Login
- Table of Contents
-
- 11-Network Management and Monitoring Configuration Guide
- 00-Preface
- 01-System maintenance and debugging configuration
- 02-NTP configuration
- 03-Information center configuration
- 04-SNMP configuration
- 05-RMON configuration
- 06-Sampler configuration
- 07-Mirroring configuration
- 08-sFlow configuration
- 09-EAA configuration
- 10-NQA configuration
- 11-NETCONF configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 07-Mirroring configuration | 351.83 KB |
Contents
Port mirroring classification and implementation
Configuring local port mirroring
Local port mirroring configuration task list
Creating a local mirroring group
Configuring source ports for the local mirroring group
Configuring source CPUs for the local mirroring group
Configuring the monitor port for the local mirroring group
Configure local port mirroring with monitor ports
Configuring Layer 2 remote port mirroring
Layer 2 remote port mirroring configuration task list
Configuring a remote destination group on the destination device
Configuring a remote source group on the source device
Displaying and maintaining port mirroring
Port mirroring configuration examples
Local port mirroring configuration example (in source port mode)
Local port mirroring configuration example (in source CPU mode)
Local port mirroring with multiple monitor ports configuration example
Layer 2 remote port mirroring configuration example
Flow mirroring configuration task list
Configuring a traffic behavior
Applying a QoS policy to an interface
Applying a QoS policy to a VLAN
Applying a QoS policy globally
Configuring port mirroring
The port mirroring feature is available on both Layer 2 and Layer 3 Ethernet interfaces. The term "interface" in this chapter collectively refers to these two types of interfaces. You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3 interface (see Layer 2—LAN Switching Configuration Guide).
Overview
Port mirroring copies the packets passing through a port or CPU to the monitor port that connects to a data monitoring device for packet analysis.
Terminology
The following terms are used in port mirroring configuration.
Mirroring source
The mirroring sources can be one or more monitored ports or CPUs. The monitored ports and CPUs are called source ports and source CPUs, respectively.
Packets passing through mirroring sources are copied to a port connecting to a data monitoring device for packet analysis. The copies are called mirrored packets.
Source device
The device where the mirroring sources reside is called a source device.
Mirroring destination
The mirroring destination connects to a data monitoring device and is the destination port (also known as the monitor port) of mirrored packets. Mirrored packets are sent out of the monitor port to the data monitoring device.
A monitor port might receive multiple copies of a packet when it monitors multiple mirroring sources. For example, two copies of a packet are received on Port 1 when the following conditions exist:
· Port 1 is monitoring bidirectional traffic of Port 2 and Port 3 on the same device.
· The packet travels from Port 2 to Port 3.
Destination device
The device where the monitor port resides is called the destination device.
Mirroring direction
The mirroring direction specifies the direction of the traffic that is copied on a mirroring source.
· Inbound—Copies packets received.
· Outbound—Copies packets sent.
· Bidirectional—Copies packets received and sent.
Mirroring group
Port mirroring is implemented through mirroring groups, which include local, remote source, and remote destination groups. For more information about the mirroring groups, see "Port mirroring classification and implementation."
Reflector port, egress port, and remote probe VLAN
Reflector ports, remote probe VLANs, and egress ports are used for Layer 2 remote port mirroring. The remote probe VLAN is a dedicated VLAN for transmitting mirrored packets to the destination device. Both the reflector port and egress port reside on a source device and send mirrored packets to the remote probe VLAN.
For more information about the reflector port, egress port, remote probe VLAN, and Layer 2 remote port mirroring, see "Port mirroring classification and implementation."
|
|
NOTE: On port mirroring devices, all ports except source, destination, reflector, and egress ports are called common ports. |
Port mirroring classification and implementation
Port mirroring includes local port mirroring and remote port mirroring.
· Local port mirroring—The mirroring sources and the mirroring destination are on the same device.
· Remote port mirroring—The mirroring sources and the mirroring destination are on different devices.
