a port as a reflector port only when the port is operating with the default duplex mode, port rate, and MDI setting. In addition, you cannot change these settings after the port is configured as a reflector port.
To configure the reflector port for a remote source group in system view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the reflector port for the specified remote source group. |
mirroring-group group-id reflector-port interface-type interface-number |
By default, no reflector port is configured for a remote source group. |
To configure the reflector port for a remote source group in interface view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the reflector port for the specified remote source group. |
mirroring-group group-id reflector-port |
By default, a port does not serve as the reflector port for any remote source group. |
Configuring the remote probe VLAN for a remote source group
Before configuring a remote probe VLAN, create a static VLAN that will serve as the remote probe VLAN for the remote source group.
When you configure the remote probe VLAN for a remote source group, follow these guidelines:
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· The remote mirroring groups on the source device and destination device must use the same remote probe VLAN.
· H3C recommends not configuring a VLAN that is enabled loop detection as a remote probe VLAN. Otherwise, errors may occur. For information about loop detection, see Layer 2—LAN Switching Configuration Guide.
To configure the remote probe VLAN for a remote source group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the remote probe VLAN for the specified remote source group. |
mirroring-group group-id remote-probe vlan vlan-id |
By default, no remote probe VLAN is configured for a remote source group. |
Configuring a remote destination group on the destination device
To configure a remote destination group, make the following configurations on the destination device.
Creating a remote destination group
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a remote destination group. |
mirroring-group group-id remote-destination |
By default, no remote destination group exists on a device. |
Configuring the monitor port for a remote destination group
You can configure the monitor port for a mirroring group in system view or assign a port to a mirroring group as the monitor port in interface view. The two modes lead to the same result.
When you configure the monitor port for a remote destination group, follow these guidelines:
· Do not assign the monitor port to a source VLAN or enable the spanning tree feature on the monitor port.
· When a Layer 2 aggregate interface is configured as the monitor port, do not configure its member ports as source ports or assign them to source VLANs.
· Use a monitor port only for port mirroring to make sure that the data monitoring device receives and analyzes only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
· A mirroring group contains only one monitor port.
To configure the monitor port for a remote destination group in system view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the monitor port for the specified remote destination group. |
mirroring-group group-id monitor-port interface-type interface-number |
By default, no monitor port is configured for a remote destination group. |
To configure the monitor port for a remote destination group in interface view:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the monitor port for the specified remote destination group. |
mirroring-group group-id monitor-port |
By default, a port does not serve as the monitor port for any remote destination group. |
Configuring the remote probe VLAN for a remote destination groupp
Before configuring a remote probe VLAN, create a static VLAN that will serve as the remote probe VLAN for the remote source group.
When you configure the remote probe VLAN for a remote destination group, follow these guidelines:
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· Configure the same remote probe VLAN for the remote destination groups on the source and destination devices.
· H3C recommends not configuring a VLAN that is enabled loop detection as a remote probe VLAN. Otherwise, errors may occur. For information about loop detection, see Layer 2—LAN Switching Configuration Guide.
To configure the remote probe VLAN for a remote destination group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the remote probe VLAN for the specified remote destination group. |
mirroring-group group-id remote-probe vlan vlan-id |
By default, no remote probe VLAN is configured for a remote destination group. |
Assigning the monitor port to the remote probe VLAN
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter the interface view of the monitor port. |
interface interface-type interface-number |
N/A |
|
3. Assign the port to the probe VLAN. |
·
For an access port: ·
For a trunk port: ·
For a hybrid port: |
Use one of the commands. |
For more information about the port access vlan, port trunk permit vlan, and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference.
Displaying and maintaining port mirroring
Execute display commands in any view.
|
Task |
Command |
|
Display mirroring group information. |
display mirroring-group { group-id | all | local | remote-destination | remote-source } |
Port mirroring configuration examples
By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Local port mirroring configuration example(in source port mode)
Network requirements
As shown in Figure 3, configure local port mirroring in source port mode to enable the server to monitor the bidirectional traffic of the marketing department and the technical department.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Configure GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 as source ports and port GigabitEthernet 4/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 mirroring-port GigabitEthernet 4/0/1 GigabitEthernet 4/0/2 both
[Device] mirroring-group 1 monitor-port GigabitEthernet 4/0/3
# Disable the spanning tree feature on the monitor port GigabitEthernet 4/0/3.
[Device] interface GigabitEthernet 4/0/3
[Device-GigabitEthernet4/0/3] undo stp enable
[Device-GigabitEthernet4/0/3] quit
Verifying the configuration
# Display information about all mirroring groups.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet4/0/1 Both
GigabitEthernet4/0/2 Both
Monitor port: GigabitEthernet4/0/3
After completing the configurations, you can monitor all packets received and sent by the marketing department and the technical department on the server.
Local port mirroring configuration example (in source VLAN mode)
Network requirements
As shown in Figure 4, assign GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 to VLAN 2 and configure local port mirroring in source VLAN mode to enable the server to monitor the bidirectional traffic of the marketing department and the technical department.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Create VLAN 2 and assign GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 to VLAN 2.
