port mirroring configuration examples (1)

8/11/2019 Port Mirroring Configuration Examples (1)

1/16

Port Mirroring Configuration Examples

Hangzhou H3C Technologies Co., Ltd. 1/16


Keyword: mirroring group, monitor port, mirroring port, remote-probe VLAN

Abstract: Port mirroring is mainly used to monitor and analyze packets on a port or ports. This

document introduces some typical port mirroring applications.

Acronyms:

Acronym Full spelling

IDS Intrusion Detection System

VLAN Virtual Local Area Network


2/16



Table of Contents

1 Feature Overview ...........................................................................................................................3

2 Application Scenarios.....................................................................................................................3

3 Configuration Guidelines................................................................................................................3

4 Example of Port Mirroring with Multiple Monitor Ports ...................................................................5

4.1 Network Requirements ........................................................................................................5

4.2 Configuration Considerations ..............................................................................................5

4.3 Software Version Used........................................................................................................5

4.4 Configuration Procedures....................................................................................................6

4.4.1 Configuration on Device A ........................................................................................6

4.4.2 Verification.................................................................................................................8

5 Example of Port Mirroring with Multiple Source Devices ...............................................................8

5.1 Network Requirements ........................................................................................................8

5.2 Configuration Considerations ..............................................................................................9

5.3 Software Version Used........................................................................................................9

5.4 Configuration Procedures....................................................................................................9

5.4.1 Configuration on Device A ......................................................................................10

5.4.2 Configuration on Device B ......................................................................................11

5.4.3 Configuration on Device C......................................................................................13

5.4.4 Verification...............................................................................................................15

6 References...................................................................................................................................16


3/16



1 Feature Overview

Port mirroring is to copy the packets passing through a port (called a mirroring port) toanother port (called the monitor port) connected with a monitoring device for packet

analysis.

Port mirroring can be local or remote. In local port mirroring, the mirroring port or

ports and the monitor port are located on the same device. In remote port mirroring,

the mirroring port or ports and the monitor port can be located on different devices,

and between them there may be multiple network devices.

Port mirroring is implemented through port mirroring groups. A port mirroring group

may include the mirroring port(s), monitor port, reflector port, and remote probe VLAN.

For detailed description, refer to Port Mirroring Configurationin theAccess Volume.

2 Application Scenarios

Network traffic monitoring is needed for packet analysis or IDS deployment (as well

as for a network analyzer). However, monitoring all the traffic in a large switching

network is difficult, so that you can configure port mirroring to copy the traffic of a portor ports to a specific port for network traffic monitoring.

3 Configuration Guidelines

During configuration, note the following:

Status of mirroring groups. Port mirroring can take effect only when the

mirroring groups are in the active state. You can know whether a mirroring

group is active by viewing the mirroring group information. A mirroring group is

in the active state if it has the required smallest complete configuration and the

ports used in the smallest configuration are valid ports. The required smallest

complete configuration is different for different mirroring group types. For

example, for a local mirroring group, the smallest complete configuration is that

the group has at least one mirroring port and one monitor port; for a remote

source mirroring group that needs a reflector port, the smallest complete

configuration is that the group has at least one mirroring port, a remote probe

VLAN, and a reflector port; for a remote source mirroring group that needs no


4/16



reflector port, the smallest complete configuration is that the group has at least

a mirroring port and a remote probe VLAN.

Validity of mirroring ports.At present, the validity mainly refers to the Combo

port validity, for Combo ports may be disabled. If the port in the smallest

complete configuration is a disabled Combo port, the mirroring group will be

inactive. If you enable the Combo port, the mirroring group will automatically

turn active. Likewise, if you disable the Combo port in the active mirroring group,

the group will become inactive.

Remote probe VLAN extension. Packets with an unknown destination MAC

address will be broadcasted within a VLAN. Therefore, port mirroring with

multiple monitor ports can be achieved on a device where MAC address

learning is disabled on the remote probe VLAN of the device. That is, you do

not need to configure a monitor port in a remote mirroring group, because any

port in the remote probe VLAN on a device configured with a remote port

mirroring group can act as a monitor port.

Inbound traffic and MAC address learning of a monitor port. If a monitor

port of port mirroring has no restriction on the inbound traffic and the MAC

address learning, improper configuration in certain circumstances may result in

network anomaly. For example, if the monitor port is connected with an

intelligent security device (IDS for example), it is necessary to disable the

monitor port from receiving traffic from the intelligent security device, because

the intelligent security device may send a control message (TCP reset packet

for example) to terminate suspicious traffic, which may result in an unexpected

result. Another example, if the monitor port is connected with a relay device (a

Layer 2 switch for example), in the case that a loop occurs on the relay device,

the traffic copied to the monitor port may return back along its original path, and

therefore the monitor port will learn the MAC address again, resulting in network

anomaly.