Local port mirroring
In local port mirroring, the following conditions exist:
· The source device is directly connected to a data monitoring device.
· The source device acts as the destination device to forward mirrored packets to the data monitoring device.
A local mirroring group is a mirroring group that contains the mirroring sources and the mirroring destination on the same device.
In a local mirroring group, the source ports or source CPUs, and the monitor port can be located on different cards of the same device.
Figure 1 Local port mirroring implementation
As shown in Figure 1, the source port FortyGigE 1/0/1 and the monitor port FortyGigE 1/0/2 reside on the same device. Packets received on FortyGigE 1/0/1 are copied to FortyGigE 1/0/2. FortyGigE 1/0/2 then forwards the packets to the data monitoring device for analysis.
Remote port mirroring
In remote port mirroring, the following conditions exist:
· The source device is not directly connected to a data monitoring device.
· The source device copies mirrored packets to the destination device, which forwards them to the data monitoring device.
· The mirroring sources and the mirroring destination reside on different devices and are in different mirroring groups.
A remote source group is a mirroring group that contains the mirroring sources. A remote destination group is a mirroring group that contains the mirroring destination. Intermediate devices are the devices between the source device and the destination device.
In Layer 2 remote port mirroring, the mirroring source and the mirroring destination are located on different devices on a same Layer 2 network.
In Layer 2 remote port mirroring, packets are mirrored as follows:
1. The source device copies packets received on the mirroring sources to the egress port.
2. The egress port forwards the mirrored packets to the intermediate devices.
3. The intermediate devices then flood the mirrored packets in the remote probe VLAN and transmit the packets to the destination device.
4. Upon receiving the mirrored packets, the destination device checks whether the ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the destination device forwards the mirrored packets to the data monitoring device through the monitor port.
Figure 2 Layer 2 remote port mirroring implementation
To ensure Layer 2 forwarding of the mirrored packets, assign the intermediate devices' ports facing the source and destination devices to the remote probe VLAN.
In Layer 2 remote port mirroring, the switch does not support bidirectional mirroring on the same port in a mirroring group.
Configuring local port mirroring
A local mirroring group takes effect only when you configure the source ports or source CPUs, and the monitor port for the local mirroring group.
On an IRF fabric, mirroring traffic between IRF member devices is not supported.
Local port mirroring configuration task list
|
Tasks at a glance |
|
1. (Required.) Creating a local mirroring group |
|
2. (Required.) Perform at least one of the following tasks: |
|
3. (Required.) Configuring the monitor port for the local mirroring group |
Creating a local mirroring group
|
Command |
Remarks |
|
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a local mirroring group. |
mirroring-group group-id local [ sampler sampler-name ] |
By default, no local mirroring group exists. |
Configuring source ports for the local mirroring group
To configure source ports for a local mirroring group, use one of the following methods:
· Assign a list of source ports to a mirroring group in system view.
· Assign a port to it as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
· A mirroring group can contain multiple source ports.
· A source port can belong to only one mirroring group.
· A source port cannot be configured as a reflector port, egress port, or monitor port.
Configuring source ports in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source ports for the specified local mirroring group. |
mirroring-group group-id mirroring-port interface-list { both | inbound | outbound } |
By default, no source port is configured for a local mirroring group. |
Configuring source ports in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as a source port for the specified local mirroring group. |
mirroring-group group-id mirroring-port { both | inbound | outbound } |
By default, a port does not act as a source port for any local mirroring group. |
Configuring source CPUs for the local mirroring group
A mirroring group can contain multiple source CPUs.
To configure source CPUs for a local mirroring group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source CPUs for the specified local mirroring group. |
mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound } |
By default, no source CPU is configured for a local mirroring group. |
Configuring the monitor port for the local mirroring group
To configure the monitor port for a local mirroring group, use one of the following methods:
· Configure the monitor port for the local mirroring group in system view.
· Assign a port to the mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a mirroring group, follow these restrictions and guidelines:
· For the mirroring function to operate correctly, disable the spanning tree feature on the monitor port.
