12-Network Management and Monitoring Configuration Guide
07-Mirroring configuration
Contents
Port mirroring classification and implementation
Configuring local port mirroring
Local port mirroring configuration task list
Creating a local mirroring group
Configuring source ports for the local mirroring group
Configuring source VLANs for the local mirroring group
Configuring the monitor port for the local mirroring group
Configuring Layer 2 remote port mirroring
Configuration restrictions and guidelines
Layer 2 remote port mirroring configuration task list
Configuring a remote destination group on the destination device
Configuring a remote source group on the source device
Displaying and maintaining port mirroring
Port mirroring configuration examples
Local port mirroring configuration example (in source port mode)
Local port mirroring configuration example (in source VLAN mode)
Layer 2 remote port mirroring configuration example (reflector port configurable)
Flow mirroring configuration task list
Configuring a traffic behavior
Applying a QoS policy to an interface
Applying a QoS policy to a VLAN
Applying a QoS policy globally
Overview
Port mirroring copies the packets passing through a port or a VLAN to the monitor port connecting to a data monitoring device for packet analysis.
Terminology
The following terms are used in port mirroring configuration.
Mirroring source
The mirroring sources can be one or more monitored ports or VLANs. The monitored ports and VLANs are called source ports or source VLANs, respectively.
Packets passing through them are copied to a port connecting to a data monitoring device for packet analysis. The copies are called mirrored packets.
Source device
The device where the mirroring sources reside is called a source device.
Mirroring destination
The mirroring destination connects to a data monitoring device and is the destination port (also known as the monitor port) of mirrored packets. Mirrored packets are sent out of the monitor port to the monitoring device.
A monitor port might receive multiple copies of a packet when it monitors multiple mirroring sources. For example, two copies of a packet are received on Port 1 when the following conditions exist:
· Port 1 is monitoring bidirectional traffic on Port 2 and Port 3 on the same device.
· The packet travels from Port 2 to Port 3.
Destination device
The device where the monitor port resides is called the destination device.
Mirroring direction
The mirroring direction specifies the direction of the traffic that is copied on a mirroring source.
· Inbound—Copies packets received.
· Outbound—Copies packets sent.
· Bidirectional—Copies packets received and sent.
Mirroring group
Port mirroring is implemented through mirroring groups, which include local, remote source, and remote destination groups. For more information about the mirroring groups, see "Port mirroring classification and implementation."
Reflector port and remote probe VLAN
Reflector ports and remote probe VLANs are used for Layer 2 remote port mirroring. The remote probe VLAN is a dedicated VLAN for transmitting mirrored packets to the destination device. The reflector port resides on a source device and sends mirrored packets to the remote probe VLAN. For more information about the reflector port, remote probe VLAN, and Layer 2 remote port mirroring, see "Port mirroring classification and implementation."
NOTE: On port mirroring devices, all ports except source, destination, and reflector ports are called common ports.
Port mirroring classification and implementation
Port mirroring includes local port mirroring and remote port mirroring:
· Local port mirroring—The mirroring sources and the mirroring destination are on the same device.
· Remote port mirroring—The mirroring sources and the mirroring destination are on different devices.
Local port mirroring
In local port mirroring, the following conditions exist:
· The source device is directly connected to a data monitoring device.
· The source device can act as the destination device to forward mirrored packets to the data monitoring device.
A local mirroring group is a mirroring group that contains the mirroring sources and the mirroring destination on the same device.
Figure 1 Local port mirroring implementation
As shown in Figure 1, the source port GigabitEthernet 3/0/1 and the monitor port GigabitEthernet 3/0/2 reside on the same device. Packets received on GigabitEthernet 3/0/1 are copied to GigabitEthernet 3/0/2. GigabitEthernet 3/0/2 then forwards the packets to the data monitoring device for analysis.
Remote port mirroring
In remote port mirroring, the following conditions exist:
· The source device is not directly connected to a data monitoring device.
· The source device copies mirrored packets to the destination device, which forwards them to the data monitoring device.
· The mirroring sources and the mirroring destination reside on different devices and are in different mirroring groups.
A remote source group or remote destination group is a mirroring group that contains the mirroring sources or the mirroring destination, respectively. Intermediate devices are the devices between the source device and the destination device.
Remote port mirroring includes Layer 2 and Layer 3 remote port mirroring.
· Layer 2 remote port mirroring—The mirroring sources and the mirroring destination are located on different devices on the same Layer 2 network.
· Layer 3 remote port mirroring—The mirroring sources and the mirroring destination are separated by IP networks. Layer 3 remote port mirroring is not supported in the current software version and is reserved for future support.
Layer 2 remote port mirroring can be implemented when a reflector port or an egress port is available on the source device. The corresponding configuration methods are called the reflector port method and the egress port method. The egress port method is not supported in the current software version and is reserved for future support.
As shown in Figure 2, in Layer 2 remote port mirroring that uses the reflector port method, packets are processed as follows:
1. The source device copies packets received on the source port to the reflector port.
2. The reflector port broadcasts the packets in the remote probe VLAN.
3. The intermediate devices in the VLAN transmit the packets to the destination device.
4. Upon receiving the mirrored packets, the destination device determines whether the VLAN ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the device forwards the packets to the data monitoring device through the monitor port.
A reflector port can be a fixed reflector port or a configurable reflector port. The fixed reflector port comes with the device, but the latter must be manually configured. The fixed reflector port is not supported in the current software version and is reserved for future support.
Figure 2 Layer 2 remote port mirroring implementation through the reflector port method
The source device broadcasts mirrored packets in the remote probe VLAN. By assigning a non-source port on the source device to the remote probe VLAN, you can use the reflector port method to implement local port mirroring.
To ensure Layer 2 forwarding of the mirrored packets, assign the intermediate devices' ports facing the source and destination devices to the remote probe VLAN.
Configuring local port mirroring
A local mirroring group takes effect only when you configure the monitor port and the source ports or source VLANs for the local mirroring group.
Local port mirroring configuration task list
Tasks at a glance |
---|
1. (Required.) Creating a local mirroring group |
2. (Required.) Perform at least one of the following tasks: |
3. (Required.) Configuring the monitor port for the local mirroring group |
Creating a local mirroring group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a local mirroring group. | mirroring-group group-id local [ sampler sampler-name ] | By default, no local mirroring group exists. |
Configuring source ports for the local mirroring group
To configure source ports for a local mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
· Do not assign a source port of a mirroring group to a source VLAN of the mirroring group.
· A mirroring group can contain multiple source ports.
· Typically, a port belongs to only one mirroring group.
· Do not configure flow sampling on a source port from which the outbound packets are mirrored.
Configuring source ports in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source ports for the specified local mirroring group. | mirroring-group group-id mirroring-port interface-list { both \| inbound \| outbound } | By default, no source port is configured for a local mirroring group. |
Configuring source ports in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as a source port for the specified local mirroring group. | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | By default, a port does not act as a source port for any local mirroring groups. |
Configuring source VLANs for the local mirroring group
When you configure source VLANs for a local mirroring group, follow these restrictions and guidelines:
· A mirroring group can contain multiple source VLANs.
· A VLAN can be configured as a source VLAN for only one local mirroring group.
To configure source VLANs for a local mirroring group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source VLANs for the specified local mirroring group. | mirroring-group group-id mirroring-vlan vlan-list { both \| inbound \| outbound } | By default, no source VLAN is configured for a local mirroring group. |
Configuring the monitor port for the local mirroring group
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to the mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a local mirroring group, follow these restrictions and guidelines:
· Do not assign the monitor port of a mirroring group to a source VLAN of the mirroring group.
· Do not enable the spanning tree feature on the monitor port.
· For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not perform any of the following tasks:
¡ Configure its member ports as source ports of the mirroring group.
¡ Assign its member ports to a source VLAN of the mirroring group.
· A mirroring group contains only one monitor port.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· For information about selecting monitor ports on Ethernet interface cards for mirrored packets in the same direction, see Table 1.
Table 1 Supported monitor ports on Ethernet interface cards
Interface card type | Number of supported monitor ports | Interface selection range for each monitor port |
---|---|---|
48-port Gigabit Ethernet interface card | 2 | · Ports 1 to 24. · Ports 25 to 48. |
4-port 10-Gigabit Ethernet interface card | 2 | · Ports 1 to 2. · Ports 3 to 4. |
8-port 10-Gigabit Ethernet interface card | 4 | Every two consecutive ports, starting with port 1. |
16-port 10-Gigabit Ethernet interface card | 8 | · Every two ports of consecutive odd numbers, starting with port 1. · Every two ports of consecutive even numbers, starting with port 2. |
20-port 10-Gigabit Ethernet interface card | 1 | Ports 1 to 20. |
32-port 10-Gigabit Ethernet interface card | 4 | · Ports 1, 3, 5, 7, 9, 11, 13, and 15. · Ports 2, 4, 6, 8, 10, 12, 14, and 16. · Ports 17, 19, 21, 23, 25, 27, 29, and 31. · Ports 18, 20, 22, 24, 26, 28, 30, and 32. |
40-port 10-Gigabit Ethernet interface card | 2 | · Ports 1 to 20. · Ports 21 to 40. |
48-port 10-Gigabit Ethernet interface card | 4 | · Ports 1 to 12. · Ports 13 to 24. · Ports 25 to 36. · Ports 37 to 48. |
16-port 40-Gigabit Ethernet interface card | 4 | · Ports 1 to 4. · Ports 5 to 8. · Ports 9 to 12. · Ports 13 to 16. |
4-port 100-Gigabit Ethernet interface card | 2 | · Ports 1 to 2. · Ports 3 to 4. |
Configuring the monitor port in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the monitor port for the specified local mirroring group. | mirroring-group group-id monitor-port interface-type interface-number | By default, no monitor port is configured for a local mirroring group. |
Configuring the monitor port in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the monitor port for the specified mirroring group. | mirroring-group group-id monitor-port | By default, a port does not act as the monitor port for any local mirroring groups. |
Configuring Layer 2 remote port mirroring
To configure Layer 2 remote port mirroring, perform the following tasks:
· Configure a remote source group on the source device.
· Configure a cooperating remote destination group on the destination device.
· If intermediate devices exist, configure the following devices and ports to allow the remote probe VLAN to pass through.
¡ Intermediate devices.
¡ Ports connected to the intermediate devices on the source and destination devices.
You can configure Layer 2 remote port mirroring when a fixed reflector port or configurable reflector port is available on the source device. The switch does not support configuring Layer 2 remote port mirroring with a fixed reflector port in the current software version.
Configuration restrictions and guidelines
When you configure Layer 2 remote port mirroring, follow these restrictions and guidelines:
· For a mirrored packet to successfully arrive at the remote destination device, make sure its VLAN ID is not removed or changed.
· Do not configure both MVRP and Layer 2 remote port mirroring. Otherwise, MVRP might register the remote probe VLAN with incorrect ports, which would cause the monitor port to receive undesired copies. For more information about MVRP, see Layer 2—LAN Switching Configuration Guide.
· H3C recommends that you configure devices in the order of the destination device, the intermediate devices, and the source device.
· To monitor the bidirectional traffic of a port in a mirroring group, you must disable MAC address learning for the remote probe VLAN on the source, intermediate, and destination devices. For more information about MAC address learning, see Layer 2 — LAN Switching Configuration Guide.
Layer 2 remote port mirroring configuration task list
Configuring a remote destination group on the destination device
Creating a remote destination group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a remote destination group. | mirroring-group group-id remote-destination | By default, no remote destination group exists on a device. |
Configuring the monitor port for a remote destination group
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to the mirroring group as the monitor port in interface view.
When you configure the monitor port for a remote destination group, follow these restrictions and guidelines:
· Do not assign the monitor port of a mirroring group to a source VLAN of the mirroring group.
· Do not enable the spanning tree feature on the monitor port.
· For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not perform any of the following tasks:
¡ Configure its member ports as source ports of the mirroring group.
¡ Assign its member ports to a source VLAN of the mirroring group.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· A mirroring group must contain only one monitor port.
· A monitor port cannot be in multiple mirroring groups.
Configuring the monitor port for a remote destination group in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the monitor port for the specified remote destination group. | mirroring-group group-id monitor-port interface-type interface-number | By default, no monitor port is configured for a remote destination group. |
Configuring the monitor port for a remote destination group in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the monitor port for the specified remote destination group. | mirroring-group group-id monitor-port | By default, a port does not act as the monitor port for any remote destination groups. |
Configuring the remote probe VLAN for a remote destination group
When you configure the remote probe VLAN for a remote destination group, follow these restrictions and guidelines:
· Only an existing static VLAN can be configured as a remote probe VLAN.
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· Configure the same remote probe VLAN for the remote groups on the source and destination devices.
To configure the remote probe VLAN for a remote destination group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the remote probe VLAN for the specified remote destination group. | mirroring-group group-id remote-probe vlan vlan-id | By default, no remote probe VLAN is configured for a remote destination group. |
Assigning the monitor port to the remote probe VLAN
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter the interface view of the monitor port. | interface interface-type interface-number | N/A |
3. Assign the port to the remote probe VLAN. | · For an access port: · For a trunk port: · For a hybrid port: | For more information about the port access vlan, port trunk permit vlan, and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference. |
Configuring a remote source group on the source device
Creating a remote source group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a remote source group. | mirroring-group group-id remote-source [ sampler sampler-name ] | By default, no remote source group exists on a device. |
Configuring source ports for a remote source group
To configure source ports for a mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the remote source group as source ports in interface view, repeat the operation.
When you configure source ports for a remote source group, follow these restrictions and guidelines:
· Do not assign a source port of a mirroring group to a source VLAN or the remote probe VLAN of the mirroring group.
· A mirroring group can contain multiple source ports.
· Typically, a port can belong to only one mirroring group.
· Do not configure flow sampling on a source port from which the outbound packets are mirrored.
Configuring source ports for a remote source group in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source ports for the specified remote source group. | mirroring-group group-id mirroring-port interface-list { both \| inbound \| outbound } | By default, no source port is configured for a remote source group. |
Configuring a source port for a remote source group in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as a source port for the specified remote source group. | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | By default, a port does not act as a source port for any remote source groups. |
Configuring source VLANs for a remote source group
When you configure source VLANs for a remote source group, follow these restrictions and guidelines:
· A mirroring group can contain multiple source VLANs.
· A VLAN can be configured as the source VLAN for only one mirroring group.
To configure source VLANs for a remote source group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source VLANs for the specified remote source group. | mirroring-group group-id mirroring-vlan vlan-list { both \| inbound \| outbound } | By default, no source VLAN is configured for a remote source group. |
Configuring the reflector port for a remote source group
To configure the reflector port for a remote source group, use one of the following methods:
· Configure the reflector port for the remote source group in system view.
· Assign a port to the remote source group as the reflector port in interface view.
When you configure the reflector port for a remote source group, follow these restrictions and guidelines:
· Do not assign the reflector port of a mirroring group to a source VLAN of the mirroring group.
· The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port.
· When a port is configured as a reflector port, all existing configurations of the port are cleared. You cannot configure other features on the reflector port.
· A mirroring group contains only one reflector port.
· You can configure a port as a reflector port only when the port is operating with the default duplex mode, speed, and MDI settings. You cannot change these settings for a reflector port.
Configuring the reflector port for a remote source group in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the reflector port for the specified remote source group. | mirroring-group group-id reflector-port interface-type interface-number | By default, no reflector port is configured for a remote source group. |
Configuring the reflector port for a remote source group in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the reflector port for the specified remote source group. | mirroring-group group-id reflector-port | By default, a port does not act as the reflector port for any remote source groups. |
Configuring the remote probe VLAN for a remote source group
When you configure the remote probe VLAN for a remote source group, follow these restrictions and guidelines:
· Only an existing static VLAN can be configured as a remote probe VLAN.
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· The remote mirroring groups on the source device and destination device must use the same remote probe VLAN.
To configure the remote probe VLAN for a remote source group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the remote probe VLAN for the specified remote source group. | mirroring-group group-id remote-probe vlan vlan-id | By default, no remote probe VLAN is configured for a remote source group. |
Displaying and maintaining port mirroring
Execute display commands in any view.
Task | Command |
---|---|
Display mirroring group information. | display mirroring-group { group-id \| all \| local \| remote-destination \| remote-source } |
Port mirroring configuration examples
By default, Ethernet, VLAN, and aggregate interfaces are shut down. You must use the undo shutdown command to bring them up. These examples assume that all these interfaces are already up.
Local port mirroring configuration example (in source port mode)
Network requirements
As shown in Figure 3, configure local port mirroring in source port mode to enable the server to monitor the bidirectional traffic of the two departments.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Configure GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 as source ports for local mirroring group 1.
[Device] mirroring-group 1 mirroring-port GigabitEthernet 3/0/1 GigabitEthernet 3/0/2 both
# Configure GigabitEthernet 3/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port GigabitEthernet 3/0/3
# Disable the spanning tree feature on the monitor port GigabitEthernet 3/0/3.
[Device] interface GigabitEthernet 3/0/3
[Device-GigabitEthernet3/0/3] undo stp enable
[Device-GigabitEthernet3/0/3] quit
Verifying the configuration
# Verify the mirroring group configuration.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet3/0/1 Both
GigabitEthernet3/0/2 Both
Monitor port: GigabitEthernet3/0/3
Local port mirroring configuration example (in source VLAN mode)
Network requirements
As shown in Figure 4, configure local port mirroring in source VLAN mode to enable the server to monitor the bidirectional traffic of the two departments:
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Create VLAN 2, and assign GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 to VLAN 2.
[Device] vlan 2
[Device-vlan2] port GigabitEthernet 3/0/1 GigabitEthernet 3/0/2
[Device-vlan2] quit
# Configure VLAN 2 as a source VLAN for local mirroring group 1.
[Device] mirroring-group 1 mirroring-vlan 2 both
# Configure GigabitEthernet 3/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port GigabitEthernet 3/0/3
# Disable the spanning tree feature on the monitor port GigabitEthernet 3/0/3.
[Device] interface GigabitEthernet 3/0/3
[Device-GigabitEthernet3/0/3] undo stp enable
[Device-GigabitEthernet3/0/3] quit
Verifying the configuration
# Verify the mirroring group configuration.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring VLAN:
2 Both
Monitor port: GigabitEthernet3/0/3
Layer 2 remote port mirroring configuration example (reflector port configurable)
Network requirements
As shown in Figure 5, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing department.
Configuration procedure
1. Configure Device C (the destination device):
# Configure GigabitEthernet 3/0/1 as a trunk port to permit the packets from VLAN 2 to pass through.
<DeviceC> system-view
[DeviceC] interface GigabitEthernet 3/0/1
[DeviceC-GigabitEthernet3/0/1] port link-type trunk
[DeviceC-GigabitEthernet3/0/1] port trunk permit vlan 2
[DeviceC-GigabitEthernet3/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2, which is to be configured as the remote probe VLAN.
[DeviceC] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceC-vlan2] undo mac-address mac-learning enable
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceC] mirroring-group 2 remote-probe vlan 2
# Configure GigabitEthernet 3/0/2 as the monitor port for the mirroring group.
[DeviceC] interface GigabitEthernet 3/0/2
[DeviceC-GigabitEthernet3/0/2] mirroring-group 2 monitor-port
# Disable the spanning tree feature on GigabitEthernet 3/0/2.
[DeviceC-GigabitEthernet3/0/2] undo stp enable
# Assign GigabitEthernet 3/0/2 to VLAN 2 as an access port.
[DeviceC-GigabitEthernet3/0/2] port access vlan 2
[DeviceC-GigabitEthernet3/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2.
<DeviceB> system-view
[DeviceB] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceB-vlan2] undo mac-address mac-learning enable
[DeviceB-vlan2] quit
# Configure GigabitEthernet 3/0/1 as a trunk port to permit the packets from VLAN 2 to pass through.
[DeviceB] interface GigabitEthernet 3/0/1
[DeviceB-GigabitEthernet3/0/1] port link-type trunk
[DeviceB-GigabitEthernet3/0/1] port trunk permit vlan 2
[DeviceB-GigabitEthernet3/0/1] quit
# Configure GigabitEthernet 3/0/2 as a trunk port to permit the packets from VLAN 2 to pass through.
[DeviceB] interface GigabitEthernet 3/0/2
[DeviceB-GigabitEthernet3/0/2] port link-type trunk
[DeviceB-GigabitEthernet3/0/2] port trunk permit vlan 2
[DeviceB-GigabitEthernet3/0/2] quit
3. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceA-vlan2] undo mac-address mac-learning enable
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
# Configure GigabitEthernet 3/0/1 as a source port for the mirroring group.
[DeviceA] mirroring-group 1 mirroring-port GigabitEthernet 3/0/1 both
# Configure GigabitEthernet 3/0/3 as the reflector port for the mirroring group.
[DeviceA] mirroring-group 1 reflector-port GigabitEthernet 3/0/3
This operation may delete all settings made on the interface. Continue? [Y/N]: y
# Configure GigabitEthernet 3/0/2 as a trunk port to permit the packets from VLAN 2 to pass through.
[DeviceA] interface GigabitEthernet 3/0/2
[DeviceA-GigabitEthernet3/0/2] port link-type trunk
[DeviceA-GigabitEthernet3/0/2] port trunk permit vlan 2
[DeviceA-GigabitEthernet3/0/2] quit
Verifying the configuration
# Verify the mirroring group configuration on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: GigabitEthernet3/0/2
Remote probe VLAN: 2
# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet3/0/1 Both
Reflector port: GigabitEthernet3/0/3
Remote probe VLAN: 2
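Because a mirroring group copies traffic off the device, the output of display mirroring-group all is worth checking against the guidelines in this chapter: each group complete and Active, no port or source VLAN shared between groups, and the same remote probe VLAN on the source and destination devices. The following Python is an added example, not H3C code; the sample outputs are constructed in the format shown above, and the function names, the "Incomplete" status value, and the pairing of all remote groups on the two devices are assumptions.

```python
import re
from collections import defaultdict

# Constructed samples in the format of "display mirroring-group all" output.
# DEVICE_A has a deliberately wrong remote probe VLAN; DEVICE_LOCAL has an
# unfinished group (the status value "Incomplete" is an assumption).
DEVICE_A = """\
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet3/0/1 Both
Reflector port: GigabitEthernet3/0/3
Remote probe VLAN: 3
"""
DEVICE_C = """\
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: GigabitEthernet3/0/2
Remote probe VLAN: 2
"""
DEVICE_LOCAL = """\
Mirroring group 1:
Type: Local
Status: Active
Mirroring VLAN:
2 Both
Monitor port: GigabitEthernet3/0/3
Mirroring group 3:
Type: Local
Status: Incomplete
Mirroring port:
GigabitEthernet3/0/3 Inbound
"""

GROUP_RE = re.compile(r"^Mirroring group (\d+):$")
# Fields a group needs before it can take effect, per group type.
REQUIRED = {"Local": ["monitor port"],
            "Remote source": ["reflector port", "remote probe vlan"],
            "Remote destination": ["monitor port", "remote probe vlan"]}


def parse_mirroring_groups(text):
    """Turn display output into one dict per mirroring group."""
    groups, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", "<", "#")):
            continue  # blank line, CLI prompt or comment
        m = GROUP_RE.match(line)
        if m:
            current, section = {"id": int(m.group(1)), "sources": []}, None
            groups.append(current)
        elif current is None:
            continue  # text before the first group header
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            section = None if value else key  # empty value: a source list follows
            if value:
                current[key] = value
        elif section in ("mirroring port", "mirroring vlan"):
            parts = line.split()  # "<port or VLAN> <direction>"
            current["sources"].append((section.split()[1], parts[0], parts[-1]))
    return groups


def audit_device(groups):
    """Check one device's groups against the guidelines in this chapter."""
    findings, used_by = [], defaultdict(set)  # (kind, name) -> group IDs
    for g in groups:
        gid, gtype = g["id"], g.get("type", "")
        if g.get("status") != "Active":
            findings.append(f"group {gid}: status {g.get('status')!r}, not Active")
        findings += [f"group {gid}: {gtype} group has no {field}"
                     for field in REQUIRED.get(gtype, []) if field not in g]
        if gtype != "Remote destination" and not g["sources"]:
            findings.append(f"group {gid}: no source port or source VLAN")
        for kind, name, _direction in g["sources"]:
            used_by[(kind, name)].add(gid)
        for role in ("monitor port", "reflector port"):
            if role in g:
                used_by[("port", g[role])].add(gid)
    for (kind, name), gids in sorted(used_by.items()):
        if len(gids) > 1:  # a port or source VLAN should sit in one group only
            findings.append(f"{kind} {name}: in mirroring groups {sorted(gids)}")
    return findings


def probe_vlan_mismatch(source_groups, destination_groups):
    """Return (source VLANs, destination VLANs) when the two ends disagree."""
    def vlans(groups, gtype):
        return sorted({g["remote probe vlan"] for g in groups
                       if g.get("type") == gtype and "remote probe vlan" in g})
    src = vlans(source_groups, "Remote source")
    dst = vlans(destination_groups, "Remote destination")
    return None if src == dst else (src, dst)


if __name__ == "__main__":
    print(audit_device(parse_mirroring_groups(DEVICE_LOCAL)))
    print(probe_vlan_mismatch(parse_mirroring_groups(DEVICE_A),
                              parse_mirroring_groups(DEVICE_C)))
```

With the constructed samples, the local device yields three findings (the unfinished group 3, its missing monitor port, and GigabitEthernet3/0/3 appearing in groups 1 and 3), and the remote pair is reported as using probe VLANs 3 and 2.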
Flow mirroring copies packets matching a class to a destination for packet analyzing and monitoring. It is implemented through QoS policies.
To configure flow mirroring, perform the following tasks:
· Define traffic classes and configure match criteria to classify packets to be mirrored. Flow mirroring allows you to flexibly classify packets to be analyzed by defining match criteria.
· Configure traffic behaviors to mirror packets that fit the match criteria to the specified destination.
You can configure an action to mirror the matching packets to the following destinations:
· Interface—The matching packets are copied to an interface connecting to a data monitoring device. The data monitoring device analyzes the packets received on the interface.
· VLAN—The matching packets are copied to a VLAN where the packets are broadcast.
· CPU—The matching packets are copied to the CPU of the card where they are received. The CPU analyzes the packets or delivers them to upper layers.
For more information about QoS policies, traffic classes, and traffic behaviors, see ACL and QoS Configuration Guide.
Hardware compatibility
The interface cards LST1XP16LEB1, LST1XP16LEC1, and LST1XP16LEC2 do not support mirroring traffic to VLANs.
Flow mirroring configuration task list
Tasks at a glance |
(Required.) Configuring match criteria |
(Required.) Configuring a traffic behavior |
(Required.) Configuring a QoS policy |
(Required.) Applying a QoS policy: · Applying a QoS policy to an interface |
For more information about the following commands except the mirror-to command, see ACL and QoS Command Reference.
Configuring match criteria
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a class and enter class view. | traffic classifier tcl-name [ operator { and \| or } ] | By default, no traffic class exists. |
3. Configure match criteria. | if-match match-criteria | By default, no match criterion is configured in a traffic class. |
Configuring a traffic behavior
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a traffic behavior and enter traffic behavior view. | traffic behavior behavior-name | By default, no traffic behavior exists. |
3. Specify a mirroring destination for the traffic behavior. | · Mirror traffic to an interface: · Mirror traffic to a VLAN: · Mirror traffic to a CPU: | By default, no mirroring destination is configured for a traffic behavior. Traffic can be mirrored to a nonexistent VLAN. When the VLAN is created and is assigned interfaces, the configuration automatically takes effect on the VLAN. |
4. (Optional.) Display the traffic behavior configuration. | display traffic behavior | Available in any view. |
Configuring a QoS policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a QoS policy and enter the QoS policy view. | qos policy policy-name | By default, no QoS policy exists. |
3. Associate a class with a traffic behavior in the QoS policy. | classifier tcl-name behavior behavior-name | By default, no traffic behavior is associated with a class. |
4. (Optional.) Display QoS policy configuration. | display qos policy | Available in any view. |
Applying a QoS policy
Applying a QoS policy to an interface
By applying a QoS policy to an interface, you can mirror the traffic in the specified direction on the interface. A policy can be applied to multiple interfaces, but only one policy can be applied in the specified direction of an interface.
To apply a QoS policy to an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Apply a policy to the interface. | qos apply policy policy-name { inbound \| outbound } | You can apply the QoS policy to the incoming and outgoing traffic on an interface, but only the incoming traffic can be mirrored. |
Applying a QoS policy to a VLAN
You can apply a QoS policy to a VLAN to mirror the traffic in the specified direction on all ports in the VLAN.
To apply the QoS policy to a VLAN:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Apply a QoS policy to a VLAN. | qos vlan-policy policy-name vlan vlan-id-list { inbound \| outbound } | You can apply the QoS policy to the incoming and outgoing traffic on all ports in the VLAN, but only the incoming traffic can be mirrored. |
Applying a QoS policy globally
You can apply a QoS policy globally to mirror the traffic in the specified direction on all ports.
To apply a QoS policy globally:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Apply a QoS policy globally. | qos apply policy policy-name global { inbound \| outbound } | You can apply the QoS policy to the incoming and outgoing traffic on all ports, but only the incoming traffic can be mirrored. |
Flow mirroring configuration example
By default, Ethernet, VLAN, and aggregate interfaces are shut down. You must use the undo shutdown command to bring them up. This example assumes that all these interfaces are already up.
Network requirements
As shown in Figure 6, configure flow mirroring so that the server can monitor the following traffic:
· All traffic that the Technical department sends to access the Internet.
· IP traffic that the Technical department sends to the Marketing department during working hours (8:00 to 18:00) on weekdays.
Configuration procedure
# Create a working hour range work, in which the working hour is from 8:00 to 18:00 on weekdays.
<DeviceA> system-view
[DeviceA] time-range work 8:00 to 18:00 working-day
# Create ACL 3000 to permit packets that the Technical department sends to access the Internet, and packets that it sends to the Marketing department during working hours.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
[DeviceA-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work
[DeviceA-acl-adv-3000] quit
# Create traffic class tech_c, and configure the match criterion as ACL 3000.
[DeviceA] traffic classifier tech_c
[DeviceA-classifier-tech_c] if-match acl 3000
[DeviceA-classifier-tech_c] quit
# Create traffic behavior tech_b, and configure the action of mirroring traffic to port GigabitEthernet 4/0/3.
[DeviceA] traffic behavior tech_b
[DeviceA-behavior-tech_b] mirror-to interface GigabitEthernet 4/0/3
[DeviceA-behavior-tech_b] quit
# Create QoS policy tech_p, and associate traffic class tech_c with traffic behavior tech_b in the QoS policy.
[DeviceA] qos policy tech_p
[DeviceA-qospolicy-tech_p] classifier tech_c behavior tech_b
[DeviceA-qospolicy-tech_p] quit
# Apply QoS policy tech_p to the incoming packets of GigabitEthernet 4/0/4.
[DeviceA] interface GigabitEthernet 4/0/4
[DeviceA-GigabitEthernet4/0/4] qos apply policy tech_p inbound
[DeviceA-GigabitEthernet4/0/4] quit
Verifying the configuration
# Verify that the server can monitor the following traffic:
· All traffic sent by the Technical department to access the Internet.
· IP traffic that the Technical department sends to the Marketing department during working hours on weekdays.
(Details not shown.)
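The following Python check is an added example, not part of the original guide. It resolves the class, behavior, and policy chain described above from configuration text and lists every place a policy with a mirror-to action is applied, marking outbound applications, which the tables above state are not mirrored. The sample configuration is constructed from this page's commands; its saved-config layout (view commands indented under the line that opens the view) and the names audit_flow_mirroring and SAMPLE_CONFIG are assumptions.

```python
import re

# Constructed sample built from this page's commands. The saved-config layout
# (view commands indented under the line that opens the view) is an assumption.
SAMPLE_CONFIG = """\
traffic classifier tech_c
 if-match acl 3000
traffic behavior tech_b
 mirror-to interface GigabitEthernet4/0/3
qos policy tech_p
 classifier tech_c behavior tech_b
interface GigabitEthernet4/0/4
 qos apply policy tech_p inbound
interface GigabitEthernet4/0/5
 qos apply policy tech_p outbound
qos vlan-policy tech_p vlan 10 inbound
"""

VIEW = re.compile(r"(traffic behavior|qos policy|interface) (.+)")
BIND = re.compile(r"classifier (\S+) behavior (\S+)")
APPLY = re.compile(r"qos apply policy (\S+) (global )?(inbound|outbound)")
VLAN_APPLY = re.compile(r"qos vlan-policy (\S+) vlan (.+) (inbound|outbound)")

def audit_flow_mirroring(config):
    """List each application of a QoS policy that contains a mirror-to action.
    'mirrors' is False for outbound: the guide says only incoming traffic is mirrored."""
    behaviors, policies, applied, view = {}, {}, [], (None, None)
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # unindented: opens a view or is global
            m = VIEW.fullmatch(line)
            view = m.groups() if m else (None, None)
        kind, name = view
        if kind == "traffic behavior" and line.startswith("mirror-to "):
            behaviors.setdefault(name, []).append(line[len("mirror-to "):])
        elif kind == "qos policy" and (m := BIND.fullmatch(line)):
            policies.setdefault(name, []).append(m.group(2))
        elif m := APPLY.fullmatch(line):
            where = "global" if m.group(2) else f"interface {name}"
            applied.append((m.group(1), where, m.group(3)))
        elif m := VLAN_APPLY.fullmatch(line):
            applied.append((m.group(1), f"vlan {m.group(2)}", m.group(3)))
    findings = []
    for policy, where, direction in applied:
        dests = [d for b in policies.get(policy, []) for d in behaviors.get(b, [])]
        if dests:  # skip policies that carry no mirroring action
            findings.append({"policy": policy, "applied_to": where,
                             "direction": direction, "destinations": dests,
                             "mirrors": direction == "inbound"})
    return findings
```

Comparing the reported destinations against the list of approved monitoring ports shows both unexpected copies of traffic and monitoring gaps left by outbound applications.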