12-Network Management and Monitoring Configuration Guide

16-Mirroring configuration

Contents

Configuring port mirroring
    About port mirroring
        Terminology
        Port mirroring classification
        Local port mirroring (SPAN)
        Layer 2 remote port mirroring (RSPAN)
    Configuring local port mirroring (SPAN)
        Restrictions and guidelines for local port mirroring configuration
        Local port mirroring tasks at a glance
        Creating a local mirroring group
        Configuring mirroring sources
        Configuring the monitor port
    Configuring Layer 2 remote port mirroring (RSPAN)
        Restrictions and guidelines for Layer 2 remote port mirroring configuration
        Layer 2 remote port mirroring with egress port configuration task list
        Creating a remote destination group
        Configuring the monitor port
        Configuring the remote probe VLAN
        Assigning the monitor port to the remote probe VLAN
        Creating a remote source group
        Configuring mirroring sources
        Configuring the egress port
    Display and maintenance commands for port mirroring
    Port mirroring configuration examples
        Example: Configuring local port mirroring (SPAN in source port mode)
        Example: Configuring local port mirroring (SPAN in source VLAN mode)
        Example: Configuring local port mirroring (SPAN in source CPU mode)
        Example: Configuring Layer 2 remote port mirroring (RSPAN with egress port)
Configuring flow mirroring
    About flow mirroring
        Types of flow-mirroring traffic to an interface
        Flow mirroring SPAN
        Flow mirroring ERSPAN
    Restrictions and guidelines: Flow mirroring configuration
    Flow mirroring tasks at a glance
    Configuring a traffic class
    Configuring a traffic behavior
    Configuring a QoS policy
    Applying a QoS policy
        Applying a QoS policy to an interface
        Applying a QoS policy to a VLAN
        Applying a QoS policy globally
    Display and maintenance commands for flow mirroring
    Flow mirroring configuration examples
        Example: Configuring flow mirroring


Configuring port mirroring

About port mirroring

Port mirroring copies the packets passing through a port, VLAN, or CPU to a port that connects to a data monitoring device for packet analysis.

Terminology

The following terms are used in port mirroring configuration.

Mirroring source

The mirroring sources can be one or more monitored ports (called source ports), VLANs (called source VLANs), or CPUs (called source CPUs).

Packets passing through mirroring sources are copied to a port connecting to a data monitoring device for packet analysis. The copies are called mirrored packets.

Source device

The device where the mirroring sources reside is called a source device.

Mirroring destination

The mirroring destination connects to a data monitoring device and is the destination port (also known as the monitor port) of mirrored packets. Mirrored packets are sent out of the monitor port to the data monitoring device.

A monitor port might receive multiple copies of a packet when it monitors multiple mirroring sources. For example, two copies of a packet are received on Port A when the following conditions exist:

·     Port A is monitoring bidirectional traffic of Port B and Port C on the same device.

·     The packet travels from Port B to Port C.

Destination device

The device where the monitor port resides is called the destination device.

Mirroring direction

The mirroring direction specifies the direction of the traffic that is copied on a mirroring source.

·     Inbound—Copies packets received.

·     Outbound—Copies packets sent.

·     Bidirectional—Copies packets received and sent.

Mirroring group

Port mirroring is implemented through mirroring groups. Mirroring groups can be classified into local mirroring groups, remote source groups, and remote destination groups.

Egress port and remote probe VLAN

Remote probe VLANs and egress ports are used for Layer 2 remote port mirroring. The remote probe VLAN is a dedicated VLAN for transmitting mirrored packets to the destination device. The egress port resides on a source device and sends mirrored packets to the remote probe VLAN.

On port mirroring devices, all ports except source, destination, and egress ports are called common ports.

Port mirroring classification

Port mirroring includes the following types:

·     Local port mirroring—Also known as Switch Port Analyzer (SPAN). In local port mirroring, the source device is directly connected to a data monitoring device. The source device acts as the destination device to forward mirrored packets to the data monitoring device.

·     Remote port mirroring—In remote port mirroring, the source device is not directly connected to a data monitoring device. The source device copies mirrored packets to the destination device, which forwards them to the data monitoring device. The source device and destination device are connected through a Layer 2 network. Therefore, remote port mirroring is also called Layer 2 remote port mirroring or remote SPAN (RSPAN).

Local port mirroring (SPAN)

Figure 1 Local port mirroring implementation

As shown in Figure 1, the source port (Port A) and the monitor port (Port B) reside on the same device. Packets received on Port A are copied to Port B. Port B then forwards the packets to the data monitoring device for analysis.

Layer 2 remote port mirroring (RSPAN)

In Layer 2 remote port mirroring, the mirroring sources and destination reside on different devices and are in different mirroring groups.

A remote source group is a mirroring group that contains the mirroring sources. A remote destination group is a mirroring group that contains the mirroring destination. Intermediate devices are the devices between the source device and the destination device.

Layer 2 remote port mirroring can be implemented through the egress port method.

Egress port method

In Layer 2 remote port mirroring that uses the egress port method, packets are mirrored as follows:

1.     The source device copies packets received on the mirroring sources to the egress port.

2.     The egress port forwards the mirrored packets to the intermediate devices.

3.     The intermediate devices flood the mirrored packets in the remote probe VLAN and transmit the mirrored packets to the destination device.

4.     Upon receiving the mirrored packets, the destination device determines whether the VLAN ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the destination device forwards the mirrored packets to the data monitoring device through the monitor port.

Figure 2 Layer 2 remote port mirroring implementation through the egress port method

Configuring local port mirroring (SPAN)

Restrictions and guidelines for local port mirroring configuration

A local mirroring group takes effect only after it is configured with the monitor port and mirroring sources.

For port mirroring to work correctly, do not assign a source port to a source VLAN.

Local port mirroring tasks at a glance

To configure local port mirroring, perform the following tasks:

1.     Configuring mirroring sources

Choose one of the following tasks:

○     Configuring source ports

○     Configuring source VLANs

○     Configuring source CPUs

2.     Configuring the monitor port

Creating a local mirroring group

1.     Enter system view.

system-view

2.     Create a local mirroring group.

mirroring-group group-id local

Configuring mirroring sources

Restrictions and guidelines for mirroring source configuration

When you configure source ports for a local mirroring group, follow these restrictions and guidelines:

·     A mirroring group can contain multiple source ports.

·     A port can act as a source port for only one mirroring group.

·     A source port cannot be configured as an egress or monitor port.

The CPU of an MPU cannot be configured as a source CPU.

When you configure source VLANs for a local mirroring group, follow these restrictions and guidelines:

·     A mirroring group can contain multiple source VLANs.

·     A VLAN can be configured as a source VLAN for only one local mirroring group.

A local mirroring group can contain multiple source CPUs.

Configuring source ports

·     Configure source ports in system view:

a.     Enter system view.

system-view

b.     Configure source ports for a local mirroring group.

mirroring-group group-id mirroring-port interface-list { both | inbound | outbound }

By default, no source port is configured for a local mirroring group.

·     Configure source ports in interface view:

a.     Enter system view.

system-view

b.     Enter interface view.

interface interface-type interface-number

c.     Configure the port as a source port for a local mirroring group.

mirroring-group group-id mirroring-port { both | inbound | outbound }

By default, a port does not act as a source port for any local mirroring groups.

Configuring source VLANs

1.     Enter system view.

system-view

2.     Configure source VLANs for a local mirroring group.

mirroring-group group-id mirroring-vlan vlan-list { both | inbound | outbound }

By default, no source VLAN is configured for a local mirroring group.

Configuring source CPUs

1.     Enter system view.

system-view

2.     Configure source CPUs for a local mirroring group.

In standalone mode:

mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }

In IRF mode:

mirroring-group group-id mirroring-cpu chassis chassis-number slot slot-number-list { both | inbound | outbound }

By default, no source CPU is configured for a local mirroring group.

Configuring the monitor port

Restrictions and guidelines

Do not enable the spanning tree feature on the monitor port.

For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not configure its member ports as source ports of the mirroring group.

For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not assign its member ports to a source VLAN of the mirroring group.

Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.

Procedure

·     Configure the monitor port in system view:

a.     Enter system view.

system-view

b.     Configure the monitor port for a local mirroring group.

mirroring-group group-id monitor-port interface-list

By default, no monitor port is configured for a local mirroring group.

·     Configure the monitor port in interface view:

a.     Enter system view.

system-view

b.     Enter interface view.

interface interface-type interface-number

c.     Configure the port as the monitor port for a mirroring group.

mirroring-group group-id monitor-port

By default, a port does not act as the monitor port for any local mirroring groups.

Configuring Layer 2 remote port mirroring (RSPAN)

Restrictions and guidelines for Layer 2 remote port mirroring configuration

To ensure successful traffic mirroring, configure devices in the order of the destination device, the intermediate devices, and the source device.

If intermediate devices exist, configure the intermediate devices to allow the remote probe VLAN to pass through.

For a mirrored packet to successfully arrive at the remote destination device, make sure its VLAN ID is not removed or changed.

Do not configure both MVRP and Layer 2 remote port mirroring. Otherwise, MVRP might register the remote probe VLAN with incorrect ports, which would cause the monitor port to receive undesired copies. For more information about MVRP, see Layer 2—LAN Switching Configuration Guide.

To monitor the bidirectional traffic of a source port, disable MAC address learning for the remote probe VLAN on the source, intermediate, and destination devices. For more information about MAC address learning, see Layer 2—LAN Switching Configuration Guide.

Layer 2 remote port mirroring with egress port configuration task list

Configuring the destination device

1.     Creating a remote destination group

2.     Configuring the monitor port

3.     Configuring the remote probe VLAN

4.     Assigning the monitor port to the remote probe VLAN

Configuring the source device

1.     Creating a remote source group

2.     Configuring mirroring sources

Choose one of the following tasks:

○     Configuring source ports

○     Configuring source VLANs

○     Configuring source CPUs

3.     Configuring the egress port

4.     Configuring the remote probe VLAN

Creating a remote destination group

Restrictions and guidelines

Perform this task on the destination device only.

Procedure

1.     Enter system view.

system-view

2.     Create a remote destination group.

mirroring-group group-id remote-destination

Configuring the monitor port

Restrictions and guidelines for monitor port configuration

Perform this task on the destination device only.

Do not enable the spanning tree feature on the monitor port.

For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not configure its member ports as source ports of the mirroring group.

For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not assign its member ports to a source VLAN of the mirroring group.

Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.

A monitor port can belong to only one mirroring group.

Configuring the monitor port in system view

1.     Enter system view.

system-view

2.     Configure the monitor port for a remote destination group.

mirroring-group group-id monitor-port interface-list

By default, no monitor port is configured for a remote destination group.

Configuring the monitor port in interface view

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the port as the monitor port for a remote destination group.

mirroring-group group-id monitor-port

By default, a port does not act as the monitor port for any remote destination groups.

Configuring the remote probe VLAN

Restrictions and guidelines

This task is required on both the source and destination devices.

Only an existing static VLAN can be configured as a remote probe VLAN.

When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.

Configure the same remote probe VLAN for the remote source group and the remote destination group.

Procedure

1.     Enter system view.

system-view

2.     Configure the remote probe VLAN for the remote source or destination group.

mirroring-group group-id remote-probe vlan vlan-id

By default, no remote probe VLAN is configured for a remote source or destination group.

Assigning the monitor port to the remote probe VLAN

Restrictions and guidelines

Perform this task on the destination device only.

Procedure

1.     Enter system view.

system-view

2.     Enter the interface view of the monitor port.

interface interface-type interface-number

3.     Assign the port to the remote probe VLAN.

○     Assign an access port to the remote probe VLAN.

port access vlan vlan-id

○     Assign a trunk port to the remote probe VLAN.

port trunk permit vlan vlan-id

○     Assign a hybrid port to the remote probe VLAN.

port hybrid vlan vlan-id { tagged | untagged }

For more information about the port access vlan, port trunk permit vlan, and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference.

Creating a remote source group

Restrictions and guidelines

Perform this task on the source device only.

Procedure

1.     Enter system view.

system-view

2.     Create a remote source group.

mirroring-group group-id remote-source

Configuring mirroring sources

Restrictions and guidelines for mirroring source configuration

Perform this task on the source device only.

When you configure source ports for a remote source group, follow these restrictions and guidelines:

·     Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring group.

·     A mirroring group can contain multiple source ports.

·     A port can act as a source port for only one mirroring group.

·     A source port cannot be configured as a monitor port or egress port.

The CPU of an MPU cannot be configured as a source CPU.

When you configure source VLANs for a remote source group, follow these restrictions and guidelines:

·     A remote source group can contain multiple source VLANs.

·     A VLAN can be configured as the source VLAN for only one mirroring group.

A mirroring group can contain multiple source CPUs.

Configuring source ports

·     Configure source ports in system view:

a.     Enter system view.

system-view

b.     Configure source ports for a remote source group.

mirroring-group group-id mirroring-port interface-list { both | inbound | outbound }

By default, no source port is configured for a remote source group.

·     Configure source ports in interface view:

a.     Enter system view.

system-view

b.     Enter interface view.

interface interface-type interface-number

c.     Configure the port as a source port for a remote source group.

mirroring-group group-id mirroring-port { both | inbound | outbound }

By default, a port does not act as a source port for any remote source groups.

Configuring source VLANs

1.     Enter system view.

system-view

2.     Configure source VLANs for a remote source group.

mirroring-group group-id mirroring-vlan vlan-list { both | inbound | outbound }

By default, no source VLAN is configured for a remote source group.

Configuring source CPUs

1.     Enter system view.

system-view

2.     Configure source CPUs for a remote source group.

In standalone mode:

mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }

In IRF mode:

mirroring-group group-id mirroring-cpu chassis chassis-number slot slot-number-list { both | inbound | outbound }

By default, no source CPU is configured for a remote source group.

Configuring the egress port

Restrictions and guidelines for egress port configuration

Perform this task on the source device only.

Disable the following features on the egress port:

·     Spanning tree.

·     802.1X.

·     IGMP snooping.

·     Static ARP.

·     MAC address learning.

When configuring an egress port, follow these restrictions and guidelines:

·     If the mirroring source is a source port, the egress port must be in the same slot as the source port.

·     If the mirroring source is a source CPU, the egress port must be in the same slot as the source CPU.

A port of an existing mirroring group cannot be configured as an egress port.

A mirroring group supports only one egress port.

Configuring the egress port in system view

1.     Enter system view.

system-view

2.     Configure the egress port for a remote source group.

mirroring-group group-id monitor-egress interface-type interface-number

By default, no egress port is configured for a remote source group.

3.     Enter the egress port view.

interface interface-type interface-number

4.     Assign the egress port to the remote probe VLAN.

○     Assign a trunk port to the remote probe VLAN.

port trunk permit vlan vlan-id

○     Assign a hybrid port to the remote probe VLAN.

port hybrid vlan vlan-id { tagged | untagged }

For more information about the port trunk permit vlan and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference.

Configuring the egress port in interface view

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Configure the port as the egress port for a remote source group.

mirroring-group group-id monitor-egress

By default, a port does not act as the egress port for any remote source groups.

Display and maintenance commands for port mirroring

Execute display commands in any view.

 

Task: Display mirroring group information.

Command: display mirroring-group { group-id | all | local | remote-destination | remote-source }

Port mirroring configuration examples

Example: Configuring local port mirroring (SPAN in source port mode)

Network configuration

As shown in Figure 3, configure local port mirroring in source port mode to enable the server to monitor the bidirectional traffic of the two departments.

Figure 3 Network diagram

Procedure

# Create local mirroring group 1.

<Device> system-view

[Device] mirroring-group 1 local

# Configure Ten-GigabitEthernet 3/0/1 and Ten-GigabitEthernet 3/0/2 as source ports for local mirroring group 1.

[Device] mirroring-group 1 mirroring-port ten-gigabitethernet 3/0/1 ten-gigabitethernet 3/0/2 both

# Configure Ten-GigabitEthernet 3/0/3 as the monitor port for local mirroring group 1.

[Device] mirroring-group 1 monitor-port ten-gigabitethernet 3/0/3

# Disable the spanning tree feature on the monitor port (Ten-GigabitEthernet 3/0/3).

[Device] interface ten-gigabitethernet 3/0/3

[Device-Ten-GigabitEthernet3/0/3] undo stp enable

[Device-Ten-GigabitEthernet3/0/3] quit

Verifying the configuration

# Verify the mirroring group configuration.

[Device] display mirroring-group all

Mirroring group 1:

    Type: Local

    Status: Active

    Mirroring port:

        Ten-GigabitEthernet3/0/1  Both

        Ten-GigabitEthernet3/0/2  Both

    Monitor port: Ten-GigabitEthernet3/0/3

Example: Configuring local port mirroring (SPAN in source VLAN mode)

Network configuration

As shown in Figure 4, configure local port mirroring in source VLAN mode to enable the server to monitor the bidirectional traffic of the two departments.

Figure 4 Network diagram

Procedure

# Create local mirroring group 1.

<Device> system-view

[Device] mirroring-group 1 local

# Create VLAN 2, and assign Ten-GigabitEthernet 3/0/1 and Ten-GigabitEthernet 3/0/2 to VLAN 2.

[Device] vlan 2

[Device-vlan2] port ten-gigabitethernet 3/0/1 ten-gigabitethernet 3/0/2

[Device-vlan2] quit

# Configure VLAN 2 as a source VLAN for local mirroring group 1.

[Device] mirroring-group 1 mirroring-vlan 2 both

# Configure Ten-GigabitEthernet 3/0/3 as the monitor port for local mirroring group 1.

[Device] mirroring-group 1 monitor-port ten-gigabitethernet 3/0/3

# Disable the spanning tree feature on the monitor port (Ten-GigabitEthernet 3/0/3).

[Device] interface ten-gigabitethernet 3/0/3

[Device-Ten-GigabitEthernet3/0/3] undo stp enable

[Device-Ten-GigabitEthernet3/0/3] quit

Verifying the configuration

# Verify the mirroring group configuration.

[Device] display mirroring-group all

Mirroring group 1:

    Type: Local

    Status: Active

    Mirroring VLAN:

        2  Both

    Monitor port: Ten-GigabitEthernet3/0/3

Example: Configuring local port mirroring (SPAN in source CPU mode)

Network configuration

As shown in Figure 5, Ten-GigabitEthernet 3/0/1 and Ten-GigabitEthernet 3/0/2 are located on the card in slot 1.

Configure local port mirroring in source CPU mode to enable the server to monitor all packets matching the following criteria:

·     Received and sent by the Marketing Department and the Technical Department.

·     Processed by the CPU in slot 1 of the device.

Figure 5 Network diagram

Procedure

# Create local mirroring group 1.

<Device> system-view

[Device] mirroring-group 1 local

# Configure the CPU in slot 1 of the device as a source CPU for local mirroring group 1.

[Device] mirroring-group 1 mirroring-cpu slot 1 both

# Configure Ten-GigabitEthernet 3/0/3 as the monitor port for local mirroring group 1.

[Device] mirroring-group 1 monitor-port ten-gigabitethernet 3/0/3

# Disable the spanning tree feature on the monitor port (Ten-GigabitEthernet 3/0/3).

[Device] interface ten-gigabitethernet 3/0/3

[Device-Ten-GigabitEthernet3/0/3] undo stp enable

[Device-Ten-GigabitEthernet3/0/3] quit

Verifying the configuration

# Verify the mirroring group configuration.

[Device] display mirroring-group all

Mirroring group 1:

    Type: Local

    Status: Active

    Mirroring CPU:

        Slot 1  Both

    Monitor port: Ten-GigabitEthernet3/0/3

Example: Configuring Layer 2 remote port mirroring (RSPAN with egress port)

Network configuration

On the Layer 2 network shown in Figure 6, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing Department.

Figure 6 Network diagram

Procedure

1.     Configure Device C (the destination device):

# Configure Ten-GigabitEthernet 3/0/1 as a trunk port, and assign the port to VLAN 2.

<DeviceC> system-view

[DeviceC] interface ten-gigabitethernet 3/0/1

[DeviceC-Ten-GigabitEthernet3/0/1] port link-type trunk

[DeviceC-Ten-GigabitEthernet3/0/1] port trunk permit vlan 2

[DeviceC-Ten-GigabitEthernet3/0/1] quit

# Create a remote destination group.

[DeviceC] mirroring-group 2 remote-destination

# Create VLAN 2.

[DeviceC] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceC-vlan2] undo mac-address mac-learning enable

[DeviceC-vlan2] quit

# Configure VLAN 2 as the remote probe VLAN for the mirroring group.

[DeviceC] mirroring-group 2 remote-probe vlan 2

# Configure Ten-GigabitEthernet 3/0/2 as the monitor port for the mirroring group.

[DeviceC] interface ten-gigabitethernet 3/0/2

[DeviceC-Ten-GigabitEthernet3/0/2] mirroring-group 2 monitor-port

# Disable the spanning tree feature on Ten-GigabitEthernet 3/0/2.

[DeviceC-Ten-GigabitEthernet3/0/2] undo stp enable

# Assign Ten-GigabitEthernet 3/0/2 to VLAN 2 as an access port.

[DeviceC-Ten-GigabitEthernet3/0/2] port access vlan 2

[DeviceC-Ten-GigabitEthernet3/0/2] quit

2.     Configure Device B (the intermediate device):

# Create VLAN 2.

<DeviceB> system-view

[DeviceB] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceB-vlan2] undo mac-address mac-learning enable

[DeviceB-vlan2] quit

# Configure Ten-GigabitEthernet 3/0/1 as a trunk port, and assign the port to VLAN 2.

[DeviceB] interface ten-gigabitethernet 3/0/1

[DeviceB-Ten-GigabitEthernet3/0/1] port link-type trunk

[DeviceB-Ten-GigabitEthernet3/0/1] port trunk permit vlan 2

[DeviceB-Ten-GigabitEthernet3/0/1] quit

# Configure Ten-GigabitEthernet 3/0/2 as a trunk port, and assign the port to VLAN 2.

[DeviceB] interface ten-gigabitethernet 3/0/2

[DeviceB-Ten-GigabitEthernet3/0/2] port link-type trunk

[DeviceB-Ten-GigabitEthernet3/0/2] port trunk permit vlan 2

[DeviceB-Ten-GigabitEthernet3/0/2] quit

3.     Configure Device A (the source device):

# Create a remote source group.

<DeviceA> system-view

[DeviceA] mirroring-group 1 remote-source

# Create VLAN 2.

[DeviceA] vlan 2

# Disable MAC address learning for VLAN 2.

[DeviceA-vlan2] undo mac-address mac-learning enable

[DeviceA-vlan2] quit

# Configure VLAN 2 as the remote probe VLAN of the mirroring group.

[DeviceA] mirroring-group 1 remote-probe vlan 2

# Configure Ten-GigabitEthernet 3/0/1 as a source port for the mirroring group.

[DeviceA] mirroring-group 1 mirroring-port ten-gigabitethernet 3/0/1 both

# Configure Ten-GigabitEthernet 3/0/2 as the egress port for the mirroring group.

[DeviceA] mirroring-group 1 monitor-egress ten-gigabitethernet 3/0/2

# Configure Ten-GigabitEthernet 3/0/2 as a trunk port, and assign the port to VLAN 2.

[DeviceA] interface ten-gigabitethernet 3/0/2

[DeviceA-Ten-GigabitEthernet3/0/2] port link-type trunk

[DeviceA-Ten-GigabitEthernet3/0/2] port trunk permit vlan 2

# Disable the spanning tree feature on the port.

[DeviceA-Ten-GigabitEthernet3/0/2] undo stp enable

[DeviceA-Ten-GigabitEthernet3/0/2] quit

Verifying the configuration

# Verify the mirroring group configuration on Device C.

[DeviceC] display mirroring-group all

Mirroring group 2:

    Type: Remote destination

    Status: Active

    Monitor port: Ten-GigabitEthernet3/0/2

    Remote probe VLAN: 2

# Verify the mirroring group configuration on Device A.

[DeviceA] display mirroring-group all

Mirroring group 1:

    Type: Remote source

    Status: Active

    Mirroring port:

        Ten-GigabitEthernet3/0/1  Both

    Monitor egress port: Ten-GigabitEthernet3/0/2

    Remote probe VLAN: 2
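The following Python script is an added example, not part of the H3C documentation or software. It parses display mirroring-group all output collected from several devices and flags the conditions this chapter warns about: a group that is not Active, a remote source group whose remote probe VLAN has no matching active remote destination group, and a source mirrored in one direction only. The sample text, the "Incomplete" status string, and the policy that every source should be mirrored in both directions are assumptions of the example.

```python
import re

# Constructed sample: "display mirroring-group all" output from two devices, in
# the layout shown on this page. Group 3, the "Incomplete" status string and the
# VLAN 3 mismatch are made up so that the audit has something to report.
SAMPLE = {
    "DeviceA": """\
Mirroring group 1:
    Type: Remote source
    Status: Active
    Mirroring port:
        Ten-GigabitEthernet3/0/1  Both
    Monitor egress port: Ten-GigabitEthernet3/0/2
    Remote probe VLAN: 2
Mirroring group 3:
    Type: Local
    Status: Incomplete
    Mirroring port:
        Ten-GigabitEthernet3/0/1  Inbound
""",
    "DeviceC": """\
Mirroring group 2:
    Type: Remote destination
    Status: Active
    Monitor port: Ten-GigabitEthernet3/0/2
    Remote probe VLAN: 3
""",
}

# "Label: value" lines and the dict key each one is stored under.
FIELDS = {"Type": "type", "Status": "status", "Monitor port": "monitor",
          "Monitor egress port": "egress", "Remote probe VLAN": "probe_vlan"}
# Headers that introduce an indented list of mirroring sources.
SOURCE_HEADERS = ("Mirroring port:", "Mirroring VLAN:", "Mirroring CPU:")


def parse_groups(text):
    """Parse one device's output into a list of per-group dicts."""
    groups, cur, in_sources = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        start = re.fullmatch(r"Mirroring group (\d+):", line)
        if start:
            cur = {"id": int(start.group(1)), "sources": [],
                   **{name: None for name in FIELDS.values()}}
            groups.append(cur)
            in_sources = False
        elif cur is None:
            continue  # prompt or banner text before the first group
        elif line in SOURCE_HEADERS:
            in_sources = True
        elif line.split(":", 1)[0] in FIELDS and ":" in line:
            key, value = line.split(":", 1)
            cur[FIELDS[key]] = value.strip()
            in_sources = False
        elif in_sources:
            parts = line.rsplit(None, 1)  # "<source>  <direction>"
            if len(parts) == 2:
                cur["sources"].append((parts[0], parts[1]))
    return groups


def audit(outputs, require_both=True):
    """Return (location, finding) tuples for all devices in `outputs`."""
    parsed = {dev: parse_groups(text) for dev, text in outputs.items()}
    # Probe VLANs that some active remote destination group is listening on.
    dest_vlans = {g["probe_vlan"] for groups in parsed.values() for g in groups
                  if g["type"] == "Remote destination" and g["status"] == "Active"}
    findings = []
    for dev, groups in parsed.items():
        for g in groups:
            where = f"{dev} group {g['id']}"
            if g["status"] != "Active":
                findings.append((where, "not-active"))
            if g["type"] == "Remote source" and g["probe_vlan"] not in dest_vlans:
                findings.append((where, "probe-vlan-unmatched"))
            if require_both:
                for name, direction in g["sources"]:
                    if direction != "Both":
                        findings.append((where, f"one-way:{name}"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE):
        print(f"{where}: {finding}")
```
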


Configuring flow mirroring

About flow mirroring

Flow mirroring copies packets matching a class to a destination for packet analysis and monitoring. It is implemented through QoS.

To implement flow mirroring through QoS, perform the following tasks:

·     Define traffic classes and configure match criteria to classify packets to be mirrored. Flow mirroring allows you to flexibly classify packets to be analyzed by defining match criteria.

·     Configure traffic behaviors to mirror the matching packets to the specified destination.

You can configure an action to mirror the matching packets to one of the following destinations:

·     Interface—The matching packets are copied to an interface and then forwarded to a data monitoring device for analysis.

·     CPU—The matching packets are copied to the CPU of an IRF member device. The CPU analyzes the packets or delivers them to upper layers.

·     CPU (in standalone mode and in IRF mode)—The matching packets are copied to the CPU of the card where they are received. The CPU analyzes the packets or delivers them to upper layers.

For more information about QoS policies, traffic classes, and traffic behaviors, see ACL and QoS Configuration Guide.

Types of flow-mirroring traffic to an interface

Depending on whether the mirroring source and mirroring destination are on the same device, flow-mirroring traffic to an interface includes the following types:

·     Flow mirroring SPAN—Flow-mirrors traffic to a local interface.

·     Flow mirroring ERSPAN—Encapsulates traffic in GRE packets with protocol number 0x88BE (ERSPANv2) and routes the traffic to a remote monitoring device at Layer 3.

Flow mirroring SPAN

For flow mirroring SPAN, configure a QoS policy on the source device. Configure the QoS policy as follows:

1.     Configure a traffic class to match packets.

2.     Configure a traffic behavior to flow-mirror traffic to an interface without specifying the destination-ip or source-ip keyword.

3.     Associate the traffic class with the traffic behavior.

When the device receives a matching packet, the device sends one copy of the packet to the interface specified by the traffic behavior. The interface forwards the mirrored packet to the monitoring device.

Figure 7 Flow mirroring SPAN

 

Flow mirroring ERSPAN

Flow mirroring ERSPAN can be implemented in encapsulation parameter mode or monitoring group mode.

On all devices from source to destination, configure a unicast routing protocol to ensure Layer 3 reachability between the devices.

Encapsulation parameter mode

In this mode, configure a QoS policy on the source device. Configure the QoS policy as follows:

1.     Configure a traffic class to match packets.

2.     Configure a traffic behavior to flow-mirror traffic to an interface.

3.     Associate the traffic class with the traffic behavior.

You can configure flow-mirroring traffic to an interface in one of the following modes:

·     Directly specifying an outgoing interface—In this mode, specify both the outgoing interface and encapsulation parameters. The device encapsulates packets with the specified parameters and then forwards packets out of the specified interface.

·     Specifying an outgoing interface through route lookup—In this mode, specify only encapsulation parameters without specifying an outgoing interface. The device looks up a route for the encapsulated mirrored packets based on the source IP address and destination IP address of the encapsulated packets. The outgoing interface of the route is a destination interface of the mirrored packets.

In this mode, you can use the load sharing function of a routing protocol to forward mirrored packets to multiple destination interfaces.

As shown in Figure 8, flow mirroring ERSPAN in encapsulation parameter mode works as follows:

1.     The source device copies a matching packet.

2.     The source device encapsulates the packet with the specified ERSPAN encapsulation parameters.

3.     The source device forwards the packet by using one of the following methods:

¡     Forwards the mirrored packet out of the specified outgoing interface.

¡     Looks up a route for the encapsulated mirrored packet based on the source IP address and destination IP address of the encapsulated packet.

4.     The encapsulated packet is routed to the monitoring device.

5.     The monitoring device decapsulates the packet and analyzes the packet contents.

The packet sent to the monitoring device through flow mirroring in this mode is encapsulated. In this mode, make sure the monitoring device supports decapsulating packets.

Figure 8 Flow mirroring ERSPAN in encapsulation parameter mode

Monitoring group mode

As shown in Figure 9, flow mirroring ERSPAN in monitoring group mode works as follows:

1.     On the source device, configure a monitoring group, add member interfaces to the monitoring group, and configure the encapsulation parameters for the member interfaces.

2.     On the source device, apply a QoS policy as follows:

a.     Configure a traffic class to match packets.

b.     Configure a traffic behavior to mirror traffic to the monitoring group.

c.     Create a QoS policy, and associate the traffic class with the traffic behavior in the QoS policy.

d.     Apply the QoS policy.

3.     The source device copies a matching packet and mirrors the packet to the monitoring group. The member interfaces of the monitoring group encapsulate the packet with the specified encapsulation parameters.

4.     The source device forwards the packet by using one of the following methods:

¡     Forwards the mirrored packet out of the specified outgoing interface.

¡     Looks up a route for the encapsulated mirrored packet based on the source IP address and destination IP address of the encapsulated packet.

5.     The encapsulated packet is routed to the monitoring device.

6.     The monitoring device decapsulates the packet and analyzes the packet contents.

The packet sent to the monitoring device through flow mirroring in this mode is encapsulated. In this mode, make sure the monitoring device supports decapsulating packets.

Figure 9 Flow mirroring ERSPAN in monitoring group mode
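
The following is an added example, not part of the H3C guide: a minimal decapsulator of the kind the monitoring device needs for ERSPAN-mirrored packets in either mode. It assumes the common ERSPAN Type II layout over IPv4 (GRE protocol 0x88BE, a GRE sequence number, then an 8-byte ERSPAN header); the function names and the sample packet are constructed for illustration.

```python
import socket
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type used for ERSPAN, as stated in this guide

def decap_erspan(pkt: bytes) -> dict:
    """Strip outer IPv4 + GRE + ERSPAN Type II headers from one mirrored packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 47:  # IP protocol 47 = GRE
        raise ValueError("outer packet does not carry GRE")
    gre = pkt[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE payload is not ERSPAN")
    off = 4
    off += 4 if flags & 0x8000 else 0  # optional checksum + reserved field
    off += 4 if flags & 0x2000 else 0  # optional key field
    if not flags & 0x1000:  # assumed layout: Type II always has a sequence number
        raise ValueError("no GRE sequence number: not ERSPAN Type II")
    if len(gre) < off + 12:
        raise ValueError("truncated sequence number or ERSPAN header")
    seq, word1, word2 = struct.unpack("!III", gre[off:off + 12])
    if word1 >> 28 != 1:  # the version field is 1 for Type II
        raise ValueError("unexpected ERSPAN version")
    return {
        "src": socket.inet_ntoa(pkt[12:16]),  # mirroring source device
        "dst": socket.inet_ntoa(pkt[16:20]),  # monitoring device
        "seq": seq,                           # gaps indicate lost mirror copies
        "vlan": (word1 >> 16) & 0x0FFF,       # VLAN of the original frame
        "truncated": bool(word1 & 0x0400),    # T bit: inner frame was cut short
        "session_id": word1 & 0x03FF,
        "index": word2 & 0xFFFFF,
        "inner_frame": gre[off + 12:],        # original Ethernet frame
    }

def build_sample(seq: int = 7, vlan: int = 20, session: int = 1) -> bytes:
    """Constructed packet: 192.0.2.1 -> 192.0.2.100 carrying a dummy Ethernet frame."""
    inner = bytes.fromhex("0200000000020200000000010800") + b"\x45" + bytes(19)
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session, 0)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, seq) + erspan
    total = 20 + len(gre) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 47, 0,
                     socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.100"))
    return ip + gre + inner
```

Tracking `seq` per source and session on the monitoring device shows whether mirror copies were dropped in transit, and the `truncated` flag tells the analyzer not to treat a short inner frame as malformed traffic.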

Restrictions and guidelines: Flow mirroring configuration

For information about the configuration commands except the mirror-to command, see ACL and QoS Command Reference.

When you use the mirror-to cpu command to configure the action of mirroring traffic to a CPU, the action does not take effect on the outgoing packets of interfaces.

Flow mirroring tasks at a glance

To configure flow mirroring, perform the following tasks:

1.     Configuring a traffic class

A traffic class defines the criteria that filter the traffic to be mirrored.

2.     Configuring a traffic behavior

A traffic behavior specifies mirroring destinations.

3.     Configuring a QoS policy

4.     Applying a QoS policy

Choose one of the following tasks:

¡     Applying a QoS policy to an interface

¡     Applying a QoS policy to a VLAN

¡     Applying a QoS policy globally

Configuring a traffic class

1.     Enter system view.

system-view

2.     Create a class and enter class view.

traffic classifier classifier-name [ operator { and | or } ]

3.     Configure match criteria.

if-match match-criteria

By default, no match criterion is configured in a traffic class.

4.     (Optional.) Display traffic class information.

In standalone mode:

display traffic classifier user-defined [ classifier-name ] [ slot slot-number ]

In IRF mode:

display traffic classifier user-defined [ classifier-name ] [ chassis chassis-number slot slot-number ]

For more information about this command, see ACL and QoS Command Reference.

Configuring a traffic behavior

Procedure

1.     Enter system view.

system-view

2.     Configure a monitoring group.

a.     Create a monitoring group.

monitoring-group group-id

b.     Assign ports to the monitoring group.

Syntax I:

monitoring-port interface-list [ { destination-ip destination-ip-address source-ip source-ip-address | destination-ipv6 destination-ipv6-address source-ipv6 source-ipv6-address } [ dscp dscp-value | vlan vlan-id | vrf-instance vrf-name ] * [ destination-mac mac-address ] ]

Syntax II:

monitoring-port { destination-ip destination-ip-address source-ip source-ip-address | destination-ipv6 destination-ipv6-address source-ipv6 source-ipv6-address } [ dscp dscp-value | vlan vlan-id | vrf-instance vrf-name ] * [ destination-mac mac-address ]

By default, a monitoring group does not contain any port.

If you specify encapsulation parameters when flow-mirroring traffic to a monitoring group, all member ports of the monitoring group must use the same encapsulation parameters as the first member port.

c.     Return to system view.

quit

3.     Create a traffic behavior and enter traffic behavior view.

traffic behavior behavior-name

4.     Configure mirroring destinations for the traffic behavior. Choose one option as needed:

¡     Mirror traffic to interfaces.

Syntax I:

mirror-to interface interface-type interface-number [ backup-interface interface-type interface-number ] [ sampler sampler-name ] [ truncation ] [ { destination-ip destination-ip-address source-ip source-ip-address | destination-ipv6 destination-ipv6-address source-ipv6 source-ipv6-address } [ dscp dscp-value | vlan vlan-id | vrf-instance vrf-name ] * [ destination-mac mac-address ] ]

Syntax II:

mirror-to interface { destination-ip destination-ip-address source-ip source-ip-address | destination-ipv6 destination-ipv6-address source-ipv6 source-ipv6-address } [ sampler sampler-name ] [ truncation ] [ dscp dscp-value | vlan vlan-id | vrf-instance vrf-name ] * [ destination-mac mac-address ]

Syntax III:

mirror-to interface interface-type interface-number reflector-port interface-type interface-number strip-vlan vlan-id

When you use syntax III, the specified mirroring destination interface and reflector port must be assigned to a mirroring-type service loopback group. For more information about service loopback groups, see service loopback group configuration in Layer 2—LAN Switching Configuration Guide.

By default, no mirroring actions exist to mirror traffic to interfaces.

You cannot flow-mirror traffic to tunnel interfaces.

¡     Mirror traffic to a monitoring group.

mirror-to monitoring-group group-id

By default, no mirroring actions exist to mirror traffic to a monitoring group.

¡     Mirror traffic to the CPU.

mirror-to cpu

By default, no mirroring actions exist to mirror traffic to the CPU.

5.     (Optional.) Display traffic behavior configuration.

In standalone mode:

display traffic behavior user-defined [ behavior-name ] [ slot slot-number ]

In IRF mode:

display traffic behavior user-defined [ behavior-name ] [ chassis chassis-number slot slot-number ]

For more information about this command, see ACL and QoS Command Reference.

Configuring a QoS policy

1.     Enter system view.

system-view

2.     Create a QoS policy and enter QoS policy view.

qos [ mirroring ] policy policy-name

3.     Associate a class with a traffic behavior in the QoS policy.

classifier classifier-name behavior behavior-name

By default, no traffic behavior is associated with a class.

4.     (Optional.) Display QoS policy configuration.

In standalone mode:

display qos policy user-defined [ mirroring ] [ policy-name [ classifier classifier-name ] ] [ slot slot-number ]

In IRF mode:

display qos policy user-defined [ mirroring ] [ policy-name [ classifier classifier-name ] ] [ chassis chassis-number slot slot-number ]

For more information about this command, see ACL and QoS Command Reference.

Applying a QoS policy

Applying a QoS policy to an interface

Restrictions and guidelines

You can apply a QoS policy to an interface to mirror the traffic of the interface.

A policy can be applied to multiple interfaces.

In one traffic direction of an interface, only one QoS policy can be applied.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Apply a policy to the interface.

qos apply [ mirroring ] policy policy-name { inbound | outbound }

4.     (Optional.) Display the QoS policy applied to the interface.

In standalone mode:

display qos [ mirroring ] policy interface [ interface-type interface-number [ pvc { pvc-name | vpi/vci } ] ] [ inbound | outbound ] [ slot slot-number ]

In IRF mode:

display qos [ mirroring ] policy interface [ interface-type interface-number [ pvc { pvc-name | vpi/vci } ] ] [ inbound | outbound ] [ chassis chassis-number slot slot-number ]

For more information about this command, see ACL and QoS Command Reference.

Applying a QoS policy to a VLAN

Restrictions and guidelines

You can apply a QoS policy to a VLAN to mirror the traffic on all ports in the VLAN.

Procedure

1.     Enter system view.

system-view

2.     Apply a QoS policy to a VLAN.

qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }

3.     (Optional.) Display the QoS policy applied to the VLAN.

In standalone mode:

display qos vlan-policy { name policy-name | vlan [ vlan-id ] } [ inbound | outbound ] [ slot slot-number ]

In IRF mode:

display qos vlan-policy { name policy-name | vlan [ vlan-id ] } [ inbound | outbound ] [ chassis chassis-number slot slot-number ]

For more information about this command, see ACL and QoS Command Reference.

Applying a QoS policy globally

Restrictions and guidelines

You can apply a QoS policy globally to mirror the traffic on all ports.

Procedure

1.     Enter system view.

system-view

2.     Apply a QoS policy globally.

qos apply [ mirroring ] policy policy-name global { inbound | outbound }

3.     (Optional.) Display global QoS policies.

In standalone mode:

display qos [ mirroring ] policy global [ inbound | outbound ] [ slot slot-number ]

In IRF mode:

display qos [ mirroring ] policy global [ inbound | outbound ] [ chassis chassis-number slot slot-number ]

For more information about this command, see ACL and QoS Command Reference.

Display and maintenance commands for flow mirroring

Execute display commands in any view.

 

Task: Display monitoring group information.

Command: display monitoring-group { group-id | all }

Flow mirroring configuration examples

Example: Configuring flow mirroring

Network configuration

As shown in Figure 10, configure flow mirroring so that the server can monitor the following traffic:

·     All traffic that the Technical Department sends to access the Internet.

·     IP traffic that the Technical Department sends to the Marketing Department during working hours (8:00 to 18:00) on weekdays.

Figure 10 Network diagram

Procedure

# Create working hour range work, in which working hours are from 8:00 to 18:00 on weekdays.

<Device> system-view

[Device] time-range work 8:00 to 18:00 working-day

# Create IPv4 advanced ACL 3000 to allow packets from the Technical Department to access the Internet and the Marketing Department during working hours.

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www

[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work

[Device-acl-ipv4-adv-3000] quit

# Create traffic class tech_c, and configure the match criterion as ACL 3000.

[Device] traffic classifier tech_c

[Device-classifier-tech_c] if-match acl 3000

[Device-classifier-tech_c] quit

# Create traffic behavior tech_b, and configure the action of mirroring traffic to Ten-GigabitEthernet 3/0/3.

[Device] traffic behavior tech_b

[Device-behavior-tech_b] mirror-to interface ten-gigabitethernet 3/0/3

[Device-behavior-tech_b] quit

# Create QoS policy tech_p, and associate traffic class tech_c with traffic behavior tech_b in the QoS policy.

[Device] qos policy tech_p

[Device-qospolicy-tech_p] classifier tech_c behavior tech_b

[Device-qospolicy-tech_p] quit

# Apply QoS policy tech_p to the incoming packets of Ten-GigabitEthernet 3/0/4.

[Device] interface ten-gigabitethernet 3/0/4

[Device-Ten-GigabitEthernet3/0/4] qos apply policy tech_p inbound

[Device-Ten-GigabitEthernet3/0/4] quit

Verifying the configuration

# Verify that the server can monitor the following traffic:

·     All traffic sent by the Technical Department to access the Internet.

·     IP traffic that the Technical Department sends to the Marketing Department during working hours on weekdays.

(Details not shown.)
