- H3C S3610[5510] Series Ethernet Switches Operation Manual-Release 0001-(V1.02)
Table of Contents
Chapter 1 Port Mirroring Configuration
1.1 Introduction to Port Mirroring
1.1.1 Classification of Port Mirroring
1.1.2 Implementing Port Mirroring
1.2 Configuring Local Port Mirroring
1.3 Configuring Remote Port Mirroring
1.3.1 Configuring Remote Source Mirroring Group
1.3.2 Configuring Remote Destination Mirroring Group
1.5 Examples of Typical Port Mirroring Configuration
1.5.1 Example of Configuring Local Port Mirroring
1.5.2 Example of Configuring Remote Port Mirroring
Chapter 1 Port Mirroring Configuration
1.1 Introduction to Port Mirroring
1.1.1 Classification of Port Mirroring
There are two kinds of port mirroring: local port mirroring and remote port mirroring.
- Local port mirroring copies packets at one or more ports (source ports) of a device to a destination port for analysis and monitoring. In this case, the source ports and the destination port are located on the same device.
- Remote port mirroring implements port mirroring between multiple devices. That is, the source ports and the destination ports can be located on different devices in a network. Currently, remote port mirroring can only be implemented on Layer 2.
1.1.2 Implementing Port Mirroring
Port mirroring is implemented through port mirroring groups, which fall into these three categories: local port mirroring group, remote source port mirroring group, and remote destination port mirroring group.
Port mirroring can be implemented as follows:
- Local port mirroring is implemented by local port mirroring groups. The source and destination ports are on the same device. In this case, packets passing through the source ports are duplicated and then forwarded to the monitor ports.
- Remote port mirroring is implemented by remote source port mirroring groups and remote destination port mirroring groups. The source and destination ports are on different devices. In this case, packets passing through the source ports are broadcast in the remote mirroring VLAN through the reflector port. A remote device that receives these packets forwards those whose VLAN ID matches the remote mirroring VLAN ID of its remote destination port mirroring group to the destination port of that group.
A mirroring group also supports monitoring multiple source ports through one destination port.
Note:
- With the S3610&S5510 series, you can configure either one local mirroring group or one remote source mirroring group, but not both, at a time.
- If the destination port of traffic mirroring and that of the local port mirroring group are different, you cannot configure traffic mirroring and local port mirroring at the same time. For traffic mirroring configuration, see the related parts in the QoS module.
1.2 Configuring Local Port Mirroring
Follow these steps to configure local port mirroring:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create local mirroring group | mirroring-group group-id local | Required |
| Configure source port for the mirroring group: configure source port in system view | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | One of them is required. You can configure multiple source ports at the same time in system view, or configure a source port in a specific interface view. |
| Configure source port for the mirroring group: configure source port in interface view | interface interface-type interface-number | |
| | [ mirroring-group group-id ] mirroring-port { both \| inbound \| outbound } | |
| | quit | |
| Configure destination port for the mirroring group: configure destination port in system view | mirroring-group group-id monitor-port monitor-port-id | One of them is required. The two ways of configuration are the same. |
| Configure destination port for the mirroring group: configure destination port in interface view | interface interface-type interface-number | |
| | [ mirroring-group group-id ] monitor-port | |
Note:
- A local mirroring group is effective only when it has both a source port and the destination port.
- You must create a mirroring group before you can specify it.
- Enabling STP, RSTP or MSTP on the destination port is not recommended; otherwise the device’s normal functions will be affected. And vice versa.
- An aggregation port cannot be specified as a destination port.
- A source port or a destination port cannot be a member port of the current mirroring group.
- You can configure multiple source ports for a mirroring group, but only one destination port.
1.3 Configuring Remote Port Mirroring
To implement remote port mirroring, you need to define a special VLAN, called remote-probe VLAN, on a switch. All mirrored packets will be transferred from the source switch to the destination port of the destination switch through this VLAN. Thus, the destination switch can monitor the port packets sent from the ports of the source switch. Remote-probe VLAN requires that:
- All ports connecting the devices in the remote-probe VLAN are configured as trunk ports.
- Configuring the default VLAN as the remote-probe VLAN is not recommended.
- Layer 2 interoperability must be ensured by configuration between the source and destination switches over the remote-probe VLAN.
The application of remote port mirroring is illustrated in the following figure:
Figure 1-1 remote port mirroring application
Three types of switches take part in remote port mirroring:
- Source switch: The switch on which the monitored port resides. Through Layer 2 forwarding, it sends the traffic to be mirrored to an intermediate switch or the destination switch over the remote-probe VLAN.
- Intermediate switch: A switch between the source switch and the destination switch on the network. An intermediate switch forwards mirrored traffic flows to the next intermediate switch or to the destination switch. If the source and destination switches are directly connected, no intermediate switch is present.
- Destination switch: The switch on which the remote mirroring destination port resides. It forwards the mirrored traffic flows it receives from the remote-probe VLAN to the monitoring device through the destination port.
Note:
When the switch serves as the intermediate switch or destination switch of remote mirroring, enabling redirection on the inbound port is recommended to ensure that mirroring works normally: redirect all the packets in the remote-probe VLAN to the corresponding outbound port (on the intermediate switch) or to the destination port of the mirroring (on the destination switch). If you mirror packets in both the inbound and outbound directions (with the both keyword), make sure you enable redirection on the inbound port. This is because the inbound port learns both the source and destination MAC addresses of the packets; if the inbound and outbound ports for the packets are the same, the packets will be discarded. For redirection configuration, see the related parts in the QoS module.
1.3.1 Configuring Remote Source Mirroring Group
Follow these steps to configure a remote source mirroring group:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create remote source mirroring group | mirroring-group group-id remote-source | Required |
| Configure source port for the mirroring group: configure source port in system view | mirroring-group group-id mirroring-port mirroring-port-list { both \| inbound \| outbound } | One of them is required. You can configure multiple source ports at the same time in system view, or configure a source port in a specific interface view. |
| Configure source port for the mirroring group: configure source port in interface view | interface interface-type interface-number | |
| | [ mirroring-group group-id ] mirroring-port { both \| inbound \| outbound } | |
| | quit | |
| Configure reflector port for the mirroring group: configure reflector port in system view | mirroring-group group-id reflector-port reflector-port-id | One of them is required. The two ways of configuration are the same. |
| Configure reflector port for the mirroring group: configure reflector port in interface view | interface interface-type interface-number | |
| | mirroring-group group-id reflector-port | |
| | quit | |
| Configure remote mirroring VLAN for mirroring group | mirroring-group group-id remote-probe vlan rprobe-vlan-id | Required |
Note:
- All the ports of a remote source mirroring group belong to a single device.
- A reflector port cannot be a member port of the current mirroring group or an aggregation port. It is required to be an access port and belong to the default VLAN.
- A port can be configured as a reflector port only when the following settings are at their defaults: operation mode (half duplex/full duplex), port speed, and MDI setting. Conversely, these settings cannot be modified once a port is configured as a reflector port.
- Adding a source port to the remote mirroring VLAN is not recommended; otherwise the device's performance will be affected.
- Connecting a network cable to the reflector port, or configuring the following functions on this port, is not recommended: STP, RSTP, MSTP, 802.1x, IGMP Snooping, QinQ, port loopback, business loopback, static ARP and MAC address learning. Otherwise the device’s normal function will be affected.
- You can configure only one reflector port for a remote source mirroring group.
- You need to create a static VLAN before you can configure it as the remote mirroring VLAN. A VLAN cannot be deleted directly if it is configured as a remote mirroring VLAN. To delete it, you must first delete the remote mirroring VLAN configuration. After the group takes effect, if you delete the VLAN, you will also disable the group.
- A port can be configured in only one mirroring group, and a VLAN can be used by only one mirroring group.
1.3.2 Configuring Remote Destination Mirroring Group
Follow these steps to configure a remote destination mirroring group:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a remote destination mirroring group | mirroring-group group-id remote-destination | Required |
| Configure remote mirroring VLAN for the mirroring group | mirroring-group group-id remote-probe vlan rprobe-vlan-id | Required |
| Configure destination port for the mirroring group: configure destination port in system view | mirroring-group group-id monitor-port monitor-port-id | One of them is required. The two ways of configuration are the same. |
| Configure destination port for the mirroring group: configure destination port in interface view | interface interface-type interface-number | |
| | [ mirroring-group group-id ] monitor-port | |
| | quit | |
| Enter destination interface view | interface interface-type interface-number | — |
| Add destination port to remote mirroring VLAN: the destination port is an access port | port access vlan rprobe-vlan-id | One of them is required. |
| Add destination port to remote mirroring VLAN: the destination port is a trunk port | port trunk permit vlan rprobe-vlan-id | |
| Add destination port to remote mirroring VLAN: the destination port is a hybrid port | port hybrid vlan rprobe-vlan-id { tagged \| untagged } | |
Note:
- A destination port cannot be a member port of the current mirroring group.
- A port can be configured in only one mirroring group, and a VLAN can be used by only one mirroring group.
- Enabling STP, RSTP or MSTP on the destination port is not recommended; otherwise the device’s normal functions will be affected. And vice versa.
- You need to create a static VLAN before you can configure it as the remote mirroring VLAN. A VLAN cannot be deleted directly if it is configured as a remote mirroring VLAN. To delete it, you must first delete the remote mirroring VLAN configuration. After the group takes effect, if you delete the VLAN, you will also disable the group.
1.4 Displaying Port Mirroring
Follow these steps to display port mirroring:
| To do… | Use the command… | Remarks |
|---|---|---|
| Display the configuration information of port mirroring group | display mirroring-group { group-id \| all \| local \| remote-destination \| remote-source } | Available in any view |
1.5 Examples of Typical Port Mirroring Configuration
1.5.1 Example of Configuring Local Port Mirroring
I. Network requirements
The user’s network is described as follows:
- Department 1 is connected to Switch C through port Ethernet1/0/1.
- Department 2 is connected to Switch C through port Ethernet1/0/2.
- The data detect device is connected to Switch C through port Ethernet1/0/3.
The requirement is to monitor the packets of Department 1 and Department 2 through the Server.
To meet this requirement using local port mirroring, configure Switch C as follows:
- Configure Ethernet1/0/1 and Ethernet1/0/2 as the source ports.
- Configure Ethernet1/0/3, the port connected to the Server, as the destination port.
II. Network diagram
Figure 1-2 Configuring Local Port Mirroring Network Diagram
III. Configuration procedure
1) Configure Switch C:
# Create local mirroring group
<Sysname> system-view
[Sysname] mirroring-group 1 local
# Configure mirroring and destination ports for local mirroring group.
[Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 both
[Sysname] mirroring-group 1 monitor-port Ethernet 1/0/3
# Display configuration information of all mirroring groups.
[Sysname] display mirroring-group all
mirroring-group 1:
type: local
status: active
mirroring port:
Ethernet1/0/1 both
Ethernet1/0/2 both
monitor port: Ethernet1/0/3
After finishing the configuration, the user can monitor all the packets received and sent by Department 1 and Department 2 on the Server.
1.5.2 Example of Configuring Remote Port Mirroring
I. Network requirements
The user’s network is described as follows:
- Department 1 is connected to Switch A through port Ethernet1/0/1.
- Department 2 is connected to Switch A through port Ethernet1/0/2.
- Trunk port Ethernet1/0/3 of Switch A and trunk port Ethernet1/0/1 of Switch B are connected together.
- Trunk port Ethernet1/0/2 of Switch B and trunk port Ethernet1/0/1 of Switch C are connected together.
- The data detect device is connected to Switch C through Ethernet1/0/2.
The requirement is to monitor the packets of Department 1 and Department 2 through the Server.
To meet this requirement using remote port mirroring, configure the switches as follows:
- On Switch A, configure a remote source mirroring group and define VLAN2 as the remote mirroring VLAN, Ethernet1/0/1 and Ethernet1/0/2 as source ports, and Ethernet1/0/4 as the reflector port.
- Configure Ethernet1/0/3 of Switch A, Ethernet1/0/1 and Ethernet1/0/2 of Switch B, and Ethernet1/0/1 of Switch C as trunk ports which allow packets of VLAN2 to pass.
- On Switch C, configure a remote destination mirroring group and define VLAN2 as the remote mirroring VLAN and Ethernet1/0/2 as the destination port.
II. Network diagram
Figure 1-3 Configuring Remote Port Mirroring Network Diagram
III. Configuration procedure
1) Configure Switch A:
# Create remote source mirroring group.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-source
# Create VLAN2.
[Sysname] vlan 2
[Sysname-vlan2] quit
# Configure remote mirroring VLAN, source port and reflector port for remote mirroring group.
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 inbound
[Sysname] mirroring-group 1 reflector-port Ethernet 1/0/4
# Configure trunk port Ethernet1/0/3 to allow VLAN2 packets to pass.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] port link-type trunk
[Sysname-Ethernet1/0/3] port trunk permit vlan 2
2) Configure Switch B:
# Configure Trunk port Ethernet1/0/1 to allow VLAN2 packets to pass.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk permit vlan 2
[Sysname-Ethernet1/0/1] quit
# Configure trunk port Ethernet1/0/2 to allow VLAN2 packets to pass.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] port link-type trunk
[Sysname-Ethernet1/0/2] port trunk permit vlan 2
Note:
Enabling redirection on Ethernet 1/0/1 to redirect all the packets in the remote-probe VLAN to Ethernet 1/0/2 is recommended. For redirection configuration, see the related parts in the QoS module.
3) Configure Switch C:
# Configure Trunk port Ethernet1/0/1 to allow VLAN2 packets to pass.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk permit vlan 2
[Sysname-Ethernet1/0/1] quit
# Create remote destination mirroring group.
[Sysname] mirroring-group 1 remote-destination
# Create VLAN2.
[Sysname] vlan 2
[Sysname-vlan2] quit
# Configure remote mirroring VLAN and destination port for the remote destination mirroring group.
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 monitor-port Ethernet 1/0/2
After finishing the configuration, the user can monitor all the packets sent by Department 1 and Department 2 on the Server.
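The constraints stated in the notes of sections 1.1.2, 1.2 and 1.3 can be checked offline, either before a configuration is applied or when reviewing a saved configuration to see which ports are being mirrored and where the copies go. The Python script below is an added example, not part of the H3C manual. It parses only the system-view command forms shown above; its function names, finding texts and the assumption that the default VLAN is VLAN 1 are its own.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the Switch A commands from section 1.5.2 of the manual.
SWITCH_A = """\
[Sysname] mirroring-group 1 remote-source
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 inbound
[Sysname] mirroring-group 1 reflector-port Ethernet 1/0/4
"""
# Constructed faulty variant: a local group beside the remote-source group that
# reuses the reflector port as a source port and has no destination port.
BROKEN = SWITCH_A + ("[Sysname] mirroring-group 2 local\n"
                     "[Sysname] mirroring-group 2 mirroring-port Ethernet 1/0/4 both\n")

REQUIRED = {"local": ("mirroring-port", "monitor-port"),
            "remote-source": ("mirroring-port", "reflector-port", "remote-probe"),
            "remote-destination": ("monitor-port", "remote-probe")}
PORT_KW = ("mirroring-port", "monitor-port", "reflector-port")
DEFAULT_VLAN = 1  # assumption: the default VLAN is still VLAN 1

def parse(config):
    """Map group id -> {'type': str, keyword: [ports or VLAN ids]}; system-view forms only."""
    groups = defaultdict(lambda: defaultdict(list))
    for m in re.finditer(r"mirroring-group (\d+) (\S+)(.*)", config):
        gid, verb, rest = int(m[1]), m[2], m[3]
        if verb in REQUIRED:
            groups[gid]["type"] = verb
        elif verb == "remote-probe":
            groups[gid][verb] += [int(v) for v in re.findall(r"vlan (\d+)", rest)]
        elif verb in PORT_KW:  # normalise "Ethernet 1/0/1" to "Ethernet1/0/1"
            groups[gid][verb] += [n + p for n, p in re.findall(r"([A-Za-z]+) ?(\d+/\d+/\d+)", rest)]
    return groups

def audit(config):
    """Return a list of findings for the rules stated in the manual's notes."""
    groups, out, ports, vlans = parse(config), [], Counter(), Counter()
    types = [g.get("type") for g in groups.values()]
    if "local" in types and "remote-source" in types:
        out.append("local and remote-source groups configured at the same time")
    for gid, g in sorted(groups.items()):
        gtype = g.get("type")
        if gtype is None:
            out.append(f"group {gid}: used before it was created")
        out += [f"group {gid} ({gtype}): no {kw} configured"
                for kw in REQUIRED.get(gtype, ()) if not g.get(kw)]
        out += [f"group {gid}: more than one {kw}"
                for kw in PORT_KW[1:] if len(set(g.get(kw, []))) > 1]
        if DEFAULT_VLAN in g.get("remote-probe", []):
            out.append(f"group {gid}: default VLAN used as remote-probe VLAN")
        ports.update(p for kw in PORT_KW for p in set(g.get(kw, [])))
        vlans.update(set(g.get("remote-probe", [])))
    out += [f"{p}: used in more than one role or group" for p, n in sorted(ports.items()) if n > 1]
    out += [f"VLAN {v}: used by more than one group" for v, n in sorted(vlans.items()) if n > 1]
    return out
```

`audit(SWITCH_A)` returns an empty list, while `audit(BROKEN)` reports the local/remote-source conflict, the missing destination port of group 2, and the reuse of Ethernet1/0/4.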