Login
- Table of Contents
-
- 13-Network Management and Monitoring Configuration Guides
- 00-Preface
- 01-System maintenance and debugging configuration
- 02-NQA configuration
- 03-iNQA configuration
- 04-NTP configuration
- 05-PTP configuration
- 06-Network synchronization configuration
- 07-SNMP configuration
- 08-RMON configuration
- 09-NETCONF configuration
- 10-EAA configuration
- 11-Process monitoring and maintenance configuration
- 12-Sampler configuration
- 13-Mirroring configuration
- 14-NetStream configuration
- 15-IPv6 NetStream configuration
- 16-sFlow configuration
- 17-Information center configuration
- 18-GOLD configuration
- 19-Packet capture configuration
- 20-VCF fabric configuration
- 21-CWMP configuration
- 22-SmartMC configuration
- 23-SQA configuration
- 24-eMDI configuration
- 25-Performance management configuration
- 26-Ansible configuration
- 27-Event MIB configuration
- 28-EPS agent configuration
- 29-Cloud connection configuration
- 30-EPA configuration
- 31-Packet trace configuration
- 32-KPI data collection configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 13-Mirroring configuration | 641.00 KB |
Contents
Layer 2 remote port mirroring (RSPAN)
Layer 3 remote port mirroring (ERSPAN)
Restrictions and guidelines: Port mirroring configuration
Configuring local port mirroring (SPAN)
Local port mirroring configuration task list
Creating a local mirroring group
Configuring source ports for the local mirroring group
Configuring source CPUs for the local mirroring group
Configuring the monitor port for the local mirroring group
Configuring Layer 2 remote port mirroring (RSPAN)
Layer 2 remote port mirroring with configurable reflector port configuration task list
Layer 2 remote port mirroring with egress port configuration task list
Configuring a remote destination group on the destination device
Configuring a remote source group on the source device
Configuring Layer 3 remote port mirroring (ERSPAN)
Layer 3 remote port mirroring configuration task list
Configuring local mirroring groups
Configuring source ports for a local mirroring group
Configuring source CPUs for a local mirroring group
Configuring the monitor port for a local mirroring group
Displaying and maintaining port mirroring
Port mirroring configuration examples
Local port mirroring configuration example (SPAN in source port mode)
Local port mirroring configuration example (SPAN in source CPU mode)
Layer 2 remote port mirroring configuration example (RSPAN with reflector port configurable)
Layer 2 remote port mirroring configuration example (RSPAN with egress port)
Example for local port mirroring with multiple monitoring devices (reflector port configurable)
Layer 3 remote port mirroring configuration example (ERSPAN)
Types of flow-mirroring traffic to an interface
Restrictions and guidelines: Flow mirroring configuration
Flow mirroring configuration task list
Configuring a traffic behavior
Applying a QoS policy to an interface
Applying a QoS policy to a VLAN
Applying a QoS policy globally
Applying a QoS policy to the control plane
Flow mirroring configuration example
Configuring port mirroring
Overview
Port mirroring copies the packets passing through a port or CPU to a port that connects to a data monitoring device for packet analysis.
Terminology
The following terms are used in port mirroring configuration.
Mirroring source
The mirroring sources can be one or more monitored ports or CPUs. The monitored ports and CPUs called source ports and source CPUs, respectively.
Packets passing through mirroring sources are copied to a port connecting to a data monitoring device for packet analysis. The copies are called mirrored packets.
Source device
The device where the mirroring sources reside is called a source device.
Mirroring destination
The mirroring destination is the destination port (also known as the monitor port) of mirrored packets and connects to a data monitoring device. Mirrored packets are sent out of the monitor port to the data monitoring device.
A monitor port might receive multiple copies of a packet when it monitors multiple mirroring sources. For example, two copies of a packet are received on Port 1 when the following conditions exist:
· Port 1 is monitoring bidirectional traffic of Port 2 and Port 3 on the same device.
· The packet travels from Port 2 to Port 3.
Destination device
The device where the monitor port resides is called the destination device.
Mirroring direction
The mirroring direction specifies the direction of the traffic that is copied on a mirroring source.
· Inbound—Copies packets received.
· Outbound—Copies packets sent.
· Bidirectional—Copies packets received and sent.
Mirroring group
Port mirroring is implemented through mirroring groups, which include local, remote source, and remote destination groups.
Reflector port, egress port, and remote probe VLAN
Reflector ports, remote probe VLANs, and egress ports are used for Layer 2 remote port mirroring. The remote probe VLAN is a dedicated VLAN for transmitting mirrored packets to the destination device. Both the reflector port and egress port reside on a source device and send mirrored packets to the remote probe VLAN.
On port mirroring devices, all ports except source, destination, reflector, and egress ports are called common ports.
Port mirroring classification
Port mirroring can be classified into local port mirroring and remote port mirroring.
· Local port mirroring—Also known as Switch Port Analyzer (SPAN). In local port mirroring, the source device is directly connected to a data monitoring device. The source device also acts as the destination device and forwards mirrored packets directly to the data monitoring device.
· Remote port mirroring—The source device is not directly connected to a data monitoring device. The source device sends mirrored packets to the destination device, which forwards the packets to the data monitoring device.
Remote port mirroring can be further classified into Layer 2 and Layer 3 remote port mirroring:
¡ Layer 2 remote port mirroring—Also known as Remote SPAN (RSPAN). The source device and destination device are on the same Layer 2 network.
¡ Layer 3 remote port mirroring—Also known as Encapsulated Remote SPAN (ERSPAN). The source device and destination device are separated by IP networks.
Local port mirroring (SPAN)
Figure 1 Local port mirroring implementation
As shown in Figure 1, the source port (Port A) and the monitor port (Port B) reside on the same device. Packets received on Port A are copied to Port B. Port B then forwards the packets to the data monitoring device for analysis.
Layer 2 remote port mirroring (RSPAN)
In Layer 2 remote port mirroring, the mirroring sources and destination reside on different devices and are in different mirroring groups.
