H3C S9500 Series User manual
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Table of Contents
i
Table of Contents
Chapter 1 Port Mirroring Configuration......................................................................................1-1
1.1 Introduction to Port Mirroring.............................................................................................1-1
1.1.1 Types of Port Mirroring............................................................................................1-1
1.1.2 Implementing Port Mirroring....................................................................................1-2
1.2 Configuring Local Port Mirroring........................................................................................1-4
1.3 Configuring Remote Port Mirroring....................................................................................1-5
1.3.1 Configuring a Remote Source Mirroring Group (on the Source Device) ................1-5
1.3.2 Configuring a Remote Destination Mirroring Group (on the Destination Device).........1-7
1.4 Displaying and Maintaining Port Mirroring.........................................................................1-9
1.5 Port Mirroring Configuration Examples..............................................................................1-9
1.5.1 Local Port Mirroring Configuration Example...........................................................1-9
1.5.2 Remote Port Mirroring Configuration Example.....................................................1-10
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-1
Chapter 1 Port Mirroring Configuration
When configuring port mirroring, go to these sections for information you are interested
in:
zIntroduction to Port Mirroring
zConfiguring Local Port Mirroring
zConfiguring Remote Port Mirroring
zDisplaying and Maintaining Port Mirroring
zPort Mirroring Configuration Examples
1.1 Introduction to Port Mirroring
Port mirroring is to copy the packets passing through a port (called a mirroring port) to
another port (called the monitor port) connected with a monitoring device for packet
analysis, as shown in the following figure.
IP network
PC
Mirroring port
Monitor port
Monitoring
device
Figure 1-1 Port mirroring implementation example
You can select to port-mirror inbound, outbound, or bidirectional traffic on a port as
needed.
1.1.1 Types of Port Mirroring
Port mirroring can be local or remote.
zIn local port mirroring, the mirroring port or ports and the monitor port are located
on the same device.
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-2
zIn remote port mirroring, the mirroring port or ports and the monitor port can be
located on the same device or different devices. When they are located on
different devices, there should be no Layer-3 network in between.
1.1.2 Implementing Port Mirroring
Port mirroring is implemented through port mirroring groups. There are three types of
mirroring groups: local, remote source, and remote destination.
The following subsections describe how local port mirroring and remote port mirroring
are implemented.
I. Local port mirroring
In local port mirroring, all packets passing through a port can be mirrored. Local port
mirroring is implemented through local mirroring groups.
As shown in Figure 1-2, packets on the mirroring port are mirrored to the monitor port
for the data monitoring device to analyze.
Figure 1-2 Local port mirroring implementation
II. Remote port mirroring
Remote port mirroring is implemented through the cooperation of a remote source
mirroring group and a remote destination mirroring group as shown in Figure 1-3.
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-3
Figure 1-3 Remote port mirroring implementation
Remote mirroring involves the following device roles:
zSource device
The source device is the device where the mirroring ports are located. On it, you must
create a remote source mirroring group to hold the mirroring ports.
The source device copies the packets passing through the mirroring ports, broadcasts
the packets through the reflector port in the remote probe VLAN.
zIntermediate device
Intermediate devices (if any) are devices located in between the source device and the
destination device.
An intermediate device forwards mirrored packets to the next intermediate device (if
any) or the destination device.
zDestination device
The destination device is the device where the monitor port is located. On it, you must
create the remote destination mirroring group.
When receiving a packet, the destination device compares the VLAN ID carried in the
packet with the ID of the probe VLAN configured in the remote destination mirroring
group. If they are the same, the device forwards the packet to the monitoring device
through the monitor port.
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-4
Note:
zThe S9500 series support inter-board mirroring, that is, the mirroring port(s) and the
monitor port can be located on different boards on the same device.
zA source device can be connected to its destination device directly without any
intermediate device.
zAs for the four Ten-GigabitEthernet ports (TE ports) on XP4B and XP4CA boards,
port mirroring can only be implemented between port 1 and 2 (for example,
Ten-GigabitEthernet 2/1/1 and Ten-GigabitEthernet 2/1/2), and between port 3 and
4 (for example, Ten-GigabitEthernet 2/1/3 and Ten-GigabitEthernet 2/1/4.)
