Port Mirroring Configuration Examples

Port Mirroring Configuration Examples
Hangzhou H3C Technologies Co., Ltd. 1/16

Keyword: mirroring group, monitor port, mirroring port, remote-probe VLAN
Abstract: Port mirroring is mainly used to monitor and analyze packets on a port or ports. This
document introduces some typical port mirroring applications.
Acronyms:
Acronym Full spelling
IDS Intrusion Detection System
VLAN Virtual Local Area Network



Table of Contents
1 Feature Overview........................................................................................................................... 3
2 Application Scenarios..................................................................................................................... 3
3 Configuration Guidelines................................................................................................................ 3
4 Example of Port Mirroring with Multiple Monitor Ports ................................................................... 5
4.1 Network Requirements ........................................................................................................ 5
4.2 Configuration Considerations .............................................................................................. 5
4.3 Software Version Used........................................................................................................ 5
4.4 Configuration Procedures.................................................................................................... 6
4.4.1 Configuration on Device A ........................................................................................ 6
4.4.2 Verification................................................................................................................. 8
5 Example of Port Mirroring with Multiple Source Devices ............................................................... 8
5.1 Network Requirements ........................................................................................................ 8
5.2 Configuration Considerations .............................................................................................. 9
5.3 Software Version Used........................................................................................................ 9
5.4 Configuration Procedures.................................................................................................... 9
5.4.1 Configuration on Device A ...................................................................................... 10
5.4.2 Configuration on Device B ...................................................................................... 11
5.4.3 Configuration on Device C...................................................................................... 13
5.4.4 Verification............................................................................................................... 15
6 References ................................................................................................................................... 16



1 Feature Overview
Port mirroring is to copy the packets passing through a port (called a mirroring port) to
another port (called the monitor port) connected with a monitoring device for packet
analysis.
Port mirroring can be local or remote. In local port mirroring, the mirroring port or
ports and the monitor port are located on the same device. In remote port mirroring,
the mirroring port or ports and the monitor port can be located on different devices,
and between them there may be multiple network devices.
Port mirroring is implemented through port mirroring groups. A port mirroring group
may include the mirroring port(s), monitor port, reflector port, and remote probe VLAN.
For detailed description, refer to Port Mirroring Configuration in the Access Volume.
2 Application Scenarios
Network traffic monitoring is needed for packet analysis or IDS deployment (as well
as for a network analyzer). However, monitoring all the traffic in a large switching
network is difficult, so that you can configure port mirroring to copy the traffic of a port
or ports to a specific port for network traffic monitoring.
3 Configuration Guidelines
During configuration, note the following:
Status of mirroring groups. Port mirroring can take effect only when the
mirroring groups are in the active state. You can know whether a mirroring
group is active by viewing the mirroring group information. A mirroring group is
in the active state if it has the required smallest complete configuration and the
ports used in the smallest configuration are valid ports. The required smallest
complete configuration is different for different mirroring group types. For
example, for a local mirroring group, the smallest complete configuration is that
the group has at least one mirroring port and one monitor port; for a remote
source mirroring group that needs a reflector port, the smallest complete
configuration is that the group has at least one mirroring port, a remote probe
VLAN, and a reflector port; for a remote source mirroring group that needs no



reflector port, the smallest complete configuration is that the group has at least
a mirroring port and a remote probe VLAN.
Validity of mirroring ports. At present, the validity mainly refers to the Combo
port validity, for Combo ports may be disabled. If the port in the smallest
complete configuration is a disabled Combo port, the mirroring group will be
inactive. If you enable the Combo port, the mirroring group will automatically
turn active. Likewise, if you disable the Combo port in the active mirroring group,
the group will become inactive.
Remote probe VLAN extension. Packets with an unknown destination MAC
address will be broadcasted within a VLAN. Therefore, port mirroring with
multiple monitor ports can be achieved on a device where MAC address
learning is disabled on the remote probe VLAN of the device. That is, you do
not need to configure a monitor port in a remote mirroring group, because any
port in the remote probe VLAN on a device configured with a remote port
mirroring group can act as a monitor port.
Inbound traffic and MAC address learning of a monitor port. If a monitor
port of port mirroring has no restriction on the inbound traffic and the MAC
address learning, improper configuration in certain circumstances may result in
network anomaly. For example, if the monitor port is connected with an
intelligent security device (IDS for example), it is necessary to disable the
monitor port from receiving traffic from the intelligent security device, because
the intelligent security device may send a control message (TCP reset packet
for example) to terminate suspicious traffic, which may result in an unexpected
result. Another example, if the monitor port is connected with a relay device (a
Layer 2 switch for example), in the case that a loop occurs on the relay device,
the traffic copied to the monitor port may return back along its original path, and
therefore the monitor port will learn the MAC address again, resulting in network
anomaly.