A remote source group is a mirroring group that contains the mirroring sources. A remote destination group is a mirroring group that contains the mirroring destination. Intermediate devices are the devices between the source device and the destination device.
Layer 2 remote port mirroring can be implemented through the reflector port method or the egress port method.
Reflector port method
In Layer 2 remote port mirroring that uses the reflector port method, packets are mirrored as follows:
1. The source device copies packets received on the mirroring sources to the reflector port.
2. The reflector port broadcasts the mirrored packets in the remote probe VLAN.
3. The intermediate devices transmit the mirrored packets to the destination device through the remote probe VLAN.
4. Upon receiving the mirrored packets, the destination device determines whether the ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the destination device forwards the mirrored packets to the data monitoring device through the monitor port.
Figure 2 Layer 2 remote port mirroring implementation through the reflector port method
The device comes with a fixed reflector port and does not need manual configuration.
Egress port method
In Layer 2 remote port mirroring that uses the egress port method, packets are mirrored as follows:
1. The source device copies packets received on the mirroring sources to the egress port.
2. The egress port forwards the mirrored packets to the intermediate devices.
3. The intermediate devices flood the mirrored packets in the remote probe VLAN and transmit the mirrored packets to the destination device.
4. Upon receiving the mirrored packets, the destination device determines whether the ID of the mirrored packets is the same as the remote probe VLAN ID. If the two VLAN IDs match, the destination device forwards the mirrored packets to the data monitoring device through the monitor port.
Figure 3 Layer 2 remote port mirroring implementation through the egress port method
Layer 3 remote port mirroring (ERSPAN)
ERSPAN encapsulates mirrored packets in GRE packets with a protocol number of 0x88BE and routes the packets to the remote monitoring device.
In the current software version, ERSPAN can only be implemented in tunnel mode.
For ERSPAN in tunnel mode, configure the mirroring sources and destination for the local mirroring groups on the source device and destination device as follows:
· On the source device:
¡ Configure the ports to be monitored as source ports.
¡ Configure the VLANs to be monitored as source VLANs.
¡ Configure the CPUs to be monitored as source CPUs.
¡ Configure the tunnel interface through which mirrored packets are forwarded to the destination device as the monitor port.
· On the destination device:
¡ Configure the physical port corresponding to the tunnel interface as the source port.
¡ Configure the VLAN of the physical port corresponding to the tunnel interface as the source VLAN.
¡ Configure the port that connects to the data monitoring device as the monitor port.
For example, in a network as shown in Figure 4, ERSPAN in tunnel mode works as follows:
1. The source device sends one copy of a packet received on the source port (Port A) to the tunnel interface.
The tunnel interface acts as the monitor port in the local mirroring group created on the source device.
2. The tunnel interface on the source device forwards the mirrored packet to the tunnel interface on the destination device through the GRE tunnel.
3. The destination device receives the mirrored packet from the physical interface of the tunnel interface.
The tunnel interface acts as the source port in the local mirroring group created on the destination device.
4. The physical interface of the tunnel interface sends one copy of the packet to the monitor port (Port B).
5. The monitor port (Port B) forwards the packet to the data monitoring device.
For more information about GRE tunnels and tunnel interfaces, see Layer 3—IP Services Configuration Guide.
Figure 4 ERSPAN in tunnel mode
Restrictions and guidelines: Port mirroring configuration
The reflector port method for Layer 2 remote port mirroring can be used to implement local port mirroring with multiple data monitoring devices. In the reflector port method, the reflector port broadcasts mirrored packets in the remote probe VLAN. By assigning the ports that connect to data monitoring devices to the remote probe VLAN, you can implement local port mirroring to mirror packets to multiple data monitoring devices. Make sure the ports remove the remote probe VLAN tag of the mirrored packets so the original packets can be sent to the data monitoring devices. The egress port method cannot implement local port mirroring in this way.
An aggregate interface cannot be configured as a mirroring source port, and an aggregation member port can be configured as a mirroring source port.
In a mirroring group, if an aggregation member port is configured as a source port, and an aggregate interface or aggregation member port is configured as the monitor port, make sure one of the corresponding aggregation groups operate in static aggregation mode. For more information about the static aggregation mode, see Ethernet link aggregation in Layer 2—LAN Switching Configuration Guide.
A port cannot be used by multiple mirroring groups at the same time.
Configuring local port mirroring (SPAN)
A local mirroring group takes effect only when you configure the monitor port and the source ports or source CPUs for the local mirroring group.
Local port mirroring configuration task list
|
Tasks at a glance |
|
1. (Required.) Creating a local mirroring group |
|
2. (Required.) Perform at least one of the following tasks: |
|
3. (Required.) Configuring the monitor port for the local mirroring group |
Creating a local mirroring group
|
Command |
Remarks |
|
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a local mirroring group. |
mirroring-group group-id local |
By default, no local mirroring group exists. |
Configuring source ports for the local mirroring group
To configure source ports for a local mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
· A mirroring group can contain multiple source ports.
· A source port cannot be configured as a reflector port, egress port, or monitor port.
· A VLAN interface cannot be configured as a source port.
· A Layer 2 or Layer 3 aggregate interface cannot be configured as a mirroring source port.
Configuring source ports in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source ports for a local mirroring group. |
mirroring-group group-id mirroring-port interface-list { both | inbound | outbound } |
By default, no source port is configured for a local mirroring group. |
Configuring source ports in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as a source port for a local mirroring group. |
mirroring-group group-id mirroring-port { both | inbound | outbound } |
By default, a port does not act as a source port for any local mirroring groups. |
Configuring source CPUs for the local mirroring group
CPUs on the following MPUs cannot be configured as source CPUs:
· LSUM1SUPXES0.
· LSUM1SUPXD0.
· LSUM1MPUS06XEC0.
· LSUM1MPUS10XEA0.
· LSUM1MPUS06XEB0.
· LSUM1MPUS10XE0.