· For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not configure its member interfaces as source ports of the mirroring group.
· A mirroring group contains only one monitor port.
· Use a monitor port for port mirroring only, so the data monitoring device receives only the mirrored traffic.
· In source CPU mode, directly connect the monitor port to the data monitoring device. Disable the following features on the monitor port:
¡ IGMP snooping.
¡ MAC address learning.
¡ Spanning tree.
¡ Static ARP.
Configuring the monitor port in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the monitor port for the specified local mirroring group. |
mirroring-group group-id monitor-port interface-type interface-number |
By default, no monitor port is configured for a local mirroring group. |
Configuring the monitor port in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the monitor port for the specified mirroring group. |
mirroring-group group-id monitor-port |
By default, a port does not act as the monitor port for any local mirroring group. |
Configure local port mirroring with monitor ports
Typically, you can configure only one monitor port in a local mirroring group. To configure local port mirroring to support multiple monitor ports, use the remote probe VLAN.
In Layer 2 remote port mirroring, mirrored packets are broadcast within the remote probe VLAN.
To broadcast mirrored packets to multiple monitor ports through the remote probe VLAN, perform the following tasks:
1. Configure a remote source group on the local device.
2. Specify the reflector port for this mirroring group.
3. Configure a remote probe VLAN for this mirroring group.
4. Assign the ports connecting the data monitoring devices to the remote probe VLAN.
Configuration restrictions and guidelines
When you configure local port mirroring to support multiple monitor ports, follow these restrictions and guidelines:
· Do not configure a Layer 2 aggregate interface as the reflector port.
· As a best practice, configure an unused port as the reflector port of a remote source group, and do not connect a cable to the reflector port.
· A mirroring group can contain multiple source ports.
· For the port mirroring function to operate correctly, do not assign a source port to the remote probe VLAN.
· If you have already configured a reflector port for a remote source group, do not configure an egress port for it.
· A VLAN can act as the remote probe VLAN for only one remote source group. As a best practice, use the remote probe VLAN for port mirroring exclusively. Do not create a VLAN interface for the VLAN or configure any other features for the VLAN.
· A remote probe VLAN must be a static VLAN. To delete this static VLAN, you must first remove the remote probe VLAN configuration by using the undo mirroring-group remote-probe vlan command.
· If the remote probe VLAN of a remote mirroring group is removed, the remote mirroring group will become invalid.
Configuration procedure
To configure local port mirroring with multiple monitor ports:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a remote source group. |
mirroring-group group-id remote-source [ sampler sampler-name ] |
By default, no mirroring group exists on a device. |
|
3. Configure source ports for the remote source group. |
· In system view: · In interface view: a. interface interface-type interface-number b. mirroring-group group-id mirroring-port { both | inbound | outbound } c. quit |
By default, no source port is configured for a mirroring group. |
|
4. Configure the reflector port for the remote source group. |
mirroring-group group-id reflector-port reflector-port |
By default, no reflector port is configured for a mirroring group. |
|
5. Create the remote probe VLAN and enter VLAN view. |
vlan vlan-id |
By default, no remote probe VLAN is configured for a mirroring group. |
|
6. Assign monitor ports to the remote probe VLAN. |
port interface-list |
By default, a newly-created VLAN does not have any member port. |
|
7. Return to system view. |
quit |
N/A |
|
8. Configure the remote probe VLAN for the remote source group. |
mirroring-group group-id remote-probe vlan rprobe-vlan-id |
By default, no remote probe VLAN is configured for a mirroring group. |
Configuring Layer 2 remote port mirroring
To configure Layer 2 remote port mirroring, perform the following tasks:
· Configure a remote source group on the source device.
· Configure a cooperating remote destination group on the destination device.
· If intermediate devices exist, configure the following devices and ports to allow the remote probe VLAN to pass through:
¡ Intermediate devices.
¡ Ports connected to the intermediate devices on the source and destinations devices.
