Table of Contents

Related Documents

30-Mirroring Quick Start Configuration Guide

Title	Size	Download
30-Mirroring Quick Start Configuration Guide	638.90 KB

Mirroring Quick Start Configuration Guide

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

Contents

Configuring local port mirroring· 1

Introduction· 1

Network configuration· 1

Restrictions and guidelines· 1

Procedure· 1

Verifying the configuration· 2

Configuration files· 3

Configuring local port mirroring

Introduction

The following information uses an example to describe the basic procedure for configuring local port mirroring.

The departments of a company use IP addresses on different subnets. The R&D department uses subnet 10.1.1.0/24, and the marketing department uses subnet 12.1.1.0/24. Configure local port mirroring, so that the data monitoring device can monitor the traffic from the R&D department and marketing department to Internet and the traffic between the two departments.

Figure 1 Network diagram

Restrictions and guidelines

· For a local mirroring group to take effect, you must configure the mirroring source ports and monitor port for the group. Make sure the monitor port is not the member port of any other mirroring group.

· A monitor port can receive both mirrored packets copied from source ports and normally forwarded packets from other ports. Use a monitor port only for port mirroring, so the data monitoring device receives and analyzes only the mirrored traffic.

Procedure

# Assign IP address 10.1.1.1/24 to GigabitEthernet 1/0/1, which connects to the device of the R&D department.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-mode route

[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 24

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP address 12.1.1.1/24 to GigabitEthernet 1/0/2, which connects to the device of the marketing department.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] port link-mode route

[DeviceA-GigabitEthernet1/0/2] ip address 12.1.1.1 24

[DeviceA-GigabitEthernet1/0/2] quit

# Assign IP address 56.56.56.5/24 to GigabitEthernet 1/0/4.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/4

[DeviceA-GigabitEthernet1/0/4] port link-mode route

[DeviceA-GigabitEthernet1/0/4] ip address 56.56.56.5 24

[DeviceA-GigabitEthernet1/0/4] quit

# Create a local mirroring group.

[DeviceA] mirroring-group 1 local

# Configure the local mirroring group to mirror the incoming packets of interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2 inbound

# Configure interface GigabitEthernet 1/0/3 as the monitor port.

[DeviceA] mirroring-group 1 monitor-port gigabitethernet 1/0/3

# Disable the spanning tree protocol on the monitor port, GigabitEthernet 1/0/3.

[DeviceA] interface gigabitethernet 1/0/3

[DeviceA-GigabitEthernet1/0/3] undo stp enable

[DeviceA-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display information about mirroring group 1 on Device A.

[DeviceA] display mirroring-group 1

Mirroring group 1:

Type: Local

Status: Active

Mirroring port:

GigabitEthernet1/0/1 Inbound

GigabitEthernet1/0/2 Inbound

Monitor port: GigabitEthernet1/0/3

# Ping 56.56.56.6 from a host at 10.1.1.2 in the R&D department. Capture the packets on the data monitoring device, as shown in Figure 2. In this example, use Wireshark to capture packets.

Figure 2 Packets captured by Wireshark

The captured packets show that the local port mirroring function takes effect. The data monitoring device can successfully monitor the specified traffic.

Configuration files

mirroring-group 1 local

interface GigabitEthernet1/0/1

port link-mode route

ip address 10.1.1.1 255.255.255.0

mirroring-group 1 mirroring-port inbound

interface GigabitEthernet1/0/2

port link-mode route

ip address 12.1.1.1 255.255.255.0

mirroring-group 1 mirroring-port inbound

interface GigabitEthernet1/0/3

port link-mode bridge

undo stp enable

mirroring-group 1 monitor-port

interface GigabitEthernet1/0/4

port link-mode route

ip address 56.56.56.5 255.255.255.0

Configuring local port mirroring with multiple monitor ports through a remote probe VLAN

Introduction

The following information uses an example to describe the basic procedure for configuring local port mirroring with multiple monitor ports through the remote probe VLAN method.

Network configuration

The R&D department connects to Device through interface GigabitEthernet 1/0/1. Configure mirroring, so that the data monitoring devices Server A and Server B can monitor the incoming and outgoing packets of the R&D department.