A mirroring group can contain multiple source CPUs.
To configure source CPUs for a local mirroring group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source CPUs for a local mirroring group. |
· In standalone mode: · In IRF mode: |
By default, no source CPU is configured for a local mirroring group. |
Configuring the monitor port for the local mirroring group
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to the mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a local mirroring group, follow these restrictions and guidelines:
· Do not enable the spanning tree feature on the monitor port.
· For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not configure its member ports as source ports of the mirroring group.
· A mirroring group contains only one monitor port.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· If the source port and monitor port of a mirroring group are both aggregate interfaces, make sure at least one of them is a static aggregate interface. For more information about the static aggregation mode, see Ethernet link aggregation configuration in Layer 2—LAN Switching Configuration Guide.
Configuring the monitor port in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the monitor port for a local mirroring group. |
mirroring-group group-id monitor-port interface-type interface-number |
By default, no monitor port is configured for a local mirroring group. |
Configuring the monitor port in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the monitor port for a mirroring group. |
mirroring-group group-id monitor-port |
By default, a port does not act as the monitor port for any local mirroring groups. |
Configuring Layer 2 remote port mirroring (RSPAN)
To configure Layer 2 remote port mirroring, perform the following tasks:
· Configure a remote source group on the source device.
· Configure a cooperating remote destination group on the destination device.
· If intermediate devices exist, configure the following devices and ports to allow the remote probe VLAN to pass through.
¡ Intermediate devices.
¡ Ports connected to the intermediate devices on the source and destinations devices.
When you configure Layer 2 remote port mirroring, follow these restrictions and guidelines:
· To monitor the bidirectional traffic of a source port, disable MAC address learning for the remote probe VLAN on the source, intermediate, and destination devices. For more information about MAC address learning, see Layer 2—LAN Switching Configuration Guide.
· The egress port must be assigned to the remote probe VLAN. The configurable reflector port is not necessarily assigned to the remote probe VLAN.
· For a mirrored packet to successfully arrive at the remote destination device, make sure its VLAN ID is not removed or changed.
· Do not configure both MVRP and Layer 2 remote port mirroring. Otherwise, MVRP might register the remote probe VLAN with incorrect ports, which would cause the monitor port to receive undesired copies. For more information about MVRP, see Layer 2—LAN Switching Configuration Guide.
· As a best practice, configure devices in the order of the destination device, the intermediate devices, and the source device.
Layer 2 remote port mirroring with configurable reflector port configuration task list
Layer 2 remote port mirroring with egress port configuration task list
Configuring a remote destination group on the destination device
Restrictions and guidelines for remote destination group configuration
You can configure a remote destination group on an IRF fabric with member devices connected through multiple IRF physical interfaces. In this case, the monitor port of the remote destination group and the port that receives the mirrored traffic must reside on the same member device. For more information about IRF, see Virtual Technologies Configuration Guide.
Creating a remote destination group
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a remote destination group. |
mirroring-group group-id remote-destination |
By default, no remote destination group exists on a device. |
Configuring the monitor port for a remote destination group
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to the mirroring group as the monitor port in interface view.
When you configure the monitor port for a remote destination group, follow these restrictions and guidelines:
· Do not enable the spanning tree feature on the monitor port.
· For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not configure its member ports as source ports of the mirroring group.
· Use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· A mirroring group must contain only one monitor port.
· A monitor port can belong to only one mirroring group.
· If the source port and monitor port of a mirroring group are both aggregate interfaces, make sure at least one of them is a static aggregate interface. For more information about the static aggregation mode, see Ethernet link aggregation configuration in Layer 2—LAN Switching Configuration Guide.
Configuring the monitor port for a remote destination group in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the monitor port for a remote destination group. |
mirroring-group group-id monitor-port interface-type interface-number |
By default, no monitor port is configured for a remote destination group. |
Configuring the monitor port for a remote destination group in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the monitor port for a remote destination group. |
mirroring-group group-id monitor-port |
By default, a port does not act as the monitor port for any remote destination groups. |
Configuring the remote probe VLAN for a remote destination group
When you configure the remote probe VLAN for a remote destination group, follow these restrictions and guidelines:
· Only an existing static VLAN can be configured as a remote probe VLAN. Additionally, you must execute the undo stp vlan enable command to disable the spanning tree feature for the VLAN. For more information about the undo stp vlan enable command, see Layer 2—LAN Switching Command Reference.
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· Configure the same remote probe VLAN for the remote groups on the source and destination devices.
To configure the remote probe VLAN for a remote destination group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the remote probe VLAN for a remote destination group. |
mirroring-group group-id remote-probe vlan vlan-id |
By default, no remote probe VLAN is configured for a remote destination group. |
Assigning the monitor port to the remote probe VLAN
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter the interface view of the monitor port. |
interface interface-type interface-number |
N/A |
|
3. Assign the port to the remote probe VLAN. |
· For an access port: · For a trunk port: · For a hybrid port: |
For more information about the port access vlan, port trunk permit vlan, and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference. |
Configuring a remote source group on the source device
Creating a remote source group
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a remote source group. |
mirroring-group group-id remote-source |
By default, no remote source group exists on a device. |
Configuring source ports for a remote source group
To configure source ports for a mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
When you configure source ports for a remote source group, follow these restrictions and guidelines:
· Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring group.
· A mirroring group can contain multiple source ports.
· A source port cannot be configured as a reflector port, egress port, or monitor port.
· A VLAN interface cannot be configured as a source port.
· A Layer 2 or Layer 3 aggregate interface cannot be configured as a mirroring source port.
Configuring source ports for a remote source group in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source ports for a remote source group. |
mirroring-group group-id mirroring-port interface-list { both | inbound | outbound } |
By default, no source port is configured for a remote source group. |
Configuring a source port for a remote source group in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as a source port for a remote source group. |
mirroring-group group-id mirroring-port { both | inbound | outbound } |
By default, a port does not act as a source port for any remote source groups. |
Configuring source CPUs for a remote source group
CPUs on the following MPUs cannot be configured as source CPUs:
· LSUM1SUPXES0.