When you configure Layer 2 remote port mirroring, follow these restrictions and guidelines:
· For a mirrored packet to successfully arrive at the remote destination device, make sure the VLAN ID of the mirrored packet is not removed or changed.
· Layer 2 remote port mirroring does not support using Layer 2 aggregate interfaces as source ports or monitor ports.
· As a best practice, configure devices in the order of the destination device, the intermediate devices, and the source device.
· On an IRF fabric, mirroring traffic between IRF member devices is not supported.
Layer 2 remote port mirroring configuration task list
Configuring a remote destination group on the destination device
Creating a remote destination group
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a remote destination group. |
mirroring-group group-id remote-destination [ sampler sampler-name ] |
By default, no remote destination group exists on a device. |
Configuring the monitor port for a remote destination group
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to the mirroring group as the monitor port in interface view.
When you configure the monitor port for a remote destination group, follow these restrictions and guidelines:
· Do not enable the spanning tree feature on the monitor port.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· A mirroring group must contain only one monitor port.
· In source CPU mode, directly connect the monitor port to the data monitoring device. Disable the following features on the monitor port:
¡ IGMP snooping.
¡ MAC address learning.
¡ Spanning tree.
¡ Static ARP.
Configuring the monitor port for a remote destination group in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the monitor port for the specified remote destination group. |
mirroring-group group-id monitor-port interface-type interface-number |
By default, no monitor port is configured for a remote destination group. |
Configuring the monitor port for a remote destination group in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the monitor port for the specified remote destination group. |
mirroring-group group-id monitor-port |
By default, a port does not act as the monitor port for any remote destination group. |
Configuring the remote probe VLAN for a remote destination group
When you configure the remote probe VLAN for a remote destination group, follow these restrictions and guidelines:
· Only an existing static VLAN can be configured as a remote probe VLAN.
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· Configure the same remote probe VLAN for the remote mirroring groups on the source and destination devices.
To configure the remote probe VLAN for a remote destination group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the remote probe VLAN for the specified remote destination group. |
mirroring-group group-id remote-probe vlan vlan-id |
By default, no remote probe VLAN is configured for a remote destination group. |
Assigning the monitor port to the remote probe VLAN
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter the interface view of the monitor port. |
interface interface-type interface-number |
N/A |
|
3. Assign the port to the remote probe VLAN. |
·
For an access port: ·
For a trunk port: ·
For a hybrid port: |
For more information about the port access vlan, port trunk permit vlan, and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference. |
Configuring a remote source group on the source device
Creating a remote source group
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a remote source group. |
mirroring-group group-id remote-source [ sampler sampler-name ] |
By default, no remote source group exists on a device. |
Configuring source ports for a remote source group
To configure source ports for a mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
When you configure source ports for a remote source group, follow these restrictions and guidelines:
· Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring group.
· A mirroring group can contain multiple source ports.
· A source port can belong to only one mirroring group.
· A source port cannot be configured as a reflector port, monitor port, or egress port.
Configuring source ports for a remote source group in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source ports for the specified remote source group. |
mirroring-group group-id mirroring-port interface-list { both | inbound | outbound } |
By default, no source port is configured for a remote source group. |
Configuring a source port for a remote source group in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as a source port for the specified remote source group. |
mirroring-group group-id mirroring-port { both | inbound | outbound } |
By default, a port does not act as a source port for any remote source group. |
Configuring source CPUs for a remote source group
A mirroring group can contain multiple source CPUs.
To configure source CPUs for a remote source group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source CPUs for the specified remote source group. |
·
In standalone mode: ·
In IRF mode: |
By default, no source CPU is configured for a remote source group. |
Configuring the egress port for a remote source group
To configure the egress port for a remote source group, use one of the following tasks:
· Configure the egress port for the remote source group in system view.
· Assign a port to the remote source group as the egress port in interface view.
When you configure the egress port for a remote source group, follow these restrictions and guidelines:
· Disable the following features on the egress port:
¡ Spanning tree.
¡ IGMP snooping.
¡ Static ARP.