Caution:
As port mirroring conflicts with STP, RSTP, and MSTP, do not enable STP, RSTP, or
MSTP on monitor ports.
1.2 Configuring Local Port Mirroring
Configuring local port mirroring is to configure local mirroring groups.
Alocal mirroring group comprises one or multiple mirroring ports and one monitor port.
These ports must not have been assigned to any other mirroring group.
Follow these steps to configure local port mirroring:
To do… Use the command… Remarks
Enter system view system-view —
Create a local mirroring
group mirroring-group groupid local Required
In system
view
mirroring-group groupid
mirroring-port
mirroring-port-list { inbound |
outbound | both }
interface interface-type
interface-number
[mirroring-group groupid ]
mirroring-port { inbound |
outbound | both }
Assign
ports to
the port
mirroring
group as
mirroring
ports
In Ethernet
interface
view
quit
Required
Use either approach.
In system view, you
can assign a list of
ports to the mirroring
group at a time.
In interface view, you
can assign only the
current port to the
mirroring group. To
monitor multiple
ports, repeat the
step.
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-5
To do… Use the command… Remarks
In system
view mirroring-group groupid
monitor-port monitor-port-id
interface interface-type
interface-number
Assign a
port to the
mirroring
group as
the
monitor
port
In Ethernet
interface
view [mirroring-group groupid ]
monitor-port
Required
Use either approach.
Note:
zAfter you configure a port as a monitor port, you are recommended not to use it for
any other purposes. This is to ensure that the data monitoring device receives only
the mirrored traffic rather than a mix of mirrored traffic and normally forwarded
traffic.
zTo have a local mirroring group take effect, you must configure a monitor port and at
least one mirroring ports in it.
1.3 Configuring Remote Port Mirroring
Configuring remote port mirroring is to configure remote mirroring groups. When doing
that, configure the remote source mirroring group on the source device and the
cooperating remote destination mirroring group on the destination device.
The two mirroring groups must be configured with the same remote probe VLAN. If
intermediate devices are involved, you must configure these devices to permit the
probe VLAN to pass through.
1.3.1 Configuring a Remote Source Mirroring Group (on the Source Device)
A remote source mirroring group comprises one or multiple mirroring ports, a remote
probe VLAN, and a reflector port. The ports and the probe VLAN must not have been
assigned to any other mirroring groups.
Follow these steps to configure a remote source port mirroring group on the source
device:
To do… Use the command… Remarks
Enter system view system-view —
Create a remote probe
VLAN vlan vlan-id Required
Return to system view quit —
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-6
To do… Use the command… Remarks
Create a remote source
mirroring group mirroring-group groupid
remote-source Required
In system
view
mirroring-group groupid
mirroring-port
mirroring-port-list { inbound |
outbound | both }
interface interface-type
interface-number
[ mirroring-group groupid ]
mirroring-port { inbound |
outbound | both }
Assign
ports to
the
mirroring
group as
mirroring
ports
In Ethernet
interface
view
quit
Required
Use either approach.
In system view, you
can assign a list of
ports to the mirroring
group at a time.
In interface view, you
can assign only the
current interface to
the mirroring group.
To monitor multiple
ports, repeat the step.
In system
view mirroring-group groupid
reflector-port reflector-port-id
interface interface-type
interface-number
mirroring-group groupid
reflector-port
Assign a
port to
the
mirroring
group as
the
reflector
port
In Ethernet
interface
view
quit
Required
Use either approach.
Configure the remote
probe VLAN for the
mirroring group
mirroring-group groupid
remote-probe vlan
rprobe-vlan-id Required
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-7
Note:
zTo ensure device performance, do not assign mirroring ports to a remote probe
VLAN.
zTo configure a port as a reflector port, you must ensure that its link type is access, it
belongs to the default VLAN (that is, VLAN 1), and it is neither a destination port for
traffic mirroring nor a member of any other port mirroring group.
zYou are recommended not to connect a network cable to a reflector port. On a
reflector port, you must disable these features: 802.1x, QinQ, port loopback, and
service loopback. To ensure normal operation of the device, you are recommended
to disable static ARP and MAC address learning on the reflector port as well.
zThe outgoing port for a mirrored packet must not be the same as the reflector port.
zYou are recommended to use a remote probe VLAN for port mirroring only.
zOnly existing static VLANs can be configured as remote probe VLANs. To remove
the VLAN operating as a remote probe VLAN, you need to remove the VLAN from
the remote mirroring group first with the undo mirroring-group remote-probe vlan
command. Removing the probe VLAN can invalidate the remote source mirroring
group.
zTo ensure the functionality of remote port mirroring, disable MAC address learning
in a remote probe VLAN on the intermediate devices, if any.
zEnsure that the mirrored packets leave the source device with the tag of the remote
probe VLAN.