Figure 3 Network diagram

Restrictions and guidelines

When a VLAN is configured as a remote probe VLAN, use the VLAN for port mirroring exclusively.

Only a static VLAN that already exists can be configured as a remote probe VLAN. A VLAN can be configured as the remote probe VLAN for only one mirroring group.

To delete a VLAN that is configured as a remote probe VLAN, first remove the remote probe VLAN configuration.

Procedure

# Create VLAN 2.

<Device> system-view

[Device] vlan 2

[Device-vlan2] quit

# Create VLAN-interface 2, and assign an IP address to it.

[Device] interface vlan-interface 2

[Device-Vlan-interface2] ip address 10.1.1.1 24

[Device-Vlan-interface2] quit

# Create VLAN 10, which is to be used as the remote probe VLAN.

[Device] vlan 10

[Device-vlan10] quit

# Set the link type of GigabitEthernet 1/0/1 to trunk, and assign it to VLAN 2.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] port link-type trunk

[Device-GigabitEthernet1/0/1] port trunk permit vlan 2

[Device-GigabitEthernet1/0/1] quit

# Create remote source group 1.

<Device> system-view

[Device] mirroring-group 1 remote-source

# Configure GigabitEthernet 1/0/1, which connects to the R&D department, as the source port of remote source group 1.

[Device] mirroring-group 1 mirroring-port gigabitethernet1/0/1 both

# Configure an unused port (GigabitEthernet 1/0/4 in this example) as the reflector port of mirroring group 1.

[Device] mirroring-group 1 reflector-port gigabitethernet1/0/4

This operation may delete all settings made on the interface. Continue? [Y/N]:y

# Assign the interfaces connecting to data monitoring devices to VLAN 10.

[Device] vlan 10

[Device-vlan10] port gigabitethernet1/0/2 to gigabitethernet1/0/3

[Device-vlan10] quit

# Configure VLAN 10 as the remote probe VLAN of mirroring group 1.

[Device] mirroring-group 1 remote-probe vlan 10

Verifying the configuration

# Display information about mirroring group 1 on Device.

[DeviceA] display mirroring-group all

Mirroring group 1:

Type: Remote source

Status: Active

Mirroring port:

GigabitEthernet1/0/1 Both

Reflector port: GigabitEthernet1/0/4

Remote probe VLAN: 10

Configuration files

mirroring-group 1 remote-source

mirroring-group 1 remote-probe vlan 10

vlan 2

vlan 10

interface Vlan-interface2

ip address 10.1.1.1 255.255.255.0

interface GigabitEthernet1/0/1

port link-mode bridge

port link-type trunk

port trunk permit vlan 2

mirroring-group 1 mirroring-port inbound

interface GigabitEthernet1/0/2

port link-mode bridge

port access vlan 10

interface GigabitEthernet1/0/3

port link-mode bridge

port access vlan 10

interface GigabitEthernet1/0/4

port link-mode bridge

port access vlan 10

mirroring-group 1 reflector-port

Configuring Layer 2 remote port mirroring in egress port mode

Introduction

The following information uses an example to describe the basic procedure for configuring Layer 2 remote port mirroring in egress port mode.

Network configuration

The departments of a company access the core device Device A through a Layer 2 network and these departments use IP addresses on different subnets. The R&D department uses subnet 10.1.1.0/24, and the marketing department uses subnet 12.1.1.0/24. Configure Layer 2 remote port mirroring in egress port mode, so that the data monitoring device can monitor the traffic from the R&D department.

Figure 4 Network diagram

Restrictions and guidelines

To ensure correct forwarding of mirrored packets, assign the ports that connect intermediate devices to the source and destination devices to the remote probe VLAN.

As a best practice to ensure mirrored packet forwarding, configure mirroring on devices in the order of destination device, intermediate devices, and source device.

When configuring remote port mirroring on the destination device and source device, follow these restrictions and guidelines:

· When configuring a remote probe VLAN, follow these restrictions and guidelines:

¡ Make sure the VLAN is an existing static VLAN.

¡ Use the VLAN for remote port mirroring only.

¡ The VLAN can be used by only one remote source group.

· Make sure the remote mirroring groups on the source device and destination device use the same remote probe VLAN.

When configuring remote port mirroring on the destination device, follow these restrictions and guidelines:

· Make sure the monitor port is not the member port of any other mirroring group.