¡ MAC address learning.
· A mirroring group contains only one egress port.
· A port of an existing mirroring group cannot be configured as an egress port.
Configuring the egress port for a remote source group in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the egress port for the specified remote source group. |
mirroring-group group-id monitor-egress interface-type interface-number |
By default, no egress port is configured for a remote source group. |
Configuring the egress port for a remote source group in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the egress port for the specified remote source group. |
mirroring-group group-id monitor-egress |
By default, a port does not act as the egress port for any remote source group. |
Configuring the remote probe VLAN for a remote source group
When you configure the remote probe VLAN for a remote source group, follow these restrictions and guidelines:
· Only an existing static VLAN can be configured as a remote probe VLAN.
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· The remote mirroring groups on the source device and destination device must use the same remote probe VLAN.
To configure the remote probe VLAN for a remote source group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the remote probe VLAN for the specified remote source group. |
mirroring-group group-id remote-probe vlan vlan-id |
By default, no remote probe VLAN is configured for a remote source group. |
Displaying and maintaining port mirroring
Execute display commands in any view.
|
Task |
Command |
|
Display mirroring group information. |
display mirroring-group { group-id | all | local | remote-destination | remote-source } |
Port mirroring configuration examples
Local port mirroring configuration example (in source port mode)
Network requirements
As shown in Figure 3, configure local port mirroring in source port mode to enable the server to monitor the bidirectional traffic of the Marketing department and the Technical department.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Configure FortyGigE 1/0/1 and FortyGigE 1/0/2 as source ports for local mirroring group 1.
[Device] mirroring-group 1 mirroring-port fortygige 1/0/1 fortygige 1/0/2 both
# Configure FortyGigE 1/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port fortygige 1/0/3
# Disable the spanning tree feature on the monitor port FortyGigE 1/0/3.
[Device] interface fortygige 1/0/3
[Device-FortyGigE1/0/3] undo stp enable
[Device-FortyGigE1/0/3] quit
Verifying the configuration
# Display information about all mirroring groups.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
FortyGigE1/0/1 Both
FortyGigE1/0/2 Both
Monitor port: FortyGigE1/0/3
Local port mirroring configuration example (in source CPU mode)
Network requirements
As shown in Figure 4, FortyGigE 1/0/1 and FortyGigE 1/0/2 are located on the card in slot 1.
Configure local port mirroring in source CPU mode to enable the server to monitor all packets matching the following criteria:
· Received and sent by the Marketing department and the Technical department.
· Processed by the CPU of the card in slot 1 of the device.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Configure the CPU of the card in slot 1 of the device as a source CPU for local mirroring group 1.
[Device] mirroring-group 1 mirroring-cpu slot 1 both
# Configure FortyGigE 1/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port fortygige 1/0/3
# Disable the spanning tree feature on the monitor port FortyGigE 1/0/3.
[Device] interface fortygige 1/0/3
[Device-FortyGigE1/0/3] undo stp enable
[Device-FortyGigE1/0/3] quit
Verifying the configuration
# Display information about all mirroring groups.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring CPU:
Slot 1 Both
Monitor port: FortyGigE1/0/3
Local port mirroring with multiple monitor ports configuration example
Network requirements
As shown in Figure 5, configure port mirroring to enable all data monitoring devices (Server A, Server B, and Server C) to monitor the bidirectional traffic of the three departments.
Configuration procedure
# Create remote source group 1.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Configure FortyGigE 1/0/1 through FortyGigE 1/0/3 as source ports of remote source group 1.
[DeviceA] mirroring-group 1 mirroring-port fortygige 1/0/1 to fortygige 1/0/3 both
# Configure an unused port (FortyGigE 1/0/5, for example) of Device A as the reflector port of remote source group 1.
[DeviceA] mirroring-group 1 reflector-port fortygige 1/0/5
# Create VLAN 10 and assign the FortyGigE 1/0/11 through FortyGigE 1/0/13 to VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] port fortygige 1/0/11 to fortygige 1/0/13
[DeviceA-vlan10] quit
# Configure VLAN 10 as the remote probe VLAN of remote source group 1.
[DeviceA] mirroring-group 1 remote-probe vlan 10
Layer 2 remote port mirroring configuration example
Network requirements
As shown in Figure 6, configure Layer 2 remote port mirroring to enable the server to monitor the outbound traffic from the Marketing department.
