11-Network Management and Monitoring Configuration Guide: 12-Mirroring configuration
Contents
Port mirroring classification and implementation
Restrictions and guidelines: Port mirroring configuration
Configuring local port mirroring
Local port mirroring configuration task list
Creating a local mirroring group
Configuring source ports for the local mirroring group
Configuring source CPUs for the local mirroring group
Configuring the monitor port for the local mirroring group
Configuring Layer 2 remote port mirroring
Layer 2 remote port mirroring with reflector port configuration task list
Layer 2 remote port mirroring with egress port configuration task list
Configuring a remote destination group on the destination device
Configuring a remote source group on the source device
Configuring local mirroring group with multiple monitor ports
Configuration restrictions and guidelines
Configuring Layer 3 remote port mirroring (in tunnel mode)
Layer 3 remote port mirroring configuration task list
Configuration restrictions and guidelines
Creating local mirroring groups
Configuring source ports for a local mirroring group
Configuring source CPUs for a local mirroring group
Configuring the monitor port for a local mirroring group
Configuring Layer 3 remote port mirroring (in ERSPAN mode)
Layer 3 remote port mirroring configuration task list
Configuration restrictions and guidelines
Creating a local mirroring group on the source device
Configuring source ports for the local mirroring group
Configuring source CPUs for the local mirroring group
Configuring the monitor port for the local mirroring group
Displaying and maintaining port mirroring
Port mirroring configuration examples
Local port mirroring configuration example (in source port mode)
Local port mirroring configuration example (in source CPU mode)
Layer 2 remote port mirroring configuration example (reflector port)
Layer 2 remote port mirroring configuration example (with egress port)
Local port mirroring with multiple monitor ports configuration example
Layer 3 remote port mirroring configuration example (in tunnel mode)
Layer 3 remote port mirroring configuration example (in ERSPAN mode)
Flow mirroring configuration task list
Configuring a traffic behavior
Applying a QoS policy to an interface
Applying a QoS policy to a VLAN
Applying a QoS policy globally
Applying a QoS policy to the control plane
Configuring port mirroring
Overview
Port mirroring copies the packets passing through a port or CPU to a port that connects to a data monitoring device for packet analysis.
Terminology
The following terms are used in port mirroring configuration.
Mirroring source
The mirroring sources can be one or more monitored ports or CPUs. The monitored ports and CPUs are called source ports and source CPUs, respectively.
Packets passing through mirroring sources are copied to a port connecting to a data monitoring device for packet analysis. The copies are called mirrored packets.
Source device
The device where the mirroring sources reside is called a source device.
Mirroring destination
The mirroring destination connects to a data monitoring device and is the destination port (also known as the monitor port) of mirrored packets. Mirrored packets are sent out of the monitor port to the data monitoring device.
A monitor port might receive multiple copies of a packet when it monitors multiple mirroring sources. For example, two copies of a packet are received on Port 1 when the following conditions exist:
· Port 1 is monitoring bidirectional traffic of Port 2 and Port 3 on the same device.
· The packet travels from Port 2 to Port 3.
Destination device
The device where the monitor port resides is called the destination device.
Mirroring direction
The mirroring direction specifies the direction of the traffic that is copied on a mirroring source.
· Inbound—Copies packets received.
· Outbound—Copies packets sent.
· Bidirectional—Copies packets received and sent.
NOTE:
· For inbound traffic mirroring, the VLAN tag in the original packet is copied to the mirrored packet.
· For outbound traffic mirroring, the VLAN tag in the mirrored packet identifies the VLAN to which the packet belongs before it is sent out of the source port.
Mirroring group
Port mirroring is implemented through mirroring groups, which include local, remote source, and remote destination groups. For more information about the mirroring groups, see "Port mirroring classification and implementation."
Reflector port, egress port, and remote probe VLAN
Reflector ports, remote probe VLANs, and egress ports are used for Layer 2 remote port mirroring. The remote probe VLAN is a dedicated VLAN for transmitting mirrored packets to the destination device. Both the reflector port and egress port reside on a source device and send mirrored packets to the remote probe VLAN. For more information about the reflector port, egress port, remote probe VLAN, and Layer 2 remote port mirroring, see "Port mirroring classification and implementation."
NOTE: On port mirroring devices, all ports except source, destination, reflector, and egress ports are called common ports.
Port mirroring classification and implementation
Port mirroring includes local port mirroring and remote port mirroring.
· Local port mirroring—The mirroring sources and the mirroring destination are on the same device.
· Remote port mirroring—The mirroring sources and the mirroring destination are on different devices.
Local port mirroring
In local port mirroring, the following conditions exist:
· The source device is directly connected to a data monitoring device.
· The source device acts as the destination device to forward mirrored packets to the data monitoring device.
A local mirroring group is a mirroring group that contains the mirroring sources and the mirroring destination on the same device.
Figure 1 Local port mirroring implementation
As shown in Figure 1, the source port (Ten-GigabitEthernet 1/0/1) and the monitor port (Ten-GigabitEthernet 1/0/2) reside on the same device. Packets received on Ten-GigabitEthernet 1/0/1 are copied to Ten-GigabitEthernet 1/0/2. Ten-GigabitEthernet 1/0/2 then forwards the packets to the data monitoring device for analysis.
Remote port mirroring
In remote port mirroring, the following conditions exist:
· The source device is not directly connected to a data monitoring device.
· The source device copies mirrored packets to the destination device, which forwards them to the data monitoring device.
· The mirroring sources and the mirroring destination reside on different devices and are in different mirroring groups.
A remote source group is a mirroring group that contains the mirroring sources. A remote destination group is a mirroring group that contains the mirroring destination. Intermediate devices are the devices between the source device and the destination device.
Remote port mirroring includes Layer 2 and Layer 3 remote port mirroring.
· Layer 2 remote port mirroring—The mirroring sources and the mirroring destination are located on different devices on the same Layer 2 network.
Layer 2 remote port mirroring can be implemented when a reflector port or an egress port is available on the source device. The two approaches are called the reflector port method and the egress port method, respectively.
  ○ Reflector port method—Packets are mirrored as follows:
    - The source device copies packets received on the mirroring sources to the reflector port.
    - The reflector port broadcasts the mirrored packets in the remote probe VLAN.
    - The intermediate devices transmit the mirrored packets to the destination device through the remote probe VLAN.
    - Upon receiving the mirrored packets, the destination device determines whether the VLAN ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the destination device forwards the mirrored packets to the data monitoring device through the monitor port.
Figure 2 Layer 2 remote port mirroring implementation through the reflector port method
  ○ Egress port method—Packets are mirrored as follows:
    - The source device copies packets received on the mirroring sources to the egress port.
    - The egress port forwards the mirrored packets to the intermediate devices.
    - The intermediate devices flood the mirrored packets in the remote probe VLAN and transmit the mirrored packets to the destination device.
    - Upon receiving the mirrored packets, the destination device determines whether the VLAN ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the destination device forwards the mirrored packets to the data monitoring device through the monitor port.
Figure 3 Layer 2 remote port mirroring implementation through the egress port method
In the reflector port method, the reflector port broadcasts mirrored packets in the remote probe VLAN. By assigning a non-source port on the source device to the remote probe VLAN, you can use the reflector port method to implement local port mirroring. The egress port method cannot implement local port mirroring in this way.
To ensure Layer 2 forwarding of the mirrored packets, assign the ports that connect intermediate devices to the source and destination devices to the remote probe VLAN.
To monitor the bidirectional traffic of a source port, disable MAC address learning for the remote probe VLAN on the source, intermediate, and destination devices. For more information about MAC address learning, see Layer 2—LAN Switching Configuration Guide.
· Layer 3 remote port mirroring—The mirroring sources and destination are separated by IP networks.
Layer 3 remote port mirroring is implemented by creating a local mirroring group on both the source device and the destination device. For example, in the network shown in Figure 4, Layer 3 remote port mirroring works as follows:
a. The source device sends one copy of a packet received on the source port (Ten-GigabitEthernet 1/0/1) to the tunnel interface.
The tunnel interface acts as the monitor port in the local mirroring group created on the source device.
b. The tunnel interface on the source device forwards the mirrored packet to the tunnel interface on the destination device through the GRE tunnel.
c. The destination device receives the mirrored packet from the physical interface of the tunnel interface.
The tunnel interface acts as the source port in the local mirroring group created on the destination device.
d. The physical interface of the tunnel interface sends one copy of the packet to the monitor port (Ten-GigabitEthernet 1/0/2).
e. Ten-GigabitEthernet 1/0/2 forwards the packet to the data monitoring device.
For more information about GRE tunnels and tunnel interfaces, see Layer 3—IP Services Configuration Guide.
Figure 4 Layer 3 remote port mirroring implementation
Restrictions and guidelines: Port mirroring configuration
To successfully mirror incoming packets of a source port in multiple MSTIs, make sure the port is in Forwarding state in each MSTI. For more information about MSTP, see spanning tree configuration in Layer 2—LAN Switching Configuration Guide.
Configuring local port mirroring
A local mirroring group takes effect only when you configure the monitor port and the source ports or source CPUs for the local mirroring group.
Local port mirroring configuration task list
Tasks at a glance |
1. (Required.) Creating a local mirroring group |
2. (Required.) Perform one or both of the following tasks: |
3. (Required.) Configuring the monitor port for the local mirroring group |
Creating a local mirroring group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a local mirroring group. | mirroring-group group-id local | By default, no local mirroring groups exist. |
Configuring source ports for the local mirroring group
To configure source ports for a local mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
· A mirroring group can contain multiple source ports.
· A source port cannot be configured as a reflector port, egress port, or monitor port.
· A port can be assigned to different mirroring groups as follows:
  ○ When acting as a source port for unidirectional mirroring, the port can be assigned to up to four mirroring groups.
  ○ When acting as a source port for bidirectional mirroring, the port can be assigned to up to two mirroring groups.
  ○ When acting as a source port for unidirectional and bidirectional mirroring, the port can be assigned to up to three mirroring groups. One mirroring group is used for bidirectional mirroring and the other two for unidirectional mirroring.
Configuring source ports in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source ports for a local mirroring group. | mirroring-group group-id mirroring-port interface-list { both \| inbound \| outbound } | By default, no source port is configured for a local mirroring group. |
Configuring source ports in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as a source port for a local mirroring group. | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | By default, a port does not act as a source port for any local mirroring groups. |
Configuring source CPUs for the local mirroring group
A mirroring group can contain multiple source CPUs.
The device supports mirroring only inbound traffic of a source CPU.
To configure source CPUs for a local mirroring group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source CPUs for a local mirroring group. | mirroring-group group-id mirroring-cpu slot slot-number-list inbound | By default, no source CPU is configured for a local mirroring group. |
Configuring the monitor port for the local mirroring group
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to the mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a local mirroring group, follow these restrictions and guidelines:
· Do not enable the spanning tree feature on the monitor port.
· For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not configure its member ports as source ports of the mirroring group.
· A Layer 3 aggregate interface cannot be configured as the monitor port for a local mirroring group.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· A mirroring group can contain only one monitor port.
Configuring the monitor port in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the monitor port for a local mirroring group. | mirroring-group group-id monitor-port interface-type interface-number | By default, no monitor port is configured for a local mirroring group. |
Configuring the monitor port in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the monitor port for a mirroring group. | mirroring-group group-id monitor-port | By default, a port does not act as the monitor port for any local mirroring groups. |
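The local mirroring restrictions above (a group needs both a monitor port and a source, one monitor port per group, a source port cannot be a monitor port, and the per-port group limits) can be checked against a planned configuration before it is applied. The following Python linter is an added example, not code from this guide or the vendor; it assumes system-view commands with one interface per `mirroring-port` line, and the sample configuration and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed configuration fragment (not from the guide). Group 3 is broken
# on purpose so that every check below has something to report.
SAMPLE_CONFIG = """\
mirroring-group 1 local
mirroring-group 1 mirroring-port Ten-GigabitEthernet 1/0/1 both
mirroring-group 1 monitor-port Ten-GigabitEthernet 1/0/2
mirroring-group 2 local
mirroring-group 2 mirroring-port Ten-GigabitEthernet 1/0/1 both
mirroring-group 2 monitor-port Ten-GigabitEthernet 1/0/3
mirroring-group 3 local
mirroring-group 3 mirroring-port Ten-GigabitEthernet 1/0/1 inbound
mirroring-group 3 mirroring-port Ten-GigabitEthernet 1/0/3 outbound
"""

LINE = re.compile(r"^mirroring-group (\d+) "
                  r"(local|mirroring-port|mirroring-cpu|monitor-port)(?: (.+))?$")


def norm(port):
    """Treat 'Ten-GigabitEthernet 1/0/1' and 'ten-gigabitethernet1/0/1' alike."""
    return port.replace(" ", "").lower()


def parse(config):
    """Return {group-id: {'sources': {port: direction}, 'cpus': bool, 'monitors': [port]}}."""
    groups = defaultdict(lambda: {"sources": {}, "cpus": False, "monitors": []})
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a mirroring-group command handled here
        gid, kind, rest = int(m.group(1)), m.group(2), m.group(3)
        if kind != "local" and not rest:
            continue  # malformed line, nothing to record
        group = groups[gid]
        if kind == "mirroring-port":
            port, direction = rest.rsplit(" ", 1)
            group["sources"][norm(port)] = direction
        elif kind == "mirroring-cpu":
            group["cpus"] = True
        elif kind == "monitor-port":
            group["monitors"].append(norm(rest))
    return groups


def lint(config):
    """Return a list of findings; an empty list means no restriction is violated."""
    groups = parse(config)
    findings = []
    monitors = {p for g in groups.values() for p in g["monitors"]}
    usage = defaultdict(lambda: [0, 0])  # port -> [bidirectional, unidirectional]
    for gid, g in sorted(groups.items()):
        # A local group takes effect only with a monitor port AND a source.
        if not g["monitors"] or not (g["sources"] or g["cpus"]):
            findings.append(f"group {gid}: inactive, needs a monitor port "
                            "and at least one source port or source CPU")
        if len(g["monitors"]) > 1:
            findings.append(f"group {gid}: more than one monitor port")
        for port, direction in sorted(g["sources"].items()):
            usage[port][0 if direction == "both" else 1] += 1
            if port in monitors:
                findings.append(f"group {gid}: source port {port} is also "
                                "configured as a monitor port")
    for port, (bi, uni) in sorted(usage.items()):
        # The three limits (4 unidirectional, 2 bidirectional, 1 + 2 mixed)
        # are the same as counting each bidirectional group twice, max 4.
        if 2 * bi + uni > 4:
            findings.append(f"{port}: source in {bi} bidirectional and {uni} "
                            "unidirectional groups, over the per-port limit")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```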
Configuring Layer 2 remote port mirroring
To configure Layer 2 remote port mirroring, perform the following tasks:
· Configure a remote source group on the source device.
· Configure a cooperating remote destination group on the destination device.
· If intermediate devices exist, configure the following devices and ports to allow the remote probe VLAN to pass through.
  ○ Intermediate devices.
  ○ Ports connected to the intermediate devices on the source and destination devices.
When you configure Layer 2 remote port mirroring, follow these restrictions and guidelines:
· The egress port must be assigned to the remote probe VLAN. The reflector port is not necessarily assigned to the remote probe VLAN.
· For a mirrored packet to successfully arrive at the remote destination device, make sure its VLAN ID is not removed or changed.
· Do not configure both MVRP and Layer 2 remote port mirroring. Otherwise, MVRP might register the remote probe VLAN with incorrect ports, which would cause the monitor port to receive undesired copies. For more information about MVRP, see Layer 2—LAN Switching Configuration Guide.
· As a best practice, configure devices in the order of the destination device, the intermediate devices, and the source device.
Layer 2 remote port mirroring with reflector port configuration task list
Layer 2 remote port mirroring with egress port configuration task list
Configuring a remote destination group on the destination device
Creating a remote destination group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a remote destination group. | mirroring-group group-id remote-destination | By default, no remote destination groups exist. |
Configuring the monitor port for a remote destination group
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to the mirroring group as the monitor port in interface view.
When you configure the monitor port for a remote destination group, follow these restrictions and guidelines:
· Do not enable the spanning tree feature on the monitor port.
· A Layer 2 or Layer 3 aggregate interface cannot be configured as the monitor port for a Layer 2 remote destination group.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· A monitor port can belong to only one mirroring group.
· A mirroring group can contain only one monitor port.
Configuring the monitor port for a remote destination group in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the monitor port for a remote destination group. | mirroring-group group-id monitor-port interface-type interface-number | By default, no monitor port is configured for a remote destination group. |
Configuring the monitor port for a remote destination group in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the monitor port for a remote destination group. | mirroring-group group-id monitor-port | By default, a port does not act as the monitor port for any remote destination groups. |
Configuring the remote probe VLAN for a remote destination group
When you configure the remote probe VLAN for a remote destination group, follow these restrictions and guidelines:
· Only an existing static VLAN can be configured as a remote probe VLAN.
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· Configure the same remote probe VLAN for the remote groups on the source and destination devices.
To configure the remote probe VLAN for a remote destination group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the remote probe VLAN for a remote destination group. | mirroring-group group-id remote-probe vlan vlan-id | By default, no remote probe VLAN is configured for a remote destination group. |
Assigning the monitor port to the remote probe VLAN
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter the interface view of the monitor port. | interface interface-type interface-number | N/A |
3. Assign the port to the remote probe VLAN. | · For an access port: · For a trunk port: · For a hybrid port: | For more information about the port access vlan, port trunk permit vlan, and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference. |
Configuring a remote source group on the source device
Creating a remote source group
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a remote source group. | mirroring-group group-id remote-source | By default, no remote source groups exist. |
Configuring source ports for a remote source group
To configure source ports for a mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
When you configure source ports for a remote source group, follow these restrictions and guidelines:
· Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring group.
· A mirroring group can contain multiple source ports.
· A source port cannot be configured as a reflector port, monitor port, or egress port.
· A port can be assigned to different mirroring groups as follows:
  ○ When acting as a source port for unidirectional mirroring, the port can be assigned to up to four mirroring groups.
  ○ When acting as a source port for bidirectional mirroring, the port can be assigned to up to two mirroring groups.
  ○ When acting as a source port for unidirectional and bidirectional mirroring, the port can be assigned to up to three mirroring groups. One mirroring group is used for bidirectional mirroring and the other two for unidirectional mirroring.
Configuring source ports for a remote source group in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source ports for a remote source group. | mirroring-group group-id mirroring-port interface-list { both \| inbound \| outbound } | By default, no source port is configured for a remote source group. |
Configuring a source port for a remote source group in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as a source port for a remote source group. | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | By default, a port does not act as a source port for any remote source groups. |
Configuring source CPUs for a remote source group
A mirroring group can contain multiple source CPUs.
The device supports mirroring only inbound traffic of a source CPU.
To configure source CPUs for a remote source group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source CPUs for a remote source group. | mirroring-group group-id mirroring-cpu slot slot-number-list inbound | By default, no source CPU is configured for a remote source group. |
Configuring the reflector port for a remote source group
To configure the reflector port for a remote source group, use one of the following methods:
· Configure the reflector port for the remote source group in system view.
· Assign a port to the remote source group as the reflector port in interface view.
When you configure the reflector port for a remote source group, follow these restrictions and guidelines:
· The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port.
· When a port is configured as a reflector port, all existing configurations of the port are cleared. You cannot configure other features on the reflector port.
· If an IRF port is bound to only one physical interface, do not configure the physical interface as a reflector port. Otherwise, the IRF might split.
· A mirroring group contains only one reflector port.
· You cannot change the duplex mode or speed for a reflector port.
Configuring the reflector port for a remote source group in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the reflector port for a remote source group. | mirroring-group group-id reflector-port interface-type interface-number | By default, no reflector port is configured for a remote source group. |
Configuring the reflector port for a remote source group in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the reflector port for a remote source group. | mirroring-group group-id reflector-port | By default, a port does not act as the reflector port for any remote source groups. |
Configuring the egress port for a remote source group
To configure the egress port for a remote source group, use one of the following methods:
· Configure the egress port for the remote source group in system view.
· Assign a port to the remote source group as the egress port in interface view.
When you configure the egress port for a remote source group, follow these restrictions and guidelines:
· Disable the following features on the egress port:
  ○ Spanning tree.
  ○ 802.1X.
  ○ IGMP snooping.
  ○ Static ARP.
  ○ MAC address learning.
· A mirroring group contains only one egress port.
· A port of an existing mirroring group cannot be configured as an egress port.
Configuring the egress port for a remote source group in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the egress port for a remote source group. | mirroring-group group-id monitor-egress interface-type interface-number | By default, no egress port is configured for a remote source group. |
Configuring the egress port for a remote source group in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the egress port for a remote source group. | mirroring-group group-id monitor-egress | By default, a port does not act as the egress port for any remote source groups. |
Configuring the remote probe VLAN for a remote source group
When you configure the remote probe VLAN for a remote source group, follow these restrictions and guidelines:
· Only an existing static VLAN can be configured as a remote probe VLAN.
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· The remote mirroring groups on the source device and destination device must use the same remote probe VLAN.
To configure the remote probe VLAN for a remote source group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the remote probe VLAN for a remote source group. | mirroring-group group-id remote-probe vlan vlan-id | By default, no remote probe VLAN is configured for a remote source group. |
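Layer 2 remote port mirroring fails silently when one device along the path disagrees about the remote probe VLAN, so the cross-device rules stated in the Layer 2 remote port mirroring restrictions and in the remote probe VLAN sections are worth checking as a set. The following Python check is an added example, not code from this guide or the vendor; the `Device` model, its field names, and the three-device topology are constructed for illustration and cover the egress port method.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Device:
    """Planned Layer 2 remote mirroring state of one device (hypothetical model)."""
    name: str
    role: str                                    # source | intermediate | destination
    probe_vlan: Optional[int] = None             # remote-probe vlan of the remote group
    vlan_ports: Dict[int, Set[str]] = field(default_factory=dict)  # VLAN -> member ports
    source_ports: Dict[str, str] = field(default_factory=dict)     # port -> direction
    egress_port: Optional[str] = None            # monitor-egress port (source device)
    monitor_port: Optional[str] = None           # monitor-port (destination device)
    transit_ports: Set[str] = field(default_factory=set)     # ports facing the next device
    mac_learning_off: Set[int] = field(default_factory=set)  # VLANs with MAC learning disabled


def check_l2_remote(devices):
    """Return findings for one source/destination pair and the devices between them."""
    src = next(d for d in devices if d.role == "source")
    dst = next(d for d in devices if d.role == "destination")
    vlan = src.probe_vlan
    findings = []
    # Source and destination groups must use the same remote probe VLAN.
    if dst.probe_vlan != vlan:
        findings.append(f"{dst.name}: remote probe VLAN {dst.probe_vlan} differs "
                        f"from VLAN {vlan} on {src.name}")
    # The egress port must be assigned to the remote probe VLAN.
    if src.egress_port and src.egress_port not in src.vlan_ports.get(vlan, set()):
        findings.append(f"{src.name}: egress port {src.egress_port} is not in VLAN {vlan}")
    # A source port must not be a member of the remote probe VLAN.
    for port in sorted(src.source_ports):
        if port in src.vlan_ports.get(vlan, set()):
            findings.append(f"{src.name}: source port {port} is in VLAN {vlan}")
    # The monitor port is assigned to the destination group's remote probe VLAN.
    if dst.monitor_port not in dst.vlan_ports.get(dst.probe_vlan, set()):
        findings.append(f"{dst.name}: monitor port {dst.monitor_port} is not in "
                        f"VLAN {dst.probe_vlan}")
    # Every port on the path must let the remote probe VLAN pass.
    for dev in devices:
        for port in sorted(dev.transit_ports - dev.vlan_ports.get(vlan, set())):
            findings.append(f"{dev.name}: transit port {port} is not in VLAN {vlan}")
    # Bidirectional sources need MAC learning disabled on the probe VLAN everywhere.
    if "both" in src.source_ports.values():
        for dev in devices:
            if vlan not in dev.mac_learning_off:
                findings.append(f"{dev.name}: MAC address learning is enabled in VLAN {vlan}")
    return findings


def sample_topology():
    """Constructed plan with three deliberate faults (two on DeviceB, one on DeviceC)."""
    a = Device("DeviceA", "source", probe_vlan=2,
               vlan_ports={2: {"Ten-GigabitEthernet1/0/2"}},
               source_ports={"Ten-GigabitEthernet1/0/1": "both"},
               egress_port="Ten-GigabitEthernet1/0/2",
               transit_ports={"Ten-GigabitEthernet1/0/2"},
               mac_learning_off={2})
    b = Device("DeviceB", "intermediate",
               vlan_ports={2: {"Ten-GigabitEthernet1/0/1"}},   # 1/0/2 left out
               transit_ports={"Ten-GigabitEthernet1/0/1", "Ten-GigabitEthernet1/0/2"})
    c = Device("DeviceC", "destination", probe_vlan=2,
               vlan_ports={2: {"Ten-GigabitEthernet1/0/1"}},   # monitor port left out
               monitor_port="Ten-GigabitEthernet1/0/2",
               transit_ports={"Ten-GigabitEthernet1/0/1"},
               mac_learning_off={2})
    return [a, b, c]


if __name__ == "__main__":
    for finding in check_l2_remote(sample_topology()):
        print(finding)
```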
Configuring local mirroring group with multiple monitor ports
In typical local port mirroring configuration, you can configure only one monitor port in a local mirroring group. As a result, you cannot monitor traffic of a local device on multiple data monitoring devices. To do that, you can take advantage of the remote probe VLAN used in Layer 2 remote port mirroring.
In Layer 2 remote port mirroring, a remote probe VLAN is configured, and the mirrored packets are broadcast within the remote probe VLAN. By connecting multiple data monitoring devices to the remote probe VLAN member ports, you can monitor traffic of the local device on multiple data monitoring devices.
The configuration flow is as follows:
1. Configure a remote source group on the device.
2. Configure source ports for the remote source group.
3. Configure a remote probe VLAN for the remote source group.
4. Assign the ports connecting the data monitoring devices to the remote probe VLAN.
In this way, mirrored packets on the source ports are broadcast in the remote probe VLAN. Then, they will be sent out of the ports connecting the data monitoring devices, and the data monitoring devices can receive these mirrored packets.
Configuration restrictions and guidelines
When you configure this feature, follow these restrictions and guidelines:
· The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port.
· When a port is configured as a reflector port, the port restores to the factory default settings. You cannot configure other features on a reflector port.
· Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring group.
· A VLAN can act as the remote probe VLAN for only one remote source group. As a best practice, use the VLAN for port mirroring exclusively. Do not create a VLAN interface for the VLAN or configure any other features for the VLAN.
· A remote probe VLAN must be a static VLAN.
· To delete a VLAN that has been configured as the remote probe VLAN for a mirroring group, remove the remote probe VLAN from the mirroring group first.
Configuration procedure
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a remote source group. | mirroring-group group-id remote-source | By default, no remote source groups exist. |
3. Configure source ports for the remote source group. | · (Method 1) In system view: · (Method 2) In interface view: a. interface interface-type interface-number b. mirroring-group group-id mirroring-port { both \| inbound \| outbound } c. quit | Use either method. By default, no source ports are configured for a remote source group. |
4. Configure the reflector port for the remote source group. | mirroring-group group-id reflector-port interface-type interface-number | By default, no reflector port is configured for a remote source group. |
5. Create a VLAN and enter VLAN view. | vlan vlan-id | N/A |
6. Assign monitor ports to the VLAN. | port interface-list | By default, a VLAN does not contain any ports. |
7. Return to system view. | quit | N/A |
8. Specify the VLAN as the remote probe VLAN for the remote source group. | mirroring-group group-id remote-probe vlan vlan-id | By default, no remote probe VLAN is configured for a remote source group. |
Configuring Layer 3 remote port mirroring (in tunnel mode)
To configure Layer 3 remote port mirroring, perform the following tasks:
· Create a local mirroring group on both the source device and the destination device.
· Configure the monitor port and source ports or source CPUs for each mirroring group.
The source and destination devices are connected by a tunnel. If intermediate devices exist, configure a unicast routing protocol on the intermediate devices to ensure Layer 3 reachability between the source and destination devices.
On the source device, perform the following tasks:
· Configure source ports or source CPUs you want to monitor.
· Configure the tunnel interface as the monitor port.
On the destination device, perform the following tasks:
· Configure the physical interface corresponding to the tunnel interface as the source port.
· Configure the port that connects to the data monitoring device as the monitor port.
Layer 3 remote port mirroring configuration task list
Tasks at a glance:
· (Required.) Configuring the source device:
  1. Creating local mirroring groups
  2. Perform one or both of the following tasks:
     ○ Configuring source ports for a local mirroring group
· (Required.) Configuring the destination device:
  1. Creating local mirroring groups
  2. Perform one or both of the following tasks:
     ○ Configuring source ports for a local mirroring group
Configuration restrictions and guidelines
In Layer 3 remote port mirroring, the mirrored packets sent to the data monitoring device through the monitor port on the destination device carry the tunnel encapsulation. The data monitoring device can analyze the original mirrored packets only if it can decapsulate the tunnel encapsulation.
Configuration prerequisites
Before configuring Layer 3 remote mirroring, complete the following tasks:
· Create a tunnel interface and a GRE tunnel.
· Configure the source and destination addresses of the tunnel interface as the IP addresses of the physical interfaces on the source and destination devices, respectively.
For more information about tunnel interfaces, see Layer 3—IP Services Configuration Guide.
Creating local mirroring groups
Create a local mirroring group on both the source device and the destination device.
To create a local mirroring group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a local mirroring group. | mirroring-group group-id local | By default, no local mirroring groups exist. |
Configuring source ports for a local mirroring group
On the source device, configure the ports you want to monitor as the source ports. On the destination device, configure the physical interface corresponding to the tunnel interface as the source port.
To configure source ports for a mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
· A source port cannot be configured as a reflector port, egress port, or monitor port.
· A port can be assigned to different mirroring groups as follows:
  ○ When acting as a source port for unidirectional mirroring, the port can be assigned to up to four mirroring groups.
  ○ When acting as a source port for bidirectional mirroring, the port can be assigned to up to two mirroring groups.
  ○ When acting as a source port for unidirectional and bidirectional mirroring, the port can be assigned to up to three mirroring groups. One mirroring group is used for bidirectional mirroring and the other two for unidirectional mirroring.
Configuring source ports in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source ports for a local mirroring group. | mirroring-group group-id mirroring-port interface-list { both \| inbound \| outbound } | By default, no source port is configured for a local mirroring group. |
Configuring source ports in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as a source port for a local mirroring group. | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | By default, a port does not act as a source port for any local mirroring groups. |
Configuring source CPUs for a local mirroring group
The destination device does not support source CPU configuration.
A mirroring group can contain multiple source CPUs.
The device supports mirroring only inbound traffic of a source CPU.
To configure source CPUs for a local mirroring group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source CPUs for a local mirroring group. | mirroring-group group-id mirroring-cpu slot slot-number-list inbound | By default, no source CPU is configured for a local mirroring group. |
Configuring the monitor port for a local mirroring group
On the source device, configure the tunnel interface as the monitor port. On the destination device, configure the port that connects to a data monitoring device as the monitor port.
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to a mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a local mirroring group, follow these restrictions and guidelines:
· Do not enable the spanning tree feature on the monitor port.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· A mirroring group can contain only one monitor port.
Configuring the monitor port in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the monitor port for a local mirroring group. | mirroring-group group-id monitor-port interface-type interface-number | By default, no monitor port is configured for a local mirroring group. |
Configuring the monitor port in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the monitor port for a local mirroring group. | mirroring-group group-id monitor-port | By default, a port does not act as the monitor port for any local mirroring groups. |
Configuring Layer 3 remote port mirroring (in ERSPAN mode)
Layer 3 remote port mirroring in Encapsulated Remote Switch Port Analyzer (ERSPAN) mode is supported only in Release 2612 and later.
To implement Layer 3 remote port mirroring in ERSPAN mode, perform the following tasks:
1. On the source device, create a local mirroring group and configure the mirroring sources, the monitor port, and the encapsulation parameters for mirrored packets.
The mirrored packet sent to the monitor port is first encapsulated in a GRE packet with a protocol number of 0x88BE. The GRE packet is then encapsulated in a delivery protocol by using the encapsulation parameters and routed to the destination data monitoring device.
2. On all devices from source to destination, configure a unicast routing protocol to ensure Layer 3 reachability between the devices.
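The following decoder is an added example, not code from this guide: it shows what a data monitoring device has to strip (delivery header, then the GRE header with protocol number 0x88BE) to recover the mirrored frame. The 8-byte ERSPAN header layout after a GRE sequence number, the header-less case when the sequence bit is clear, and the sample frame built by `build_sample` are assumptions; the guide states only the GRE protocol number and the encapsulation parameters.

```python
import ipaddress
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol number given in the guide


class DecapError(ValueError):
    """Raised when a frame is not a well-formed ERSPAN-in-GRE packet."""


def _take(frame, off, fmt):
    """Unpack fmt at off, turning a short buffer into DecapError."""
    try:
        return struct.unpack_from(fmt, frame, off)
    except struct.error as exc:
        raise DecapError(f"truncated at offset {off}") from exc


def decap_erspan(frame: bytes) -> dict:
    """Return outer metadata and the mirrored inner Ethernet frame."""
    (ethertype,) = _take(frame, 12, "!H")
    off, outer_vlan = 14, None
    if ethertype == ETH_P_8021Q:  # delivery frame tagged (vlan vlan-id option)
        tci, ethertype = _take(frame, off, "!HH")
        outer_vlan, off = tci & 0x0FFF, off + 4
    if ethertype != ETH_P_IPV4:
        raise DecapError("delivery protocol is not IPv4")

    ver_ihl, proto = _take(frame, off, "!B8xB")  # byte 0 and byte 9 of the IP header
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise DecapError("bad IPv4 header")
    if proto != IPPROTO_GRE:
        raise DecapError("outer IP payload is not GRE")
    src, dst = _take(frame, off + 12, "!4s4s")
    off += ihl  # skip IP options as well

    flags, gre_proto = _take(frame, off, "!HH")
    off += 4
    if flags & 0x0007:
        raise DecapError("unsupported GRE version")
    if gre_proto != GRE_PROTO_ERSPAN:
        raise DecapError(f"GRE protocol 0x{gre_proto:04X} is not ERSPAN")
    off += 4 if flags & 0x8000 else 0  # optional checksum + reserved
    off += 4 if flags & 0x2000 else 0  # optional key

    info = {
        "outer_vlan": outer_vlan,
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "sequence": None, "erspan_version": None,
        "mirrored_vlan": None, "session_id": None,
    }
    if flags & 0x1000:
        # Assumed layout: sequence number, then an 8-byte ERSPAN header
        # (ver:4 vlan:12 | cos:3 en:2 t:1 session:10 | reserved:12 index:20).
        (info["sequence"],) = _take(frame, off, "!I")
        ver_vlan, cos_session, _index = _take(frame, off + 4, "!HHI")
        info["erspan_version"] = ver_vlan >> 12
        info["mirrored_vlan"] = ver_vlan & 0x0FFF
        info["session_id"] = cos_session & 0x03FF
        off += 12
    inner = frame[off:]
    if len(inner) < 14:
        raise DecapError("inner Ethernet frame truncated")
    info["inner_frame"] = inner
    return info


def build_sample(with_erspan_header=True, outer_vlan=None) -> bytes:
    """Constructed test frame using the addresses from this guide's example."""
    inner = bytes.fromhex("020000000002" "020000000001" "0800")
    inner += b"constructed inner payload"
    gre = struct.pack("!HH", 0x1000 if with_erspan_header else 0,
                      GRE_PROTO_ERSPAN)
    if with_erspan_header:
        gre += struct.pack("!I", 7)                        # sequence number
        gre += struct.pack("!HHI", (1 << 12) | 100, 5, 0)  # ver 1, VLAN 100, session 5
    payload = gre + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     IPPROTO_GRE, 0,  # checksum left 0: not validated here
                     bytes([20, 1, 1, 1]), bytes([40, 1, 1, 2]))
    eth = bytes.fromhex("000fe2415e5b" "020000000a01")
    if outer_vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, outer_vlan)
    eth += struct.pack("!H", ETH_P_IPV4)
    return eth + ip + payload


if __name__ == "__main__":
    result = decap_erspan(build_sample())
    print(result["outer_src"], "->", result["outer_dst"],
          "session", result["session_id"], len(result["inner_frame"]), "bytes")
```

A capture host that cannot perform this step sees only GRE traffic between the source device and itself, so confirm that the analyzer recognises protocol 0x88BE before relying on the mirror.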
Layer 3 remote port mirroring configuration task list
Tasks at a glance:
1. Creating a local mirroring group on the source device
2. Perform one or both of the following tasks:
   ○ Configuring source ports for the local mirroring group
   ○ Configuring source CPUs for the local mirroring group
3. Configuring the monitor port for the local mirroring group
Configuration restrictions and guidelines
Creating a local mirroring group on the source device
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a local mirroring group. | mirroring-group group-id local | By default, no local mirroring groups exist. |
Configuring source ports for the local mirroring group
On the source device, configure the ports you want to monitor as the source ports.
To configure source ports for a mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
· A source port cannot be configured as a reflector port, egress port, or monitor port.
· A port can be assigned to different mirroring groups as follows:
  ○ When acting as a source port for unidirectional mirroring, the port can be assigned to up to four mirroring groups.
  ○ When acting as a source port for bidirectional mirroring, the port can be assigned to up to two mirroring groups.
  ○ When acting as a source port for unidirectional and bidirectional mirroring, the port can be assigned to up to three mirroring groups. One mirroring group is used for bidirectional mirroring and the other two for unidirectional mirroring.
Configuring source ports in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source ports for the local mirroring group. | mirroring-group group-id mirroring-port interface-list { both \| inbound \| outbound } | By default, no source port is configured for a local mirroring group. |
Configuring source ports in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as a source port for the local mirroring group. | mirroring-group group-id mirroring-port { both \| inbound \| outbound } | By default, a port does not act as a source port for any local mirroring groups. |
Configuring source CPUs for the local mirroring group
A mirroring group can contain multiple source CPUs.
The device supports mirroring only inbound traffic of a source CPU.
To configure source CPUs for a local mirroring group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure source CPUs for the local mirroring group. | mirroring-group group-id mirroring-cpu slot slot-number-list inbound | By default, no source CPU is configured for a local mirroring group. |
Configuring the monitor port for the local mirroring group
On the source device, configure the egress port of the mirrored packets as the monitor port and configure the encapsulation parameters for the packets.
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to a mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a local mirroring group, follow these restrictions and guidelines:
· Do not enable the spanning tree feature on the monitor port.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· A mirroring group can contain only one monitor port.
Configuring the monitor port in system view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the monitor port and the encapsulation parameters for mirrored packets. | mirroring-group group-id monitor-port interface-type interface-number [ destination-ip destination-ip-address source-ip source-ip-address [ dscp dscp-value \| vlan vlan-id \| vrf-instance vrf-name ] * ] | By default, no monitor port is configured for a local mirroring group. |
Configuring the monitor port in interface view
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the port as the monitor port for the local mirroring group and configure the encapsulation parameters for mirrored packets sent to the port. | mirroring-group group-id monitor-port [ destination-ip destination-ip-address source-ip source-ip-address [ dscp dscp-value \| vlan vlan-id \| vrf-instance vrf-name ] * ] | By default, a port does not act as the monitor port for any local mirroring groups. |
Displaying and maintaining port mirroring
Execute display commands in any view.
Task | Command |
---|---|
Display mirroring group information. | display mirroring-group { group-id \| all \| local \| remote-destination \| remote-source } |
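Because a mirroring group copies traffic to another port or IP address, the output of `display mirroring-group all` is worth comparing against an approved state. The script below is an added example, not part of this guide: it parses output in the layout this guide prints in its verification steps and reports groups, source ports, or delivery settings that differ from a baseline. The baseline text is the ERSPAN example output from this guide; the "observed" text, the function names, and the idea of keeping a baseline are assumptions made for illustration.

```python
import re

GROUP_RE = re.compile(r"^Mirroring group (\d+):$")
SOURCE_RE = re.compile(r"^(\S+)\s+(Both|Inbound|Outbound)$")
CPU_RE = re.compile(r"^Slot\s+(\d+)\s+Inbound$")
DEST_IP_RE = re.compile(r"Destination IP address\s+(\S+)")
FIELDS = {
    "Type": "type",
    "Status": "status",
    "Monitor port": "monitor",
    "Reflector port": "reflector",
    "Monitor egress port": "egress",
    "Remote probe VLAN": "probe_vlan",
}


def parse_mirroring_groups(text):
    """Parse `display mirroring-group all` output into {group_id: dict}."""
    groups, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate indented or flattened output
        m = GROUP_RE.match(line)
        if m:
            cur = {"sources": set(), "cpus": set(), "erspan_dst": None}
            cur.update(dict.fromkeys(FIELDS.values()))
            groups[int(m.group(1))] = cur
            section = None
            continue
        if cur is None or not line:
            continue
        dst = DEST_IP_RE.search(line)
        if dst:  # "Encapsulation: Destination IP address x.x.x.x"
            cur["erspan_dst"] = dst.group(1)
            continue
        if line in ("Mirroring port:", "Mirroring CPU:"):
            section = line
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            cur[FIELDS[key]] = value.strip()
            section = None
        elif section == "Mirroring port:" and (m := SOURCE_RE.match(line)):
            cur["sources"].add((m.group(1), m.group(2)))
        elif section == "Mirroring CPU:" and (m := CPU_RE.match(line)):
            cur["cpus"].add(int(m.group(1)))
    return groups


def sink_of(group):
    """Everything that decides where the mirrored copy is delivered."""
    return tuple(group[k] for k in
                 ("type", "monitor", "reflector", "egress", "probe_vlan", "erspan_dst"))


def diff_against_baseline(observed, approved):
    """Return findings for anything mirrored beyond the approved state."""
    findings = []
    for gid in sorted(observed.keys() - approved.keys()):
        g = observed[gid]
        findings.append(f"group {gid}: not in baseline "
                        f"(type {g['type']}, monitor {g['monitor']})")
    for gid in sorted(approved.keys() - observed.keys()):
        findings.append(f"group {gid}: in baseline but missing on device")
    for gid in sorted(observed.keys() & approved.keys()):
        obs, app = observed[gid], approved[gid]
        if sink_of(obs) != sink_of(app):
            findings.append(f"group {gid}: delivery path changed (monitor "
                            f"{obs['monitor']}, ERSPAN destination {obs['erspan_dst']})")
        for port, direction in sorted(obs["sources"] - app["sources"]):
            findings.append(f"group {gid}: unapproved source {port} {direction}")
        for slot in sorted(obs["cpus"] - app["cpus"]):
            findings.append(f"group {gid}: unapproved source CPU slot {slot}")
    return findings


# Baseline: the ERSPAN example output printed in this guide.
APPROVED_OUTPUT = """\
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
Ten-GigabitEthernet1/0/1 Both
Monitor port: Ten-GigabitEthernet1/0/2
Encapsulation: Destination IP address 40.1.1.2
Source IP address 20.1.1.1
Destination MAC address 000f-e241-5e5b
"""

# Constructed for this example: one extra source, a changed destination,
# and a group that is not in the baseline.
OBSERVED_OUTPUT = """\
Mirroring group 1:
    Type: Local
    Status: Active
    Mirroring port:
        Ten-GigabitEthernet1/0/1  Both
        Ten-GigabitEthernet1/0/5  Inbound
    Monitor port: Ten-GigabitEthernet1/0/2
    Encapsulation: Destination IP address 192.0.2.50
                   Source IP address 20.1.1.1
Mirroring group 3:
    Type: Local
    Status: Active
    Mirroring CPU:
        Slot 1  Inbound
    Monitor port: Ten-GigabitEthernet1/0/9
"""

if __name__ == "__main__":
    for finding in diff_against_baseline(parse_mirroring_groups(OBSERVED_OUTPUT),
                                         parse_mirroring_groups(APPROVED_OUTPUT)):
        print(finding)
```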
Port mirroring configuration examples
Local port mirroring configuration example (in source port mode)
Network requirements
As shown in Figure 5, configure local port mirroring in source port mode to enable the server to monitor the bidirectional traffic of the two departments.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as source ports for local mirroring group 1.
[Device] mirroring-group 1 mirroring-port ten-gigabitethernet 1/0/1 ten-gigabitethernet 1/0/2 both
# Configure Ten-GigabitEthernet 1/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port ten-gigabitethernet 1/0/3
# Disable the spanning tree feature on the monitor port (Ten-GigabitEthernet 1/0/3).
[Device] interface ten-gigabitethernet 1/0/3
[Device-Ten-GigabitEthernet1/0/3] undo stp enable
[Device-Ten-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify the mirroring group configuration.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
Ten-GigabitEthernet1/0/1 Both
Ten-GigabitEthernet1/0/2 Both
Monitor port: Ten-GigabitEthernet1/0/3
Local port mirroring configuration example (in source CPU mode)
Network requirements
As shown in Figure 6, Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are located on slot 1.
Configure local port mirroring in source CPU mode to enable the server to monitor all packets matching the following criteria:
· Sent by the Marketing Department and the Technical Department.
· Processed by the CPU of the device.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Configure the CPU in slot 1 of the device as a source CPU for local mirroring group 1.
[Device] mirroring-group 1 mirroring-cpu slot 1 inbound
# Configure Ten-GigabitEthernet 1/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port ten-gigabitethernet 1/0/3
# Disable the spanning tree feature on the monitor port (Ten-GigabitEthernet 1/0/3).
[Device] interface ten-gigabitethernet 1/0/3
[Device-Ten-GigabitEthernet1/0/3] undo stp enable
[Device-Ten-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify the mirroring group configuration.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring CPU:
Slot 1 Inbound
Monitor port: Ten-GigabitEthernet1/0/3
Layer 2 remote port mirroring configuration example (reflector port)
Network requirements
As shown in Figure 7, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing Department.
Configuration procedure
1. Configure Device C (the destination device):
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
<DeviceC> system-view
[DeviceC] interface ten-gigabitethernet 1/0/1
[DeviceC-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceC-Ten-GigabitEthernet1/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceC-vlan2] undo mac-address mac-learning enable
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceC] mirroring-group 2 remote-probe vlan 2
# Configure Ten-GigabitEthernet 1/0/2 as the monitor port for the mirroring group.
[DeviceC] interface ten-gigabitethernet 1/0/2
[DeviceC-Ten-GigabitEthernet1/0/2] mirroring-group 2 monitor-port
# Disable the spanning tree feature on Ten-GigabitEthernet 1/0/2.
[DeviceC-Ten-GigabitEthernet1/0/2] undo stp enable
# Assign Ten-GigabitEthernet 1/0/2 to VLAN 2.
[DeviceC-Ten-GigabitEthernet1/0/2] port access vlan 2
[DeviceC-Ten-GigabitEthernet1/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2.
<DeviceB> system-view
[DeviceB] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceB-vlan2] undo mac-address mac-learning enable
[DeviceB-vlan2] quit
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceB-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceB-Ten-GigabitEthernet1/0/2] quit
3. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceA-vlan2] undo mac-address mac-learning enable
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
# Configure Ten-GigabitEthernet 1/0/1 as a source port for the mirroring group.
[DeviceA] mirroring-group 1 mirroring-port ten-gigabitethernet 1/0/1 both
# Configure Ten-GigabitEthernet 1/0/3 as the reflector port for the mirroring group.
[DeviceA] mirroring-group 1 reflector-port ten-gigabitethernet 1/0/3
This operation may delete all settings made on the interface. Continue? [Y/N]: y
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceA-Ten-GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify the mirroring group configuration on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: Ten-GigabitEthernet1/0/2
Remote probe VLAN: 2
# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
Ten-GigabitEthernet1/0/1 Both
Reflector port: Ten-GigabitEthernet1/0/3
Remote probe VLAN: 2
Layer 2 remote port mirroring configuration example (with egress port)
Network requirements
On the Layer 2 network shown in Figure 8, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing Department.
Configuration procedure
1. Configure Device C (the destination device):
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
<DeviceC> system-view
[DeviceC] interface ten-gigabitethernet 1/0/1
[DeviceC-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceC-Ten-GigabitEthernet1/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceC-vlan2] undo mac-address mac-learning enable
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceC] mirroring-group 2 remote-probe vlan 2
# Configure Ten-GigabitEthernet 1/0/2 as the monitor port for the mirroring group.
[DeviceC] interface ten-gigabitethernet 1/0/2
[DeviceC-Ten-GigabitEthernet1/0/2] mirroring-group 2 monitor-port
# Disable the spanning tree feature on Ten-GigabitEthernet 1/0/2.
[DeviceC-Ten-GigabitEthernet1/0/2] undo stp enable
# Assign Ten-GigabitEthernet 1/0/2 to VLAN 2 as an access port.
[DeviceC-Ten-GigabitEthernet1/0/2] port access vlan 2
[DeviceC-Ten-GigabitEthernet1/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2.
<DeviceB> system-view
[DeviceB] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceB-vlan2] undo mac-address mac-learning enable
[DeviceB-vlan2] quit
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceB-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceB-Ten-GigabitEthernet1/0/2] quit
3. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceA-vlan2] undo mac-address mac-learning enable
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
# Configure Ten-GigabitEthernet 1/0/1 as a source port for the mirroring group.
[DeviceA] mirroring-group 1 mirroring-port ten-gigabitethernet 1/0/1 both
# Configure Ten-GigabitEthernet 1/0/2 as the egress port for the mirroring group.
[DeviceA] mirroring-group 1 monitor-egress ten-gigabitethernet 1/0/2
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 2
# Disable the spanning tree feature on the port.
[DeviceA-Ten-GigabitEthernet1/0/2] undo stp enable
[DeviceA-Ten-GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify the mirroring group configuration on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: Ten-GigabitEthernet1/0/2
Remote probe VLAN: 2
# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
Ten-GigabitEthernet1/0/1 Both
Monitor egress port: Ten-GigabitEthernet1/0/2
Remote probe VLAN: 2
Local port mirroring with multiple monitor ports configuration example
Network requirements
As shown in Figure 9, Dept. A, Dept. B, and Dept. C are connected to the device through Ten-GigabitEthernet 1/0/1, Ten-GigabitEthernet 1/0/2, and Ten-GigabitEthernet 1/0/3, respectively.
Configure port mirroring to enable data monitoring devices Server A and Server B to monitor both the incoming and outgoing traffic of the three departments.
Configuration procedure
# Create remote source group 1.
<Device> system-view
[Device] mirroring-group 1 remote-source
# Configure Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 as source ports of remote source group 1.
[Device] mirroring-group 1 mirroring-port ten-gigabitethernet 1/0/1 to ten-gigabitethernet 1/0/3 both
# Configure an unused port (Ten-GigabitEthernet 1/0/6 in this example) as the reflector port of remote source group 1.
[Device] mirroring-group 1 reflector-port ten-gigabitethernet 1/0/6
This operation may delete all settings made on the interface. Continue? [Y/N]:y
# Create VLAN 10 and assign the ports (Ten-GigabitEthernet 1/0/4 and Ten-GigabitEthernet 1/0/5) connecting the data monitoring devices to the VLAN.
[Device] vlan 10
[Device-vlan10] port ten-gigabitethernet 1/0/4 to ten-gigabitethernet 1/0/5
[Device-vlan10] quit
# Configure VLAN 10 as the remote probe VLAN of remote source group 1.
[Device] mirroring-group 1 remote-probe vlan 10
Layer 3 remote port mirroring configuration example (in tunnel mode)
Network requirements
On a Layer 3 network shown in Figure 10, configure Layer 3 remote port mirroring in tunnel mode to enable the server to monitor the bidirectional traffic of the Marketing Department.
Configuration procedure
1. Configure IP addresses for the tunnel interfaces and related ports on the devices. (Details not shown.)
2. Configure Device A (the source device):
# Create service loopback group 1 and specify the unicast tunnel service for the group.
<DeviceA> system-view
[DeviceA] service-loopback group 1 type tunnel
# Assign Ten-GigabitEthernet 1/0/3 to service loopback group 1.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Create tunnel interface Tunnel 0 that operates in GRE mode, and configure an IP address and subnet mask for the interface.
[DeviceA] interface tunnel 0 mode gre
[DeviceA-Tunnel0] ip address 50.1.1.1 24
# Configure source and destination IP addresses for Tunnel 0.
[DeviceA-Tunnel0] source 20.1.1.1
[DeviceA-Tunnel0] destination 30.1.1.2
[DeviceA-Tunnel0] quit
# Enable the OSPF protocol.
[DeviceA] ospf 1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Create local mirroring group 1.
[DeviceA] mirroring-group 1 local
# Configure Ten-GigabitEthernet 1/0/1 as a source port and Tunnel 0 as the monitor port of local mirroring group 1.
[DeviceA] mirroring-group 1 mirroring-port ten-gigabitethernet 1/0/1 both
[DeviceA] mirroring-group 1 monitor-port tunnel 0
3. Enable the OSPF protocol on Device B (the intermediate device).
<DeviceB> system-view
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
4. Configure Device C (the destination device):
# Create service loopback group 1 and specify the unicast tunnel service for the group.
<DeviceC> system-view
[DeviceC] service-loopback group 1 type tunnel
# Assign Ten-GigabitEthernet 1/0/3 to service loopback group 1.
[DeviceC] interface ten-gigabitethernet 1/0/3
[DeviceC-Ten-GigabitEthernet1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceC-Ten-GigabitEthernet1/0/3] quit
# Create tunnel interface Tunnel 0 that operates in GRE mode, and configure an IP address and subnet mask for the interface.
[DeviceC] interface tunnel 0 mode gre
[DeviceC-Tunnel0] ip address 50.1.1.2 24
# Configure source and destination IP addresses for Tunnel 0.
[DeviceC-Tunnel0] source 30.1.1.2
[DeviceC-Tunnel0] destination 20.1.1.1
[DeviceC-Tunnel0] quit
# Enable the OSPF protocol.
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
# Create local mirroring group 1.
[DeviceC] mirroring-group 1 local
# Configure Ten-GigabitEthernet 1/0/1 as a source port for local mirroring group 1.
[DeviceC] mirroring-group 1 mirroring-port ten-gigabitethernet 1/0/1 inbound
# Configure Ten-GigabitEthernet 1/0/2 as the monitor port for local mirroring group 1.
[DeviceC] mirroring-group 1 monitor-port ten-gigabitethernet 1/0/2
Verifying the configuration
# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
Ten-GigabitEthernet1/0/1 Both
Monitor port: Tunnel0
# Display information about all mirroring groups on Device C.
[DeviceC] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
Ten-GigabitEthernet1/0/1 Inbound
Monitor port: Ten-GigabitEthernet1/0/2
Layer 3 remote port mirroring configuration example (in ERSPAN mode)
Layer 3 remote port mirroring in ERSPAN mode is supported only in Release 2612 and later.
Network requirements
On a Layer 3 network shown in Figure 11, configure Layer 3 remote port mirroring in ERSPAN mode to enable the server to monitor the bidirectional traffic of the Marketing Department.
Configuration procedure
1. Configure IP addresses for the interfaces as shown in Figure 11. (Details not shown.)
2. Configure Device A (the source device):
# Enable the OSPF protocol.
[DeviceA] ospf 1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Create local mirroring group 1.
[DeviceA] mirroring-group 1 local
# Configure Ten-GigabitEthernet 1/0/1 as a source port.
[DeviceA] mirroring-group 1 mirroring-port ten-gigabitethernet 1/0/1 both
# Configure Ten-GigabitEthernet 1/0/2 as a monitor port. Specify the destination and source IP addresses for mirrored packets as 40.1.1.2 and 20.1.1.1, respectively.
[DeviceA] mirroring-group 1 monitor-port ten-gigabitethernet 1/0/2 destination-ip 40.1.1.2 source-ip 20.1.1.1
3. Enable the OSPF protocol on Device B.
<DeviceB> system-view
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
4. Enable the OSPF protocol on Device C.
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
Verifying the configuration
# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
Ten-GigabitEthernet1/0/1 Both
Monitor port: Ten-GigabitEthernet1/0/2
Encapsulation: Destination IP address 40.1.1.2
Source IP address 20.1.1.1
Destination MAC address 000f-e241-5e5b
Configuring flow mirroring
Flow mirroring copies packets matching a class to a destination for packet analysis and monitoring. It is implemented through QoS policies.
To configure flow mirroring, perform the following tasks:
· Define traffic classes and configure match criteria to classify packets to be mirrored. Flow mirroring allows you to flexibly classify packets to be analyzed by defining match criteria.
· Configure traffic behaviors to mirror the matching packets to the specified destination.
You can configure an action to mirror the matching packets to one of the following destinations:
· Interface—The matching packets are copied to an interface and then forwarded to a data monitoring device for analysis.
· CPU—The matching packets are copied to the CPU of an IRF member device. The CPU analyzes the packets or delivers them to upper layers.
For more information about QoS policies, traffic classes, and traffic behaviors, see ACL and QoS Configuration Guide.
Flow mirroring configuration task list
Tasks at a glance:
· (Required.) Configuring match criteria
· (Required.) Configuring a traffic behavior
· (Required.) Configuring a QoS policy
· (Required.) Applying a QoS policy:
  ○ Applying a QoS policy to an interface
  ○ Applying a QoS policy to a VLAN
For more information about the following commands, except the mirror-to command, see ACL and QoS Command Reference.
Configuring match criteria
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a class and enter class view. | traffic classifier classifier-name [ operator { and \| or } ] | By default, no traffic classes exist. |
3. Configure match criteria. | if-match match-criteria | By default, no match criterion is configured in a traffic class. |
Configuring a traffic behavior
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a traffic behavior and enter traffic behavior view. | traffic behavior behavior-name | By default, no traffic behaviors exist. A maximum of four traffic behaviors can be configured for flow mirroring. If more than four traffic behaviors are configured for flow mirroring, only the first four traffic behaviors take effect. |
3. Configure a mirroring action for the traffic behavior. | · Mirror traffic to an interface: · Mirror traffic to the CPU: | By default, no mirroring actions exist in a traffic behavior. You can mirror traffic to a maximum of four Ethernet interfaces or Layer 2 aggregate interfaces. If you execute this command for a traffic behavior multiple times, only the first four configured interfaces take effect. The output interface for the destination address specified in the mirror-to interface command does not support ECMP. If you configure the mirror-to interface command with the loopback keyword, the mirrored packets will be forwarded by the interface to the destination device through the GRE tunnel. The destination device decapsulates the packets and forwards them to the data monitoring device. If you configure the mirror-to interface command with the destination-ip destination-ip-address source-ip source-ip-address options, the mirrored packets will be tunneled to the data monitoring device with the tunnel encapsulation. The data monitoring device can analyze the mirrored packets only if it can decapsulate the tunnel encapsulation. |
4. (Optional.) Display traffic behavior configuration. | display traffic behavior | Available in any view. |
Configuring a QoS policy
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a QoS policy and enter QoS policy view. | qos policy policy-name | By default, no QoS policies exist. |
3. Associate a class with a traffic behavior in the QoS policy. | classifier classifier-name behavior behavior-name | By default, no traffic behavior is associated with a class. |
4. (Optional.) Display QoS policy configuration. | display qos policy | Available in any view. |
Applying a QoS policy
Applying a QoS policy to an interface
By applying a QoS policy to an interface, you can mirror the traffic in the specified direction of the interface. A policy can be applied to multiple interfaces. In one direction (inbound or outbound) of an interface, only one policy can be applied.
To apply a QoS policy to the outbound traffic of an interface, make sure the traffic behavior used by the policy contains only traffic mirroring actions. If non-traffic-mirroring actions are configured, all actions configured in the traffic behavior become invalid.
In a VXLAN network, support for mirroring underlay or overlay traffic in the outbound direction of an interface depends on the VXLAN hardware resource mode:
· In Layer 2 or Layer 3 gateway mode, only underlay traffic can be mirrored. Mirroring overlay traffic is not supported.
· In border mode, neither overlay nor underlay traffic can be mirrored.
To apply a QoS policy to an interface:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter interface view. | interface interface-type interface-number |
3. Apply a policy to the interface. | qos apply policy policy-name { inbound \| outbound } |
Applying a QoS policy to a VLAN
You can apply a QoS policy to a VLAN to mirror the traffic in the inbound direction on all ports in the VLAN.
The device does not support mirroring outbound traffic.
To apply the QoS policy to a VLAN:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Apply a QoS policy to a VLAN. | qos vlan-policy policy-name vlan vlan-id-list inbound |
Applying a QoS policy globally
You can apply a QoS policy globally to mirror the traffic in the inbound direction on all ports.
The device does not support mirroring outbound traffic.
To apply a QoS policy globally:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Apply a QoS policy globally. | qos apply policy policy-name global inbound |
Applying a QoS policy to the control plane
You can apply a QoS policy to the control plane to mirror the traffic in the inbound direction of all ports on the control plane.
To apply a QoS policy to the control plane:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter control plane view. | control-plane slot slot-number |
3. Apply a QoS policy to the control plane. | qos apply policy policy-name inbound |
Flow mirroring configuration example
Network requirements
As shown in Figure 12, configure flow mirroring so that the server can monitor the following traffic:
· All traffic that the Technical Department sends to access the Internet.
· IP traffic that the Technical Department sends to the Marketing Department during working hours (8:00 to 18:00) on weekdays.
Configuration procedure
# Create working hour range work, in which working hours are from 8:00 to 18:00 on weekdays.
<DeviceA> system-view
[DeviceA] time-range work 8:00 to 18:00 working-day
# Create IPv4 advanced ACL 3000 to match the packets that the Technical Department sends to access the Internet, and the IP packets that it sends to the Marketing Department during working hours.
[DeviceA] acl advanced 3000
[DeviceA-acl-ipv4-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
[DeviceA-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work
[DeviceA-acl-ipv4-adv-3000] quit
# Create traffic class tech_c, and configure the match criterion as ACL 3000.
[DeviceA] traffic classifier tech_c
[DeviceA-classifier-tech_c] if-match acl 3000
[DeviceA-classifier-tech_c] quit
# Create traffic behavior tech_b, and configure the action of mirroring traffic to Ten-GigabitEthernet 1/0/3.
[DeviceA] traffic behavior tech_b
[DeviceA-behavior-tech_b] mirror-to interface ten-gigabitethernet 1/0/3
[DeviceA-behavior-tech_b] quit
# Create QoS policy tech_p, and associate traffic class tech_c with traffic behavior tech_b in the QoS policy.
[DeviceA] qos policy tech_p
[DeviceA-qospolicy-tech_p] classifier tech_c behavior tech_b
[DeviceA-qospolicy-tech_p] quit
# Apply QoS policy tech_p to the incoming packets of Ten-GigabitEthernet 1/0/4.
[DeviceA] interface ten-gigabitethernet 1/0/4
[DeviceA-Ten-GigabitEthernet1/0/4] qos apply policy tech_p inbound
[DeviceA-Ten-GigabitEthernet1/0/4] quit
Verifying the configuration
# Verify that the server can monitor the following traffic:
· All traffic sent by the Technical Department to access the Internet.
· IP traffic that the Technical Department sends to the Marketing Department during working hours on weekdays.
(Details not shown.)
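The following Python example is added here and is not part of the original guide. It reads a saved configuration, resolves each applied QoS policy to its mirror-to destinations, and flags two restrictions stated above: outbound policies whose behavior contains non-mirroring actions, and more than four mirror-to interfaces. The indented listing layout, the names mixed_b, mixed_p and any_c, the filter deny action, and the VLAN binding are assumptions constructed for the sample.

```python
import re
# Constructed sample: the example's commands in an indented listing (layout
# assumed), plus a hypothetical outbound policy and a hypothetical VLAN binding.
SAMPLE = """\
traffic behavior tech_b
 mirror-to interface Ten-GigabitEthernet1/0/3
traffic behavior mixed_b
 mirror-to interface Ten-GigabitEthernet1/0/5
 filter deny
qos policy tech_p
 classifier tech_c behavior tech_b
qos policy mixed_p
 classifier any_c behavior mixed_b
interface Ten-GigabitEthernet1/0/4
 qos apply policy tech_p inbound
interface Ten-GigabitEthernet1/0/6
 qos apply policy mixed_p outbound
qos vlan-policy tech_p vlan 10 inbound
"""
APPLY = re.compile(r"qos (?:apply policy|vlan-policy) (\S+) (.*)")

def audit_mirroring(config):
    """Return (bindings, warnings) for each applied policy that mirrors traffic."""
    behaviors, policies, applied, scope = {}, {}, [], "system"
    for raw in config.splitlines():
        line, indented = raw.strip(), raw.startswith(" ")
        if not line or line == "#":
            continue
        if not indented:
            scope = line  # a new top-level section starts here
        m = APPLY.match(line)
        if m:  # binding inside a section, or one made in system view
            applied.append((scope if indented else "system", m.group(1), m.group(2)))
        elif indented and scope.startswith("traffic behavior "):
            behaviors.setdefault(scope.split()[2], []).append(line)
        elif indented and scope.startswith("qos policy ") and line.startswith("classifier "):
            policies.setdefault(scope.split()[2], []).append(line.split()[3])
    bindings, warnings = [], []
    for where, policy, args in applied:
        for name in policies.get(policy, []):
            actions = behaviors.get(name, [])
            dests = [a.split(" ", 1)[1] for a in actions if a.startswith("mirror-to ")]
            if dests:  # this behavior mirrors traffic
                bindings.append((where, policy, args, dests))
                if args.endswith("outbound") and len(dests) != len(actions):
                    warnings.append(f"{policy}/{name}: outbound, non-mirroring actions present")
                if sum(d.startswith("interface ") for d in dests) > 4:
                    warnings.append(f"{name}: only the first four interfaces take effect")
    return bindings, warnings
```

Each binding is a tuple of where the policy is applied, the policy name, the direction arguments, and the mirror destinations, which makes it straightforward to compare against the list of approved monitoring ports.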