5/16



4 Example of Port Mirroring with Multiple MonitorPorts

4.1 Network Requirements

Two monitoring devices are present. One is a data analyzer, and the other is an IDS

device. You want to analyze Internet traffic and at the same time detect Internet

intrusion on Device A. The network diagram is as shown in Figure 1 .

Device A

Analyzer

IDS

InternetGE1/0/25

GE1/0/27

GE1/0/28

Figure 1 Network diagram for port mirroring with multiple monitor ports

4.2 Configuration Considerations

Because each mirroring group can be configured with only one monitor port and the

mirroring port can belong to only one mirroring group, you can implement traffic

mirroring to multiple monitor ports through the remote probe VLAN.

Configure a remote source mirroring group and make sure the group is in the

active state.

Add multiple monitor ports to the remote probe VLAN.

4.3 Software Version Used

This example is configured and verified on S5510 series Ethernet switches running


6/16



COMWAREV500R002B41D001.

4.4 Configuration Procedures

Note:

The following configuration was created from the devices in a specific lab

environment. All of the devices used in this document started with a default

configuration. If you have configured your device, make sure the existing

configuration does not conflict with the following configuration.

This document is not restricted to specific software and hardware versions.

4.4.1 Configuration on Device A

I. Configuration steps

1) Configure the remote source mirroring group

# Create remote source mirroring group 1.

system-view

[DeviceA] mirroring-group 1 remote-source

# Create VLAN 2.

[DeviceA] vlan 2

[DeviceA-vlan2] quit

# Configure GigabitEthernet 1/0/25 as the mirroring port, GigabitEthernet 1/0/26 as

the reflector port, and VLAN 2 as the remote-probe VLAN in the remote source

mirroring group.

[DeviceA] mirroring-group 1 remote-probe vlan 2

[DeviceA] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound

[DeviceA] mirroring-group 1 reflector-port GigabitEthernet 1/0/26

2) Add monitor ports to the remote probe VLAN

# Enter the view of the interface connected with the analyzer.

[DeviceA] interface GigabitEthernet 1/0/27

# Add port GigabitEthernet 1/0/27 to the remote probe VLAN.

[DeviceA-GigabitEthernet1/0/27] port access vlan 2


7/16



# Enter the view of the interface connected with the IDS.

[DeviceA-GigabitEthernet1/0/27] interface GigabitEthernet 1/0/28

# Add port GigabitEthernet 1/0/28 to the remote probe VLAN.

[DeviceA-GigabitEthernet1/0/28] port access vlan 2

II. Configuration file

display current-configuration

#

version 5.20, Test 5310

#

sysname DeviceA

#

domain default enable system

#

telnet server enable

#

mirroring-group 1 remote-source

mirroring-group 1 remote-probe vlan 2

#

vlan 1

#

vlan 2

#

domain system

access-limit disable

state active

idle-cut disable

self-service-url disable

#

interface GigabitEthernet1/0/25

mirroring-group 1 mirroring-port inbound

#


mirroring-group 1 reflector-port

#


port access vlan 2

#


port access vlan 2

#


8/16



load xml-configuration

#

user-interface aux 0

idle-timeout 0 0user-interface vty 0 4

#

return

#

4.4.2 Verification

You can see the traffic coming from the Internet on both the analyzer and the IDS,

that is, the port mirroring function has taken effect. At this time, you can analyze

Internet traffic and detect Internet intrusion simultaneously.

5 Example of Port Mirroring with Multiple SourceDevices

5.1 Network Requirements

You have only one analyzer, but you want to monitor traffic coming from the Internet

and the LAN at the same time on the analyzer. Device A is connected to Internet,

Device B is connected to LAN, and Device C is connected with Analyzer. The

network diagram is as shown in Figure 2 .

Device A

Analyzer

InternetGE1/0/25

GE1/0/27

Device B

LANGE1/0/25

Device C

GE1/0/27

GE1/0/25

GE1/0/26

GE1/0/27

Figure 2 Network diagram for port mirroring with multiple source devices


9/16



5.2 Configuration Considerations

Because the mirroring is across devices, you must configure remote port mirroring.

Configure different remote probe VLANs for Device A and Device B to isolate the

traffic of Device A from that of Device B.

Configure a remote source mirroring group on Device A and Device B

respectively, and make sure the groups are in the active state.

On Device A, configure the port connected with Device C, allowing only the

remote probe VLAN of Device A.

On Device B, configure the port connected with Device C, allowing only the

remote probe VLAN of Device B.

On Device C, create the remote probe VLANs of Device A and Device B.

On Device C, configure the port connected with Device A, allowing only the

remote probe VLAN of Device A.

On Device C, configure the port connected with Device B, allowing only the

remote probe VLAN of Device B.

On Device C, configure the port connected with the analyzer, allowing only the

remote probe VLANs of Device A and Device B.