· Use the monitor port for port mirroring only.

When configuring remote port mirroring on the source device, follow these restrictions and guidelines:

· For mirroring to operate correctly, do not assign source ports to the remote probe VLAN.

· For mirroring to operate properly, do not configure any of the following features on the egress port:

¡ Spanning tree protocols.

¡ 802.1X.

¡ IGMP snooping.

¡ Static ARP.

¡ MAC address learning.

· Make sure the egress port is not the member port of any other mirroring group.

· A mirroring group supports only one egress port.

· When source ports are Layer 3 interfaces, you can implement Layer 2 remote mirroring only in egress port mode.

Procedures

Configuring Device A (destination device)

# Create VLANs 2 and 3.

<DeviceA> system-view

[DeviceA] vlan 2 to 3

# Create VLAN 5, which is to be used as the remote probe VLAN.

[DeviceA] vlan 5

[DeviceA-vlan5] quit

# Create VLAN-interface 2, and assign an IP address to it, which is to be used as the gateway for the VLAN. Configure VLAN-interface 3 in the same way.

[DeviceA] interface vlan-interface 2

[DeviceA-Vlan-interface2] ip address 10.1.1.1 24

[DeviceA-Vlan-interface2] quit

[DeviceA] interface vlan-interface 3

[DeviceA-Vlan-interface3] ip address 12.1.1.1 24

[DeviceA-Vlan-interface3] quit

# Set the link type of GigabitEthernet 1/0/1 to trunk, and assign it to VLANs 2, 3, and 5.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-type trunk

[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 2 3 5

[DeviceA-GigabitEthernet1/0/1] quit

# Create remote destination group 1.

[DeviceA] mirroring-group 1 remote-destination

# Configure VLAN 5 as the remote probe VLAN for the remote destination group. Configure GigabitEthernet 1/0/2, which connects to the data monitoring device, as the monitor port of remote destination group 1.

[DeviceA] mirroring-group 1 remote-probe vlan 5

[DeviceA] mirroring-group 1 monitor-port gigabitethernet 1/0/2

# Add the monitor port to the remote probe VLAN. When the mirrored packets are sent to the data monitoring device, they do not carry the tag of the remote probe VLAN. Therefore, set the link type of the interface to access.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] port access vlan 5

# Disable the spanning tree protocol on the monitor port, GigabitEthernet 1/0/2.

[DeviceA-GigabitEthernet1/0/2] undo stp enable

[DeviceA-GigabitEthernet1/0/2] quit

Configuring Device B (intermediate device)

# Create VLANs 2 and 3.

<DeviceB> system-view

[DeviceB] vlan 2 to 3

# Create VLAN 5, which is to be used as the remote probe VLAN.

[DeviceB] vlan 5

[DeviceB-vlan5] quit

# Set the link type of GigabitEthernet 1/0/1 to trunk, and assign it to VLANs 2, 3, and 5.

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] port link-type trunk

[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2 3 5

[DeviceB-GigabitEthernet1/0/1] quit

# Set the link type of GigabitEthernet 1/0/2 to trunk, and assign it to VLANs 2, 3, and 5.

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] port link-type trunk

[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 2 3 5

[DeviceB-GigabitEthernet1/0/2] quit

Configuring Device C (source device)

# Create VLANs 2 and 3.

<DeviceC> system-view

[DeviceC] vlan 2 to 3

# Assign GigabitEthernet 1/0/1 to VLAN 2.

[DeviceC] interface gigabitethernet 1/0/1

[DeviceC-GigabitEthernet1/0/1] port access vlan 2

[DeviceC-GigabitEthernet1/0/1] quit

# Assign GigabitEthernet 1/0/2 to VLAN 3.

[DeviceC] interface gigabitethernet 1/0/2

[DeviceC-GigabitEthernet1/0/2] port access vlan 3

[DeviceC-GigabitEthernet1/0/2] quit

# Create remote source group 1.

[DeviceC] mirroring-group 1 remote-source

# Create VLAN 5, which is to be used as the remote probe VLAN.

[DeviceC] vlan 5

[DeviceC-vlan5] quit

# Configure VLAN 5 as the remote probe VLAN, configure GigabitEthernet 1/0/1 as the source port, and configure GigabitEthernet 1/0/3 as the egress port for remote source group 1.