1.3.2 Configuring a Remote Destination Mirroring Group (on the Destination
Device)
A remote destination mirroring group comprises a remote probe VLAN and a monitor
port. The port and the probe VLAN must not have been assigned to any other mirroring
groups. In addition, you must ensure that the remote probe VLAN is the same as the
one configured in the remote source mirroring group.
Follow these steps to configure a remote destination port mirroring group on the
destination device:
To do… Use the command… Remarks
Enter system view system-view —
Create a VLAN and enter
the VLAN view vlan vlan-id Required
Disable MAC address
learning in the VLAN by
assigning 0 to the count
argument
mac-address
max-mac-count count Required
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-8
To do… Use the command… Remarks
Return to system view quit —
Create a remote
destination port mirroring
group
mirroring-group groupid
remote-destination Required
Assign the VLAN you
created to the port
mirroring group
mirroring-group groupid
remote-probe vlan
rprobe-vlan-id Required
In system
view mirroring-group groupid
monitor-port monitor-port-id
interface interface-type
interface-number
[mirroring-group groupid ]
monitor-port
Assign a
port to the
port
mirroring
group as
the
monitor
port
In Ethernet
interface
view
quit
Required
Use either approach.
In Ethernet interface
view, if no destination
mirroring group is
specified, group 1 is
used by default.
Enter the interface view of
the monitor port interface interface-type
interface-number —
If the port is
an access
port
port access vlan
rprobe-vlan-id
If the port is a
trunk port port trunk permit vlan
rprobe-vlan-id
Assign the
monitor
port to the
remote
probe
VLAN If the port is a
hybrid port
port hybrid vlan
rprobe-vlan-id { tagged |
untagged }
Required
Use one of the
commands
depending on the link
type of the monitor
port.
Note:
zAfter you configure a port as a monitor port, you are recommended not to use it for
any other purposes. This is to ensure that the data monitoring device receives only
the mirrored traffic rather than a mix of mirrored traffic and normally forwarded
traffic.
zOnly existing static VLANs can be configured as remote probe VLANs. To remove
the VLAN operating as a remote probe VLAN, you need to remove the VLAN from
the remote mirroring group first with the undo mirroring-group remote-probe vlan
command. Removing the probe VLAN can invalidate the remote source mirroring
group.
zYou are recommended to use a remote probe VLAN for port mirroring only.
zTo ensure the functionality of remote port mirroring, disable MAC address learning
in the remote probe VLAN on the source, intermediate, and destination devices.
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-9
1.4 Displaying and Maintaining Port Mirroring
To do… Use the command… Remarks
Display the configuration
of port mirroring groups
display mirroring-group
{ groupid |local |remote-source
|remote-destination | all }
Available in any
view
1.5 Port Mirroring Configuration Examples
1.5.1 Local Port Mirroring Configuration Example
I. Network requirements
On a network shown in Figure 1-4,
zHost A is connected to port Ethernet 1/1/1 of Switch C through Switch A.
zHost B is connected to port Ethernet 1/1/2 of Switch C through Switch B.
zA data monitoring server is connected to port Ethernet 1/1/3 of Switch C.
To monitor the packets of Host A and Host B on the server, you can configure a local
port mirroring group on Switch C by:
zConfiguring ports Ethernet 1/1/1 and Ethernet 1/1/2 as mirroring ports.
zConfiguring port Ethernet 1/1/3 as the monitor port.
II. Network diagram
Switch A
Switch B
Switch C Server
Eth1/1/1
Eth1/1/2
Eth1/1/3
Host A
Host B
Figure 1-4 Network diagram for local port mirroring configuration
III. Configuration procedure
1) Configure Switch C.