· LSUM1SUPXD0.
· LSUM1MPUS06XEC0.
· LSUM1MPUS10XEA0.
· LSUM1MPUS06XEB0.
· LSUM1MPUS10XE0.
A mirroring group can contain multiple source CPUs.
To configure source CPUs for a remote source group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source CPUs for a remote source group. |
· In standalone mode: · In IRF mode: |
By default, no source CPU is configured for a remote source group. |
Configuring the reflector port for a remote source group
To configure the reflector port for a remote source group, use one of the following methods:
· Configure the reflector port for the remote source group in system view.
· Assign a port to the remote source group as the reflector port in interface view.
When you configure the reflector port for a remote source group, follow these restrictions and guidelines:
· When you use an interface on an SH series interface module as the reflector port, make sure the source ports are also on the interface module.
· A mirroring group contains only one reflector port.
· A Layer 2 aggregate interface, Layer 3 aggregate interface or subinterface, or aggregation member port cannot be configured as a reflector port.
· You can configure a port as a reflector port only when the port is operating with the default duplex mode, speed, and MDI settings. You cannot change these settings for a reflector port.
· In an IRF system, IRF physical interfaces cannot be configured as reflector ports for Layer 2 remote port mirroring. For more information about IRF and IRF physical interfaces, see Virtual Technologies Configuration Guide.
Configuring the reflector port for a remote source group in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the reflector port for a remote source group. |
mirroring-group group-id reflector-port interface-type interface-number |
By default, no reflector port is configured for a remote source group. |
|
|
CAUTION: · If an IRF port is bound to only one physical interface, do not configure the physical interface as a reflector port. Otherwise, the IRF might split. · When a port is configured as a reflector port, all existing configurations of the port are restored to the default. You cannot configure other features on the reflector port. · The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port. |
Configuring the reflector port for a remote source group in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the reflector port for a remote source group. |
mirroring-group group-id reflector-port |
By default, a port does not act as the reflector port for any remote source groups. |
|
|
CAUTION: · If an IRF port is bound to only one physical interface, do not configure the physical interface as a reflector port. Otherwise, the IRF might split. · When a port is configured as a reflector port, all existing configurations of the port are restored to the default. You cannot configure other features on the reflector port. · The port to be configured as a reflector port must be a port not in use. Do not connect a network cable to a reflector port. |
Configuring the egress port for a remote source group
To configure the egress port for a remote source group, use one of the following methods:
· Configure the egress port for the remote source group in system view.
· Assign a port to the remote source group as the egress port in interface view.
When you configure the egress port for a remote source group, follow these restrictions and guidelines:
· When you use an interface on an SH series interface module as the egress port, make sure the source ports are also on the interface module.
· Disable the following features on the egress port:
¡ Spanning tree.
¡ 802.1X.
¡ IGMP snooping.
¡ Static ARP.
¡ MAC address learning.
· A mirroring group contains only one egress port.
· A Layer 2 aggregate interface, Layer 3 aggregate interface or subinterface, or aggregation member port cannot be configured as the egress port of a remote source mirroring group.
· A port of an existing mirroring group cannot be configured as an egress port.
Configuring the egress port for a remote source group in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the egress port for a remote source group. |
mirroring-group group-id monitor-egress interface-type interface-number |
By default, no egress port is configured for a remote source group. |
Configuring the egress port for a remote source group in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the egress port for a remote source group. |
mirroring-group group-id monitor-egress |
By default, a port does not act as the egress port for any remote source groups. |
Configuring the remote probe VLAN for a remote source group
When you configure the remote probe VLAN for a remote source group, follow these restrictions and guidelines:
· Only an existing static VLAN can be configured as a remote probe VLAN.
· When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port mirroring exclusively.
· The remote mirroring groups on the source device and destination device must use the same remote probe VLAN.
To configure the remote probe VLAN for a remote source group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the remote probe VLAN for a remote source group. |
mirroring-group group-id remote-probe vlan vlan-id |
By default, no remote probe VLAN is configured for a remote source group. |
Configuring Layer 3 remote port mirroring (ERSPAN)
To configure Layer 3 remote port mirroring, perform the following tasks:
· Create a local mirroring group on both the source device and the destination device.
· Configure the monitor port and source ports or source CPUs for each mirroring group.
The source and destination devices are connected by a tunnel. If intermediate devices exist, configure a unicast routing protocol on the intermediate devices to ensure Layer 3 reachability between the source and destination devices.
On the source device, perform the following tasks:
· Configure source ports or source CPUs you want to monitor.
· Configure the tunnel interface as the monitor port.
On the destination device, perform the following tasks:
· Configure the physical interface corresponding to the tunnel interface as the source port.
· Configure the port that connects the data monitoring device as the monitor port.
Layer 3 remote port mirroring configuration task list
|
Tasks at a glance |
|
|
(Required.) Configuring the source device: 1. Configuring local mirroring groups 2. Perform at least one of the following tasks: ¡ Configuring source ports for a local mirroring group |
|
|
(Required.) Configuring the destination device: 1. Configuring local mirroring groups |
|
Configuration prerequisites
Before configuring Layer 3 remote mirroring, complete the following tasks:
· Create a tunnel interface and a GRE tunnel.
· Configure the source and destination addresses of the tunnel interface as the IP addresses of the physical interfaces on the source and destination devices, respectively.
IP addresses of physical interfaces on SA series interface modules cannot be used as the source or destination IP address for the tunnel interface.
For more information about tunnel interfaces, see Layer 3—IP Services Configuration Guide.
Configuring local mirroring groups
Configure a local mirroring group on both the source device and the destination device.
To create a local mirroring group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a local mirroring group. |
mirroring-group group-id local |
By default, no local mirroring group exists on a device. |
Configuring source ports for a local mirroring group
On the source device, configure the ports you want to monitor as the source ports. On the destination device, configure the physical interface corresponding to the tunnel interface as the source port.