[DeviceC] mirroring-group 1 remote-probe vlan 5

[DeviceC] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 inbound

[DeviceC] mirroring-group 1 monitor-egress gigabitethernet 1/0/3

# Set the link type of GigabitEthernet 1/0/3 to trunk, and assign it to VLANs 2, 3, and 5.

[DeviceC] interface gigabitethernet 1/0/3

[DeviceC-GigabitEthernet1/0/3] port link-type trunk

[DeviceC-GigabitEthernet1/0/3] port trunk permit vlan 2 3 5

[DeviceC-GigabitEthernet1/0/3] quit

# Disable the spanning tree protocol on the egress port, GigabitEthernet 1/0/3.

[DeviceC-GigabitEthernet1/0/3] undo stp enable

[DeviceC-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display information about mirroring group 1 on Device C.

[DeviceC] display mirroring-group 1

Mirroring group 1:

Type: Remote source

Status: Active

Mirroring port:

GigabitEthernet1/0/1 Inbound

Monitor egress port: GigabitEthernet1/0/3

Remote probe VLAN: 5

# Display information about mirroring group 1 on Device A.

[DeviceA] display mirroring-group 1

Mirroring group 1:

Type: Remote destination

Status: Active

Monitor port: GigabitEthernet1/0/2

Remote probe VLAN: 5

# Ping a host at 12.1.1.2 in the marketing department from a host at 10.1.1.2 in the R&D department. Capture the packets on the data monitoring device, as shown in Figure 5. In this example, use Wireshark to capture packets.

Figure 5 Packets captured by Wireshark

The captured packets show that the Layer 2 remote port mirroring function takes effect. The data monitoring device can monitor the packets sent by the R&D department.

Configuration files

· Device A:

mirroring-group 1 remote-destination

mirroring-group 1 remote-probe vlan 5

vlan 2 to 3

vlan 5

interface Vlan-interface2

ip address 10.1.1.1 255.255.255.0

interface Vlan-interface3

ip address 12.1.1.1 255.255.255.0

interface GigabitEthernet1/0/1

port link-mode bridge

port link-type trunk

port trunk permit vlan 1 to 3 5

interface GigabitEthernet1/0/2

port link-mode bridge

port access vlan 5

undo stp enable

mirroring-group 1 monitor-port

· Device B:

vlan 2 to 3

vlan 5

interface GigabitEthernet1/0/1

port link-mode bridge

port link-type trunk

port trunk permit vlan 1 to 3 5

interface GigabitEthernet1/0/2

port link-mode bridge

port link-type trunk

port trunk permit vlan 1 to 3 5

· Device C:

mirroring-group 1 remote-source

mirroring-group 1 remote-probe vlan 5

vlan 2 to 3

vlan 5

interface GigabitEthernet1/0/1

port link-mode bridge

port access vlan 2

mirroring-group 1 mirroring-port inbound

interface GigabitEthernet1/0/2

port link-mode bridge

port access vlan 3

interface GigabitEthernet1/0/3

port link-mode bridge

port link-type trunk

port trunk permit vlan 1 to 3 5

mirroring-group 1 monitor-egress

Configuring Layer 2 remote port mirroring in reflector port mode

Introduction

The following information uses an example to describe the basic procedure for configuring Layer 2 remote port mirroring in reflector port mode.

Network configuration

The marketing department of a company connects to the core device Device A through a Layer 2 network, and uses the subnet 10.1.1.0/24. Configure Layer 2 remote port mirroring in reflector port mode, so that the data monitoring device can monitor the traffic from the marketing department.

Figure 6 Network diagram

Restrictions and guidelines

To ensure correct forwarding of mirrored packets, assign the ports that connect intermediate devices to the source and destination devices to the remote probe VLAN.

As a best practice to ensure mirrored packet forwarding, configure mirroring on devices in the order of destination device, intermediate devices, and source device.

When configuring remote port mirroring on the destination device and source device, follow these restrictions and guidelines:

· When configuring a remote probe VLAN, follow these restrictions and guidelines:

¡ Make sure the VLAN is an existing static VLAN.