5.3 Software Version Used

This example is configured and verified on S5510 series Ethernet switches running

COMWAREV500R002B41D001.

5.4 Configuration Procedures

Note:

The following configuration was created from the devices in a specific lab

environment. All of the devices used in this document started with a default

configuration. If you have configured your device, make sure the existing

configuration does not conflict with the following configuration.

This document is not restricted to specific software and hardware versions.


10/16



5.4.1 Configuration on Device A




system-view

[DeviceA] mirroring-group 1 remote-source

# Create VLAN 2.

[DeviceA] vlan 2

[DeviceA-vlan2] quit



mirroring group.

[DeviceA] mirroring-group 1 remote-probe vlan 2

[DeviceA] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound

[DeviceA] mirroring-group 1 reflector-port GigabitEthernet 1/0/26

2) Configure the port connected with Device C.

# Enter GigabitEthernet 1/0/27 view.

[DeviceA] interface GigabitEthernet 1/0/27

# Configure GigabitEthernet 1/0/27 as a trunk port.

[DeviceA-GigabitEthernet1/0/27] port link-type trunk

# Configure GigabitEthernet 1/0/27 to permit the remote probe VLAN.

[DeviceA-GigabitEthernet1/0/27] port trunk permit vlan 2

# Configure GigabitEthernet 1/0/27 to deny the default VLAN.

[DeviceA-GigabitEthernet1/0/27] undo port trunk permit vlan 1



#


#

sysname DeviceA

#


#



11/16



#



#vlan 1

#

vlan 2

#

domain system


state active

idle-cut disable


#



#



#


port link-type trunk

undo port trunk permit vlan 1port trunk permit vlan 2

#


#


idle-timeout 0 0

user-interface vty 0 4

#

return

#

5.4.2 Configuration on Device B




system-view

[DeviceB] mirroring-group 1 remote-source


12/16



# Create VLAN 3.

[DeviceB] vlan 3

[DeviceB-vlan2] quit



mirroring group.

[DeviceB] mirroring-group 1 remote-probe vlan 3

[DeviceB] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound

[DeviceB] mirroring-group 1 reflector-port GigabitEthernet 1/0/26

2) Configure the port connected with Device C.

# Enter GigabitEthernet 1/0/27 view.[DeviceB] interface GigabitEthernet 1/0/27

# Configure GigabitEthernet 1/0/27 as a trunk port.

[DeviceB-GigabitEthernet1/0/27] port link-type trunk

# Configure GigabitEthernet 1/0/27 to permit the remote probe VLAN.

[DeviceB-GigabitEthernet1/0/27] port trunk permit vlan 3


[DeviceB-GigabitEthernet1/0/27] undo port trunk permit vlan 1



#


#

sysname DeviceB

#


#


#



#

vlan 1

#

vlan 3

#


13/16



domain system


state active

idle-cut disableself-service-url disable

#



#



#



undo port trunk permit vlan 1

port trunk permit vlan 3

#


#


idle-timeout 0 0


#return

#

5.4.3 Configuration on Device C


1) Configure the remote-probe VLANs of Device A and Device B

# Create VLAN 2 and VLAN 3.

system-view

[DeviceC] vlan 2

[DeviceC-vlan2] quit

[DeviceC] vlan 3

[DeviceC-vlan3] quit

2) Configure the port connected with Device A.


[DeviceC] interface GigabitEthernet 1/0/25

# Configure port GigabitEthernet 1/0/25 as a trunk port.


14/16



[DeviceC-GigabitEthernet1/0/25] port link-type trunk

# Configure GigabitEthernet 1/0/25 to permit VLAN 2.

[DeviceC-GigabitEthernet1/0/25] port trunk permit vlan 2


[DeviceC-GigabitEthernet1/0/25] undo port trunk permit vlan 1

3) Configure the port connected with Device B.





# Configure GigabitEthernet 1/0/26 to permit VLAN 3.

[DeviceC-GigabitEthernet1/0/26] port trunk permit vlan 3



4) Configure the port connected with the analyzer.





# Configure GigabitEthernet 1/0/27 to permit VLAN 2 and VLAN 3.

[DeviceC-GigabitEthernet1/0/27] port trunk permit vlan 2 to 3





#


#

sysname DeviceC

#


#



15/16



#

vlan 1

#

vlan 2 to 3#

domain system


state active

idle-cut disable


#





#





#


port link-type trunkundo port trunk permit vlan 1

port trunk permit vlan 2 to 3

#


#


idle-timeout 0 0


#

return

#

5.4.4 Verification

You can see the traffic coming from both the Internet and the LAN on the analyzer,

that is, the port mirroring function has taken effect.


16/16



6 References

Port Mirroring Configurationin theAccess Volume.

Port Mirroring Commandsin theAccess Volume.

Copyright 2007-2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of

Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.

port mirroring configuration examples (1)

Documents