01-S12500_Mirroring_Configuration_Examples
Contents
Example: Configuring local port mirroring
Configuration restrictions and guidelines
Example: Configuring remote port mirroring
Configuration restrictions and guidelines
Example: Configuring traffic mirroring
Configuration restrictions and guidelines
This document provides port mirroring and traffic mirroring configuration examples.
Port mirroring copies packets passing through a port or a VLAN to the monitor port (the port connected to a monitoring device) for packet analysis.
Port mirroring includes local port mirroring and remote port mirroring:
· Local port mirroring—The mirroring source and mirroring destination are on the same device.
· Remote port mirroring—The mirroring source and the mirroring destination are on different devices.
Traffic mirroring copies the specified packets to the specified destination for packet analysis and monitoring. It is implemented through QoS policies. First, you define traffic classes and configure match criteria to classify packets to be mirrored. Then you configure traffic behaviors to mirror matching packets to the specified destinations.
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of mirroring.
Example: Configuring local port mirroring
As shown in Figure 1, configure local port mirroring on the switch so the server can monitor the bidirectional traffic of the marketing department and the finance department.
This configuration example was created and verified on S12500-CMW710-R7129.
Configuration restrictions and guidelines
When you configure local port mirroring, follow these restrictions and guidelines:
· H3C S12500 switches do not support multichassis local port mirroring. The monitor port and source ports (or the monitor port and ports in the source VLAN) must be on the same IRF member device.
· A mirroring group can contain multiple source ports or source VLANs but only one monitor port.
· A port can belong to only one mirroring group.
· You can configure only Ethernet interfaces as source ports. You can configure either an Ethernet interface or a Layer 2 aggregate interface as the monitor port.
· Do not assign a source port to a source VLAN.
· Do not assign the monitor port to a source VLAN.
· Do not enable the spanning tree feature on the monitor port.
· Use a monitor port to make sure the data monitoring device receives and analyzes only the mirrored traffic and not a mix of mirrored traffic and correctly forwarded traffic.
· Method 1 (in source port mode):
# Create a local mirroring group.
<Switch> system-view
[Switch] mirroring-group 1 local
# Configure source ports and the monitor port for the local mirroring group.
[Switch] mirroring-group 1 mirroring-port gigabitethernet 2/0/1 gigabitethernet 2/0/2 both
[Switch] mirroring-group 1 monitor-port gigabitethernet 2/0/3
· Method 2 (in source VLAN mode):
# Create a local mirroring group.
<Switch> system-view
[Switch] mirroring-group 1 local
# Create VLAN 10, and assign GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 to VLAN 10.
[Switch] vlan 10
[Switch-vlan10] port GigabitEthernet 2/0/1 GigabitEthernet 2/0/2
[Switch-vlan10] quit
# Configure the source VLAN and the monitor port for the local mirroring group.
[Switch] mirroring-group 1 mirroring-vlan 10 both
[Switch] mirroring-group 1 monitor-port gigabitethernet 2/0/3
· Method 1:
# Display information about all mirroring groups.
[Switch] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet2/0/1 Both
GigabitEthernet2/0/2 Both
Monitor port: GigabitEthernet2/0/3
On the server, you can monitor traffic received and sent by the finance department and the marketing department.
· Method 2:
# Display information about all mirroring groups.
[Switch] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring VLAN:
10 Both
Monitor port: GigabitEthernet2/0/3
On the server, you can monitor traffic received and sent by the finance department and the marketing department.
· Method 1:
[Switch] display current-configuration
#
mirroring-group 1 local
#
interface GigabitEthernet2/0/1
port link-mode bridge
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet2/0/2
port link-mode bridge
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet2/0/3
port link-mode bridge
mirroring-group 1 monitor-port
#
· Method 2:
[Switch] display current-configuration
#
mirroring-group 1 local
mirroring-group 1 mirroring-vlan 10 both
#
vlan 1
#
vlan 10
port GigabitEthernet 2/0/1 GigabitEthernet 2/0/2
#
interface GigabitEthernet2/0/3
port link-mode bridge
mirroring-group 1 monitor-port
#
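The restrictions listed above are easy to violate by hand on a switch that is already in production. As an added example (not part of the H3C document), the following Python audits a saved display current-configuration dump against two of them: a port belongs to only one mirroring group, and the monitor port is not assigned to a source VLAN. The sample configuration is constructed for the example and deliberately violates both.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of "display current-configuration" output; it
# deliberately violates two guidelines (monitor port in the source VLAN, one port in two groups).
SAMPLE_CONFIG = """\
#
mirroring-group 1 local
mirroring-group 1 mirroring-vlan 10 both
#
vlan 10
 port GigabitEthernet 2/0/1 GigabitEthernet 2/0/2 GigabitEthernet 2/0/3
#
interface GigabitEthernet2/0/3
 port link-mode bridge
 mirroring-group 1 monitor-port
 mirroring-group 2 mirroring-port both
#
"""
PORT_RE = re.compile(r"GigabitEthernet\s*\d+/\d+/\d+")

def parse_blocks(text):
    """Split an H3C config into '#'-delimited blocks of stripped lines."""
    return [[l.strip() for l in b.splitlines() if l.strip()]
            for b in re.split(r"^#[ \t]*$", text, flags=re.M) if b.strip()]

def audit_local_mirroring(text):
    """Return guideline violations found in a local port mirroring config."""
    groups_of_port, vlan_ports = defaultdict(set), defaultdict(set)
    monitor_ports, source_vlans = {}, {}   # group id -> monitor port / source VLAN
    for block in parse_blocks(text):
        head = block[0]
        if head.startswith("interface "):
            port = head.split(" ", 1)[1].replace(" ", "")   # e.g. GigabitEthernet2/0/3
            for m in (re.match(r"mirroring-group (\d+) (monitor|mirroring)-port", l) for l in block[1:]):
                if m:
                    groups_of_port[port].add(int(m.group(1)))
                    if m.group(2) == "monitor":
                        monitor_ports[int(m.group(1))] = port
        elif head.startswith("vlan "):
            ports = (p.replace(" ", "") for l in block[1:] if l.startswith("port ") for p in PORT_RE.findall(l))
            vlan_ports[int(head.split()[1])].update(ports)
        else:   # global block: mirroring-group definitions
            for m in (re.match(r"mirroring-group (\d+) mirroring-vlan (\d+)", l) for l in block):
                if m:
                    source_vlans[int(m.group(1))] = int(m.group(2))
    findings = [f"{p} is in mirroring groups {sorted(g)}; a port may belong to only one group"
                for p, g in groups_of_port.items() if len(g) > 1]
    findings += [f"monitor port {monitor_ports[g]} of group {g} is assigned to source VLAN {v}"
                 for g, v in source_vlans.items() if monitor_ports.get(g) in vlan_ports[v]]
    return findings
```

Run it over the output of display current-configuration saved to a file before committing a change; an empty list means neither guideline is violated.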
Example: Configuring remote port mirroring
As shown in Figure 2, configure remote port mirroring so the server can monitor the bidirectional traffic of the marketing department and the finance department.
This configuration example was created and verified on S12500-CMW710-R7129.
Configuration restrictions and guidelines
When you configure a source port and the monitor port for a remote source group, follow these restrictions and guidelines:
· H3C S12500 switches do not support multichassis remote port mirroring. The reflector port and source ports (or the reflector port and ports in the source VLAN) must be on the same IRF member device.
· A port can belong to only one mirroring group.
· Do not assign a source port to a source VLAN or the remote probe VLAN.
· Do not assign the monitor port to a source VLAN.
· Do not enable the spanning tree feature on the monitor port.
· Make sure the remote probe VLAN tag of the mirrored packet is not removed or changed so that a mirrored packet will successfully arrive at the remote destination device.
· To monitor both the received and sent packets of a port in a mirroring group, you must disable MAC address learning. Use the undo mac-address mac-learning enable command in the view of the remote probe VLAN on the source, intermediate, and destination devices.
· Do not enable MVRP. If MVRP is enabled, MVRP might register the remote probe VLAN to unexpected ports, resulting in undesired duplicates.
When you configure the reflector port for a remote source group, follow these restrictions and guidelines:
· A mirroring group contains only one reflector port.
· Do not assign a reflector port to a source VLAN.
· You can configure only a port of the access type as a reflector port. A port of an existing mirroring group or the destination port for traffic mirroring cannot be configured as a reflector port.
· Do not connect a network cable to a reflector port. Do not configure the following on a reflector port: spanning tree, 802.1X, IGMP snooping, static ARP, MAC address learning, QinQ, or interface loopback.
· You can configure a port as a reflector port only when the port is operating with the default duplex mode, port rate, and MDI settings. In addition, you cannot change these settings for a reflector port.
# Enter system view.
<SwitchA> system-view
# Create a remote source group.
[SwitchA] mirroring-group 1 remote-source
# Create VLAN 2.
[SwitchA] vlan 2
# Disable MAC address learning for VLAN 2.
[SwitchA-vlan2] undo mac-address mac-learning enable
[SwitchA-vlan2] quit
# Configure the remote probe VLAN, mirroring ports, and the reflector port for the remote source group.
[SwitchA] mirroring-group 1 remote-probe vlan 2
[SwitchA] mirroring-group 1 mirroring-port gigabitethernet2/0/3 gigabitethernet2/0/4 both
[SwitchA] mirroring-group 1 reflector-port gigabitethernet 2/0/2
# Configure GigabitEthernet 2/0/1 as a trunk port and assign the port to VLAN 2.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] undo shutdown
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] port trunk permit vlan 2
[SwitchA-GigabitEthernet2/0/1] quit
# Enter system view.
<SwitchB> system-view
# Create VLAN 2.
[SwitchB] vlan 2
# Disable MAC address learning for VLAN 2.
[SwitchB-vlan2] undo mac-address mac-learning enable
[SwitchB-vlan2] quit
# Configure GigabitEthernet 2/0/1 as a trunk port and assign the port to VLAN 2.
[SwitchB] interface gigabitethernet 2/0/1
[SwitchB-GigabitEthernet2/0/1] undo shutdown
[SwitchB-GigabitEthernet2/0/1] port link-type trunk
[SwitchB-GigabitEthernet2/0/1] port trunk permit vlan 2
[SwitchB-GigabitEthernet2/0/1] quit
# Configure GigabitEthernet 2/0/2 as a trunk port and assign the port to VLAN 2.
[SwitchB] interface gigabitethernet 2/0/2
[SwitchB-GigabitEthernet2/0/2] undo shutdown
[SwitchB-GigabitEthernet2/0/2] port link-type trunk
[SwitchB-GigabitEthernet2/0/2] port trunk permit vlan 2
[SwitchB-GigabitEthernet2/0/2] quit
# Enter system view.
<SwitchC> system-view
# Create VLAN 2.
[SwitchC] vlan 2
# Disable MAC address learning for VLAN 2.
[SwitchC-vlan2] undo mac-address mac-learning enable
[SwitchC-vlan2] quit
# Configure GigabitEthernet 3/0/1 as a trunk port and assign the port to VLAN 2.
[SwitchC] interface gigabitethernet 3/0/1
[SwitchC-GigabitEthernet3/0/1] undo shutdown
[SwitchC-GigabitEthernet3/0/1] port link-type trunk
[SwitchC-GigabitEthernet3/0/1] port trunk permit vlan 2
[SwitchC-GigabitEthernet3/0/1] quit
# Create a remote destination group.
[SwitchC] mirroring-group 1 remote-destination
# Configure VLAN 2 as the remote probe VLAN, and GigabitEthernet 3/0/2 as the monitor port for the remote destination group.
[SwitchC] mirroring-group 1 remote-probe vlan 2
[SwitchC] interface gigabitethernet 3/0/2
[SwitchC-GigabitEthernet3/0/2] undo shutdown
[SwitchC-GigabitEthernet3/0/2] mirroring-group 1 monitor-port
[SwitchC-GigabitEthernet3/0/2] port access vlan 2
[SwitchC-GigabitEthernet3/0/2] quit
# Display information about all mirroring groups on Switch A.
[SwitchA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet2/0/3 Both
GigabitEthernet2/0/4 Both
Reflector port: GigabitEthernet2/0/2
Remote probe VLAN: 2
# Display information about all mirroring groups on Switch C.
[SwitchC] display mirroring-group all
Mirroring group 1:
Type: Remote destination
Status: Active
Monitor port: GigabitEthernet3/0/2
Remote probe VLAN: 2
On the server, you can monitor traffic received and sent by the finance department and the marketing department.
· Switch A:
[SwitchA] display current-configuration
#
mirroring-group 1 remote-source
mirroring-group 1 remote-probe vlan 2
#
vlan 2
undo mac-address mac-learning enable
#
interface GigabitEthernet2/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 2
#
interface GigabitEthernet2/0/2
port link-mode bridge
mirroring-group 1 reflector-port
#
interface GigabitEthernet2/0/3
port link-mode bridge
mirroring-group 1 mirroring-port both
#
interface GigabitEthernet2/0/4
port link-mode bridge
mirroring-group 1 mirroring-port both
· Switch B:
[SwitchB] display current-configuration
#
vlan 2
undo mac-address mac-learning enable
#
interface GigabitEthernet2/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 2
#
interface GigabitEthernet2/0/2
port link-type trunk
port trunk permit vlan 1 to 2
· Switch C:
[SwitchC] display current-configuration
#
mirroring-group 1 remote-destination
mirroring-group 1 remote-probe vlan 2
#
vlan 2
undo mac-address mac-learning enable
#
interface GigabitEthernet3/0/1
port link-mode bridge
port link-type trunk
port trunk permit vlan 1 to 2
#
interface GigabitEthernet3/0/2
port link-mode bridge
port access vlan 2
mirroring-group 1 monitor-port
#
Example: Configuring traffic mirroring
As shown in Figure 3, configure traffic mirroring on GigabitEthernet 2/0/1 so the server can monitor the traffic that users send to access the data server.
This configuration example was created and verified on S12500-CMW710-R7129.
Configuration restrictions and guidelines
When you configure traffic mirroring, follow these restrictions and guidelines:
· H3C S12500 switches do not support multichassis traffic mirroring. The monitored port and the mirroring destination (an interface, a VLAN, or a CPU) must be on the same IRF member device. However, you can configure multichassis traffic mirroring to mirror traffic to a port of the OAA card.
· You can mirror traffic only to an interface, a VLAN, or a CPU for a traffic behavior.
· Traffic can be mirrored to a non-existent VLAN. When the VLAN is created and is assigned interfaces, the configuration automatically takes effect on the VLAN.
# Enter system view.
<Switch> system-view
# Create ACL 3000, and configure a rule to permit IP packets destined for 10.0.0.1 with wildcard mask 0.0.0.255 (any destination in 10.0.0.0/24 matches the rule).
[Switch] acl number 3000
[Switch-acl-adv-3000] rule permit ip destination 10.0.0.1 0.0.0.255
[Switch-acl-adv-3000] quit
# Create traffic class TC_mirror and configure the match criterion as ACL 3000.
[Switch] traffic classifier TC_mirror
[Switch-classifier-TC_mirror] if-match acl 3000
[Switch-classifier-TC_mirror] quit
# Create traffic behavior TB_mirror.
[Switch] traffic behavior TB_mirror
# Configure the action of mirroring traffic to GigabitEthernet 2/0/2 for traffic behavior TB_mirror.
[Switch-behavior-TB_mirror] mirror-to interface GigabitEthernet 2/0/2
[Switch-behavior-TB_mirror] quit
# Create QoS policy TP_mirror.
[Switch] qos policy TP_mirror
# Associate class TC_mirror with traffic behavior TB_mirror in the QoS policy.
[Switch-qospolicy-TP_mirror] classifier TC_mirror behavior TB_mirror
[Switch-qospolicy-TP_mirror] quit
# Apply the QoS policy to the incoming packets of GigabitEthernet 2/0/1.
[Switch] interface GigabitEthernet 2/0/1
[Switch-GigabitEthernet2/0/1] undo shutdown
[Switch-GigabitEthernet2/0/1] qos apply policy TP_mirror inbound
[Switch-GigabitEthernet2/0/1] quit
# Display information about the QoS policy applied to GigabitEthernet 2/0/1 on the switch.
[Switch] display qos policy interface GigabitEthernet 2/0/1
Interface: GigabitEthernet2/0/1
Direction: Inbound
Policy: TP_mirror
Classifier: TC_mirror
Operator: AND
Rule(s) : If-match acl 3000
Behavior: TB_mirror
Mirror enable:
Mirror type: interface
Mirror destination: GigabitEthernet2/0/2
On the server, you can monitor all traffic sent by users to the data server.
[Switch] display current-configuration
#
acl number 3000
rule 0 permit ip destination 10.0.0.1 0.0.0.255
#
traffic classifier TC_mirror operator and
if-match acl 3000
#
traffic behavior TB_mirror
mirror-to interface GigabitEthernet2/0/2
#
qos policy TP_mirror
classifier TC_mirror behavior TB_mirror
#
interface GigabitEthernet2/0/1
port link-mode bridge
qos apply policy TP_mirror inbound
· H3C S12500 Routing Switch Series Layer 2—LAN Switching Configuration Guide
· H3C S12500 Routing Switch Series Network Management and Monitoring Configuration Guide
· H3C S12500 Routing Switch Series Network Management and Monitoring Command Reference