To configure source ports for a mirroring group, use one of the following methods:
· Assign a list of source ports to the mirroring group in system view.
· Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
· A mirroring group can contain multiple source ports.
· A source port cannot be configured as a reflector port, egress port, or monitor port.
· A VLAN interface cannot be configured as a source port.
· A Layer 2 or Layer 3 aggregate interface cannot be configured as a mirroring source port.
Configuring source ports in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source ports for a local mirroring group. |
mirroring-group group-id mirroring-port interface-list { both | inbound | outbound } |
By default, no source port is configured for a local mirroring group. |
Configuring source ports in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as a source port for a local mirroring group. |
mirroring-group group-id mirroring-port { both | inbound | outbound } |
By default, a port does not act as a source port for any local mirroring groups. |
Configuring source CPUs for a local mirroring group
CPUs on the following MPUs cannot be configured as source CPUs:
· LSUM1SUPXES0.
· LSUM1SUPXD0.
· LSUM1MPUS06XEC0.
· LSUM1MPUS10XEA0.
· LSUM1MPUS06XEB0.
· LSUM1MPUS10XE0.
On the source device, configure the CPUs of the cards to be monitored as the source CPUs. The destination device does not support source CPU configuration.
A mirroring group can contain multiple source CPUs.
To configure source CPUs for a local mirroring group:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure source CPUs for a local mirroring group. |
· In standalone mode: · In IRF mode: |
By default, no source CPU is configured for a local mirroring group. |
Configuring the monitor port for a local mirroring group
On the source device, configure the tunnel interface as the monitor port. On the destination device, configure the port that connects to a data monitoring device as the monitor port.
To configure the monitor port for a mirroring group, use one of the following methods:
· Configure the monitor port for the mirroring group in system view.
· Assign a port to a mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a local mirroring group, follow these restrictions and guidelines:
· A mirroring group contains only one monitor port.
· Do not enable the spanning tree feature on the monitor port.
· As a best practice, use a monitor port only for port mirroring, so the data monitoring device receives only the mirrored traffic.
· If the source port and monitor port of a mirroring group are both aggregate interfaces, make sure at least one of them is a static aggregate interface. For more information about the static aggregation mode, see Ethernet link aggregation configuration in Layer 2—LAN Switching Configuration Guide.
Configuring the monitor port in system view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the monitor port for a local mirroring group. |
mirroring-group group-id monitor-port interface-type interface-number |
By default, no monitor port is configured for a local mirroring group. |
Configuring the monitor port in interface view
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter interface view. |
interface interface-type interface-number |
N/A |
|
3. Configure the port as the monitor port for a local mirroring group. |
mirroring-group group-id monitor-port |
By default, a port does not act as the monitor port for any local mirroring groups. |
Displaying and maintaining port mirroring
Execute display commands in any view.
|
Task |
Command |
|
Display mirroring group information. |
display mirroring-group { group-id | all | local | remote-destination | remote-source } |
Port mirroring configuration examples
Local port mirroring configuration example (SPAN in source port mode)
Network requirements
As shown in Figure 5, configure local port mirroring in source port mode to enable the server to monitor the bidirectional traffic of the Marketing department and the Technical department.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as source ports for local mirroring group 1.
[Device] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2 both
# Configure GigabitEthernet 1/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port gigabitethernet 1/0/3
# Disable the spanning tree feature on the monitor port (GigabitEthernet 1/0/3).
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] undo stp enable
[Device-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify the mirroring group configuration.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
GigabitEthernet1/0/2 Both
Monitor port: GigabitEthernet1/0/3
Local port mirroring configuration example (SPAN in source CPU mode)
Network requirements
As shown in Figure 6, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are located on the card in slot 1.
Configure local port mirroring in source CPU mode to enable the server to monitor all packets matching the following criteria:
· Received and sent by the Marketing department and the Technical department.
· Processed by the CPU of the card in slot 1 of the device.
Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local
# Configure the CPU of the card in slot 1 of the device as a source CPU for local mirroring group 1.
[Device] mirroring-group 1 mirroring-cpu slot 1 both
# Configure GigabitEthernet 1/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port gigabitethernet 1/0/3
# Disable the spanning tree feature on the monitor port (GigabitEthernet 1/0/3).
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] undo stp enable
[Device-GigabitEthernet1/0/3] quit
Verifying the configuration
# Verify the mirroring group configuration.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring CPU:
Slot 1 Both
Monitor port: GigabitEthernet1/0/3
Layer 2 remote port mirroring configuration example (RSPAN with reflector port configurable)
Network requirements
As shown in Figure 7, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing department.
Configuration procedure
1. Configure Device C (the destination device):
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceC-GigabitEthernet1/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceC-vlan2] undo mac-address mac-learning enable
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceC] mirroring-group 2 remote-probe vlan 2
# Configure GigabitEthernet 1/0/2 as the monitor port for the mirroring group.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] mirroring-group 2 monitor-port
# Disable the spanning tree feature on GigabitEthernet 1/0/2.
[DeviceC-GigabitEthernet1/0/2] undo stp enable
# Assign GigabitEthernet 1/0/2 to VLAN 2.
[DeviceC-GigabitEthernet1/0/2] port access vlan 2
[DeviceC-GigabitEthernet1/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2.
<DeviceB> system-view
[DeviceB] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceB-vlan2] undo mac-address mac-learning enable
[DeviceB-vlan2] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceA-vlan2] undo mac-address mac-learning enable
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
# Configure GigabitEthernet 1/0/1 as a source port for the mirroring group.
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both
# Configure GigabitEthernet 1/0/3 as the reflector port for the mirroring group.
[DeviceA] mirroring-group 1 reflector-port gigabitethernet 1/0/3
This operation may delete all settings made on the interface. Continue? [Y/N]: y
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceA-GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify the mirroring group configuration on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: GigabitEthernet1/0/2
Remote probe VLAN: 2
# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
Reflector port: GigabitEthernet1/0/3
Remote probe VLAN: 2
Layer 2 remote port mirroring configuration example (RSPAN with egress port)
Network requirements
On the Layer 2 network shown in Figure 8, configure Layer 2 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing department.