Configuration procedure
1. Configure Device C (the destination device):
# Configure FortyGigE 1/0/1 as a trunk port, and assign the port to VLAN 2.
<DeviceC> system-view
[DeviceC] interface fortygige 1/0/1
[DeviceC-FortyGigE1/0/1] port link-type trunk
[DeviceC-FortyGigE1/0/1] port trunk permit vlan 2
[DeviceC-FortyGigE1/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceC] mirroring-group 2 remote-probe vlan 2
# Configure FortyGigE 1/0/2 as the monitor port for the mirroring group.
[DeviceC] interface fortygige 1/0/2
[DeviceC-FortyGigE1/0/2] mirroring-group 2 monitor-port
# Disable the spanning tree feature on FortyGigE 1/0/2.
[DeviceC-FortyGigE1/0/2] undo stp enable
# Assign FortyGigE 1/0/2 to VLAN 2.
[DeviceC-FortyGigE1/0/2] port access vlan 2
[DeviceC-FortyGigE1/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2.
<DeviceB> system-view
[DeviceB] vlan 2
[DeviceB-vlan2] quit
# Configure FortyGigE 1/0/1 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface fortygige 1/0/1
[DeviceB-FortyGigE1/0/1] port link-type trunk
[DeviceB-FortyGigE1/0/1] port trunk permit vlan 2
[DeviceB-FortyGigE1/0/1] quit
# Configure FortyGigE 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface fortygige 1/0/2
[DeviceB-FortyGigE1/0/2] port link-type trunk
[DeviceB-FortyGigE1/0/2] port trunk permit vlan 2
[DeviceB-FortyGigE1/0/2] quit
3. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
# Configure FortyGigE 1/0/1 as a source port for the mirroring group.
[DeviceA] mirroring-group 1 mirroring-port fortygige 1/0/1 outbound
# Configure FortyGigE 1/0/2 as the egress port for the mirroring group.
[DeviceA] mirroring-group 1 monitor-egress fortygige 1/0/2
# Configure FortyGigE 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceA] interface fortygige 1/0/2
[DeviceA-FortyGigE1/0/2] port link-type trunk
[DeviceA-FortyGigE1/0/2] port trunk permit vlan 2
# Disable the spanning tree feature on FortyGigE 1/0/2.
[DeviceA-FortyGigE1/0/2] undo stp enable
[DeviceA-FortyGigE1/0/2] quit
Verifying the configuration
# Display information about all mirroring groups on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: FortyGigE1/0/2
Remote probe VLAN: 2
# Display information about all mirroring groups on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
FortyGigE1/0/1 Outbound
Remote probe VLAN: 2
Configuring flow mirroring
Overview
Flow mirroring copies packets matching a class to a destination for packet analysis and monitoring. It is implemented through QoS policies.
To configure flow mirroring, perform the following tasks:
· Define traffic classes and configure match criteria to classify packets to be mirrored. Flow mirroring allows you to flexibly classify packets to be analyzed by defining match criteria.
· Configure traffic behaviors to mirror the matching packets to the specified destination.
You can configure an action to mirror the matching packets to one of the following destinations:
· Interface—The matching packets are copied to an interface connecting to a data monitoring device. The data monitoring device analyzes the packets received on the interface.
· CPU—The matching packets are copied to the CPU of the card where they are received, The CPU analyzes the packets or deliver the packets to upper layers.
For more information about QoS policies, traffic classes, and traffic behaviors, see ACL and QoS Configuration Guide.