[Device] vlan 2
[Device-vlan2] port GigabitEthernet 4/0/1 GigabitEthernet 4/0/2
[Device-vlan2] quit
# Configure VLAN 2 as a source VLAN and GigabitEthernet 4/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 mirroring-vlan 2 both
[Device] mirroring-group 1 monitor-port GigabitEthernet 4/0/3
# Disable the spanning tree feature on the monitor port GigabitEthernet 4/0/3.
[Device] interface GigabitEthernet 4/0/3
[Device-GigabitEthernet4/0/3] undo stp enable
[Device-GigabitEthernet4/0/3] quit
Verifying the configuration
# Display information about all mirroring groups.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring VLAN:
2 Both
Monitor port: GigabitEthernet4/0/3
After completing the configurations, you can monitor all packets received and sent by the marketing department and the technical department on the server.
Layer 2 remote port mirroring configuration example (reflector port configurable)
Network requirements
As shown in Figure 5, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the marketing department.
Configuration procedure
1. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2, which is to be configured as the remote probe VLAN.
[DeviceA] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceA-vlan2] undo mac-address mac-learning enable
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN, GigabitEthernet 4/0/1 as a source port, and GigabitEthernet 4/0/3 as the reflector port in the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port GigabitEthernet 4/0/1 both
[DeviceA] mirroring-group 1 reflector-port GigabitEthernet 4/0/3
# Configure GigabitEthernet 4/0/2 as a trunk port to permit the packets of VLAN 2 to pass through.
[DeviceA] interface GigabitEthernet 4/0/2
[DeviceA-GigabitEthernet4/0/2] port link-type trunk
[DeviceA-GigabitEthernet4/0/2] port trunk permit vlan 2
[DeviceA-GigabitEthernet4/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2, which is to be configured as the remote probe VLAN.
<DeviceB> system-view
[DeviceB] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceB-vlan2] undo mac-address mac-learning enable
[DeviceB-vlan2] quit
# Configure GigabitEthernet 4/0/1 as a trunk port to permit the packets of VLAN 2 to pass through.
[DeviceB] interface GigabitEthernet 4/0/1
[DeviceB-GigabitEthernet4/0/1] port link-type trunk
[DeviceB-GigabitEthernet4/0/1] port trunk permit vlan 2
[DeviceB-GigabitEthernet4/0/1] quit
# Configure GigabitEthernet 4/0/2 as a trunk port to permit the packets of VLAN 2 to pass through.
[DeviceB] interface GigabitEthernet 4/0/2
[DeviceB-GigabitEthernet4/0/2] port link-type trunk
[DeviceB-GigabitEthernet4/0/2] port trunk permit vlan 2
[DeviceB-GigabitEthernet4/0/2] quit
3. Configure Device C (the destination device):
# Configure GigabitEthernet 4/0/1 as a trunk port to permit the packets of VLAN 2 to pass through.
<DeviceC> system-view
[DeviceC] interface GigabitEthernet 4/0/1
[DeviceC-GigabitEthernet4/0/1] port link-type trunk
[DeviceC-GigabitEthernet4/0/1] port trunk permit vlan 2
[DeviceC-GigabitEthernet4/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2, which is to be configured as the remote probe VLAN.
[DeviceC] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceC-vlan2] undo mac-address mac-learning enable
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the mirroring group and GigabitEthernet 4/0/2 as the monitor port of the mirroring group, disable the spanning tree feature on GigabitEthernet 4/0/2, and assign the port to VLAN 2.
[DeviceC] mirroring-group 2 remote-probe vlan 2
[DeviceC] interface GigabitEthernet 4/0/2
[DeviceC-GigabitEthernet4/0/2] mirroring-group 2 monitor-port
[DeviceC-GigabitEthernet4/0/2] undo stp enable
[DeviceC-GigabitEthernet4/0/2] port access vlan 2
[DeviceC-GigabitEthernet4/0/2] quit
Verifying the configuration
# Display information about all mirroring groups on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet4/0/1 Both
Reflector port: GigabitEthernet4/0/3
Remote probe VLAN: 2
# Display information about all mirroring groups on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: GigabitEthernet4/0/2
Remote probe VLAN: 2
After completing the configurations, you can monitor all packets received and sent by the marketing department on the server.
Traffic mirroring copies the specified packets to the specified destination for packet analyzing and monitoring. It is implemented through QoS policies. In other words, you define traffic classes and configure match criteria to classify packets to be mirrored and then configure traffic behaviors to mirror packets that fit the match criteria to the specified destination. Traffic mirroring allows you to flexibly classify packets to be analyzed by defining match criteria. For more information about QoS policies, traffic classes, and traffic behaviors, see ACL and QoS Configuration Guide.
You can configure the traffic to be mirrored to the following destinations:
· Interface—Mirroring traffic to an interface copies the matching packets to an interface connecting to a data monitoring device, which analyzes the packets received on the interface.
· VLAN—Mirroring traffic to a VLAN copies the matching packets to a VLAN where the packets are broadcast.
· CPU—Mirroring traffic to a CPU copies the matching packets to a CPU, whose card is configured with traffic mirroring, to analyze the packets or deliver the packets to upper layers.