Configuration procedure
1. Configure Device C (the destination device):
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceC-GigabitEthernet1/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceC-vlan2] undo mac-address mac-learning enable
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceC] mirroring-group 2 remote-probe vlan 2
# Configure GigabitEthernet 1/0/2 as the monitor port for the mirroring group.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] mirroring-group 2 monitor-port
# Disable the spanning tree feature on GigabitEthernet 1/0/2.
[DeviceC-GigabitEthernet1/0/2] undo stp enable
# Assign GigabitEthernet 1/0/2 to VLAN 2 as an access port.
[DeviceC-GigabitEthernet1/0/2] port access vlan 2
[DeviceC-GigabitEthernet1/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2.
<DeviceB> system-view
[DeviceB] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceB-vlan2] undo mac-address mac-learning enable
[DeviceB-vlan2] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceA-vlan2] undo mac-address mac-learning enable
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
# Configure GigabitEthernet 1/0/1 as a source port for the mirroring group.
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both
# Configure GigabitEthernet 1/0/2 as the egress port for the mirroring group.
[DeviceA] mirroring-group 1 monitor-egress gigabitethernet 1/0/2
# Configure port GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 2
# Disable the spanning tree feature on the port.
[DeviceA-GigabitEthernet1/0/2] undo stp enable
[DeviceA-GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify the mirroring group configuration on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: GigabitEthernet1/0/2
Remote probe VLAN: 2
# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
Monitor egress port: GigabitEthernet1/0/2
Remote probe VLAN: 2
Example for local port mirroring with multiple monitoring devices (reflector port configurable)
Network configuration
As shown in Figure 9, Dept. A, Dept. B, and Dept. C are connected to the device through GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3, respectively.
Configure port mirroring to enable both Server A and Server B to monitor the bidirectional traffic of departments A, B, and C.
Configuration procedure
# Create remote source group 1.
<Device> system-view
[Device] mirroring-group 1 remote-source
# Configure GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 as source ports of remote source group 1.
[Device] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 to gigabitethernet 1/0/3 both
# Configure an unused port (GigabitEthernet 1/0/6 in this example) as the reflector port of remote source group 1.
[Device] mirroring-group 1 reflector-port gigabitethernet 1/0/6
This operation may delete all settings made on the interface. Continue? [Y/N]:y
# Create VLAN 10 and assign the ports connecting the data monitoring devices to the VLAN.
[Device] vlan 10
[Device-vlan10] port gigabitethernet 1/0/4 to gigabitethernet 1/0/5
[Device-vlan10] quit
# Configure VLAN 10 as the remote probe VLAN of remote source group 1.
[Device] mirroring-group 1 remote-probe vlan 10
Verifying the configuration
# Verify the mirroring group configuration on the device.
[Device] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
GigabitEthernet1/0/2 Both
GigabitEthernet1/0/3 Both
Reflector port: GigabitEthernet1/0/6
Remote probe VLAN: 10
Layer 3 remote port mirroring configuration example (ERSPAN)
Network requirements
On a Layer 3 network shown in Figure 10, configure Layer 3 remote port mirroring to enable the server to monitor the bidirectional traffic of the Marketing department.
Configuration procedure
1. Configure IP addresses for the tunnel interfaces and related ports on the devices. (Details not shown.)
2. Configure Device A (the source device):
# Create a service loopback group 1 and specify the unicast tunnel service for the group.
<DeviceA> system-view
[DeviceA] service-loopback group 1 type tunnel
# Assign GigabitEthernet 1/0/3 to the service loopback group 1.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-GigabitEthernet1/0/3] quit
# Create tunnel interface Tunnel 1 that operates in GRE mode, and configure an IP address and subnet mask for the interface.
[DeviceA] interface tunnel 1 mode gre
[DeviceA-Tunnel1] ip address 50.1.1.1 24
# Configure source and destination IP addresses for Tunnel 1.
[DeviceA-Tunnel1] source 20.1.1.1
[DeviceA-Tunnel1] destination 30.1.1.2
[DeviceA-Tunnel1] quit
# Enable the OSPF protocol.
[DeviceA] ospf 1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Create local mirroring group 1.
[DeviceA] mirroring-group 1 local
# Configure GigabitEthernet 1/0/1 as a source port and Tunnel 1 as the monitor port of local mirroring group 1.
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both
[DeviceA] mirroring-group 1 monitor-port tunnel 1
3. Enable the OSPF protocol on Device B (the intermediate device).
<DeviceB> system-view
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
4. Configure Device C (the destination device):
# Create a service loopback group 1 and specify the unicast tunnel service for the group.
[DeviceC] service-loopback group 1 type tunnel
# Assign GigabitEthernet 1/0/3 to the service loopback group 1.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceC-GigabitEthernet1/0/3] quit
# Create tunnel interface Tunnel 1 that operates in GRE mode, and configure an IP address and subnet mask for the interface.
[DeviceC] interface tunnel 1 mode gre
[DeviceC-Tunnel1] ip address 50.1.1.2 24
# Configure source and destination IP addresses for Tunnel 1.
[DeviceC-Tunnel1] source 30.1.1.2
[DeviceC-Tunnel1] destination 20.1.1.1
[DeviceC-Tunnel1] quit
# Enable the OSPF protocol.
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
# Create local mirroring group 1.
[DeviceC] mirroring-group 1 local
# Configure GigabitEthernet 1/0/1 as a source port for local mirroring group 1.
[DeviceC] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 inbound
# Configure GigabitEthernet 1/0/2 as the monitor port for local mirroring group 1.
[DeviceC] mirroring-group 1 monitor-port gigabitethernet 1/0/2
# Configure an ACL to filter GRE-encapsulated mirrored packets on Device C to prevent such packets from being used for any other purposes.