¡ Use the VLAN for remote port mirroring only.

¡ The VLAN can be used by only one remote source group.

· Make sure the remote mirroring groups on the source device and destination device use the same remote probe VLAN.

When configuring remote port mirroring on the destination device, follow these restrictions and guidelines:

· Make sure the monitor port is not the member port of any other mirroring group.

· Use the monitor port for port mirroring only.

When configuring remote port mirroring on the source device, follow these restrictions and guidelines:

· For mirroring to operate correctly, do not assign source ports to the remote probe VLAN.

· The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port.

· When a port is configured as a reflector port, the port restores to the factory default settings. You cannot configure other features on a reflector port.

· If an IRF port is bound to only one physical interface, do not configure the physical interface as a reflector port. If you do that, the IRF might split.

Procedures

Configuring Device A (destination device)

# Create VLAN 2.

<DeviceA> system-view

[DeviceA] vlan 2

# Create VLAN 5, which is to be used as the remote probe VLAN.

[DeviceA] vlan 5

[DeviceA-vlan5] quit

# Create VLAN-interface 2, and assign an IP address to it, which is to be used as the gateway for the VLAN.

[DeviceA] interface vlan-interface 2

[DeviceA-Vlan-interface2] ip address 10.1.1.1 24

[DeviceA-Vlan-interface2] quit

# Set the link type of GigabitEthernet 1/0/1 to trunk, and assign it to VLANs 2 and 5.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-type trunk

[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 2 5

[DeviceA-GigabitEthernet1/0/1] quit

# Create remote destination group 1.

[DeviceA] mirroring-group 1 remote-destination

[DeviceA] mirroring-group 1 remote-probe vlan 5

[DeviceA] mirroring-group 1 monitor-port gigabitethernet 1/0/2

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] port access vlan 5

# Disable the spanning tree protocol on the monitor port, GigabitEthernet 1/0/2.

[DeviceA-GigabitEthernet1/0/2] undo stp enable

[DeviceA-GigabitEthernet1/0/2] quit

Configuring Device B (intermediate device)

# Create VLAN 2.

<DeviceB> system-view

[DeviceB] vlan 2

# Create VLAN 5, which is to be used as the remote probe VLAN.

[DeviceB] vlan 5

[DeviceB-vlan5] quit

# Set the link type of GigabitEthernet 1/0/1 to trunk, and assign it to VLANs 2 and 5.

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] port link-type trunk

[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2 5

[DeviceB-GigabitEthernet1/0/1] quit

# Set the link type of GigabitEthernet 1/0/2 to trunk, and assign it to VLANs 2 and 5.

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] port link-type trunk

[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 2 5

[DeviceB-GigabitEthernet1/0/2] quit

Configuring Device C (source device)

# Create VLAN 2.

<DeviceC> system-view

[DeviceC] vlan 2

# Assign GigabitEthernet 1/0/1 to VLAN 2.

[DeviceC] interface gigabitethernet 1/0/1

[DeviceC-GigabitEthernet1/0/1] port access vlan 2

[DeviceC-GigabitEthernet1/0/1] quit

# Create remote source group 1.

[DeviceC] mirroring-group 1 remote-source

# Create VLAN 5, which is to be used as the remote probe VLAN.

[DeviceC] vlan 5

[DeviceC-vlan5] quit

# Configure VLAN 5 as the remote probe VLAN, configure GigabitEthernet 1/0/1 as the source port, and configure GigabitEthernet 1/0/2 as the reflector port for remote source group 1.

[DeviceC] mirroring-group 1 remote-probe vlan 5

[DeviceC] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 inbound

[DeviceC] mirroring-group 1 reflector-port gigabitethernet 1/0/2

# Set the link type of GigabitEthernet 1/0/3 to trunk, and assign it to VLANs 2 and 5.

[DeviceC] interface gigabitethernet 1/0/3

[DeviceC-GigabitEthernet1/0/3] port link-type trunk

[DeviceC-GigabitEthernet1/0/3] port trunk permit vlan 2

[DeviceC-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display configuration information of all mirroring groups on Device A.

