15-Network Management and Monitoring Configuration Guide

16-Mirroring configuration

Contents

Configuring port mirroring
About port mirroring
Terminology
Port mirroring classification
Local port mirroring
Layer 2 remote port mirroring
Layer 3 remote port mirroring
Restrictions and guidelines: Port mirroring configuration
Configuring local port mirroring
Restrictions and guidelines for local port mirroring configuration
Local port mirroring tasks at a glance
Creating a local mirroring group
Configuring mirroring sources
Configuring the monitor port
Configuring Layer 2 remote port mirroring
Restrictions and guidelines for Layer 2 remote port mirroring configuration
Layer 2 remote port mirroring with configurable reflector port configuration tasks at a glance
Layer 2 remote port mirroring with egress port configuration tasks at a glance
Creating a remote destination group
Configuring the monitor port
Configuring the remote probe VLAN
Assigning the monitor port to the remote probe VLAN
Creating a remote source group
Configuring mirroring sources
Configuring the reflector port
Configuring the egress port
Configuring local port mirroring with multiple monitoring devices
About this task
Restrictions and guidelines
Procedure
Configuring Layer 3 remote port mirroring
Restrictions and guidelines for Layer 3 remote port mirroring configuration
Layer 3 remote port mirroring tasks at a glance
Prerequisites for Layer 3 remote port mirroring
Configuring local mirroring groups
Configuring mirroring sources
Configuring the monitor port
Configuring CAR for port mirroring
Display and maintenance commands for port mirroring
Port mirroring configuration examples
Example: Configuring local port mirroring (in source port mode)
Example: Configuring local port mirroring (in source CPU mode)
Example: Configuring Layer 2 remote port mirroring (reflector port configurable)
Example: Configuring Layer 2 remote port mirroring (with egress port)
Example: Configuring local port mirroring with multiple monitoring devices
Example: Configuring Layer 3 remote port mirroring
Configuring flow mirroring
About flow mirroring
Restrictions and guidelines: Flow mirroring configuration
Flow mirroring tasks at a glance
Configuring a traffic class
Configuring a traffic behavior
Configuring a QoS policy
Applying a QoS policy
Applying a QoS policy to an interface
Applying a QoS policy to a VLAN
Applying a QoS policy globally
Applying a QoS policy to the control plane
Flow mirroring configuration examples
Example: Configuring flow mirroring

 


Configuring port mirroring

About port mirroring

Port mirroring copies the packets passing through a port or CPU to a port that connects to a data monitoring device for packet analysis.

Terminology

The following terms are used in port mirroring configuration.

Mirroring source

The mirroring sources can be one or more monitored ports or CPUs. The monitored ports and CPUs are called source ports and source CPUs, respectively.

Packets passing through mirroring sources are copied to a port connecting to a data monitoring device for packet analysis. The copies are called mirrored packets.

Source device

The device where the mirroring sources reside is called a source device.

Mirroring destination

The mirroring destination connects to a data monitoring device and is the destination port (also known as the monitor port) of mirrored packets. Mirrored packets are sent out of the monitor port to the data monitoring device.

A monitor port might receive multiple copies of a packet when it monitors multiple mirroring sources. For example, two copies of a packet are received on Port A when the following conditions exist:

·     Port A is monitoring bidirectional traffic of Port B and Port C on the same device.

·     The packet travels from Port B to Port C.

Destination device

The device where the monitor port resides is called the destination device.

Mirroring direction

The mirroring direction specifies the direction of the traffic that is copied on a mirroring source.

·     Inbound—Copies packets received.

·     Outbound—Copies packets sent.

·     Bidirectional—Copies packets received and sent.

Mirroring group

Port mirroring is implemented through mirroring groups. Mirroring groups can be classified into local mirroring groups, remote source groups, and remote destination groups.

Reflector port, egress port, and remote probe VLAN

Reflector ports, remote probe VLANs, and egress ports are used for Layer 2 remote port mirroring. The remote probe VLAN is a dedicated VLAN for transmitting mirrored packets to the destination device. Both the reflector port and egress port reside on a source device and send mirrored packets to the remote probe VLAN.

On port mirroring devices, all ports except source, destination, reflector, and egress ports are called common ports.

Port mirroring classification

Port mirroring can be classified into local port mirroring and remote port mirroring.

·     Local port mirroring—The source device is directly connected to a data monitoring device. The source device also acts as the destination device and forwards mirrored packets directly to the data monitoring device.

·     Remote port mirroring—The source device is not directly connected to a data monitoring device. The source device sends mirrored packets to the destination device, which forwards the packets to the data monitoring device.

Remote port mirroring can be further classified into Layer 2 and Layer 3 remote port mirroring:

◦     Layer 2 remote port mirroring—The source device and destination device are on the same Layer 2 network.

◦     Layer 3 remote port mirroring—The source device and destination device are separated by IP networks.

Local port mirroring

As shown in Figure 1, the source port (Port A) and the monitor port (Port B) reside on the same device. Packets received on Port A are copied to Port B. Port B then forwards the packets to the data monitoring device for analysis.

Figure 1 Local port mirroring implementation

Layer 2 remote port mirroring

In Layer 2 remote port mirroring, the mirroring sources and destination reside on different devices and are in different mirroring groups.

A remote source group is a mirroring group that contains the mirroring sources. A remote destination group is a mirroring group that contains the mirroring destination. Intermediate devices are the devices between the source device and the destination device.

Layer 2 remote port mirroring can be implemented through the reflector port method or the egress port method.

Reflector port method

In Layer 2 remote port mirroring that uses the reflector port method, packets are mirrored as follows:

1.     The source device copies packets received on the mirroring sources to the reflector port.

2.     The reflector port broadcasts the mirrored packets in the remote probe VLAN.

3.     The intermediate devices transmit the mirrored packets to the destination device through the remote probe VLAN.

4.     Upon receiving the mirrored packets, the destination device determines whether the VLAN ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the destination device forwards the mirrored packets to the data monitoring device through the monitor port.

Figure 2 Layer 2 remote port mirroring implementation through the reflector port method

 

The reflector port can be fixed or configurable. When the reflector port is fixed, you do not need to manually specify a reflector port, and the device has a fixed one. When the reflector port is configurable, you must manually specify a reflector port. The device supports only the configurable reflector port.

Egress port method

In Layer 2 remote port mirroring that uses the egress port method, packets are mirrored as follows:

1.     The source device copies packets received on the mirroring sources to the egress port.

2.     The egress port forwards the mirrored packets to the intermediate devices.

3.     The intermediate devices flood the mirrored packets in the remote probe VLAN and transmit the mirrored packets to the destination device.

4.     Upon receiving the mirrored packets, the destination device determines whether the VLAN ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the destination device forwards the mirrored packets to the data monitoring device through the monitor port.

Figure 3 Layer 2 remote port mirroring implementation through the egress port method

 

Layer 3 remote port mirroring

Layer 3 remote port mirroring is implemented through configuring a local mirroring group on both the source device and the destination device.

To implement Layer 3 remote port mirroring, perform the following tasks:

·     Configure the source device:

◦     Create a local mirroring group and specify the mirroring sources for the group.

◦     Configure the tunnel interface as the monitor port for the mirroring group.

·     Configure the destination device:

◦     Create a local mirroring group and specify the physical port corresponding to the tunnel interface as the source port.

◦     Configure the port that connects to the data monitoring device as the monitor port.

For example, in a network as shown in Figure 4, Layer 3 remote port mirroring works as follows:

1.     The source device sends one copy of a packet received on the source port (Port A) to the tunnel interface.

The tunnel interface acts as the monitor port in the local mirroring group created on the source device.

2.     The tunnel interface on the source device forwards the mirrored packet to the tunnel interface on the destination device through the GRE tunnel.

3.     The destination device receives the mirrored packet from the physical interface of the tunnel interface.

The tunnel interface acts as the source port in the local mirroring group created on the destination device.

4.     The physical interface of the tunnel interface sends one copy of the packet to the monitor port (Port B).

5.     The monitor port (Port B) forwards the packet to the data monitoring device.

For more information about GRE tunnels and tunnel interfaces, see Layer 3—IP Services Configuration Guide.

Figure 4 Layer 3 remote port mirroring implementation

Restrictions and guidelines: Port mirroring configuration

The reflector port method for Layer 2 remote port mirroring can be used to implement local port mirroring with multiple monitor ports.

In the reflector port method, the reflector port broadcasts mirrored packets in the remote probe VLAN. By assigning the ports that connect to data monitoring devices to the remote probe VLAN, you can implement local port mirroring to mirror packets to multiple monitor ports. The egress port method cannot implement local port mirroring in this way.

For the mirrored packets to carry the same VLAN tag as the original packets, make sure the monitor port first removes the remote probe VLAN tag from the mirrored packets and then sends them to the data monitoring device.
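The VLAN ID check in step 4 of both Layer 2 methods and the tag removal described above, modeled as an added Python example (not H3C code). It assumes the mirrored packet carries the remote probe VLAN as its outer IEEE 802.1Q tag; the frames, MAC addresses, and VLAN IDs are constructed.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier


def outer_vlan_id(frame):
    """Return the VLAN ID of the outer 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # the VLAN ID is the low 12 bits of the tag control field


def monitor_port_output(frame, probe_vlan):
    """Model the destination device's decision for one received frame.

    Returns the frame handed to the data monitoring device, with the remote
    probe VLAN tag removed, or None when the outer VLAN ID does not match the
    remote probe VLAN and the frame is not treated as mirrored traffic.
    """
    if outer_vlan_id(frame) != probe_vlan:
        return None
    return frame[:12] + frame[16:]  # drop the 4-byte outer tag, keep the rest


def build_frame(vlan_ids, payload=b"\x08\x00\x45" + bytes(19)):
    """Constructed frame: fixed MACs, one 802.1Q tag per VLAN ID, outermost first."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vlan_ids)
    return dst + src + tags + payload


PROBE_VLAN = 2                       # constructed remote probe VLAN ID
MIRRORED = build_frame([2, 10])      # original packet in VLAN 10, carried in VLAN 2
UNRELATED = build_frame([7])         # traffic in another VLAN


def demo():
    """Return what the monitoring device receives for each constructed frame."""
    return [monitor_port_output(f, PROBE_VLAN) for f in (MIRRORED, UNRELATED)]
```

If a capture taken on the data monitoring device still shows the remote probe VLAN as the outer tag, the monitor port is not removing it, and the original VLAN tag appears one level deeper than expected.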

Configuring local port mirroring

Restrictions and guidelines for local port mirroring configuration

A local mirroring group takes effect only after it is configured with the monitor port and mirroring sources.

A local mirroring group supports multicard mirroring.

Local port mirroring tasks at a glance

To configure local port mirroring, perform the following tasks:

1.     Creating a local mirroring group

2.     Configuring mirroring sources

Choose one of the following tasks:

◦     Configuring source ports

◦     Configuring source CPUs

3.     Configuring the monitor port

4.     Configuring CAR for port mirroring

Creating a local mirroring group

1.     Enter system view.

system-view

2.     Create a local mirroring group.

mirroring-group group-id local

Configuring mirroring sources

Restrictions and guidelines for mirroring source configuration

When you configure source ports for a local mirroring group, follow these restrictions and guidelines:

·     A mirroring group can contain multiple source ports.

·     A Layer 3 Ethernet subinterface cannot be configured as a source port for a mirroring group.

·     A port can act as a source port for only one mirroring group.

·     A source port cannot be configured as a reflector port, egress port, or monitor port.

·     To mirror traffic of a POS interface on a MIC subcard installed in CSPEX-1104-E, CSPEX-1204, CSPC-GE16XP4L-E, CSPC-GE24L-E, CSPC-GP24GE8XP2L-E after the interface is assigned to an HDLC link bundle, follow these guidelines:

◦     If you specify the HDLC link bundle interface as a source port, only the inbound traffic of the POS interface can be mirrored, even if you enable bidirectional traffic mirroring for the HDLC link bundle interface.

◦     If you specify the POS interface as a source interface, only the outbound traffic of the POS interface can be mirrored, even if you enable bidirectional traffic mirroring for the POS interface.

·     To mirror traffic of a POS interface on a PIC subcard installed in the following cards after the interface is assigned to an HDLC link bundle, specify the POS interface as a source port: CSPEX-1104-E, CSPEX-1204, CSPC-GE16XP4L-E, CSPC-GE24L-E, CSPC-GP24GE8XP2L-E.

·     To mirror traffic of a POS interface on a MIC or PIC subcard installed in the following cards after the interface is assigned to an HDLC link bundle, specify the HDLC link bundle interface as a source port: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CSPEX-1802X, CSPEX-1802XA, CSPEX-1812X-E, CSPEX-2304X-G, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ16L1, CSPEX-1502XA, RX-SPE200-E.

·     Only ATM interfaces on the CSPEX-1304X, CSPEX-1404X, or CSPEX-1504X card can be configured as source ports.

·     The cpu-packet keyword is supported only on the following cards: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L.

When you configure source CPUs for a local mirroring group, follow these restrictions and guidelines:

·     A local mirroring group can contain multiple source CPUs.

·     Only inbound traffic mirroring is supported for CPUs.

Configuring source ports

·     Configure source ports in system view.

a.     Enter system view.

system-view

b.     Configure source ports for a local mirroring group.

mirroring-group group-id mirroring-port interface-list { both | inbound | outbound [ cpu-packet ] }

By default, no source port is configured for a local mirroring group.

·     Configure source ports in interface view.

a.     Enter system view.

system-view

b.     Enter interface view.

interface interface-type interface-number

c.     Configure the port as a source port for a local mirroring group.

mirroring-group group-id mirroring-port { both | inbound | outbound [ cpu-packet ] }

By default, a port does not act as a source port for any local mirroring groups.

Configuring source CPUs

1.     Enter system view.

system-view

2.     Configure source CPUs for a local mirroring group.

In standalone mode:

mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }

In IRF mode:

mirroring-group group-id mirroring-cpu chassis chassis-number slot slot-number-list { both | inbound | outbound }

By default, no source CPU is configured for a local mirroring group.

Configuring the monitor port

Restrictions and guidelines

A port that has the spanning tree feature enabled cannot be configured as the monitor port for a mirroring group.

For a Layer 2 or Layer 3 aggregate interface configured as the monitor port of a mirroring group, do not configure its member ports as source ports of the mirroring group.

Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.

If the mirroring source is an interface or CPU on CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L and you configure a Layer 2 aggregate interface as the monitor port, the mirrored packets sent to the monitor port carry VLAN tag 1. In this case, make sure the monitor port permits VLAN 1 and removes VLAN tag 1 when sending the packets out (for example, execute the port access vlan 1 command on the monitor port). For more information about the port access vlan command, see Layer 2—LAN Switching Command Reference.

The pop-label keyword is supported only when traffic of interfaces in the following cards is mirrored: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CSPEX-1802X, CSPEX-1802XA, CSPEX-1812X-E, CSPEX-2304X-G, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ16L1, CSPEX-1502XA, RX-SPE200-E.

Procedure

·     Configure the monitor port in system view.

a.     Enter system view.

system-view

b.     Configure the monitor port for a local mirroring group.

mirroring-group group-id monitor-port interface-list [ pop-label ]

By default, no monitor port is configured for a local mirroring group.

·     Configure the monitor port in interface view.

a.     Enter system view.

system-view

b.     Enter interface view.

interface interface-type interface-number

c.     Configure the port as the monitor port for a mirroring group.

mirroring-group group-id monitor-port [ pop-label ]

By default, a port does not act as the monitor port for any local mirroring groups.

Configuring Layer 2 remote port mirroring

Restrictions and guidelines for Layer 2 remote port mirroring configuration

To ensure successful traffic mirroring, configure devices in the order of the destination device, the intermediate devices, and the source device.

If intermediate devices exist, configure the intermediate devices to allow the remote probe VLAN to pass through.

The egress port must be assigned to the remote probe VLAN. This restriction does not apply to the reflector port.

For a mirrored packet to successfully arrive at the remote destination device, make sure its VLAN ID is not removed or changed.

Do not configure both MVRP and Layer 2 remote port mirroring. Otherwise, MVRP might register the remote probe VLAN with incorrect ports, which would cause the monitor port to receive undesired copies. For more information about MVRP, see Layer 2—LAN Switching Configuration Guide.

To monitor the bidirectional traffic of a source port, disable MAC address learning for the remote probe VLAN on the source, intermediate, and destination devices. For more information about MAC address learning, see Layer 2—LAN Switching Configuration Guide.

Layer 2 remote port mirroring with configurable reflector port configuration tasks at a glance

Configuring the destination device

To configure Layer 2 remote port mirroring with configurable reflector port, perform the following tasks on the destination device:

1.     Creating a remote destination group

2.     Configuring the monitor port

3.     Configuring the remote probe VLAN

4.     Assigning the monitor port to the remote probe VLAN

Configuring the source device

To configure Layer 2 remote port mirroring with configurable reflector port, perform the following tasks on the source device:

1.     Creating a remote source group

2.     Configuring mirroring sources

Choose one of the following tasks:

◦     Configuring source ports

◦     Configuring source CPUs

3.     Configuring the reflector port

4.     Configuring the remote probe VLAN

Layer 2 remote port mirroring with egress port configuration tasks at a glance

Configuring the destination device

To configure Layer 2 remote port mirroring with an egress port, perform the following tasks on the destination device:

1.     Creating a remote destination group

2.     Configuring the monitor port

3.     Configuring the remote probe VLAN

4.     Assigning the monitor port to the remote probe VLAN

Configuring the source device

To configure Layer 2 remote port mirroring with an egress port, perform the following tasks on the source device:

1.     Creating a remote source group

2.     Configuring mirroring sources

Choose one of the following tasks:

◦     Configuring source ports

◦     Configuring source CPUs

3.     Configuring the egress port

4.     Configuring the remote probe VLAN

Creating a remote destination group

Restrictions and guidelines

Perform this task on the destination device only.

Procedure

1.     Enter system view.

system-view

2.     Create a remote destination group.

mirroring-group group-id remote-destination

Configuring the monitor port

Restrictions and guidelines for monitor port configuration

Perform this task on the destination device only.

For mirroring to operate properly, do not enable the spanning tree feature on a monitor port.

A Layer 2 aggregate interface cannot be configured as the monitor port of a mirroring group for Layer 2 remote port mirroring.

Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.

A monitor port can belong to only one mirroring group.

Configuring the monitor port in system view

1.     Enter system view.

system-view

2.     Configure the monitor port for a remote destination group.

mirroring-group group-id monitor-port interface-type interface-number

By default, no monitor port is configured for a remote destination group.

Configuring the monitor port in interface view

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the port as the monitor port for a remote destination group.

mirroring-group group-id monitor-port

By default, a port does not act as the monitor port for any remote destination groups.

Configuring the remote probe VLAN

Restrictions and guidelines

This task is required on both the source and destination devices.

Only an existing static VLAN can be configured as a remote probe VLAN.

When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.

Configure the same remote probe VLAN for the remote source group and the remote destination group.

To implement Layer 2 remote port mirroring with the configurable reflector port method, make sure the remote probe VLAN ID is different from any subinterface IDs configured for the following interfaces:

·     Physical interfaces on the card where the reflector port resides.

·     Layer 3 aggregate interfaces that contain physical interfaces on the card where the reflector port resides.

Procedure

1.     Enter system view.

system-view

2.     Configure the remote probe VLAN for the remote source or destination group.

mirroring-group group-id remote-probe vlan vlan-id

By default, no remote probe VLAN is configured for a remote source or destination group.

Assigning the monitor port to the remote probe VLAN

Restrictions and guidelines

Perform this task on the destination device only.

Procedure

1.     Enter system view.

system-view

2.     Enter the interface view of the monitor port.

interface interface-type interface-number

3.     Assign the port to the remote probe VLAN.

◦     Assign an access port to the remote probe VLAN.

port access vlan vlan-id

◦     Assign a trunk port to the remote probe VLAN.

port trunk permit vlan vlan-id

◦     Assign a hybrid port to the remote probe VLAN.

port hybrid vlan vlan-id { tagged | untagged }

For more information about the port access vlan, port trunk permit vlan, and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference.

Creating a remote source group

Restrictions and guidelines

Perform this task on the source device only.

Procedure

1.     Enter system view.

system-view

2.     Create a remote source group.

mirroring-group group-id remote-source

Configuring mirroring sources

Restrictions and guidelines for mirroring source configuration

Perform this task on the source device only.

When you configure source ports for a remote source group, follow these restrictions and guidelines:

·     Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring group.

·     A mirroring group can contain multiple source ports.

·     A source port cannot be configured as a reflector port, monitor port, or egress port.

·     A Layer 3 Ethernet subinterface cannot be configured as a source port for a mirroring group.

A mirroring group can contain multiple source CPUs.

Configuring source ports

·     Configure source ports in system view.

a.     Enter system view.

system-view

b.     Configure source ports for a remote source group.

mirroring-group group-id mirroring-port interface-list { both | inbound | outbound [ cpu-packet ] }

By default, no source port is configured for a remote source group.

·     Configure source ports in interface view.

a.     Enter system view.

system-view

b.     Enter interface view.

interface interface-type interface-number

c.     Configure the port as a source port for a remote source group.

mirroring-group group-id mirroring-port { both | inbound | outbound [ cpu-packet ] }

By default, a port does not act as a source port for any remote source groups.

Configuring source CPUs

1.     Enter system view.

system-view

2.     Configure source CPUs for a remote source group.

In standalone mode:

mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }

In IRF mode:

mirroring-group group-id mirroring-cpu chassis chassis-number slot slot-number-list { both | inbound | outbound }

By default, no source CPU is configured for a remote source group.

Configuring the reflector port

Restrictions and guidelines for reflector port configuration

Perform this task on the source device only.

If you need to configure a subinterface for a physical interface on the card where the reflector port resides, make sure the subinterface ID is different from the remote probe VLAN ID. This restriction also applies when you configure subinterfaces for Layer 3 aggregate interfaces that contain physical interfaces on the card where the reflector port resides.

A remote source group supports only one reflector port.

A port can be configured as a reflector port only when it is operating with the default setting of the following parameters:

·     Duplex mode.

·     Speed.

·     MDI settings.

Configuring the reflector port in system view

1.     Enter system view.

system-view

2.     Configure the reflector port for a remote source group.

mirroring-group group-id reflector-port interface-type interface-number

 

CAUTION:

·     The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port.

·     When a port is configured as a reflector port, the port restores to the factory default settings. You cannot configure other features on a reflector port.

·     If an IRF port is bound to only one physical interface, do not configure the physical interface as a reflector port. Otherwise, the IRF might split.

 

By default, no reflector port is configured for a remote source group.

Configuring the reflector port in interface view

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the port as the reflector port for a remote source group.

mirroring-group group-id reflector-port

 

CAUTION:

·     The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port.

·     When a port is configured as a reflector port, the port restores to the factory default settings. You cannot configure other features on a reflector port.

·     If an IRF port is bound to only one physical interface, do not configure the physical interface as a reflector port. Otherwise, the IRF might split.

 

By default, a port does not act as the reflector port for any remote source groups.

Configuring the egress port

Restrictions and guidelines for egress port configuration

Perform this task on the source device only.

Disable the following features on the egress port:

·     Spanning tree.

·     IGMP snooping.

·     Static ARP.

·     MAC address learning.

An egress, monitor, or reflector port of an existing mirroring group cannot be configured as an egress port.

A mirroring group supports only one egress port.

If the remote source group contains a source interface or CPU on the mirroring source card, the following ports must be configured as trunk ports that permit all VLANs and use the remote probe VLAN as the PVID for Layer 2 remote port mirroring to operate correctly:

·     Egress port on the source device.

·     Ports on intermediate devices directly connected to the source and destination devices.

·     Port that receives mirrored packets on the destination device.

·     Monitor port on the destination device.

If the mirroring source is on an interface or CPU on CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L and you configure a Layer 2 aggregate interface as the egress port, the mirrored packets sent to the egress port carry VLAN tag 1. In this case, make sure the egress port permits VLAN 1 and removes VLAN tag 1 when sending the packets out (for example, execute the port access vlan 1 command on the egress port). Additionally, the following ports must be configured as trunk ports that permit all VLANs and use the remote probe VLAN as the PVID for Layer 2 remote port mirroring to operate correctly:

·     Ports on intermediate devices directly connected to the source and destination devices.

·     Port that receives mirrored packets on the destination device.

·     Monitor port on the destination device.

Configuring the egress port in system view

1.     Enter system view.

system-view

2.     Configure the egress port for a remote source group.

mirroring-group group-id monitor-egress interface-type interface-number

By default, no egress port is configured for a remote source group.

3.     Enter the egress port view.

interface interface-type interface-number

4.     Assign the egress port to the remote probe VLAN.

◦     Assign a trunk port to the remote probe VLAN.

port trunk permit vlan vlan-id

◦     Assign a hybrid port to the remote probe VLAN.

port hybrid vlan vlan-id { tagged | untagged }

For more information about the port trunk permit vlan and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference.

Configuring the egress port in interface view

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the port as the egress port for a remote source group.

mirroring-group group-id monitor-egress

By default, a port does not act as the egress port for any remote source groups.

Configuring local port mirroring with multiple monitoring devices

About this task

To monitor interesting traffic passing through a device on multiple directly connected data monitoring devices, configure local port mirroring with a remote probe VLAN as follows:

1.     Configure a remote source group on the device.

2.     Configure mirroring sources and a reflector port for the remote source group.

3.     Specify a VLAN as the remote probe VLAN and assign the ports connecting to the data monitoring devices to the VLAN.

This configuration enables the device to copy packets received on the mirroring sources to the reflector port, which broadcasts the packets in the remote probe VLAN. The packets are then sent out of the member ports of the remote probe VLAN to the data monitoring devices.

Restrictions and guidelines

The reflector port must be a port not in use. Do not connect a network cable to the reflector port.

When a port is configured as a reflector port, the port is restored to its factory default settings. You cannot configure other features on the reflector port.

Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring group.

A VLAN can act as the remote probe VLAN for only one remote source group. As a best practice, use the VLAN for port mirroring exclusively. Do not create a VLAN interface for the VLAN or configure other features for the VLAN.

The remote probe VLAN must be a static VLAN. To delete a VLAN that has been configured as the remote probe VLAN in a mirroring group, remove the remote probe VLAN from the mirroring group first.

Procedure

1.     Enter system view.

system-view

2.     Create a remote source group.

mirroring-group group-id remote-source

3.     Configure mirroring sources for the remote source group. Choose one option as needed:

¡     Configure mirroring ports in system view.

mirroring-group group-id mirroring-port interface-list { both | inbound | outbound [ cpu-packet ] }

By default, no mirroring ports are configured for a remote source group.

¡     Execute the following commands in sequence to enter interface view and then configure the interface as a source port.

interface interface-type interface-number

mirroring-group group-id mirroring-port { both | inbound | outbound [ cpu-packet ] }

quit

By default, an interface is not configured as a mirroring port for a remote source group.

4.     Configure the reflector port for the remote source group.

¡     Configure the reflector port in system view.

mirroring-group group-id reflector-port reflector-port

By default, no reflector port is configured for a remote source group.

¡     Execute the following commands in sequence to enter interface view and then configure the interface as a reflector port.

interface interface-type interface-number

mirroring-group group-id reflector-port

quit

By default, an interface is not configured as the reflector port for a remote source group.

5.     Create a VLAN and enter its view.

vlan vlan-id

6.     Assign the ports that connect to the data monitoring devices to the VLAN.

port interface-list

By default, a VLAN does not contain any ports.

7.     Return to system view.

quit

8.     Specify the VLAN as the remote probe VLAN for the remote source group.

mirroring-group group-id remote-probe vlan vlan-id

By default, no remote probe VLAN is configured for a remote source group.
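The restrictions and guidelines for this task can be checked before a change is applied. The following is an added example, not H3C code: it lints a planned command script against the remote probe VLAN and reflector port rules stated above. It assumes the interface-view forms of the commands and single VLAN IDs; the function name and the sample script are constructed for illustration.

```python
"""Pre-change lint for the remote probe VLAN and reflector port rules."""
import re
from collections import defaultdict

# Constructed change script (interface-view command forms, single VLAN IDs).
SAMPLE_SCRIPT = """\
mirroring-group 1 remote-source
interface ten-gigabitethernet 3/1/1
 mirroring-group 1 mirroring-port both
 quit
interface ten-gigabitethernet 3/1/6
 mirroring-group 1 reflector-port
 port access vlan 10
 quit
vlan 10
 quit
mirroring-group 1 remote-probe vlan 10
interface ten-gigabitethernet 3/1/4
 port access vlan 10
 quit
interface ten-gigabitethernet 3/1/1
 port access vlan 10
 quit
mirroring-group 2 remote-source
mirroring-group 2 remote-probe vlan 10
interface vlan-interface 10
 quit
"""

SOURCE_RE = r"mirroring-group (\d+) mirroring-port (?:both|inbound|outbound(?: cpu-packet)?)"
ASSIGN_RE = (r"port (?:access vlan|trunk permit vlan|hybrid vlan) (\d+)"
             r"(?: (?:tagged|untagged))?")


def lint_probe_vlan(script):
    """Return one finding string per violated rule in the command script."""
    iface = None                  # interface whose view we are in, if any
    sources = defaultdict(set)    # group ID -> source ports
    reflectors = {}               # reflector port -> group ID
    probe = defaultdict(set)      # VLAN ID -> remote source groups using it
    members = defaultdict(set)    # VLAN ID -> ports assigned to it
    vlan_ifs = set()              # VLAN IDs that have a VLAN interface
    findings = []
    for raw in script.splitlines():
        cmd = " ".join(raw.lower().split())
        if not cmd or cmd.startswith("#"):
            continue
        if cmd == "quit":
            iface = None
        elif m := re.fullmatch(r"interface vlan-interface ?(\d+)", cmd):
            vlan_ifs.add(int(m[1]))
            iface = None
        elif m := re.fullmatch(r"interface (\S+) (\S+)", cmd):
            iface = m[1] + m[2]
        elif re.fullmatch(r"vlan (\d+)", cmd):
            iface = None
        elif m := re.fullmatch(r"mirroring-group (\d+) remote-probe vlan (\d+)", cmd):
            probe[int(m[2])].add(int(m[1]))
        elif iface is None:
            continue  # other system-view and VLAN-view commands are out of scope
        elif m := re.fullmatch(SOURCE_RE, cmd):
            sources[int(m[1])].add(iface)
        elif m := re.fullmatch(r"mirroring-group (\d+) reflector-port", cmd):
            reflectors[iface] = int(m[1])
        elif iface in reflectors:
            # Anything entered after reflector-port is "another feature" on that port.
            findings.append(f"{iface}: reflector port of group {reflectors[iface]} "
                            f"must carry no other configuration ('{cmd}')")
        elif m := re.fullmatch(ASSIGN_RE, cmd):
            members[int(m[1])].add(iface)
    for vlan, groups in sorted(probe.items()):
        if len(groups) > 1:
            findings.append(f"VLAN {vlan}: remote probe VLAN of more than one "
                            f"remote source group {sorted(groups)}")
        if vlan in vlan_ifs:
            findings.append(f"VLAN {vlan}: remote probe VLAN has a VLAN interface")
        for gid in sorted(groups):
            for port in sorted(sources[gid] & members[vlan]):
                findings.append(f"{port}: source port of group {gid} is assigned "
                                f"to its remote probe VLAN {vlan}")
    return findings


if __name__ == "__main__":
    for finding in lint_probe_vlan(SAMPLE_SCRIPT):
        print(finding)
```

Interface lists with the to keyword, the system-view source port form, and port trunk permit vlan all are not parsed by this sketch.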

Configuring Layer 3 remote port mirroring

Restrictions and guidelines for Layer 3 remote port mirroring configuration

To implement Layer 3 remote port mirroring, you must configure a unicast routing protocol on the intermediate devices to ensure Layer 3 reachability between the source and destination devices.

To perform Layer 3 remote port mirroring for packets on the following cards, make sure the cards are in the source device: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CSPEX-1802X, CSPEX-1802XA, CSPEX-1812X-E, CSPEX-2304X-G, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ16L1, CSPEX-1502XA, RX-SPE200-E.

Layer 3 remote port mirroring tasks at a glance

Configuring the source device

To configure Layer 3 remote port mirroring, perform the following tasks on the source device:

1.     Configuring local mirroring groups

2.     Configuring mirroring sources

Choose one of the following tasks:

¡     Configuring source ports

¡     Configuring source CPUs

3.     Configuring the monitor port

Configuring the destination device

To configure Layer 3 remote port mirroring, perform the following tasks on the destination device:

1.     Configuring local mirroring groups

2.     Configuring mirroring sources

Choose one of the following tasks:

¡     Configuring source ports

¡     Configuring source CPUs

3.     Configuring the monitor port

Prerequisites for Layer 3 remote port mirroring

Before configuring Layer 3 remote mirroring, complete the following tasks:

·     Create a tunnel interface and a GRE tunnel.

·     Configure the source and destination addresses of the tunnel interface as the IP addresses of the physical interfaces on the source and destination devices, respectively.

For more information about tunnel interfaces, see Layer 3—IP Services Configuration Guide.

Configuring local mirroring groups

Restrictions and guidelines

Configure a local mirroring group on both the source device and the destination device.

Procedure

1.     Enter system view.

system-view

2.     Create a local mirroring group.

mirroring-group group-id local

Configuring mirroring sources

Restrictions and guidelines for source port configuration

On the source device, configure the ports you want to monitor as the source ports. On the destination device, configure the physical interface corresponding to the tunnel interface as the source port.

When you configure source ports for a local mirroring group, follow these restrictions and guidelines:

·     A source port cannot be configured as a reflector port, egress port, or monitor port.

·     A Layer 3 Ethernet subinterface cannot be configured as a source port for a mirroring group.

When you configure source CPUs for a local mirroring group, follow these restrictions and guidelines:

·     Perform this task on the source device only.

·     A mirroring group can contain multiple source CPUs.

Configuring source ports

·     Configure source ports in system view.

a.     Enter system view.

system-view

b.     Configure source ports for a local mirroring group.

mirroring-group group-id mirroring-port interface-list { both | inbound | outbound [ cpu-packet ] }

By default, no source port is configured for a local mirroring group.

·     Configure source ports in interface view.

a.     Enter system view.

system-view

b.     Enter interface view.

interface interface-type interface-number

c.     Configure the port as a source port for a local mirroring group.

mirroring-group group-id mirroring-port { both | inbound | outbound [ cpu-packet ] }

By default, a port does not act as a source port for any local mirroring groups.

Configuring source CPUs

1.     Enter system view.

system-view

2.     Configure source CPUs for a local mirroring group.

In standalone mode:

mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }

In IRF mode:

mirroring-group group-id mirroring-cpu chassis chassis-number slot slot-number-list { both | inbound | outbound }

By default, no source CPU is configured for a local mirroring group.

Configuring the monitor port

Restrictions and guidelines for monitor port configuration

On the source device:

·     Configure a tunnel interface as a monitor port.

·     A tunnel interface can be configured as a monitor port only when traffic of interfaces on the following cards is mirrored: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CSPEX-1802X, CSPEX-1802XA, CSPEX-1812X-E, CSPEX-2304X-G, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ16L1, CSPEX-1502XA, RX-SPE200-E.

On the destination device:

·     Configure the port that connects to a data monitoring device as a monitor port.

·     Do not enable the spanning tree feature on a monitor port.

·     When a Layer 2 or Layer 3 aggregate interface is configured as the monitor port of a mirroring group, do not configure its member ports as source ports.

·     Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.

Procedure

·     Configure the monitor port in system view.

a.     Enter system view.

system-view

b.     Configure the monitor port for a local mirroring group.

mirroring-group group-id monitor-port interface-type interface-number

By default, no monitor port is configured for a local mirroring group.

·     Configure the monitor port in interface view.

a.     Enter system view.

system-view

b.     Enter interface view.

interface interface-type interface-number

c.     Configure the port as the monitor port for a local mirroring group.

mirroring-group group-id monitor-port

By default, a port does not act as the monitor port for any local mirroring groups.

Configuring CAR for port mirroring

About this task

In the port mirroring scenario, the monitor port might monitor the traffic of multiple mirroring sources at the same time. If the rate of packets received or sent by the mirroring sources is too high, the monitor port might become congested and drop packets. In this case, you can configure this feature on the device where the mirroring sources reside. This feature rate-limits mirrored packets and avoids congestion on the port mirroring network.

Only the following cards support this feature:

·     CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L: On these cards, the maximum CIR supported is 50000000 kbps.

·     CSPEX-1802X, CSPEX-1802XA, CSPEX-1812X-E, CSPEX-2304X-G, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ16L1, CSPEX-1502XA, RX-SPE200-E: On these cards, the maximum CIR supported is 100000000 kbps.

The CAR configuration in this feature takes effect on a per-forwarding-chip basis on a card.

Procedure

1.     Enter system view.

system-view

2.     Configure CAR for port mirroring.

In standalone mode:

mirroring-group car { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ] slot slot-number [ cpu cpu-number ]

In IRF mode:

mirroring-group car { inbound | outbound } cir committed-information-rate [ cbs committed-burst-size ] chassis chassis-number slot slot-number [ cpu cpu-number ]

By default, the CIR is 10000000 kbps and the CBS is 16384 bytes for the packets received or sent by mirroring sources.

Display and maintenance commands for port mirroring

Execute display commands in any view.

 

Task: Display mirroring group information.
Command: display mirroring-group { group-id | all | local | remote-destination | remote-source }

Task: Display the CAR information about port mirroring.
Command: display mirroring-group car

 

Port mirroring configuration examples

Example: Configuring local port mirroring (in source port mode)

Network configuration

As shown in Figure 5, configure local port mirroring in source port mode to enable the server to monitor the bidirectional traffic of the two departments.

Figure 5 Network diagram

Procedure

# Create local mirroring group 1.

<Device> system-view

[Device] mirroring-group 1 local

# Configure Ten-GigabitEthernet 3/1/1 and Ten-GigabitEthernet 3/1/2 as source ports for local mirroring group 1.

[Device] mirroring-group 1 mirroring-port ten-gigabitethernet 3/1/1 ten-gigabitethernet 3/1/2 both

# Configure Ten-GigabitEthernet 3/1/3 as the monitor port for local mirroring group 1.

[Device] mirroring-group 1 monitor-port ten-gigabitethernet 3/1/3

# Disable the spanning tree feature on the monitor port (Ten-GigabitEthernet 3/1/3). Perform this task only when the monitor port operates in Layer 2 mode.

[Device] interface ten-gigabitethernet 3/1/3

[Device-Ten-GigabitEthernet3/1/3] undo stp enable

[Device-Ten-GigabitEthernet3/1/3] quit

Verifying the configuration

# Verify the mirroring group configuration.

[Device] display mirroring-group all

Mirroring group 1:

    Type: Local

    Status: Active

    Mirroring port: Ten-GigabitEthernet3/1/1  Both

                    Ten-GigabitEthernet3/1/2  Both

      Monitor port: Ten-GigabitEthernet3/1/3

Example: Configuring local port mirroring (in source CPU mode)

Network configuration

As shown in Figure 6, configure local port mirroring in source CPU mode to enable the server to monitor all packets matching the following criteria:

·     Received and sent by the Marketing Department and the Technical Department.

·     Processed by the CPU of the card in slot 3 of the device.

Figure 6 Network diagram

Procedure

# Create local mirroring group 1.

<Device> system-view

[Device] mirroring-group 1 local

# Configure the CPU of the card in slot 3 of the device as a source CPU for local mirroring group 1.

[Device] mirroring-group 1 mirroring-cpu slot 3 both

# Configure Ten-GigabitEthernet 3/1/3 as the monitor port for local mirroring group 1.

[Device] mirroring-group 1 monitor-port ten-gigabitethernet 3/1/3

# Disable the spanning tree feature on the monitor port (Ten-GigabitEthernet 3/1/3). Perform this task only when the monitor port operates in Layer 2 mode.

[Device] interface ten-gigabitethernet 3/1/3

[Device-Ten-GigabitEthernet3/1/3] undo stp enable

[Device-Ten-GigabitEthernet3/1/3] quit

Verifying the configuration

# Verify the mirroring group configuration.

[Device] display mirroring-group all

Mirroring group 1:

    Type: Local

    Status: Active

    Mirroring CPU:

        Slot 3  Both

    Monitor port: Ten-GigabitEthernet3/1/3

Example: Configuring Layer 2 remote port mirroring (reflector port configurable)

Network configuration

As shown in Figure 7, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing Department.

Figure 7 Network diagram

Procedure

1.     Configure Device C (the destination device):

# Configure Ten-GigabitEthernet 3/1/1 as a trunk port, and assign the port to VLAN 2.

<DeviceC> system-view

[DeviceC] interface ten-gigabitethernet 3/1/1

[DeviceC-Ten-GigabitEthernet3/1/1] port link-mode bridge

[DeviceC-Ten-GigabitEthernet3/1/1] port link-type trunk

[DeviceC-Ten-GigabitEthernet3/1/1] port trunk permit vlan 2

[DeviceC-Ten-GigabitEthernet3/1/1] quit

# Create a remote destination group.

[DeviceC] mirroring-group 2 remote-destination

# Create VLAN 2.

[DeviceC] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceC-vlan2] undo mac-address mac-learning enable

[DeviceC-vlan2] quit

# Configure VLAN 2 as the remote probe VLAN for the mirroring group.

[DeviceC] mirroring-group 2 remote-probe vlan 2

# Configure Ten-GigabitEthernet 3/1/2 as the monitor port for the mirroring group.

[DeviceC] interface ten-gigabitethernet 3/1/2

[DeviceC-Ten-GigabitEthernet3/1/2] port link-mode bridge

[DeviceC-Ten-GigabitEthernet3/1/2] mirroring-group 2 monitor-port

# Disable the spanning tree feature on Ten-GigabitEthernet 3/1/2.

[DeviceC-Ten-GigabitEthernet3/1/2] undo stp enable

# Assign Ten-GigabitEthernet 3/1/2 to VLAN 2.

[DeviceC-Ten-GigabitEthernet3/1/2] port access vlan 2

[DeviceC-Ten-GigabitEthernet3/1/2] quit

2.     Configure Device B (the intermediate device):

# Create VLAN 2.

<DeviceB> system-view

[DeviceB] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceB-vlan2] undo mac-address mac-learning enable

[DeviceB-vlan2] quit

# Configure Ten-GigabitEthernet 3/1/1 as a trunk port, and assign the port to VLAN 2.

[DeviceB] interface ten-gigabitethernet 3/1/1

[DeviceB-Ten-GigabitEthernet3/1/1] port link-mode bridge

[DeviceB-Ten-GigabitEthernet3/1/1] port link-type trunk

[DeviceB-Ten-GigabitEthernet3/1/1] port trunk permit vlan 2

[DeviceB-Ten-GigabitEthernet3/1/1] quit

# Configure Ten-GigabitEthernet 3/1/2 as a trunk port, and assign the port to VLAN 2.

[DeviceB] interface ten-gigabitethernet 3/1/2

[DeviceB-Ten-GigabitEthernet3/1/2] port link-mode bridge

[DeviceB-Ten-GigabitEthernet3/1/2] port link-type trunk

[DeviceB-Ten-GigabitEthernet3/1/2] port trunk permit vlan 2

[DeviceB-Ten-GigabitEthernet3/1/2] quit

3.     Configure Device A (the source device):

# Create a remote source group.

<DeviceA> system-view

[DeviceA] mirroring-group 1 remote-source

# Create VLAN 2.

[DeviceA] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceA-vlan2] undo mac-address mac-learning enable

[DeviceA-vlan2] quit

# Configure VLAN 2 as the remote probe VLAN for the mirroring group.

[DeviceA] mirroring-group 1 remote-probe vlan 2

# Configure Ten-GigabitEthernet 3/1/1 as a source port for the mirroring group.

[DeviceA] mirroring-group 1 mirroring-port ten-gigabitethernet 3/1/1 both

# Configure an unused port (Ten-GigabitEthernet 3/1/3 in this example) as the reflector port for the mirroring group.

[DeviceA] interface ten-gigabitethernet 3/1/3

[DeviceA-Ten-GigabitEthernet3/1/3] port link-mode bridge

[DeviceA-Ten-GigabitEthernet3/1/3] mirroring-group 1 reflector-port

This operation may delete all settings made on the interface. Continue? [Y/N]: y

[DeviceA-Ten-GigabitEthernet3/1/3] quit

# Configure Ten-GigabitEthernet 3/1/2 as a trunk port, and assign the port to VLAN 2.

[DeviceA] interface ten-gigabitethernet 3/1/2

[DeviceA-Ten-GigabitEthernet3/1/2] port link-mode bridge

[DeviceA-Ten-GigabitEthernet3/1/2] port link-type trunk

[DeviceA-Ten-GigabitEthernet3/1/2] port trunk permit vlan 2

[DeviceA-Ten-GigabitEthernet3/1/2] quit

Verifying the configuration

# Verify the mirroring group configuration on Device C.

[DeviceC] display mirroring-group all

Mirroring group 2:

    Type: Remote destination

    Status: Active

    Monitor port: Ten-GigabitEthernet3/1/2

    Remote probe VLAN: 2

# Verify the mirroring group configuration on Device A.

[DeviceA] display mirroring-group all

Mirroring group 1:

    Type: Remote source

    Status: Active

    Mirroring port: Ten-GigabitEthernet3/1/1  Both

    Reflector port: Ten-GigabitEthernet3/1/3

    Remote probe VLAN: 2

Example: Configuring Layer 2 remote port mirroring (with egress port)

Network configuration

On the Layer 2 network shown in Figure 8, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing Department.

Figure 8 Network diagram

Procedure

1.     Configure Device C (the destination device):

# Configure Ten-GigabitEthernet 3/1/1 as a trunk port, configure its PVID as VLAN 2, and assign it to all VLANs.

<DeviceC> system-view

[DeviceC] interface ten-gigabitethernet 3/1/1

[DeviceC-Ten-GigabitEthernet3/1/1] port link-mode bridge

[DeviceC-Ten-GigabitEthernet3/1/1] port link-type trunk

[DeviceC-Ten-GigabitEthernet3/1/1] port trunk pvid vlan 2

[DeviceC-Ten-GigabitEthernet3/1/1] port trunk permit vlan all

[DeviceC-Ten-GigabitEthernet3/1/1] quit

# Create a remote destination group.

[DeviceC] mirroring-group 2 remote-destination

# Create VLAN 2.

[DeviceC] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceC-vlan2] undo mac-address mac-learning enable

[DeviceC-vlan2] quit

# Configure VLAN 2 as the remote probe VLAN for the mirroring group.

[DeviceC] mirroring-group 2 remote-probe vlan 2

# Configure Ten-GigabitEthernet 3/1/2 as the monitor port for the mirroring group. Disable the spanning tree feature on Ten-GigabitEthernet 3/1/2. Set its link type to trunk, configure its PVID as VLAN 2, and assign it to all VLANs.

[DeviceC] interface ten-gigabitethernet 3/1/2

[DeviceC-Ten-GigabitEthernet3/1/2] port link-mode bridge

[DeviceC-Ten-GigabitEthernet3/1/2] mirroring-group 2 monitor-port

[DeviceC-Ten-GigabitEthernet3/1/2] undo stp enable

[DeviceC-Ten-GigabitEthernet3/1/2] port trunk pvid vlan 2

[DeviceC-Ten-GigabitEthernet3/1/2] port trunk permit vlan all

[DeviceC-Ten-GigabitEthernet3/1/2] quit

2.     Configure Device B (the intermediate device):

# Create VLAN 2.

<DeviceB> system-view

[DeviceB] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceB-vlan2] undo mac-address mac-learning enable

[DeviceB-vlan2] quit

# Configure Ten-GigabitEthernet 3/1/1 as a trunk port, configure its PVID as VLAN 2, and assign it to all VLANs.

[DeviceB] interface ten-gigabitethernet 3/1/1

[DeviceB-Ten-GigabitEthernet3/1/1] port link-mode bridge

[DeviceB-Ten-GigabitEthernet3/1/1] port link-type trunk

[DeviceB-Ten-GigabitEthernet3/1/1] port trunk pvid vlan 2

[DeviceB-Ten-GigabitEthernet3/1/1] port trunk permit vlan all

[DeviceB-Ten-GigabitEthernet3/1/1] quit

# Configure Ten-GigabitEthernet 3/1/2 as a trunk port, configure its PVID as VLAN 2, and assign it to all VLANs.

[DeviceB] interface ten-gigabitethernet 3/1/2

[DeviceB-Ten-GigabitEthernet3/1/2] port link-mode bridge

[DeviceB-Ten-GigabitEthernet3/1/2] port link-type trunk

[DeviceB-Ten-GigabitEthernet3/1/2] port trunk pvid vlan 2

[DeviceB-Ten-GigabitEthernet3/1/2] port trunk permit vlan all

[DeviceB-Ten-GigabitEthernet3/1/2] quit

3.     Configure Device A (the source device):

# Create a remote source group.

<DeviceA> system-view

[DeviceA] mirroring-group 1 remote-source

# Create VLAN 2.

[DeviceA] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceA-vlan2] undo mac-address mac-learning enable

[DeviceA-vlan2] quit

# Configure Ten-GigabitEthernet 3/1/2 as a trunk port, configure VLAN 2 as its PVID, and assign the port to all VLANs. Disable the spanning tree feature on the port.

[DeviceA] interface ten-gigabitethernet 3/1/2

[DeviceA-Ten-GigabitEthernet3/1/2] port link-type trunk

[DeviceA-Ten-GigabitEthernet3/1/2] port trunk pvid vlan 2

[DeviceA-Ten-GigabitEthernet3/1/2] port trunk permit vlan all

[DeviceA-Ten-GigabitEthernet3/1/2] undo stp enable

[DeviceA-Ten-GigabitEthernet3/1/2] quit

# Configure VLAN 2 as the remote probe VLAN of the mirroring group.

[DeviceA] mirroring-group 1 remote-probe vlan 2

# Configure Ten-GigabitEthernet 3/1/1 as a source port for the mirroring group.

[DeviceA] mirroring-group 1 mirroring-port ten-gigabitethernet 3/1/1 both

# Configure Ten-GigabitEthernet 3/1/2 as the egress port for the mirroring group.

[DeviceA] mirroring-group 1 monitor-egress ten-gigabitethernet 3/1/2

Verifying the configuration

# Verify the mirroring group configuration on Device C.

[DeviceC] display mirroring-group all

Mirroring group 2:

    Type: Remote destination

    Status: Active

    Monitor port: Ten-GigabitEthernet3/1/2

    Remote probe VLAN: 2

# Verify the mirroring group configuration on Device A.

[DeviceA] display mirroring-group all

Mirroring group 1:

    Type: Remote source

    Status: Active

    Mirroring port: Ten-GigabitEthernet3/1/1  Both

    Monitor egress port: Ten-GigabitEthernet3/1/2

    Remote probe VLAN: 2

Example: Configuring local port mirroring with multiple monitoring devices

Network configuration

As shown in Figure 9, Dept. A, Dept. B, and Dept. C are connected to the device through Ten-GigabitEthernet3/1/1 through Ten-GigabitEthernet3/1/3, respectively.

Configure port mirroring to enable data monitoring devices Server A and Server B to monitor the incoming and outgoing traffic of departments A, B, and C.

Figure 9 Network diagram

Procedure

# Create remote source group 1.

<Device> system-view

[Device] mirroring-group 1 remote-source

# Configure ports connecting to Dept. A, Dept. B, and Dept. C as source ports of remote source group 1.

[Device] mirroring-group 1 mirroring-port ten-gigabitethernet 3/1/1 to ten-gigabitethernet 3/1/3 both

# Configure an unused port (Ten-GigabitEthernet3/1/6 in this example) as the reflector port of remote source group 1.

[Device] interface ten-gigabitethernet 3/1/6

[Device-Ten-GigabitEthernet3/1/6] port link-mode bridge

[Device-Ten-GigabitEthernet3/1/6] mirroring-group 1 reflector-port

This operation may delete all settings made on the interface. Continue? [Y/N]: y

[Device-Ten-GigabitEthernet3/1/6] quit

# Create VLAN 10 as the remote mirroring VLAN.

[Device] vlan 10

# Disable MAC address learning in VLAN 10.

[Device-vlan10] undo mac-address mac-learning enable

[Device-vlan10] quit

# Configure VLAN 10 as the remote probe VLAN of remote source group 1.

[Device] mirroring-group 1 remote-probe vlan 10

# Assign the ports connecting the data monitoring devices to VLAN 10.

[Device] interface range ten-gigabitethernet 3/1/4 ten-gigabitethernet 3/1/5

[Device-if-range] port link-mode bridge

[Device-if-range] port access vlan 10

[Device-if-range] quit

Verifying the configuration

# Verify the mirroring group configuration on the device.

[Device] display mirroring-group all

Mirroring group 1:

    Type: Remote source

    Status: Active

    Mirroring port: Ten-GigabitEthernet3/1/1  Both

                    Ten-GigabitEthernet3/1/2  Both

                    Ten-GigabitEthernet3/1/3  Both

    Reflector port: Ten-GigabitEthernet3/1/6

    Remote probe VLAN: 10

Example: Configuring Layer 3 remote port mirroring

Network configuration

On the Layer 3 network shown in Figure 10, configure Layer 3 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing Department.

Figure 10 Network diagram

Procedure

1.     Configure IP addresses for the tunnel interfaces and related ports on the devices. (Details not shown.)

2.     Configure Device A (the source device):

# Create tunnel interface Tunnel 0 that operates in GRE mode, and configure an IP address and subnet mask for the interface.

<DeviceA> system-view

[DeviceA] interface tunnel 0 mode gre

[DeviceA-Tunnel0] ip address 50.1.1.1 24

# Configure source and destination IP addresses for Tunnel 0.

[DeviceA-Tunnel0] source 20.1.1.1

[DeviceA-Tunnel0] destination 30.1.1.2

[DeviceA-Tunnel0] quit

# Enable the OSPF protocol.

[DeviceA] ospf 1

[DeviceA-ospf-1] area 0

[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.0] quit

[DeviceA-ospf-1] quit

# Create local mirroring group 1.

[DeviceA] mirroring-group 1 local

# Configure Ten-GigabitEthernet 3/1/1 as a source port and Tunnel 0 as the monitor port of local mirroring group 1.

[DeviceA] mirroring-group 1 mirroring-port ten-gigabitethernet 3/1/1 both

[DeviceA] mirroring-group 1 monitor-port tunnel 0

3.     Enable the OSPF protocol on Device B (the intermediate device).

<DeviceB> system-view

[DeviceB] ospf 1

[DeviceB-ospf-1] area 0

[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] quit

[DeviceB-ospf-1] quit

4.     Configure Device C (the destination device):

# Create tunnel interface Tunnel 0 that operates in GRE mode, and configure an IP address and subnet mask for the interface.

<DeviceC> system-view

[DeviceC] interface tunnel 0 mode gre

[DeviceC-Tunnel0] ip address 50.1.1.2 24

# Configure source and destination IP addresses for Tunnel 0.

[DeviceC-Tunnel0] source 30.1.1.2

[DeviceC-Tunnel0] destination 20.1.1.1

[DeviceC-Tunnel0] quit

# Enable the OSPF protocol.

[DeviceC] ospf 1

[DeviceC-ospf-1] area 0

[DeviceC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255

[DeviceC-ospf-1-area-0.0.0.0] network 40.1.1.0 0.0.0.255

[DeviceC-ospf-1-area-0.0.0.0] quit

[DeviceC-ospf-1] quit

# Create local mirroring group 1.

[DeviceC] mirroring-group 1 local

# Configure Ten-GigabitEthernet 3/1/1 as a source port for local mirroring group 1.

[DeviceC] mirroring-group 1 mirroring-port ten-gigabitethernet 3/1/1 inbound

# Configure Ten-GigabitEthernet 3/1/2 as the monitor port for local mirroring group 1.

[DeviceC] mirroring-group 1 monitor-port ten-gigabitethernet 3/1/2

Verifying the configuration

# Verify the mirroring group configuration on Device A.

[DeviceA] display mirroring-group all

Mirroring group 1:

    Type: Local

    Status: Active

    Mirroring port: Ten-GigabitEthernet3/1/1  Both

      Monitor port: Tunnel0

# Display information about all mirroring groups on Device C.

[DeviceC] display mirroring-group all

Mirroring group 1:

    Type: Local

    Status: Active

    Mirroring port: Ten-GigabitEthernet3/1/1  Inbound

      Monitor port: Ten-GigabitEthernet3/1/2
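Because a mirroring group copies traffic to another port, the display mirroring-group all output shown in the examples above is worth comparing against an approved baseline. The following is an added example, not H3C code: it parses that output format (including continuation lines and the Mirroring CPU layout) and reports groups, sources, or destinations that are not in the baseline. The sample output and the baseline are constructed.

```python
"""Audit `display mirroring-group all` output against an approved baseline."""
import re

GROUP_RE = re.compile(r"^Mirroring group (\d+):$")
SOURCE_KEYS = {"Mirroring port", "Mirroring CPU"}
DEST_KEYS = {"Monitor port", "Reflector port", "Monitor egress port"}

# Constructed sample in the output format shown in the examples above.
SAMPLE_OUTPUT = """\
[Device] display mirroring-group all
Mirroring group 1:
    Type: Local
    Status: Active
    Mirroring port: Ten-GigabitEthernet3/1/1  Both
                    Ten-GigabitEthernet3/1/4  Inbound
      Monitor port: Ten-GigabitEthernet3/1/3
Mirroring group 2:
    Type: Remote source
    Status: Active
    Mirroring port: Ten-GigabitEthernet3/1/2  Both
    Reflector port: Ten-GigabitEthernet3/1/6
    Remote probe VLAN: 10
"""

# Hypothetical baseline: the only mirroring session that has been approved.
BASELINE = {
    1: {"type": "Local",
        "sources": {("Ten-GigabitEthernet3/1/1", "both")},
        "dest": {"Monitor port": "Ten-GigabitEthernet3/1/3"},
        "probe_vlan": None},
}


def parse_mirroring_groups(text):
    """Return {group_id: {"type", "status", "sources", "dest", "probe_vlan"}}."""
    groups, current, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[<":
            continue  # blank line or CLI prompt with command echo
        m = GROUP_RE.match(line)
        if m:
            current = {"type": None, "status": None, "sources": set(),
                       "dest": {}, "probe_vlan": None}
            groups[int(m.group(1))] = current
            key = None
            continue
        if current is None:
            continue
        if ":" in line:
            key, _, value = (part.strip() for part in line.partition(":"))
        else:
            value = line  # continuation line: belongs to the previous key
        if not value:
            continue
        if key in SOURCE_KEYS:
            parts = value.rsplit(None, 1)  # "<port or slot>  <direction>"
            if len(parts) == 2:
                current["sources"].add((parts[0], parts[1].lower()))
        elif key in DEST_KEYS:
            current["dest"][key] = value
        elif key == "Type":
            current["type"] = value
        elif key == "Status":
            current["status"] = value
        elif key == "Remote probe VLAN":
            current["probe_vlan"] = int(value)
    return groups


def audit(groups, baseline):
    """Compare parsed groups with the baseline and return finding strings."""
    findings = []
    for gid, grp in sorted(groups.items()):
        approved = baseline.get(gid)
        if approved is None:
            findings.append(f"group {gid}: not in baseline "
                            f"({grp['type']}, status {grp['status']})")
            continue
        if grp["type"] != approved["type"]:
            findings.append(f"group {gid}: type is {grp['type']}, "
                            f"approved {approved['type']}")
        for name, direction in sorted(grp["sources"] - approved["sources"]):
            findings.append(f"group {gid}: unapproved source {name} ({direction})")
        for role, port in sorted(grp["dest"].items()):
            if approved["dest"].get(role) != port:
                findings.append(f"group {gid}: unapproved {role.lower()} {port}")
        if grp["probe_vlan"] != approved.get("probe_vlan"):
            findings.append(f"group {gid}: remote probe VLAN {grp['probe_vlan']} "
                            f"differs from baseline")
    for gid in sorted(set(baseline) - set(groups)):
        findings.append(f"group {gid}: approved group missing from device")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mirroring_groups(SAMPLE_OUTPUT), BASELINE):
        print(finding)
```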

 


Configuring flow mirroring

About flow mirroring

Flow mirroring copies packets matching a class to a destination for packet analyzing and monitoring. It is implemented through QoS policies.

To configure flow mirroring, perform the following tasks:

·     Define traffic classes and configure match criteria to classify packets to be mirrored. Flow mirroring allows you to flexibly classify packets to be analyzed by defining match criteria.

·     Configure traffic behaviors to mirror the matching packets to the specified destination.

You can configure an action to mirror the matching packets to one of the following destinations:

·     Interface—The matching packets are copied to an interface and then forwarded to a data monitoring device for analysis.

·     CPU—The matching packets are copied to the CPU of the card where they are received. The CPU analyzes the packets or delivers them to upper layers.

·     Card—The matching packets are copied to a card for processing.

·     Local—The matching packets are copied to the slot to which the interface where the packets were captured belongs.

For more information about QoS policies, traffic classes, and traffic behaviors, see ACL and QoS Configuration Guide.

Restrictions and guidelines: Flow mirroring configuration

For information about the configuration commands except the mirror-to command, see ACL and QoS Command Reference.

To use the mirror-to slot command to successfully mirror traffic received or sent on a device to the specified slot, you must specify the sampler keyword.

When you flow-mirror traffic to the specified tunnel interfaces, follow these restrictions and guidelines:

·     In the current software version, the tunnel interfaces must be GRE over IPv4, GRE over IPv6, or MPLS TE tunnel interfaces, and you can flow-mirror traffic to up to four tunnel interfaces.

·     A QoS policy with a flow mirroring action can be applied to only interfaces on CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CSPEX-1802X, CSPEX-1802XA, CSPEX-1812X-E, CSPEX-2304X-G, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ16L1, CSPEX-1502XA, RX-SPE200-E.

The pop-label keyword is supported only when traffic on interfaces on the following cards is mirrored: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CSPEX-1802X, CSPEX-1802XA, CSPEX-1812X-E, CSPEX-2304X-G, CEPC-CQ8L, CEPC-CQ8LA, CEPC-CQ16L1, CSPEX-1502XA, RX-SPE200-E.

The following cards have mirroring resource limits: CSPEX-1304X, CSPEX-1404X, CSPEX-1502X, CSPEX-1504X, CSPEX-1504XA, CSPEX-1602X, CSPEX-1602XA, CSPEX-1804X, CSPEX-1512X, CSPEX-1612X, CSPEX-1812X, RX-SPE200, CEPC-XP4LX, CEPC-XP24LX, CEPC-XP48RX, CEPC-CP4RX, CEPC-CP4RXA, CEPC-CP4RX-L, CSPEX-1104-E, CSPEX-1204, CSPC-GE16XP4L-E, CSPC-GE24L-E, CSPC-GP24GE8XP2L-E.

To conserve mirroring resources, use the display resource-monitor resource flow_mirror_chipid command to check the mirroring resource usage before you configure flow mirroring. The mirroring resource allocation rules are as follows:

·     If a QoS policy is applied to global flow mirroring, each chip on a card uses a mirroring resource.

·     If a QoS policy is applied to flow mirroring on a per aggregate interface or aggregate subinterface basis, each chip on a card that hosts an aggregation member port uses a mirroring resource.

·     If a QoS policy is applied to flow mirroring on a per Ethernet interface or Ethernet subinterface basis, each chip on the card that hosts the Ethernet interface uses a mirroring resource.

·     If the mirror-to interface command is executed multiple times to flow mirror traffic to multiple interfaces, each destination interface uses a mirroring resource on the chips of the source card where a QoS policy is applied for flow mirroring.

Flow mirroring tasks at a glance

To configure flow mirroring, perform the following tasks:

1.     Configuring a traffic class

A traffic class defines the criteria that filters the traffic to be mirrored.

2.     Configuring a traffic behavior

A traffic behavior specifies mirroring destinations.

3.     Configuring a QoS policy

4.     Applying a QoS policy

Choose one of the following tasks:

¡     Applying a QoS policy to an interface

¡     Applying a QoS policy to a VLAN

¡     Applying a QoS policy globally

¡     Applying a QoS policy to the control plane

Configuring a traffic class

1.     Enter system view.

system-view

2.     Create a class and enter class view.

traffic classifier classifier-name [ operator { and | or } ]

3.     Configure match criteria.

if-match match-criteria

By default, no match criterion is configured in a traffic class.

4.     (Optional.) Execute the display traffic classifier command in any view to display traffic class information.

Configuring a traffic behavior

1.     Enter system view.

system-view

2.     Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

3.     Configure mirroring destinations for the traffic behavior. Choose the following tasks as needed:

¡     Mirror traffic to an interface.

mirror-to interface interface-type interface-number [ sampler sampler-name ] [ pop-label ]

By default, no mirroring actions exist to mirror traffic to interfaces.

¡     Mirror traffic to the CPU.

mirror-to cpu

By default, no mirroring actions exist to mirror traffic to the CPU.

¡     Mirror traffic to a card.

In standalone mode:

mirror-to slot slot-number [ sampler sampler-name ]

In IRF mode:

mirror-to chassis chassis-number slot slot-number [ sampler sampler-name ]

By default, no mirroring actions exist to mirror traffic to cards.

Support for the backup chassis chassis-number slot slot-number option in the command depends on the device model.

¡     Mirror traffic to the slot where the traffic was received or sent out.

mirror-to local [ sampler sampler-name ]

By default, no mirroring actions exist to mirror traffic to the slot where the traffic was received or sent out.

4.     (Optional.) Execute the display traffic behavior command in any view to display traffic behavior configuration.

Configuring a QoS policy

1.     Enter system view.

system-view

2.     Create a QoS policy and enter QoS policy view.

qos policy policy-name

3.     Associate a class with a traffic behavior in the QoS policy.

classifier classifier-name behavior behavior-name

By default, no traffic behavior is associated with a class.

4.     (Optional.) Execute the display qos policy command in any view to display QoS policy configuration.

Applying a QoS policy

Applying a QoS policy to an interface

Restrictions and guidelines

You can apply a QoS policy to an interface to mirror the traffic of the interface.

A policy can be applied to multiple interfaces.

In one traffic direction of an interface, only one QoS policy can be applied.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Apply a policy to the interface.

qos apply policy policy-name { inbound | outbound }

4.     (Optional.) Execute the display qos policy interface command in any view to display the QoS policy applied to the interface.

Applying a QoS policy to a VLAN

Restrictions and guidelines

You can apply a QoS policy to a VLAN to mirror the traffic on all ports in the VLAN.

Procedure

1.     Enter system view.

system-view

2.     Apply a QoS policy to a VLAN.

qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }

3.     (Optional.) Execute the display qos vlan-policy command in any view to display the QoS policy applied to the VLAN.

Applying a QoS policy globally

Restrictions and guidelines

You can apply a QoS policy globally to mirror the traffic on all ports.

Procedure

1.     Enter system view.

system-view

2.     Apply a QoS policy globally.

qos apply policy policy-name global { inbound | outbound }

3.     (Optional.) Execute the display qos policy global command in any view to display global QoS policies.

Applying a QoS policy to the control plane

Restrictions and guidelines

You can apply a QoS policy to the control plane to mirror the traffic of all ports on the control plane.

Procedure

1.     Enter system view.

system-view

2.     Enter control plane view.

In standalone mode:

control-plane slot slot-number

In IRF mode:

control-plane chassis chassis-number slot slot-number

3.     Apply a QoS policy to the control plane.

qos apply policy policy-name { inbound | outbound }

4.     (Optional.) Execute the display qos policy control-plane command in any view to display QoS policies applied to the control plane.
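To review where a device is copying traffic, the behavior, policy, and apply commands described above can be traced through a configuration file. The following Python script is an added example, not H3C code; it assumes configuration text in which sub-view commands are indented under the command that enters the view, and the sample configuration (including empty_b, other_p, and VLAN 20) is constructed.

```python
# Constructed sample (names from this page's example); sub-commands are indented under their view.
SAMPLE_CONFIG = """\
traffic behavior tech_b
 mirror-to interface ten-gigabitethernet 3/1/3 sampler samp1
traffic behavior empty_b
qos policy tech_p
 classifier tech_c behavior tech_b
qos policy other_p
 classifier tech_c behavior empty_b
interface ten-gigabitethernet 3/1/4
 qos apply policy tech_p inbound
interface ten-gigabitethernet 3/1/5
 qos apply policy other_p inbound
qos vlan-policy tech_p vlan 20 outbound
"""

def parse_views(text):
    """Group indented sub-commands under the column-0 command that opens the view."""
    views = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():
            views.append((line.strip(), []))
        elif views:
            views[-1][1].append(line.strip())
    return views

def audit_flow_mirroring(text):
    """List (apply point, direction, policy, class, action) for each applied mirror-to."""
    views, mirrors, bindings, findings = parse_views(text), {}, {}, []
    for head, body in views:
        w = head.split()
        if w[:2] == ["traffic", "behavior"]:
            mirrors[w[2]] = [c for c in body if c.startswith("mirror-to ")]
        elif w[:2] == ["qos", "policy"]:
            bindings[w[2]] = [(c.split()[1], c.split()[3]) for c in body if c.startswith("classifier ")]
    def report(where, policy, direction):
        for cls, beh in bindings.get(policy, []):
            for action in mirrors.get(beh, []):
                findings.append((where, direction, policy, cls, action))
    for head, body in views:
        w = head.split()
        if w[:2] == ["qos", "vlan-policy"]:        # qos vlan-policy NAME vlan LIST DIRECTION
            report("vlan " + " ".join(w[4:-1]), w[2], w[-1])
        elif w[:3] == ["qos", "apply", "policy"] and "global" in w:
            report("global", w[3], w[-1])          # qos apply policy NAME global DIRECTION
        for cmd in (c.split() for c in body):      # applied in interface or control plane view
            if cmd[:3] == ["qos", "apply", "policy"]:
                report(head, cmd[3], cmd[-1])
    return findings
```

Policies whose behaviors contain no mirror-to action, such as other_p in the sample, are not reported.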

Flow mirroring configuration examples

Example: Configuring flow mirroring

Network configuration

As shown in Figure 11, configure flow mirroring and sampling so that the server can monitor the following traffic:

·     All traffic that the Technical Department sends to access the Internet.

·     IP traffic that the Technical Department sends to the Marketing Department during working hours (8:00 to 18:00) on weekdays.

Figure 11 Network diagram

Procedure

# Create sampler samp1 in fixed sampling mode, and set the rate to 8. The first packet of every 256 (2 to the 8th power) packets is selected.

<Device> system-view

[Device] sampler samp1 mode fixed packet-interval n-power 8

# Create working hour range work, in which working hours are from 8:00 to 18:00 on weekdays.

[Device] time-range work 8:00 to 18:00 working-day

# Create IPv4 advanced ACL 3000 to allow packets from the Technical Department to access the Internet and the Marketing Department during working hours.

[DeviceA] acl advanced 3000

[DeviceA-acl-ipv4-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www

[DeviceA-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work

[DeviceA-acl-ipv4-adv-3000] quit

# Create traffic class tech_c, and configure the match criterion as ACL 3000.

[DeviceA] traffic classifier tech_c

[DeviceA-classifier-tech_c] if-match acl 3000

[DeviceA-classifier-tech_c] quit

# Create traffic behavior tech_b, and configure the action of mirroring traffic to Ten-GigabitEthernet 3/1/3 by using sampler samp1.

[Device] traffic behavior tech_b

[Device-behavior-tech_b] mirror-to interface ten-gigabitethernet 3/1/3 sampler samp1

[Device-behavior-tech_b] quit

# Create QoS policy tech_p, and associate traffic class tech_c with traffic behavior tech_b in the QoS policy.

[DeviceA] qos policy tech_p

[DeviceA-qospolicy-tech_p] classifier tech_c behavior tech_b

[DeviceA-qospolicy-tech_p] quit

# Apply QoS policy tech_p to the incoming packets of Ten-GigabitEthernet 3/1/4.

[DeviceA] interface ten-gigabitethernet 3/1/4

[DeviceA-Ten-GigabitEthernet3/1/4] qos apply policy tech_p inbound

[DeviceA-Ten-GigabitEthernet3/1/4] quit

Verifying the configuration

# Verify that the server can monitor the following traffic:

·     All traffic sent by the Technical Department to access the Internet.

·     IP traffic that the Technical Department sends to the Marketing Department during working hours on weekdays.

(Details not shown.)
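The following Python model is an added example, not part of the original guide: it evaluates the two rules of ACL 3000, time range work, and sampler samp1 from the procedure above against constructed packets to show how many the monitoring server would receive. It assumes that the sampler counts only packets that match the traffic class and that 18:00 itself is outside the time range.

```python
import ipaddress
from datetime import datetime

def wildcard_match(addr, base, wildcard):
    """Wildcard mask: bits set to 0 must equal the base address, bits set to 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def in_work_range(ts):
    """time-range work 8:00 to 18:00 working-day (Monday to Friday).
    Assumption: 18:00 itself is treated as outside the range."""
    return ts.weekday() < 5 and 8 * 60 <= ts.hour * 60 + ts.minute < 18 * 60

def acl_3000(pkt):
    """The two permit rules of ACL 3000 from the example."""
    if not wildcard_match(pkt["src"], "192.168.2.0", "0.0.0.255"):
        return False
    if pkt["proto"] == "tcp" and pkt.get("dport") == 80:   # destination-port eq www
        return True
    return wildcard_match(pkt["dst"], "192.168.1.0", "0.0.0.255") and in_work_range(pkt["ts"])

class FixedSampler:
    """sampler samp1 mode fixed packet-interval n-power 8: first packet of every 2**8."""
    def __init__(self, n_power):
        self.interval, self.count = 2 ** n_power, 0
    def select(self):
        picked = self.count % self.interval == 0
        self.count += 1
        return picked

def mirrored(packets, n_power=8):
    """Packets copied to the monitor; only class matches advance the sampler (assumption)."""
    sampler = FixedSampler(n_power)
    return [p for p in packets if acl_3000(p) and sampler.select()]

def sample_traffic():
    """Constructed traffic: 600 web packets and 300 Marketing-bound packets on a Saturday,
    then 300 Marketing-bound packets on a Wednesday at 10:00."""
    sat, wed = datetime(2024, 1, 6, 10, 0), datetime(2024, 1, 3, 10, 0)
    web = [dict(src="192.168.2.10", dst="203.0.113.5", proto="tcp", dport=80, ts=sat)] * 600
    off = [dict(src="192.168.2.10", dst="192.168.1.20", proto="udp", dport=53, ts=sat)] * 300
    work = [dict(src="192.168.2.10", dst="192.168.1.20", proto="udp", dport=53, ts=wed)] * 300
    return web + off + work
```

With n-power 8, the server receives 4 of the 900 matching packets in the constructed traffic, so the mirrored copy is a sample rather than a complete capture.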

 