Flow mirroring configuration task list
|
Tasks at a glance |
|
(Required.) Configuring match criteria |
|
(Required.) Configuring a traffic behavior |
|
(Required.) Configuring a QoS policy |
|
(Required.) Applying a QoS policy: · Applying a QoS policy to an interface |
For more information about the following commands except the mirror-to command, see ACL and QoS Command Reference.
Configuring match criteria
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a class and enter class view. |
traffic classifier tcl-name [ operator { and | or } ] |
By default, no traffic class exists. |
|
3. Configure match criteria. |
if-match match-criteria |
By default, no match criterion is configured in a traffic class. |
Configuring a traffic behavior
Configuring a QoS policy
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a QoS policy and enter QoS policy view. |
qos policy policy-name |
By default, no QoS policy exists. |
|
3. Associate a class with a traffic behavior in the QoS policy. |
classifier tcl-name behavior behavior-name |
By default, no traffic behavior is associated with a class. |
|
4. (Optional.) Display QoS policy configuration. |
display qos policy |
Available in any view. |
Applying a QoS policy
Applying a QoS policy to an interface
By applying a QoS policy to an interface, you can mirror the traffic in the specified direction of the interface. A policy can be applied to multiple interfaces. In one direction (inbound or outbound) of an interface, only one policy can be applied.
To apply a QoS policy to an interface:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Enter interface view. |
interface interface-type interface-number |
|
3. Apply a policy to the interface. |
qos apply policy policy-name { inbound | outbound } |
Applying a QoS policy to a VLAN
You can apply a QoS policy to a VLAN to mirror the traffic in the specified direction on all ports in the VLAN.
To apply the QoS policy to a VLAN:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Apply a QoS policy to a VLAN. |
qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound } |
Applying a QoS policy globally
You can apply a QoS policy globally to mirror the traffic in the specified direction on all ports.
To apply a QoS policy globally:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Apply a QoS policy globally. |
qos apply policy policy-name global { inbound | outbound } |
Flow mirroring configuration example
Network requirements
As shown in Figure 7, different departments use IP addresses on different subnets.
Configure flow mirroring so that the server can monitor the following traffic:
· Traffic that the Technical department sends to access the Internet.
· IP traffic that the Technical department sends to the Marketing department during working hours (8:00 to 18:00) on weekdays.
Configuration procedure
# Create a working hour range work, in which the working hour is from 8:00 to 18:00 on weekdays.
<DeviceA> system-view
[DeviceA] time-range work 8:00 to 18:00 working-day
# Create ACL 3000 to allow packets from the Technical department to access the Internet and to the Marketing department during working hours.
[DeviceA] acl number 3000
[DeviceA-acl-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
[DeviceA-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work
[DeviceA-acl-adv-3000] quit
# Create traffic class tech_c, and configure the match criterion as ACL 3000.
[DeviceA] traffic classifier tech_c
[DeviceA-classifier-tech_c] if-match acl 3000
[DeviceA-classifier-tech_c] quit
# Create traffic behavior tech_b, configure the action of mirroring traffic to port FortyGigE 1/0/3.
[DeviceA] traffic behavior tech_b
[DeviceA-behavior-tech_b] mirror-to interface fortygige 1/0/3
[DeviceA-behavior-tech_b] quit
# Create QoS policy tech_p, and associate traffic class tech_c with traffic behavior tech_b in the QoS policy.
[DeviceA] qos policy tech_p
[DeviceA-qospolicy-tech_p] classifier tech_c behavior tech_b
[DeviceA-qospolicy-tech_p] quit
# Apply QoS policy tech_p to the incoming packets of FortyGigE 1/0/4.
[DeviceA] interface fortygige 1/0/4
[DeviceA-FortyGigE1/0/4] qos apply policy tech_p inbound
[DeviceA-FortyGigE1/0/4] quit
Verifying the configuration
# Verify that you can monitor the following traffic through the server:
· All traffic sent by the Technical department to access the Internet.
· IP traffic that the Technical department sends to the Marketing department during working hours on weekdays.
(Details not shown.)