4 Example of Port Mirroring with Multiple Monitor
Ports
4.1 Network Requirements
Two monitoring devices are present. One is a data analyzer, and the other is an IDS
device. You want to analyze Internet traffic and at the same time detect Internet
intrusion on Device A. The network diagram is as shown in Figure 1 .
Device A
Analyzer
IDS
Internet
GE1/0/25
GE1/0/27
GE1/0/28

Figure 1 Network diagram for port mirroring with multiple monitor ports
4.2 Configuration Considerations
Because each mirroring group can be configured with only one monitor port and the
mirroring port can belong to only one mirroring group, you can implement traffic
mirroring to multiple monitor ports through the remote probe VLAN.
Configure a remote source mirroring group and make sure the group is in the
active state.
Add multiple monitor ports to the remote probe VLAN.
4.3 Software Version Used
This example is configured and verified on S5510 series Ethernet switches running



COMWAREV500R002B41D001.
4.4 Configuration Procedures

Note:
The following configuration was created from the devices in a specific lab
environment. All of the devices used in this document started with a default
configuration. If you have configured your device, make sure the existing
configuration does not conflict with the following configuration.
This document is not restricted to specific software and hardware versions.

4.4.1 Configuration on Device A
I. Configuration steps
1) Configure the remote source mirroring group
# Create remote source mirroring group 1.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
# Configure GigabitEthernet 1/0/25 as the mirroring port, GigabitEthernet 1/0/26 as
the reflector port, and VLAN 2 as the remote-probe VLAN in the remote source
mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound
[DeviceA] mirroring-group 1 reflector-port GigabitEthernet 1/0/26
2) Add monitor ports to the remote probe VLAN
# Enter the view of the interface connected with the analyzer.
[DeviceA] interface GigabitEthernet 1/0/27
# Add port GigabitEthernet 1/0/27 to the remote probe VLAN.
[DeviceA-GigabitEthernet1/0/27] port access vlan 2



# Enter the view of the interface connected with the IDS.
[DeviceA-GigabitEthernet1/0/27] interface GigabitEthernet 1/0/28
# Add port GigabitEthernet 1/0/28 to the remote probe VLAN.
[DeviceA-GigabitEthernet1/0/28] port access vlan 2
II. Configuration file
<DeviceA> display current-configuration
#
version 5.20, Test 5310
#
sysname DeviceA
#
domain default enable system
#
telnet server enable
#
mirroring-group 1 remote-source
mirroring-group 1 remote-probe vlan 2
#
vlan 1
#
vlan 2
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
interface GigabitEthernet1/0/25
mirroring-group 1 mirroring-port inbound
#
mirroring-group 1 reflector-port
#
port access vlan 2
#
port access vlan 2
#



load xml-configuration
#
user-interface aux 0
idle-timeout 0 0
user-interface vty 0 4
#
return
#
4.4.2 Verification
You can see the traffic coming from the Internet on both the analyzer and the IDS,
that is, the port mirroring function has taken effect. At this time, you can analyze
Internet traffic and detect Internet intrusion simultaneously.
5 Example of Port Mirroring with Multiple Source
Devices
5.1 Network Requirements
You have only one analyzer, but you want to monitor traffic coming from the Internet
and the LAN at the same time on the analyzer. Device A is connected to Internet,
Device B is connected to LAN, and Device C is connected with Analyzer. The
network diagram is as shown in Figure 2 .
Device A
Analyzer
Internet
GE1/0/25
GE1/0/27
Device B
LAN
GE1/0/25
Device C
GE1/0/27
GE1/0/25
GE1/0/26
GE1/0/27

Figure 2 Network diagram for port mirroring with multiple source devices



5.2 Configuration Considerations
Because the mirroring is across devices, you must configure remote port mirroring.
Configure different remote probe VLANs for Device A and Device B to isolate the
traffic of Device A from that of Device B.
Configure a remote source mirroring group on Device A and Device B
respectively, and make sure the groups are in the active state.
On Device A, configure the port connected with Device C, allowing only the
remote probe VLAN of Device A.
On Device B, configure the port connected with Device C, allowing only the
remote probe VLAN of Device B.
On Device C, create the remote probe VLANs of Device A and Device B.
On Device C, configure the port connected with Device A, allowing only the
remote probe VLAN of Device A.
On Device C, configure the port connected with Device B, allowing only the
remote probe VLAN of Device B.
On Device C, configure the port connected with the analyzer, allowing only the
remote probe VLANs of Device A and Device B.
5.3 Software Version Used
This example is configured and verified on S5510 series Ethernet switches running
COMWAREV500R002B41D001.
5.4 Configuration Procedures

Note:
The following configuration was created from the devices in a specific lab
environment. All of the devices used in this document started with a default
configuration. If you have configured your device, make sure the existing
configuration does not conflict with the following configuration.
This document is not restricted to specific software and hardware versions.