[DeviceA] display mirroring-group all

Mirroring group 1:

Type: Remote destination

Status: Active

Monitor port: GigabitEthernet1/0/2

Remote probe VLAN: 5

# Display configuration information of all mirroring groups on Device C.

[DeviceC] display mirroring-group all

Mirroring group 1:

Type: Remote source

Status: Active

Mirroring port:

GigabitEthernet1/0/1 inbound

Reflector port: GigabitEthernet1/0/2

Remote probe VLAN: 5

Configuration files

· Device A:

mirroring-group 1 remote-destination

mirroring-group 1 remote-probe vlan 5

vlan 2

vlan 5

interface Vlan-interface2

ip address 10.1.1.1 255.255.255.0

interface GigabitEthernet1/0/1

port link-mode bridge

port link-type trunk

port trunk permit vlan 1 to 2 5

interface GigabitEthernet1/0/2

port link-mode bridge

port access vlan 5

undo stp enable

mirroring-group 1 monitor-port

· Device B:

vlan 2

vlan 5

interface GigabitEthernet1/0/1

port link-mode bridge

port link-type trunk

port trunk permit vlan 1 to 2 5

interface GigabitEthernet1/0/2

port link-mode bridge

port link-type trunk

port trunk permit vlan 1 to 2 5

· Device C:

mirroring-group 1 remote-source

mirroring-group 1 remote-probe vlan 5

vlan 2

vlan 5

interface GigabitEthernet1/0/1

port link-mode bridge

port access vlan 2

mirroring-group 1 mirroring-port inbound

interface GigabitEthernet1/0/2

port link-mode bridge

mirroring-group 1 reflector-port

interface GigabitEthernet1/0/3

port link-mode bridge

port link-type trunk

port trunk permit vlan 2 5

Configuring Layer 3 remote port mirroring in encapsulation parameter mode

Introduction

The following information uses an example to describe the basic procedure for configuring Layer 3 remote port mirroring in encapsulation parameter mode.

Network configuration

The R&D department uses the subnet 10.1.1.0/24. Configure Layer 3 remote port mirroring, so that the data monitoring device can monitor the traffic from the R&D department to Internet.

Figure 7 Network diagram

Restrictions and guidelines

If intermediate devices exist between the source device and the destination device, configure a unicast routing protocol on the intermediate devices to ensure that the source device and the destination device can reach each other at Layer 3.

Procedures

Configuring Device A

# Assign IP address 10.1.1.1 to interface GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-mode route

[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 24

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP address 20.1.1.1 to interface GigabitEthernet 1/0/2.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] port link-mode route

[DeviceA-GigabitEthernet1/0/2] ip address 20.1.1.1 24

[DeviceA-GigabitEthernet1/0/2] quit

# Assign IP address 100.1.1.1 to interface GigabitEthernet 1/0/3.

[DeviceA] interface gigabitethernet 1/0/3

[DeviceA-GigabitEthernet1/0/3] port link-mode route

[DeviceA-GigabitEthernet1/0/3] ip address 100.1.1.1 24

[DeviceA-GigabitEthernet1/0/3] quit

# Configure OSPF.

<DeviceB> system-view

[DeviceB] ospf 1

[DeviceB-ospf-1] area 0

[DeviceB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] quit

[DeviceB-ospf-1] quit

# Create local mirroring group 1.

[DeviceA] mirroring-group 1 local

# Configure a source port for local mirroring group 1.

[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 inbound

# Configure the monitor port and encapsulation parameters of mirrored packets for local mirroring group 1.

[DeviceA] mirroring-group 1 monitor-port gigabitethernet 1/0/2 destination-ip 40.1.1.2 source-ip 20.1.1.1

Configuring Device B

# Assign IP address 20.1.1.2 to interface GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-mode route

[DeviceA-GigabitEthernet1/0/1] ip address 20.1.1.2 24

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP address 40.1.1.1 to interface GigabitEthernet 1/0/2.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] port link-mode route

[DeviceA-GigabitEthernet1/0/2] ip address 40.1.1.1 24

[DeviceA-GigabitEthernet1/0/2] quit

# Configure OSPF.

<DeviceB> system-view

[DeviceB] ospf 1

[DeviceB-ospf-1] area 0

[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] network 40.1.1.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] quit

[DeviceB-ospf-1] quit

Verifying the configuration

# Display information about mirroring group 1 on Device A.

[DeviceA] display mirroring-group 1

Mirroring group 1:

Type: Local

Status: Active

Mirroring port:

GigabitEthernet1/0/1 Inbound

Monitor port: GigabitEthernet1/0/2

Encapsulation: Destination IP address 40.1.1.2

Source IP address 20.1.1.1

Destination MAC address 1025-4125-412b

Configuration files

· Device A:

ospf 1

area 0.0.0.0

network 10.1.1.0 0.0.0.255

network 20.1.1.0 0.0.0.255

interface GigabitEthernet1/0/1

port link-mode route

ip address 10.1.1.1 255.255.255.0

mirroring-group 1 mirroring-port inbound

interface GigabitEthernet1/0/2

port link-mode route

ip address 20.1.1.1 255.255.255.0

mirroring-group 1 monitor-port destination-ip 40.1.1.2 source-ip 20.1.1.1

interface GigabitEthernet1/0/3

port link-mode route

ip address 100.1.1.1 255.255.255.0

· Device B:

ospf 1

area 0.0.0.0

network 20.1.1.0 0.0.0.255

network 40.1.1.0 0.0.0.255

interface GigabitEthernet1/0/1

port link-mode route

ip address 20.1.1.2 255.255.255.0

interface GigabitEthernet1/0/2

port link-mode route

ip address 40.1.1.1 255.255.255.0

Configuring local flow mirroring

Introduction

The following information uses an example to describe the basic procedure for configuring local flow mirroring.

Network configuration

The R&D department of a company uses the 10.1.1.1/24 subnet. Configure local flow mirroring to enable the data monitoring device to monitor the WWW traffic from hosts in the R&D department to Internet.

Figure 8 Network diagram

Procedure

# Assign IP address 10.1.1.1/24 to GigabitEthernet 1/0/1, which connects to the device of the R&D department.

<Device> system-view

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] port link-mode route

[Device-GigabitEthernet1/0/1] ip address 10.1.1.0 24

[Device-GigabitEthernet1/0/1] quit

# Create ACL 3000, and configure a rule to match the traffic from the R&D department to Internet.

[Device] acl number 3000

[Device-acl-adv-3000] rule permit tcp destination-port eq www source 10.1.1.0 0.0.0.255

[Device-acl-adv-3000] quit

# Create traffic class classifier_research, and use ACL 3000 as a match criterion.

[Device] traffic classifier classifier_research

[Device-classifier-classifier_research] if-match acl 3000

[Device-classifier-classifier_research] quit

# Create traffic behavior behavior_research, and configure an action of mirroring traffic to interface GigabitEthernet 1/0/2.

[Device] traffic behavior behavior_research

[Device-behavior-behavior_research] mirror-to interface gigabitethernet 1/0/2

[Device-behavior-behavior_research] quit

# Create QoS policy policy_research. Associate traffic class classifier_research with traffic behavior behavior_research.

[Device] qos policy policy_research

[Device-qospolicy-policy_research] classifier classifier_research behavior behavior_research

[Device-qospolicy-policy_research] quit

# Apply QoS policy policy_research to the inbound direction of interface GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply policy policy_research inbound

[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display the flow mirroring configuration information on Device.

[Device] display qos policy interface

Interface: GigabitEthernet1/0/1

Direction: Inbound

Policy: policy_research

Classifier: classifier_research

Operator: AND

Rule(s) :

If-match acl 3000

Behavior: behavior_research

Mirroring:

Mirror to the interface: GigabitEthernet1/0/2

Configuration files

acl number 3000

rule 0 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www

traffic classifier classifier_research operator and

if-match acl 3000

traffic behavior behavior_research

mirror-to interface GigabitEthernet1/0/2

qos policy policy_research

classifier classifier_research behavior behavior_research

interface GigabitEthernet1/0/1

port link-mode route

ip address 10.1.1.0 0.0.0.255

qos apply policy policy_research inbound

H3C Campus Fixed-Port Switches CLI-Based Quick Start Configuration Guide-6W101

Configuring Device A (destination device)

Configuring Device B (intermediate device)

Configuring Device C (source device)

Configuring Device A (destination device)

Configuring Device B (intermediate device)

Configuring Device C (source device)

Configuring Device A

Configuring Device B

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us