[DeviceC] acl number 3900
[DeviceC-acl-ipv4-adv-3900] rule 0 deny gre source 50.1.1.1 0 destination 50.1.1.2 0
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] packet-filter 3900 inbound
Verifying the configuration
# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
Monitor port: Tunnel1
# Display information about all mirroring groups on Device C.
[DeviceC] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Inbound
Monitor port: GigabitEthernet1/0/2
Configuring flow mirroring
Flow mirroring copies packets matching a class to a destination for packet analyzing and monitoring. It is implemented through QoS policies.
To configure flow mirroring, perform the following tasks:
· Define traffic classes and configure match criteria to classify packets to be mirrored. Flow mirroring allows you to flexibly classify packets to be analyzed by defining match criteria.
· Configure traffic behaviors to mirror the matching packets to the specified destination.
You can configure an action to mirror the matching packets to one of the following destinations:
· Interface—The matching packets are copied to an interface connecting to a data monitoring device. The data monitoring device analyzes the packets received on the interface.
· CPU—The matching packets are copied to the CPU of the card where they are received. The CPU analyzes the packets or delivers them to upper layers.
· In-band network telemetry (INT) processor—The matching packets are copied to the INT processor.
For more information about QoS policies, traffic classes, and traffic behaviors, see ACL and QoS Configuration Guide.
Types of flow-mirroring traffic to an interface
Depending on whether the mirroring source and mirroring destination are on the same device, flow-mirroring traffic to an interface includes the following types:
· Flow mirroring SPAN—Flow-mirrors traffic to a local interface.
· Flow mirroring RSPAN—Flow-mirrors traffic to an interface, and then forwards traffic to a remote Layer 2 interface based on the VLAN of the mirrored traffic or through QoS traffic redirecting.
· Flow mirroring ERSPAN—Encapsulates traffic in GRE packets with protocol number 0x88BE and routes the traffic to a remote monitoring device at Layer 3.
Flow mirroring SPAN or RSPAN
For flow mirroring SPAN, configure a QoS policy on the source device. Configure the QoS policy as follows:
1. Configure a traffic class to match packets.
2. Configure a traffic behavior to flow-mirror traffic to an interface without specifying the destination-ip or source-ip keyword.
3. Associate the traffic class with the traffic behavior.
When the device receives a matching packet, the device sends one copy of the packet to the interface specified by the traffic behavior. The interface forwards the mirrored packet to the monitoring device.
Figure 11 Flow mirroring SPAN
To implement RSPAN, forward the mirrored packet to a remote Layer 2 interface based on the VLAN of the mirrored packet or through QoS traffic redirecting.
Flow mirroring ERSPAN
On all devices from source to destination, configure a unicast routing protocol to ensure Layer 3 reachability between the devices.
In this mode, configure a QoS policy on the source device. Configure the QoS policy as follows:
1. Configure a traffic class to match packets.
2. Configure a traffic behavior to flow-mirror traffic to an interface.
3. Associate the traffic class with the traffic behavior.
You can configure flow-mirroring traffic to an interface in one of the following modes:
· Directly specifying an outgoing interface—In this mode, specify both the outgoing interface and encapsulation parameters. The device encapsulates packets with the specified parameters and then forwards packets out of the specified interface.
· Specifying an outgoing interface through route lookup—In this mode, specify only encapsulation parameters without specifying an outgoing interface. The device looks up a route for the encapsulated mirrored packets based on the source IP address and destination IP address of the encapsulated packets. The outgoing interface of the route is a destination interface of the mirrored packets.
In this mode, you can use the load sharing function of a routing protocol to forward mirrored packets to multiple destination interfaces.
As shown in Figure 12, flow mirroring ERSPAN in encapsulation parameter mode works as follows:
1. The source device copies a matching packet.
2. The source device encapsulates the packet with the specified ERSPAN encapsulation parameters.
3. The source device forwards the packet in either of the following methods:
¡ Forwards the mirrored packets out of the specified outgoing interface.
¡ Looks up a route for the encapsulated mirrored packet based on the source IP address and destination IP address of the encapsulated packet.
4. The encapsulated packet is routed to the monitoring device.
5. The monitoring device decapsulates the packet and analyzes the packet contents.
The packet sent to the monitoring device through flow mirroring in this mode is encapsulated. In this mode, make sure the monitoring device supports decapsulating packets.
Figure 12 Flow mirroring ERSPAN in encapsulation parameter mode
Restrictions and guidelines: Flow mirroring configuration
For information about the configuration commands except the mirror-to command, see ACL and QoS Command Reference.
Outbound flow mirroring is not available for multicast, broadcast, or unknown unicast traffic.
When a QoS policy configured with packet truncation is applied to the outbound direction of an interface, as a best practice, do not configure the source IP and destination IP encapsulated for mirrored packets on multiple cards.
When a QoS policy is applied to the outbound direction of an aggregation group, the flow mirroring action cannot be applied. A QoS policy can be applied to the outbound direction of Layer 2 aggregate interfaces, Layer 3 aggregate interfaces, and Layer 3 aggregate subinterfaces. A QoS policy can be applied to the outbound direction of up to 31 aggregate interfaces.
As a best practice to modify a QoS policy that is configured with more than two actions of flow-mirroring traffic to interfaces, first remove the application of the policy, modify the policy, and then re-apply it.
Flow mirroring configuration task list
|
Tasks at a glance |
|
(Required.) Configuring match criteria |
|
(Required.) Configuring a traffic behavior |
|
(Required.) Configuring a QoS policy |
|
(Required.) Applying a QoS policy: · Applying a QoS policy to an interface · Applying a QoS policy to a VLAN |
Configuring match criteria
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a class and enter class view. |
traffic classifier tcl-name [ operator { and | or } ] |
By default, no traffic class exists. |
|
3. Configure match criteria. |
if-match match-criteria |
By default, no match criterion is configured in a traffic class. |
Configuring a traffic behavior
Restrictions and guidelines
Only flow mirroring ERSPAN supports the sampler and truncation keywords, and the sampler referenced cannot use the fixed sampling mode. In QoS policies applied to an interface, the samplers referenced in traffic behaviors (if any) must be the same.