Traffic mirroring configuration task list
|
Tasks at a glance |
|
(Required.) Configuring match criteria |
|
(Required.) Configuring a traffic behavior |
|
(Required.) Configuring a QoS policy |
|
(Required.) Applying a QoS policy: · Applying a QoS policy to an interface |
For more information about the following commands except the mirror-to command, see ACL and QoS Command Reference.
Configuring match criteria
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a class and enter class view. |
traffic classifier tcl-name [ operator { and | or } ] |
By default, no traffic class exists. |
|
3. Configure match criteria. |
if-match match-criteria |
By default, no match criterion is configured in a traffic class. |
Configuring a traffic behavior
To configure a traffic behavior:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a traffic behavior and enter traffic behavior view. |
traffic behavior behavior-name |
By default, no traffic behavior exists. |
|
3. Specify a mirroring destination for the traffic behavior. |
·
Mirror traffic to an interface: ·
Mirror traffic to a VLAN: ·
Mirror traffic to a CPU: |
Use one of the commands. By default, no mirroring destination is configured for a traffic behavior. |
Traffic can be mirrored to a non-existent VLAN. When the VLAN is created and is assigned interfaces, the configuration automatically takes effect on the VLAN.
The CPU resides in the card configured with traffic mirroring.
Configuring port mirroring to the specified VLAN is not supported on LST1XP16LEB1 or LST1XP16LEC1 card.
|
|
NOTE: After you configure a traffic behavior, you can use the display traffic behavior command in any view to view traffic behavior configuration. |
Configuring a QoS policy
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a QoS policy and enter the QoS policy view. |
qos policy policy-name |
By default, no QoS policy exists. |
|
3. Associate a class with a traffic behavior in the QoS policy. |
classifier tcl-name behavior behavior-name |
By default, no traffic behavior is associated with a class. |
|
|
NOTE: After the preceding configuration, you can use the display qos policy command in any view to view QoS policy configuration. |
Applying a QoS policy
|
|
NOTE: Only the incoming destination to which a QoS policy can be applied on Ethernet interface cards. |
Applying a QoS policy to an interface
By applying a QoS policy to an interface, you can mirror the traffic in a specific direction on the interface. A policy can be applied to multiple interfaces, but in one direction (inbound or outbound) of an interface, only one policy can be applied.
To apply a QoS policy to an interface:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Enter interface view. |
interface interface-type interface-number |
|
3. Apply a policy to the interface. |
qos apply policy policy-name { inbound | outbound } |
Applying a QoS policy to a VLAN
You can apply a QoS policy to a VLAN to mirror the traffic in a specific direction on all ports in the VLAN.
To apply the QoS policy to a VLAN:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Apply a QoS policy to a VLAN. |
qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound } |
Applying a QoS policy globally
You can apply a QoS policy globally to mirror the traffic in a specific direction on all ports.
To apply a QoS policy globally:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Apply a QoS policy globally. |
qos apply policy policy-name global { inbound | outbound } |
Traffic mirroring configuration example
Network requirements
As shown in Figure 6, different departments of a company use IP addresses on different subnets. The marketing and technical departments use the IP addresses on subnets 192.168.1.0/24 and 192.168.2.0/24, respectively. The working hour of the company is from 8:00 to 18:00 on weekdays.
Configure traffic mirroring so that the server can monitor the traffic that the technical department sends to access the Internet and IP traffic that the technical department sends to the marketing department.
Configuration procedure
# Create a working hour range named work, in which the working hour is from 8:00 to 18:00 on weekdays.
<DeviceA> system-view
[DeviceA] time-range work 8:00 to 18:00 working-day
# Create ACL 3000 to allow packets from the technical department to access the Internet and to the marketing department during working hours.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
[DeviceA-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work
[DeviceA-acl-adv-3000] quit
# Create traffic class tech_c and configure the match criterion as ACL 3000.
[DeviceA] traffic classifier tech_c
[DeviceA-classifier-tech_c] if-match acl 3000
[DeviceA-classifier-tech_c] quit
# Create traffic behavior tecn_b and configure the action of mirroring traffic to port GigabitEthernet 4/0/3.
[DeviceA] traffic behavior tech_b
[DeviceA-behavior-tech_b] mirror-to interface GigabitEthernet 4/0/3
[DeviceA-behavior-tech_b] quit
# Create QoS policy tech_p and associate traffic class tech_c with traffic behavior tech_b in the QoS policy.
[DeviceA] qos policy tech_p
[DeviceA-qospolicy-tech_p] classifier tech_c behavior tech_b
[DeviceA-qospolicy-tech_p] quit
# Apply QoS policy tech_p to the incoming packets of GigabitEthernet 4/0/4.
[DeviceA] interface GigabitEthernet 4/0/4
[DeviceA-GigabitEthernet4/0/4] qos apply policy tech_p inbound
[DeviceA-GigabitEthernet4/0/4] quit
Verifying the configuration
Through the server, you can monitor all traffic sent by the technical department to access the Internet and the IP traffic that the technical department sends to the marketing department during working hours.