5.4.1 Configuration on Device A
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound
[DeviceA] mirroring-group 1 reflector-port GigabitEthernet 1/0/26
2) Configure the port connected with Device C.
# Enter GigabitEthernet 1/0/27 view.
[DeviceA] interface GigabitEthernet 1/0/27
# Configure GigabitEthernet 1/0/27 as a trunk port.
[DeviceA-GigabitEthernet1/0/27] port link-type trunk
# Configure GigabitEthernet 1/0/27 to permit the remote probe VLAN.
[DeviceA-GigabitEthernet1/0/27] port trunk permit vlan 2
# Configure GigabitEthernet 1/0/27 to deny the default VLAN.
[DeviceA-GigabitEthernet1/0/27] undo port trunk permit vlan 1
<DeviceA> display current-configuration
#
#
sysname DeviceA
#
#



#
#
vlan 1
#
vlan 2
#
domain system
state active
idle-cut disable
#
#
#
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2
#
#
idle-timeout 0 0
#
return
#
5.4.2 Configuration on Device B
<DeviceB> system-view
[DeviceB] mirroring-group 1 remote-source



# Create VLAN 3.
[DeviceB] vlan 3
[DeviceB-vlan2] quit
mirroring group.
[DeviceB] mirroring-group 1 remote-probe vlan 3
[DeviceB] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound
[DeviceB] mirroring-group 1 reflector-port GigabitEthernet 1/0/26
2) Configure the port connected with Device C.
[DeviceB] interface GigabitEthernet 1/0/27
# Configure GigabitEthernet 1/0/27 as a trunk port.
[DeviceB-GigabitEthernet1/0/27] port link-type trunk
# Configure GigabitEthernet 1/0/27 to permit the remote probe VLAN.
[DeviceB-GigabitEthernet1/0/27] port trunk permit vlan 3
[DeviceB-GigabitEthernet1/0/27] undo port trunk permit vlan 1
<DeviceB> display current-configuration
#
#
sysname DeviceB
#
#
#
#
vlan 1
#
vlan 3
#



domain system
state active
idle-cut disable
#
#
#
#
#
idle-timeout 0 0
#
return
#
5.4.3 Configuration on Device C
1) Configure the remote-probe VLANs of Device A and Device B
# Create VLAN 2 and VLAN 3.
<DeviceC> system-view
[DeviceC] vlan 2
[DeviceC-vlan2] quit
[DeviceC] vlan 3
[DeviceC-vlan3] quit
2) Configure the port connected with Device A.
[DeviceC] interface GigabitEthernet 1/0/25
# Configure port GigabitEthernet 1/0/25 as a trunk port.



[DeviceC-GigabitEthernet1/0/25] port link-type trunk
# Configure GigabitEthernet 1/0/25 to permit VLAN 2.
[DeviceC-GigabitEthernet1/0/25] port trunk permit vlan 2
[DeviceC-GigabitEthernet1/0/25] undo port trunk permit vlan 1
3) Configure the port connected with Device B.
# Configure GigabitEthernet 1/0/26 to permit VLAN 3.
[DeviceC-GigabitEthernet1/0/26] port trunk permit vlan 3
4) Configure the port connected with the analyzer.
# Configure GigabitEthernet 1/0/27 to permit VLAN 2 and VLAN 3.
[DeviceC-GigabitEthernet1/0/27] port trunk permit vlan 2 to 3
<DeviceC> display current-configuration
#
#
sysname DeviceC
#
#



#
vlan 1
#
vlan 2 to 3
#
domain system
state active
idle-cut disable
#
#
#
port trunk permit vlan 2 to 3
#
#
idle-timeout 0 0
#
return
#
5.4.4 Verification
You can see the traffic coming from both the Internet and the LAN on the analyzer,
that is, the port mirroring function has taken effect.



6 References
Port Mirroring Configuration in the Access Volume.
Port Mirroring Commands in the Access Volume.

Copyright 2007-2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of
Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.

Port Mirroring Configuration Examples

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Port Mirroring Configuration Examples

Transféré par

Droits d'auteur :

Formats disponibles

Port Mirroring Configuration Examples

Hangzhou H3C Technologies Co., Ltd. 1/16

Vous aimerez peut-être aussi