When a QoS policy is applied to the outbound direction for flow mirroring ERSPAN, you cannot specify the sampler parameter.
On the SH series interface modules, when a QoS policy is applied to the outbound direction for flow mirroring ERSPAN, you cannot specify the vxlan parameter.
Configuration procedure
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a traffic behavior and enter traffic behavior view. |
traffic behavior behavior-name |
By default, no traffic behavior exists. |
|
3. Configure a mirroring action for the traffic behavior. |
Mirror traffic to an interface: · Syntax I: · Syntax II: · Syntax III: Mirror traffic to the CPU: Mirror traffic to the INT processor: |
Choose one of the tasks. By default, no mirroring action is configured for a traffic behavior. When you use syntax I or syntax II to configure flow-mirroring traffic to interfaces, only the SH cards support specifying the vxlan vxlan-id [ destination-port destination-port-value | source-port source-port-value ] * parameter. If you specify the destination-ipv6 destination-ipv6-address source-ipv6 source-ipv6-address parameter, for this parameter to take effect, you must specify the vxlan vxlan-id [ destination-port destination-port-value | source-port source-port-value ] * parameter. When you specify the vxlan parameter, you must also set the destination-port destination-port-value parameter to the default value 4789 for the VXLAN encapsulation to take effect. This rule applies only on the SH series interface modules. When the outgoing interface corresponding to the destination IP encapsulated for mirrored packets is a Layer 3 Ethernet subinterface, the VLAN to which the Layer 3 Ethernet subinterface belongs must be the same as the VLAN of mirrored packets. |
|
4. (Optional.) Display traffic behavior configuration. |
display traffic behavior |
Available in any view. |
Configuring a QoS policy
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Create a QoS policy and enter QoS policy view. |
qos [ mirroring ] policy policy-name |
By default, no QoS policy exists. |
|
3. Associate a class with a traffic behavior in the QoS policy. |
classifier tcl-name behavior behavior-name |
By default, no traffic behavior is associated with a class. |
|
4. (Optional.) Display QoS policy configuration. |
display qos policy |
Available in any view. |
Applying a QoS policy
Applying a QoS policy to an interface
By applying a QoS policy to an interface, you can mirror the traffic in the specified direction of the interface. A policy can be applied to multiple interfaces. In one direction (inbound or outbound) of an interface, only one policy can be applied.
A QoS policy can be applied only to the outbound direction, and the QoS policy cannot be configured with both a flow-mirroring action and other actions.
To apply a QoS policy to an interface:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Enter interface view. |
interface interface-type interface-number |
|
3. Apply a policy to the interface. |
qos apply [ mirroring ] policy policy-name { inbound | outbound } |
Applying a QoS policy to a VLAN
You can apply a QoS policy to a VLAN to mirror the traffic in the specified direction on all ports in the VLAN.
A QoS policy cannot be applied to the outbound direction of a VLAN.
To apply the QoS policy to a VLAN:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Apply a QoS policy to a VLAN. |
qos vlan-policy policy-name vlan vlan-id-list inbound |
Applying a QoS policy globally
You can apply a QoS policy globally to mirror the traffic in the specified direction on all ports.
A QoS policy cannot be applied to the outbound direction globally.
To apply a QoS policy globally:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Apply a QoS policy globally. |
qos apply [ mirroring ] policy policy-name global inbound |
Applying a QoS policy to the control plane
You can apply a QoS policy to the control plane to mirror the traffic in the specified direction of all ports on the control plane.
A QoS policy for flow mirroring ERSPAN cannot be applied to the outbound direction.
To apply a QoS policy to the control plane:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Enter control plane view. |
· In standalone mode: · In IRF mode: |
|
3. Apply a QoS policy to the control plane. |
qos apply policy policy-name inbound |
Flow mirroring configuration example
Network requirements
As shown in Figure 13, configure flow mirroring so that the server can monitor the following traffic:
· All traffic that the Technical department sends to access the Internet.
· IP traffic that the Technical department sends to the Marketing department during working hours (8:00 to 18:00) on weekdays.
Configuration procedure
# Create working hour range work, in which working hours are from 8:00 to 18:00 on weekdays.
<DeviceA> system-view
[DeviceA] time-range work 8:00 to 18:00 working-day
# Create ACL 3000 to allow packets from the Technical department to access the Internet and to the Marketing department during working hours.
[Device-acl-ipv4-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work
[Device-acl-ipv4-adv-3000] quit
# Create traffic class tech_c, and configure the match criterion as ACL 3000.
[DeviceA] traffic classifier tech_c
[DeviceA-classifier-tech_c] if-match acl 3000
[DeviceA-classifier-tech_c] quit
# Create traffic behavior tech_b, configure the action of mirroring traffic to port GigabitEthernet 1/0/3.
[DeviceA] traffic behavior tech_b
[DeviceA-behavior-tech_b] mirror-to interface gigabitethernet 1/0/3
[DeviceA-behavior-tech_b] quit
# Create QoS policy tech_p, and associate traffic class tech_c with traffic behavior tech_b in the QoS policy.
[DeviceA] qos policy tech_p
[DeviceA-qospolicy-tech_p] classifier tech_c behavior tech_b
[DeviceA-qospolicy-tech_p] quit
# Apply QoS policy tech_p to the incoming packets of GigabitEthernet 1/0/4.
[DeviceA] interface gigabitethernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] qos apply policy tech_p inbound
[DeviceA-GigabitEthernet1/0/4] quit
Verifying the configuration
# Verify that the server can monitor the following traffic:
· All traffic sent by the Technical department to access the Internet.
· IP traffic that the Technical department sends to the Marketing department during working hours on weekdays.
(Details not shown.)
