
Contents

Configuring port mirroring
  Overview
    Terminology
    Port mirroring classification and implementation
  Restrictions and guidelines: Port mirroring configuration
  Configuring local port mirroring
    Local port mirroring configuration task list
    Creating a local mirroring group
    Configuring source ports for the local mirroring group
    Configuring source CPUs for the local mirroring group
    Configuring the monitor port for the local mirroring group
  Configuring Layer 2 remote port mirroring
    Layer 2 remote port mirroring with configurable reflector port configuration task list
    Layer 2 remote port mirroring with egress port configuration task list
    Configuring a remote destination group on the destination device
    Configuring a remote source group on the source device
  Configuring Layer 3 remote port mirroring
    Layer 3 remote port mirroring configuration task list
    Configuration prerequisites
    Configuring local mirroring groups
    Configuring source ports for a local mirroring group
    Configuring source CPUs for a local mirroring group
    Configuring the monitor port for a local mirroring group
  Displaying and maintaining port mirroring
  Port mirroring configuration examples
    Local port mirroring configuration example (in source port mode)
    Local port mirroring configuration example (in source CPU mode)
    Layer 2 remote port mirroring configuration example (reflector port configurable)
    Layer 2 remote port mirroring configuration example (with egress port)
    Example for local port mirroring with multiple monitoring devices (reflector port configurable)
    Layer 3 remote port mirroring configuration example
Configuring flow mirroring
  Restrictions and guidelines: Flow mirroring configuration
  Flow mirroring configuration task list
  Configuring match criteria
  Configuring a traffic behavior
  Configuring a QoS policy
  Applying a QoS policy
    Applying a QoS policy to an interface
    Applying a QoS policy to a VLAN
    Applying a QoS policy globally
    Applying a QoS policy to the control plane
  Flow mirroring configuration example
    Network requirements
    Configuration procedure
    Verifying the configuration

Configuring port mirroring
Overview
Port mirroring copies the packets passing through a port or CPU to a port that connects to a data
monitoring device for packet analysis.

Terminology
The following terms are used in port mirroring configuration.
Mirroring source
The mirroring sources can be one or more monitored ports or CPUs. The monitored ports and CPUs
are called source ports and source CPUs, respectively.
Packets passing through mirroring sources are copied to a port connecting to a data monitoring
device for packet analysis. The copies are called mirrored packets.
Source device
The device where the mirroring sources reside is called a source device.
Mirroring destination
The mirroring destination is the destination port (also known as the monitor port) of mirrored packets
and connects to a data monitoring device. Mirrored packets are sent out of the monitor port to the
data monitoring device.
A monitor port might receive multiple copies of a packet when it monitors multiple mirroring sources.
For example, two copies of a packet are received on Port 1 when the following conditions exist:
• Port 1 is monitoring bidirectional traffic of Port 2 and Port 3 on the same device.
• The packet travels from Port 2 to Port 3.
Destination device
The device where the monitor port resides is called the destination device.
Mirroring direction
The mirroring direction specifies the direction of the traffic that is copied on a mirroring source.
• Inbound—Copies packets received.
• Outbound—Copies packets sent.
• Bidirectional—Copies packets received and sent.
Mirroring group
Port mirroring is implemented through mirroring groups, which include local, remote source, and
remote destination groups. For more information about the mirroring groups, see "Port mirroring
classification and implementation."
Reflector port, egress port, and remote probe VLAN
Reflector ports, remote probe VLANs, and egress ports are used for Layer 2 remote port mirroring.
The remote probe VLAN is a dedicated VLAN for transmitting mirrored packets to the destination
device. Both the reflector port and egress port reside on a source device and send mirrored packets
to the remote probe VLAN. For more information about the reflector port, egress port, remote probe
VLAN, and Layer 2 remote port mirroring, see "Port mirroring classification and implementation."

NOTE:
On port mirroring devices, all ports except source, destination, reflector, and egress ports are called
common ports.

Port mirroring classification and implementation


Port mirroring includes local port mirroring and remote port mirroring.
• Local port mirroring—The mirroring sources and the mirroring destination are on the same
device.
• Remote port mirroring—The mirroring sources and the mirroring destination are on different
devices.
Local port mirroring
In local port mirroring, the following conditions exist:
• The source device is directly connected to a data monitoring device.
• The source device acts as the destination device to forward mirrored packets to the data
monitoring device.
A local mirroring group is a mirroring group that contains the mirroring sources and the mirroring
destination on the same device. The mirroring sources and destination can be located on different
cards on the switch.
Figure 1 Local port mirroring implementation

As shown in Figure 1, the source port GigabitEthernet 1/0/1 and the monitor port GigabitEthernet
1/0/2 reside on the same device. Packets received on GigabitEthernet 1/0/1 are copied to
GigabitEthernet 1/0/2. GigabitEthernet 1/0/2 then forwards the packets to the data monitoring device
for analysis.
Remote port mirroring
In remote port mirroring, the following conditions exist:
• The source device is not directly connected to a data monitoring device.
• The source device copies mirrored packets to the destination device, which forwards them to
the data monitoring device.
• The mirroring sources and the mirroring destination reside on different devices and are in
different mirroring groups.
A remote source group is a mirroring group that contains the mirroring sources. A remote destination
group is a mirroring group that contains the mirroring destination. Intermediate devices are the
devices between the source device and the destination device.

Remote port mirroring includes Layer 2 and Layer 3 remote port mirroring.
• Layer 2 remote port mirroring—The mirroring sources and the mirroring destination are
located on different devices on the same Layer 2 network.
Layer 2 remote port mirroring can be implemented when a reflector port or an egress port is
available on the source device. The method to use the reflector port and the method to use the
egress port are called reflector port method and egress port method, respectively.
  ○ Reflector port method—Packets are mirrored as follows:
    − The source device copies packets received on the mirroring sources to the reflector
      port.
    − The reflector port broadcasts the mirrored packets in the remote probe VLAN.
    − The intermediate devices transmit the mirrored packets to the destination device
      through the remote probe VLAN.
    − Upon receiving the mirrored packets, the destination device determines whether the
      VLAN ID of the mirrored packets is the same as the remote probe VLAN ID. If the two
      VLAN IDs are the same, the destination device forwards the mirrored packets to the
      data monitoring device through the monitor port.
    A reflector port can be fixed or configurable. The switch supports only the configurable
    reflector port.
    Figure 2 Layer 2 remote port mirroring implementation through the reflector port method

  ○ Egress port method—Packets are mirrored as follows:
    − The source device copies packets received on the mirroring sources to the egress port.
    − The egress port forwards the mirrored packets to the intermediate devices.
    − The intermediate devices flood the mirrored packets in the remote probe VLAN and
      transmit the mirrored packets to the destination device.
    − Upon receiving the mirrored packets, the destination device determines whether the
      VLAN ID of the mirrored packets is the same as the remote probe VLAN ID. If the two
      VLAN IDs are the same, the destination device forwards the mirrored packets to the
      data monitoring device through the monitor port.

Figure 3 Layer 2 remote port mirroring implementation through the egress port method
[Figure: a host, the source device, an intermediate device, the destination device, and the data monitoring device, connected through the remote probe VLAN. Legend: original packets, mirrored packets, source port, egress port, monitor port, common port.]

To ensure Layer 2 forwarding of the mirrored packets, assign the ports connecting intermediate
devices to the source and destination devices to the remote probe VLAN.
To monitor the bidirectional traffic of a source port, disable MAC address learning for the remote
probe VLAN on the source, intermediate, and destination devices. For more information about
MAC address learning, see Layer 2—LAN Switching Configuration Guide.
• Layer 3 remote port mirroring—The mirroring sources and the mirroring destination are
separated by IP networks.
Layer 3 remote port mirroring is implemented through creating a local mirroring group on both
the source device and the destination device. For example, in a network as shown in Figure 4,
Layer 3 remote port mirroring works in the following flow:
a. The source device sends one copy of a packet received on the source port GigabitEthernet
1/0/1 to the tunnel interface.
The tunnel interface acts as the monitor port in the local mirroring group created on the
source device.
b. The tunnel interface on the source device forwards the mirrored packet to the tunnel
interface on the destination device through the GRE tunnel.
c. The destination device receives the mirrored packet from the physical interface of the tunnel
interface.
The tunnel interface acts as the source port in the local mirroring group created on the
destination device.
d. The physical interface of the tunnel interface sends one copy of the packet to the monitor
port GigabitEthernet 1/0/2.
e. GigabitEthernet 1/0/2 forwards the packet to the data monitoring device.
For more information about GRE tunnels and tunnel interfaces, see Layer 3—IP Services
Configuration Guide.

Figure 4 Layer 3 remote port mirroring implementation

Restrictions and guidelines: Port mirroring configuration

The reflector port method for Layer 2 remote port mirroring can be used to implement local port
mirroring with multiple monitor ports.
In the reflector port method, the reflector port broadcasts mirrored packets in the remote probe VLAN.
By assigning ports that connect to data monitoring devices to the remote probe VLAN, you can
implement local port mirroring to mirror packets to multiple monitor ports. Make sure the ports
remove the remote probe VLAN tag of the mirrored packets so the original packets can be sent to the
data monitoring devices.
The egress port method cannot implement local port mirroring in this way.

Configuring local port mirroring


A local mirroring group takes effect only when you configure the monitor port and the source ports or
source CPUs for the local mirroring group.

Local port mirroring configuration task list


Tasks at a glance
1. (Required.) Creating a local mirroring group
2. (Required.) Perform at least one of the following tasks:
   ○ Configuring source ports for the local mirroring group
   ○ Configuring source CPUs for the local mirroring group
3. (Required.) Configuring the monitor port for the local mirroring group

Creating a local mirroring group
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a local mirroring group.
   Command: mirroring-group group-id local
   Remarks: By default, no local mirroring group exists.

Configuring source ports for the local mirroring group


To configure source ports for a local mirroring group, use one of the following methods:
• Assign a list of source ports to the mirroring group in system view.
• Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the
operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
• A mirroring group can contain multiple source ports.
• Layer 2 or Layer 3 aggregate interfaces cannot be configured as source ports for mirroring
groups.
• A port can be used as a source port for multiple mirroring groups.
• A source port cannot be configured as a reflector port, egress port, or monitor port.
• In an IRF 3.1 system, a cascade port or an upstream port on a PEX cannot be configured as
source ports for mirroring groups. For more information about IRF 3.1, see IRF 3.1
configuration in Virtual Technologies Configuration Guide.
Configuring source ports in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure source ports for a local mirroring group.
   Command: mirroring-group group-id mirroring-port interface-list { both | inbound | outbound }
   Remarks: By default, no source port is configured for a local mirroring group.

Configuring source ports in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as a source port for a local mirroring group.
   Command: mirroring-group group-id mirroring-port { both | inbound | outbound }
   Remarks: By default, a port does not act as a source port for any local mirroring groups.

Configuring source CPUs for the local mirroring group
CPUs on the LSQM3MPUB0 MPUs cannot be configured as source CPUs.
A mirroring group can contain multiple source CPUs.
To configure source CPUs for a local mirroring group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure source CPUs for a local mirroring group.
   Command:
   • In standalone mode:
     mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }
   • In IRF mode:
     mirroring-group group-id mirroring-cpu chassis chassis-number slot slot-number-list { both | inbound | outbound }
   Remarks: By default, no source CPU is configured for a local mirroring group.

Configuring the monitor port for the local mirroring group


To configure the monitor port for a mirroring group, use one of the following methods:
• Configure the monitor port for the mirroring group in system view.
• Assign a port to the mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a local mirroring group, follow these restrictions and
guidelines:
• Do not enable the spanning tree feature on the monitor port.
• For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not
configure its member ports as source ports of the mirroring group.
• A mirroring group contains only one monitor port.
• In an IRF 3.1 system, the monitor port must reside on the same card as a source port in the
mirroring group if the following conditions are met:
  ○ The source port resides on a parent device in the IRF 3.1 system.
  ○ The card where the source port resides has interfaces that support cascade ports.
For more information about cascade port-capable interfaces, see IRF 3.1 configuration in
Virtual Technologies Configuration Guide.
• Use a monitor port only for port mirroring, so the data monitoring device receives only the
mirrored traffic.
Configuring the monitor port in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the monitor port for a local mirroring group.
   Command: mirroring-group group-id monitor-port interface-type interface-number
   Remarks: By default, no monitor port is configured for a local mirroring group.

Configuring the monitor port in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as the monitor port for a mirroring group.
   Command: mirroring-group group-id monitor-port
   Remarks: By default, a port does not act as the monitor port for any local mirroring groups.

Configuring Layer 2 remote port mirroring


To configure Layer 2 remote port mirroring, perform the following tasks:
• Configure a remote source group on the source device.
• Configure a cooperating remote destination group on the destination device.
• If intermediate devices exist, configure the following devices and ports to allow the remote
probe VLAN to pass through.
  ○ Intermediate devices.
  ○ Ports connected to the intermediate devices on the source and destination devices.
When you configure Layer 2 remote port mirroring, follow these restrictions and guidelines:
• The egress port must be assigned to the remote probe VLAN. The configurable reflector port is
not necessarily assigned to the remote probe VLAN.
• For a mirrored packet to successfully arrive at the remote destination device, make sure its
VLAN ID is not removed or changed.
• Do not configure both MVRP and Layer 2 remote port mirroring. Otherwise, MVRP might
register the remote probe VLAN with incorrect ports, which would cause the monitor port to
receive undesired copies. For more information about MVRP, see Layer 2—LAN Switching
Configuration Guide.
• As a best practice, configure devices in the order of the destination device, the intermediate
devices, and the source device.

Layer 2 remote port mirroring with configurable reflector port configuration task list

Tasks at a glance
(Required.) Configuring a remote destination group on the destination device:
1. Creating a remote destination group
2. Configuring the monitor port for a remote destination group
3. Configuring the remote probe VLAN for a remote destination group
4. Assigning the monitor port to the remote probe VLAN
(Required.) Configuring a remote source group on the source device:
1. Creating a remote source group
2. Perform at least one of the following tasks:
   ○ Configuring source ports for a remote source group
   ○ Configuring source CPUs for a remote source group
3. Configuring the reflector port for a remote source group
4. Configuring the remote probe VLAN for a remote source group

Layer 2 remote port mirroring with egress port configuration task list

Tasks at a glance
(Required.) Configuring a remote destination group on the destination device:
1. Creating a remote destination group
2. Configuring the monitor port for a remote destination group
3. Configuring the remote probe VLAN for a remote destination group
4. Assigning the monitor port to the remote probe VLAN
(Required.) Configuring a remote source group on the source device:
1. Creating a remote source group
2. Perform at least one of the following tasks:
   ○ Configuring source ports for a remote source group
   ○ Configuring source CPUs for a remote source group
3. Configuring the egress port for a remote source group
4. Configuring the remote probe VLAN for a remote source group

Configuring a remote destination group on the destination device

Restrictions and guidelines for remote destination group configuration
You can configure a remote destination group on an IRF fabric with member devices connected
through multiple IRF physical interfaces. In this case, the monitor port of the remote destination
group and the port that receives the mirrored traffic must reside on the same member device. For
more information about IRF, see Virtual Technologies Configuration Guide.
Creating a remote destination group

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a remote destination group.
   Command: mirroring-group group-id remote-destination
   Remarks: By default, no remote destination group exists on a device.

Configuring the monitor port for a remote destination group


To configure the monitor port for a mirroring group, use one of the following methods:
• Configure the monitor port for the mirroring group in system view.
• Assign a port to the mirroring group as the monitor port in interface view.
When you configure the monitor port for a remote destination group, follow these restrictions and
guidelines:
• Do not enable the spanning tree feature on the monitor port.

• For a Layer 2 aggregate interface configured as the monitor port of a mirroring group, do not
configure its member ports as source ports of the mirroring group.
• Use a monitor port only for port mirroring, so the data monitoring device receives only the
mirrored traffic.
• A mirroring group must contain only one monitor port.
• A monitor port can belong to only one mirroring group.
Configuring the monitor port for a remote destination group in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the monitor port for a remote destination group.
   Command: mirroring-group group-id monitor-port interface-type interface-number
   Remarks: By default, no monitor port is configured for a remote destination group.

Configuring the monitor port for a remote destination group in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as the monitor port for a remote destination group.
   Command: mirroring-group group-id monitor-port
   Remarks: By default, a port does not act as the monitor port for any remote destination groups.

Configuring the remote probe VLAN for a remote destination group


When you configure the remote probe VLAN for a remote destination group, follow these restrictions
and guidelines:
• Only an existing static VLAN can be configured as a remote probe VLAN.
• When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port
mirroring exclusively.
• Configure the same remote probe VLAN for the remote groups on the source and destination
devices.
To configure the remote probe VLAN for a remote destination group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the remote probe VLAN for a remote destination group.
   Command: mirroring-group group-id remote-probe vlan vlan-id
   Remarks: By default, no remote probe VLAN is configured for a remote destination group.

Assigning the monitor port to the remote probe VLAN

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter the interface view of the monitor port.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Assign the port to the remote probe VLAN.
   Command:
   • For an access port:
     port access vlan vlan-id
   • For a trunk port:
     port trunk permit vlan vlan-id
   • For a hybrid port:
     port hybrid vlan vlan-id { tagged | untagged }
   Remarks: For more information about the port access vlan, port trunk permit vlan, and port hybrid vlan commands, see Layer 2—LAN Switching Command Reference.

Configuring a remote source group on the source device


Creating a remote source group

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a remote source group.
   Command: mirroring-group group-id remote-source
   Remarks: By default, no remote source group exists on a device.

Configuring source ports for a remote source group


To configure source ports for a mirroring group, use one of the following methods:
• Assign a list of source ports to the mirroring group in system view.
• Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the
operation.
When you configure source ports for a remote source group, follow these restrictions and guidelines:
• Do not assign a source port of a mirroring group to the remote probe VLAN of the mirroring
group.
• A mirroring group can contain multiple source ports.
• Layer 2 or Layer 3 aggregate interfaces cannot be configured as source ports for mirroring
groups.
• A port can be used as a source port for multiple mirroring groups.
• A source port cannot be configured as a reflector port, egress port, or monitor port.
• In an IRF 3.1 system, a cascade port or an upstream port on a PEX cannot be configured as
source ports for mirroring groups. For more information about IRF 3.1, see IRF 3.1
configuration in Virtual Technologies Configuration Guide.
Configuring source ports for a remote source group in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure source ports for a remote source group.
   Command: mirroring-group group-id mirroring-port interface-list { both | inbound | outbound }
   Remarks: By default, no source port is configured for a remote source group.

Configuring a source port for a remote source group in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as a source port for a remote source group.
   Command: mirroring-group group-id mirroring-port { both | inbound | outbound }
   Remarks: By default, a port does not act as a source port for any remote source groups.

Configuring source CPUs for a remote source group


CPUs on the LSQM3MPUB0 MPUs cannot be configured as source CPUs.
A mirroring group can contain multiple source CPUs.
To configure source CPUs for a remote source group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure source CPUs for a remote source group.
   Command:
   • In standalone mode:
     mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }
   • In IRF mode:
     mirroring-group group-id mirroring-cpu chassis chassis-number slot slot-number-list { both | inbound | outbound }
   Remarks: By default, no source CPU is configured for a remote source group.

Configuring the reflector port for a remote source group


To configure the reflector port for a remote source group, use one of the following methods:
• Configure the reflector port for the remote source group in system view.
• Assign a port to the remote source group as the reflector port in interface view.
When you configure the reflector port for a remote source group, follow these restrictions and
guidelines:
• The port to be configured as a reflector port must be a port not in use. Do not connect a network
cable to a reflector port.
• When a port is configured as a reflector port, all existing configurations of the port are cleared.
You cannot configure other features on the reflector port.
• If an IRF port is bound to only one physical interface, do not configure the physical interface as
a reflector port. Otherwise, the IRF might split.
• A mirroring group contains only one reflector port.
• You can configure a port as a reflector port only when the port is operating with the default
duplex mode, speed, and MDI settings. You cannot change these settings for a reflector port.
• In an IRF system, IRF physical interfaces cannot be configured as reflector ports for Layer 2
remote port mirroring. For more information about IRF and IRF physical interfaces, see Virtual
Technologies Configuration Guide.
Configuring the reflector port for a remote source group in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the reflector port for a remote source group.
   Command: mirroring-group group-id reflector-port interface-type interface-number
   Remarks: By default, no reflector port is configured for a remote source group.

Configuring the reflector port for a remote source group in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as the reflector port for a remote source group.
   Command: mirroring-group group-id reflector-port
   Remarks: By default, a port does not act as the reflector port for any remote source groups.

Configuring the egress port for a remote source group


To configure the egress port for a remote source group, use one of the following methods:
• Configure the egress port for the remote source group in system view.
• Assign a port to the remote source group as the egress port in interface view.
When you configure the egress port for a remote source group, follow these restrictions and
guidelines:
• Disable the following features on the egress port:
  ○ Spanning tree.
  ○ 802.1X.
  ○ IGMP snooping.
  ○ Static ARP.
  ○ MAC address learning.
• A mirroring group contains only one egress port.
• A port of an existing mirroring group cannot be configured as an egress port.
Configuring the egress port for a remote source group in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the egress port for a remote source group.
   Command: mirroring-group group-id monitor-egress interface-type interface-number
   Remarks: By default, no egress port is configured for a remote source group.

Configuring the egress port for a remote source group in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as the egress port for a remote source group.
   Command: mirroring-group group-id monitor-egress
   Remarks: By default, a port does not act as the egress port for any remote source groups.

Configuring the remote probe VLAN for a remote source group


When you configure the remote probe VLAN for a remote source group, follow these restrictions and
guidelines:
• Only an existing static VLAN can be configured as a remote probe VLAN.
• When a VLAN is configured as a remote probe VLAN, use the remote probe VLAN for port
mirroring exclusively.
• The remote mirroring groups on the source device and destination device must use the same
remote probe VLAN.
To configure the remote probe VLAN for a remote source group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the remote probe VLAN for a remote source group.
   Command: mirroring-group group-id remote-probe vlan vlan-id
   Remarks: By default, no remote probe VLAN is configured for a remote source group.

Configuring Layer 3 remote port mirroring


To configure Layer 3 remote port mirroring, perform the following tasks:
• Create a local mirroring group on both the source device and the destination device.
• Configure the monitor port and source ports or source CPUs for each mirroring group.
The source and destination devices are connected by a tunnel. If intermediate devices exist,
configure a unicast routing protocol on the intermediate devices to ensure Layer 3 reachability
between the source and destination devices.
On the source device, perform the following tasks:
• Configure source ports or source CPUs you want to monitor.
• Configure the tunnel interface as the monitor port.
On the destination device, perform the following tasks:
• Configure the physical interface corresponding to the tunnel interface as the source port.
• Configure the port that connects the data monitoring device as the monitor port.

Layer 3 remote port mirroring configuration task list


Tasks at a glance
(Required.) Configuring the source device:
1. Configuring local mirroring groups
2. Perform at least one of the following tasks:
  ○ Configuring source ports for a local mirroring group
  ○ Configuring source CPUs for a local mirroring group
3. Configuring the monitor port for a local mirroring group
(Required.) Configuring the destination device:
1. Configuring local mirroring groups
2. Configuring source ports for a local mirroring group
3. Configuring the monitor port for a local mirroring group

Configuration prerequisites
Before configuring Layer 3 remote mirroring, complete the following tasks:
• Create a tunnel interface and a GRE tunnel.
• Configure the source and destination addresses of the tunnel interface as the IP addresses of
the physical interfaces on the source and destination devices, respectively.
IP addresses of physical interfaces on SA series interface modules cannot be used as the
source or destination IP address for the tunnel interface.
For more information about tunnel interfaces, see Layer 3—IP Services Configuration Guide.

Configuring local mirroring groups


Configure a local mirroring group on both the source device and the destination device.
To create a local mirroring group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a local mirroring group.
   Command: mirroring-group group-id local
   Remarks: By default, no local mirroring group exists on a device.

Configuring source ports for a local mirroring group


On the source device, configure the ports you want to monitor as the source ports. On the destination
device, configure the physical interface corresponding to the tunnel interface as the source port.
To configure source ports for a mirroring group, use one of the following methods:
• Assign a list of source ports to the mirroring group in system view.
• Assign a port to the mirroring group as a source port in interface view.
To assign multiple ports to the mirroring group as source ports in interface view, repeat the
operation.
Configuration restrictions and guidelines
When you configure source ports for a local mirroring group, follow these restrictions and guidelines:
• A mirroring group can contain multiple source ports.
• Layer 2 or Layer 3 aggregate interfaces cannot be configured as source ports for mirroring
groups.
• A port can be used as a source port for multiple mirroring groups.
• A source port cannot be configured as a reflector port, egress port, or monitor port.
• In an IRF 3.1 system, a cascade port or an upstream port on a PEX cannot be configured as
source ports for mirroring groups. For more information about IRF 3.1, see IRF 3.1
configuration in Virtual Technologies Configuration Guide.
Configuring source ports in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure source ports for a local mirroring group.
   Command: mirroring-group group-id mirroring-port interface-list { both | inbound | outbound }
   Remarks: By default, no source port is configured for a local mirroring group.

Configuring source ports in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as a source port for a local mirroring group.
   Command: mirroring-group group-id mirroring-port { both | inbound | outbound }
   Remarks: By default, a port does not act as a source port for any local mirroring groups.

Configuring source CPUs for a local mirroring group


CPUs on the LSQM3MPUB0 MPUs cannot be configured as source CPUs.
On the source device, configure the CPUs of the cards to be monitored as the source CPUs. The
destination device does not support source CPU configuration.
A mirroring group can contain multiple source CPUs.
To configure source CPUs for a local mirroring group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure source CPUs for a local mirroring group.
   Command:
   • In standalone mode: mirroring-group group-id mirroring-cpu slot slot-number-list { both | inbound | outbound }
   • In IRF mode: mirroring-group group-id mirroring-cpu chassis chassis-number slot slot-number-list { both | inbound | outbound }
   Remarks: By default, no source CPU is configured for a local mirroring group.

Configuring the monitor port for a local mirroring group


On the source device, configure the tunnel interface as the monitor port. On the destination device,
configure the port that connects to a data monitoring device as the monitor port.

To configure the monitor port for a mirroring group, use one of the following methods:
• Configure the monitor port for the mirroring group in system view.
• Assign a port to a mirroring group as the monitor port in interface view.
Configuration restrictions and guidelines
When you configure the monitor port for a local mirroring group, follow these restrictions and
guidelines:
• A mirroring group contains only one monitor port.
• Do not enable the spanning tree feature on the monitor port.
• In an IRF 3.1 system, the monitor port must reside on the same card as a source port in the
mirroring group if the following conditions are met:
  ○ The device is a parent device in the IRF 3.1 system.
  ○ The source port resides on a card that supports cascade ports.
For more information about the cards that support cascade ports, see IRF 3.1 configuration in
Virtual Technologies Configuration Guide.
• As a best practice, use a monitor port only for port mirroring, so the data monitoring device
receives only the mirrored traffic.
Configuring the monitor port in system view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the monitor port for a local mirroring group.
   Command: mirroring-group group-id monitor-port interface-type interface-number
   Remarks: By default, no monitor port is configured for a local mirroring group.

Configuring the monitor port in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the port as the monitor port for a local mirroring group.
   Command: mirroring-group group-id monitor-port
   Remarks: By default, a port does not act as the monitor port for any local mirroring groups.

Displaying and maintaining port mirroring


Execute display commands in any view.

Task: Display mirroring group information.
Command: display mirroring-group { group-id | all | local | remote-destination | remote-source }

Port mirroring configuration examples
Local port mirroring configuration example (in source port mode)
Network requirements
As shown in Figure 5, configure local port mirroring in source port mode to enable the server to
monitor the bidirectional traffic of the Marketing department and the Technical department.
Figure 5 Network diagram

Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local

# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as source ports for local mirroring group
1.
[Device] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2 both

# Configure GigabitEthernet 1/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port gigabitethernet 1/0/3

# Disable the spanning tree feature on the monitor port (GigabitEthernet 1/0/3).
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] undo stp enable
[Device-GigabitEthernet1/0/3] quit

Verifying the configuration


# Verify the mirroring group configuration.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
GigabitEthernet1/0/2 Both
Monitor port: GigabitEthernet1/0/3

Local port mirroring configuration example (in source CPU mode)
Network requirements
As shown in Figure 6, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are located on the card in slot
1.
Configure local port mirroring in source CPU mode to enable the server to monitor all packets
matching the following criteria:
• Received and sent by the Marketing department and the Technical department.
• Processed by the CPU of the card in slot 1 of the device.
Figure 6 Network diagram

Configuration procedure
# Create local mirroring group 1.
<Device> system-view
[Device] mirroring-group 1 local

# Configure the CPU of the card in slot 1 of the device as a source CPU for local mirroring group 1.
[Device] mirroring-group 1 mirroring-cpu slot 1 both

# Configure GigabitEthernet 1/0/3 as the monitor port for local mirroring group 1.
[Device] mirroring-group 1 monitor-port gigabitethernet 1/0/3

# Disable the spanning tree feature on the monitor port (GigabitEthernet 1/0/3).
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] undo stp enable
[Device-GigabitEthernet1/0/3] quit

Verifying the configuration


# Verify the mirroring group configuration.
[Device] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring CPU:
Slot 1 Both
Monitor port: GigabitEthernet1/0/3

Layer 2 remote port mirroring configuration example (reflector port configurable)
Network requirements
As shown in Figure 7, configure Layer 2 remote port mirroring to enable the server to monitor the
bidirectional traffic of the Marketing department.
Figure 7 Network diagram

Configuration procedure
1. Configure Device C (the destination device):
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceC-GigabitEthernet1/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceC-vlan2] undo mac-address mac-learning enable
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceC] mirroring-group 2 remote-probe vlan 2
# Configure GigabitEthernet 1/0/2 as the monitor port for the mirroring group.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] mirroring-group 2 monitor-port
# Disable the spanning tree feature on GigabitEthernet 1/0/2.
[DeviceC-GigabitEthernet1/0/2] undo stp enable
# Assign GigabitEthernet 1/0/2 to VLAN 2.
[DeviceC-GigabitEthernet1/0/2] port access vlan 2
[DeviceC-GigabitEthernet1/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2.
<DeviceB> system-view
[DeviceB] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceB-vlan2] undo mac-address mac-learning enable
[DeviceB-vlan2] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceA-vlan2] undo mac-address mac-learning enable
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
# Configure GigabitEthernet 1/0/1 as a source port for the mirroring group.
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both
# Configure GigabitEthernet 1/0/3 as the reflector port for the mirroring group.
[DeviceA] mirroring-group 1 reflector-port gigabitethernet 1/0/3
This operation may delete all settings made on the interface. Continue? [Y/N]: y
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceA-GigabitEthernet1/0/2] quit

Verifying the configuration


# Verify the mirroring group configuration on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: GigabitEthernet1/0/2
Remote probe VLAN: 2

# Verify the mirroring group configuration on Device A.


[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
Reflector port: GigabitEthernet1/0/3
Remote probe VLAN: 2
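
Port mirroring copies traffic to another port, so the groups configured on a device are worth reviewing against an approved baseline. The following added example (not part of the original guide) parses the display mirroring-group all output shown in this example, flags groups or destinations missing from a baseline, and checks that the source and destination devices agree on the remote probe VLAN. The APPROVED baseline and mirroring group 3 on Device A are constructed for illustration.

```python
import re

GROUP_RE = re.compile(r"^Mirroring group (\d+):$")
FIELD_RE = re.compile(r"^(Type|Status|Monitor port|Reflector port|"
                      r"Monitor egress port|Remote probe VLAN):\s*(\S.*)$")
SOURCE_RE = re.compile(r"^(.+?)\s+(Both|Inbound|Outbound)$")
# Fields that name where a group sends its copies.
DEST_FIELDS = ("Monitor port", "Monitor egress port", "Reflector port")


def parse_mirroring_groups(text):
    """Parse 'display mirroring-group all' output into one dict per group."""
    groups, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()            # indentation differs between captures
        m = GROUP_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "sources": []}
            groups.append(cur)
        elif cur is None:
            continue                  # prompt line before the first group
        elif (m := FIELD_RE.match(line)):
            cur[m.group(1)] = m.group(2).strip()
        elif (m := SOURCE_RE.match(line)):
            # Source port ("GigabitEthernet1/0/1 Both") or CPU ("Slot 1 Both").
            cur["sources"].append((m.group(1), m.group(2)))
    return groups


def audit(device, groups, approved):
    """Compare groups with approved = {(device, group id): destination port}."""
    findings = []
    for g in groups:
        dests = [g[f] for f in DEST_FIELDS if f in g]
        srcs = ", ".join(f"{name} ({direction})" for name, direction in g["sources"])
        expected = approved.get((device, g["id"]))
        if expected is None:
            findings.append(f"{device} group {g['id']}: unapproved "
                            f"{g.get('Type', '?')} group copying "
                            f"{srcs or 'nothing'} to {dests}")
        elif expected not in dests:
            findings.append(f"{device} group {g['id']}: destination {dests}, "
                            f"baseline says {expected}")
    return findings


def probe_vlan_mismatches(source_groups, dest_groups):
    """IDs of remote source groups whose probe VLAN no destination group uses."""
    dest_vlans = {g["Remote probe VLAN"] for g in dest_groups
                  if g.get("Type") == "Remote destination"
                  and "Remote probe VLAN" in g}
    return [g["id"] for g in source_groups
            if g.get("Type") == "Remote source"
            and g.get("Remote probe VLAN") not in dest_vlans]


# Group 1 (Device A) and group 2 (Device C) are the outputs shown above.
# Group 3 on Device A is constructed so that the audit has something to flag.
DEVICE_A = """\
[DeviceA] display mirroring-group all
Mirroring group 1:
    Type: Remote source
    Status: Active
    Mirroring port:
        GigabitEthernet1/0/1  Both
    Reflector port: GigabitEthernet1/0/3
    Remote probe VLAN: 2
Mirroring group 3:
    Type: Local
    Status: Active
    Mirroring port:
        GigabitEthernet1/0/4  Inbound
    Monitor port: GigabitEthernet1/0/9
"""
DEVICE_C = """\
[DeviceC] display mirroring-group all
Mirroring group 2:
    Type: Remote destination
    Status: Active
    Monitor port: GigabitEthernet1/0/2
    Remote probe VLAN: 2
"""
# Constructed baseline: the two groups this example configures.
APPROVED = {("DeviceA", 1): "GigabitEthernet1/0/3",
            ("DeviceC", 2): "GigabitEthernet1/0/2"}

if __name__ == "__main__":
    a, c = parse_mirroring_groups(DEVICE_A), parse_mirroring_groups(DEVICE_C)
    for finding in audit("DeviceA", a, APPROVED) + audit("DeviceC", c, APPROVED):
        print("FINDING:", finding)
    print("Probe VLAN mismatches:", probe_vlan_mismatches(a, c))
```
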

Layer 2 remote port mirroring configuration example (with egress port)
Network requirements
On the Layer 2 network shown in Figure 8, configure Layer 2 remote port mirroring to enable the
server to monitor the bidirectional traffic of the Marketing department.
Figure 8 Network diagram

Configuration procedure
1. Configure Device C (the destination device):
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
<DeviceC> system-view
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceC-GigabitEthernet1/0/1] quit
# Create a remote destination group.
[DeviceC] mirroring-group 2 remote-destination
# Create VLAN 2.
[DeviceC] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceC-vlan2] undo mac-address mac-learning enable
[DeviceC-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN for the mirroring group.
[DeviceC] mirroring-group 2 remote-probe vlan 2
# Configure GigabitEthernet 1/0/2 as the monitor port for the mirroring group.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] mirroring-group 2 monitor-port
# Disable the spanning tree feature on GigabitEthernet 1/0/2.
[DeviceC-GigabitEthernet1/0/2] undo stp enable
# Assign GigabitEthernet 1/0/2 to VLAN 2 as an access port.
[DeviceC-GigabitEthernet1/0/2] port access vlan 2
[DeviceC-GigabitEthernet1/0/2] quit
2. Configure Device B (the intermediate device):
# Create VLAN 2.
<DeviceB> system-view
[DeviceB] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceB-vlan2] undo mac-address mac-learning enable
[DeviceB-vlan2] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 2
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device A (the source device):
# Create a remote source group.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
# Disable MAC address learning for VLAN 2.
[DeviceA-vlan2] undo mac-address mac-learning enable
[DeviceA-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
# Configure GigabitEthernet 1/0/1 as a source port for the mirroring group.
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both
# Configure GigabitEthernet 1/0/2 as the egress port for the mirroring group.
[DeviceA] mirroring-group 1 monitor-egress gigabitethernet 1/0/2
# Configure port GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 2.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 2
# Disable the spanning tree feature on the port.
[DeviceA-GigabitEthernet1/0/2] undo stp enable
[DeviceA-GigabitEthernet1/0/2] quit

Verifying the configuration


# Verify the mirroring group configuration on Device C.
[DeviceC] display mirroring-group all
Mirroring group 2:
Type: Remote destination
Status: Active
Monitor port: GigabitEthernet1/0/2
Remote probe VLAN: 2

# Verify the mirroring group configuration on Device A.


[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
Monitor egress port: GigabitEthernet1/0/2
Remote probe VLAN: 2

Example for local port mirroring with multiple monitoring devices (reflector port configurable)
Network configuration
As shown in Figure 9, Dept. A, Dept. B, and Dept. C are connected to the device through
GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3, respectively.
Configure port mirroring to enable both Server A and Server B to monitor the bidirectional traffic of
departments A, B, and C.

Figure 9 Network diagram

Procedure
# Create remote source group 1.
<Device> system-view
[Device] mirroring-group 1 remote-source

# Configure GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 as source ports of remote source
group 1.
[Device] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 to gigabitethernet 1/0/3 both

# Configure an unused port (GigabitEthernet 1/0/6 in this example) as the reflector port of remote
source group 1.
[Device] mirroring-group 1 reflector-port gigabitethernet 1/0/6
This operation may delete all settings made on the interface. Continue? [Y/N]:y

# Create VLAN 10 and assign the ports connecting the data monitoring devices to the VLAN.
[Device] vlan 10
[Device-vlan10] port gigabitethernet 1/0/4 to gigabitethernet 1/0/5
[Device-vlan10] quit

# Configure VLAN 10 as the remote probe VLAN of remote source group 1.


[Device] mirroring-group 1 remote-probe vlan 10

Verifying the configuration


# Verify the mirroring group configuration on the device.
[Device] display mirroring-group all
Mirroring group 1:
Type: Remote source
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
GigabitEthernet1/0/2 Both
GigabitEthernet1/0/3 Both
Reflector port: GigabitEthernet1/0/6
Remote probe VLAN: 10

Layer 3 remote port mirroring configuration example
Network requirements
On the Layer 3 network shown in Figure 10, configure Layer 3 remote port mirroring to enable the
server to monitor the bidirectional traffic of the Marketing department.
Figure 10 Network diagram

Configuration procedure
1. Configure IP addresses for the tunnel interfaces and related ports on the devices. (Details not
shown.)
2. Configure Device A (the source device):
# Create service loopback group 1 and specify the unicast tunnel service for the group.
<DeviceA> system-view
[DeviceA] service-loopback group 1 type tunnel
# Assign GigabitEthernet 1/0/3 to service loopback group 1.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-GigabitEthernet1/0/3] quit
# Create tunnel interface Tunnel 1 that operates in GRE mode, and configure an IP address
and subnet mask for the interface.
[DeviceA] interface tunnel 1 mode gre
[DeviceA-Tunnel1] ip address 50.1.1.1 24
# Configure source and destination IP addresses for Tunnel 1.
[DeviceA-Tunnel1] source 20.1.1.1
[DeviceA-Tunnel1] destination 30.1.1.2
[DeviceA-Tunnel1] quit
# Enable the OSPF protocol.
[DeviceA] ospf 1
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Create local mirroring group 1.
[DeviceA] mirroring-group 1 local
# Configure GigabitEthernet 1/0/1 as a source port and Tunnel 1 as the monitor port of local
mirroring group 1.
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 both
[DeviceA] mirroring-group 1 monitor-port tunnel 1
3. Enable the OSPF protocol on Device B (the intermediate device).
<DeviceB> system-view
[DeviceB] ospf 1
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
4. Configure Device C (the destination device):
# Create service loopback group 1 and specify the unicast tunnel service for the group.
<DeviceC> system-view
[DeviceC] service-loopback group 1 type tunnel
# Assign GigabitEthernet 1/0/3 to service loopback group 1.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceC-GigabitEthernet1/0/3] quit
# Create tunnel interface Tunnel 1 that operates in GRE mode, and configure an IP address
and subnet mask for the interface.
[DeviceC] interface tunnel 1 mode gre
[DeviceC-Tunnel1] ip address 50.1.1.2 24
# Configure source and destination IP addresses for Tunnel 1.
[DeviceC-Tunnel1] source 30.1.1.2
[DeviceC-Tunnel1] destination 20.1.1.1
[DeviceC-Tunnel1] quit
# Enable the OSPF protocol.
[DeviceC] ospf 1
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
# Create local mirroring group 1.
[DeviceC] mirroring-group 1 local
# Configure GigabitEthernet 1/0/1 as a source port for local mirroring group 1.
[DeviceC] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 inbound
# Configure GigabitEthernet 1/0/2 as the monitor port for local mirroring group 1.
[DeviceC] mirroring-group 1 monitor-port gigabitethernet 1/0/2

Verifying the configuration


# Verify the mirroring group configuration on Device A.
[DeviceA] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Both
Monitor port: Tunnel1

# Display information about all mirroring groups on Device C.


[DeviceC] display mirroring-group all
Mirroring group 1:
Type: Local
Status: Active
Mirroring port:
GigabitEthernet1/0/1 Inbound
Monitor port: GigabitEthernet1/0/2

Configuring flow mirroring
Flow mirroring copies packets matching a class to a destination for packet analysis and monitoring.
It is implemented through QoS policies.
To configure flow mirroring, perform the following tasks:
• Define traffic classes and configure match criteria to classify packets to be mirrored. Flow
mirroring allows you to flexibly classify packets to be analyzed by defining match criteria.
• Configure traffic behaviors to mirror the matching packets to the specified destination.
You can configure an action to mirror the matching packets to one of the following destinations:
• Interface—The matching packets are copied to an interface connecting to a data monitoring
device. The data monitoring device analyzes the packets received on the interface.
• CPU—The matching packets are copied to the CPU of the card where they are received. The
CPU analyzes the packets or delivers them to upper layers.
For more information about QoS policies, traffic classes, and traffic behaviors, see ACL and QoS
Configuration Guide.

Restrictions and guidelines: Flow mirroring configuration
For information about the configuration commands except the mirror-to command, see ACL and
QoS Command Reference.
Outbound flow mirroring is not available for multicast, broadcast, or unknown unicast traffic.

Flow mirroring configuration task list


Tasks at a glance
(Required.) Configuring match criteria
(Required.) Configuring a traffic behavior
(Required.) Configuring a QoS policy

(Required.) Applying a QoS policy:


• Applying a QoS policy to an interface
• Applying a QoS policy to a VLAN
• Applying a QoS policy globally
• Applying a QoS policy to the control plane

Configuring match criteria


1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a class and enter class view.
   Command: traffic classifier tcl-name [ operator { and | or } ]
   Remarks: By default, no traffic class exists.
3. Configure match criteria.
   Command: if-match match-criteria
   Remarks: By default, no match criterion is configured in a traffic class.

Configuring a traffic behavior


To configure a traffic behavior:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a traffic behavior and enter traffic behavior view.
   Command: traffic behavior behavior-name
   Remarks: By default, no traffic behavior exists.
3. Configure a mirroring action for the traffic behavior.
   Command:
   • Mirror traffic to an interface: mirror-to interface interface-type interface-number
   • Mirror traffic to the CPU: mirror-to cpu
   Remarks: By default, no mirroring action is configured for a traffic behavior.
4. (Optional.) Display traffic behavior configuration.
   Command: display traffic behavior
   Remarks: Available in any view.

Configuring a QoS policy


1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: By default, no QoS policy exists.
3. Associate a class with a traffic behavior in the QoS policy.
   Command: classifier tcl-name behavior behavior-name
   Remarks: By default, no traffic behavior is associated with a class.
4. (Optional.) Display QoS policy configuration.
   Command: display qos policy
   Remarks: Available in any view.

Applying a QoS policy


Applying a QoS policy to an interface
By applying a QoS policy to an interface, you can mirror the traffic in the specified direction of the
interface. A policy can be applied to multiple interfaces. In one direction (inbound or outbound) of an
interface, only one policy can be applied.
On a PEX in an IRF 3.1 system, a QoS policy does not take effect on interfaces acting as member
ports of a Layer 2 aggregation group or VXLAN site-facing interfaces. For information about IRF 3.1,
see IRF 3.1 configuration in Virtual Technologies Configuration Guide. For information about VXLAN,
see VXLAN Configuration Guide.
To apply a QoS policy to an interface:

1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Apply a policy to the interface.
   Command: qos apply policy policy-name { inbound | outbound }

Applying a QoS policy to a VLAN


You can apply a QoS policy to a VLAN to mirror the traffic in the specified direction on all ports in the
VLAN.
To apply the QoS policy to a VLAN:

1. Enter system view.
   Command: system-view
2. Apply a QoS policy to a VLAN.
   Command: qos vlan-policy policy-name vlan vlan-id-list { inbound | outbound }

Applying a QoS policy globally


You can apply a QoS policy globally to mirror the traffic in the specified direction on all ports.
To apply a QoS policy globally:

1. Enter system view.
   Command: system-view
2. Apply a QoS policy globally.
   Command: qos apply policy policy-name global { inbound | outbound }

Applying a QoS policy to the control plane


You can apply a QoS policy to the control plane to mirror the traffic in the specified direction of all
ports on the control plane.
To apply a QoS policy to the control plane:

1. Enter system view.
   Command: system-view
2. Enter control plane view.
   Command:
   • In standalone mode: control-plane slot slot-number
   • In IRF mode: control-plane chassis chassis-number slot slot-number
3. Apply a QoS policy to the control plane.
   Command: qos apply policy policy-name { inbound | outbound }

Flow mirroring configuration example
Network requirements
As shown in Figure 11, configure flow mirroring so that the server can monitor the following traffic:
• All traffic that the Technical department sends to access the Internet.
• IP traffic that the Technical department sends to the Marketing department during working
hours (8:00 to 18:00) on weekdays.
Figure 11 Network diagram

Configuration procedure
# Create working hour range work, in which working hours are from 8:00 to 18:00 on weekdays.
<DeviceA> system-view
[DeviceA] time-range work 8:00 to 18:00 working-day

# Create ACL 3000 to permit packets that the Technical department sends to access the Internet, and
IP packets that it sends to the Marketing department during working hours.
[DeviceA] acl advanced 3000
[DeviceA-acl-ipv4-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
[DeviceA-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work
[DeviceA-acl-ipv4-adv-3000] quit

# Create traffic class tech_c, and configure the match criterion as ACL 3000.
[DeviceA] traffic classifier tech_c
[DeviceA-classifier-tech_c] if-match acl 3000
[DeviceA-classifier-tech_c] quit

# Create traffic behavior tech_b, and configure the action of mirroring traffic to GigabitEthernet
1/0/3.
[DeviceA] traffic behavior tech_b
[DeviceA-behavior-tech_b] mirror-to interface gigabitethernet 1/0/3
[DeviceA-behavior-tech_b] quit

# Create QoS policy tech_p, and associate traffic class tech_c with traffic behavior tech_b in the
QoS policy.
[DeviceA] qos policy tech_p
[DeviceA-qospolicy-tech_p] classifier tech_c behavior tech_b
[DeviceA-qospolicy-tech_p] quit

# Apply QoS policy tech_p to the incoming packets of GigabitEthernet 1/0/4.


[DeviceA] interface gigabitethernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] qos apply policy tech_p inbound
[DeviceA-GigabitEthernet1/0/4] quit

Verifying the configuration


# Verify that the server can monitor the following traffic:
• All traffic sent by the Technical department to access the Internet.
• IP traffic that the Technical department sends to the Marketing department during working
hours on weekdays.
(Details not shown.)
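
To check which packets ACL 3000 selects before relying on the mirror for monitoring, the following added example (not part of the original guide) models the two rules of the procedure in Python and runs constructed flows through them. The rule labels, the sample hosts and timestamps, and the exclusive treatment of the 18:00 boundary are assumptions; the model covers ACL matching only, not the interface the QoS policy is applied to.

```python
from datetime import datetime
from ipaddress import IPv4Address


def wildcard_match(addr, base, wildcard):
    """ACL wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def in_work(ts):
    """time-range work 8:00 to 18:00 working-day (Monday to Friday).
    Assumption: the 18:00 end of the range is treated as exclusive here."""
    return ts.weekday() < 5 and 8 * 60 <= ts.hour * 60 + ts.minute < 18 * 60


TECH = ("192.168.2.0", "0.0.0.255")
MARKETING = ("192.168.1.0", "0.0.0.255")

# The two permit rules of ACL 3000 from the procedure, in configured order.
# The "name" labels are hypothetical; they are not rule IDs from the device.
ACL_3000 = [
    {"name": "tcp-www", "proto": "tcp", "src": TECH, "dst": None,
     "dport": 80, "time": None},               # destination-port eq www
    {"name": "ip-to-marketing", "proto": "ip", "src": TECH, "dst": MARKETING,
     "dport": None, "time": in_work},           # time-range work
]


def mirrored_by(pkt, ts, acl=ACL_3000):
    """Return the name of the first rule that selects pkt at time ts, else None."""
    for rule in acl:
        if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
            continue                            # "ip" matches any IP protocol
        if not wildcard_match(pkt["src"], *rule["src"]):
            continue
        if rule["dst"] and not wildcard_match(pkt["dst"], *rule["dst"]):
            continue
        if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
            continue
        if rule["time"] and not rule["time"](ts):
            continue
        return rule["name"]
    return None


# Constructed sample flows: (description, packet, timestamp).
TUE_10 = datetime(2024, 1, 2, 10, 0)    # Tuesday, inside working hours
TUE_20 = datetime(2024, 1, 2, 20, 0)    # Tuesday, outside working hours
SAT_10 = datetime(2024, 1, 6, 10, 0)    # Saturday
FLOWS = [
    ("HTTP to Internet, Saturday",
     {"proto": "tcp", "src": "192.168.2.10", "dst": "203.0.113.5", "dport": 80}, SAT_10),
    ("TCP/443 to Internet, working hours",   # not selected by 'eq www'
     {"proto": "tcp", "src": "192.168.2.10", "dst": "203.0.113.5", "dport": 443}, TUE_10),
    ("UDP/53 to Marketing, working hours",
     {"proto": "udp", "src": "192.168.2.10", "dst": "192.168.1.20", "dport": 53}, TUE_10),
    ("UDP/53 to Marketing, evening",
     {"proto": "udp", "src": "192.168.2.10", "dst": "192.168.1.20", "dport": 53}, TUE_20),
    ("HTTP from another subnet",
     {"proto": "tcp", "src": "192.168.3.10", "dst": "203.0.113.5", "dport": 80}, TUE_10),
]

if __name__ == "__main__":
    for label, pkt, ts in FLOWS:
        print(f"{label:40s} -> {mirrored_by(pkt, ts) or 'not mirrored'}")
```
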