# Enter system view.
<Sysname> system-view
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-10
# Create a local port mirroring group.
[Sysname] mirroring-group 1 local
# Assign port Ethernet 1/1/1 and Ethernet 1/1/2 to the port mirroring group as mirroring
ports.Assign port Ethernet 1/1/3 to the port mirroring group as the monitor port.
[Sysname] mirroring-group 1 mirroring-port ethernet 1/1/1 ethernet 1/1/2 both
[Sysname] mirroring-group 1 monitor-port ethernet 1/1/3
# Display the configuration of all the port mirroring groups.
[Sysname] display mirroring-group all
mirroring-group 1:
type: local
status: active
mirroring port:
Ethernet1/1/1 both
Ethernet1/1/2 both
monitor port: Ethernet1/1/3
After finishing the configuration, you can monitor all the packets received and sent by
Host A and Host B on the server.
1.5.2 Remote Port Mirroring Configuration Example
I. Network requirements
On a network shown in Figure 1-5,
zHost A is connected to port Ethernet 1/1/1 of Switch A.
zHost B is connected to port Ethernet 1/1/2 of Switch A.
zPort Ethernet 1/1/3 of Switch A is connected to port Ethernet 1/1/1 of Switch B.
Both ports are trunk ports.
zPort Ethernet 1/1/2 of Switch B is connected to port Ethernet 1/1/1 of Switch C.
Both ports are trunk ports.
zA server is connected to port Ethernet 1/1/2 of Switch C.
To monitor packets of Host A and Host B on the server, you can configure remote port
mirroring groups on the switches as follows:
zOn Switch A, create a remote source mirroring group; create VLAN 2 and
configure it as the remote probe VLAN; assign ports Ethernet 1/1/1 and Ethernet
1/1/2 to the port mirroring group as mirroring ports and port Ethernet 1/1/4 as the
reflector port.
zConfigure port Ethernet 1/1/3 of Switch A, ports Ethernet 1/1/1 and Ethernet 1/1/2
of Switch B, and port Ethernet 1/1/1 of Switch C as trunk ports and configure them
to permit packets of VLAN 2.
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-11
zCreate a remote destination mirroring group on Switch C. Configure VLAN 2 as
the remote probe VLAN and port Ethernet 1/1/2, to which the server is connected,
as the monitor port.
II. Network diagram
Switch A
Switch B Switch C
Eth1/1/2Eth1/1/1
Eth1/1/3 Eth1/1/1 Eth1/1/2 Eth1/1/1
Eth1/1/2
Server
Host A Host B
Eth1/1/4
Reflector Port
Figure 1-5 Network diagram for remote port mirroring configuration
III. Configuration procedure
1) Configure Switch A (the source device)
# Enter system view.
<Sysname> system-view
# Create a remote source port mirroring group.
[Sysname] mirroring-group 1 remote-source
# Create VLAN 2.
[Sysname] vlan 2
[Sysname-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the remote port mirroring group. Add
port Ethernet 1/1/1 and Ethernet1/1/2 to the remote port mirroring group as mirroring
ports. Configure port Ethernet 1/1/4 as the reflector port.
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 mirroring-port ethernet 1/1/1 ethernet 1/1/2 both
[Sysname] mirroring-group 1 reflector-port Ethernet ethernet 1/1/4
# Configure port Ethernet 1/1/3 as a trunk port and configure the port to permit the
packets of VLAN 2.
[Sysname] interface ethernet 1/1/3
[Sysname-Ethernet1/1/3] port link-type trunk
[Sysname-Ethernet1/1/3] port trunk permit vlan 2
2) Configure Switch B (an intermediate device)
# Create VLAN 2 and disable MAC address learning in it.
Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Chapter 1 Port Mirroring Configuration
1-12
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-address max-mac-count 0
[Sysname-vlan2] quit
# Configure port Ethernet 1/1/1 as a trunk port and configure the port to permit the
packets of VLAN 2.
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port link-type trunk
[Sysname-Ethernet1/1/1] port trunk permit vlan 2
# Configure port Ethernet 1/1/2 as a trunk port and configure the port to permit the
packets of VLAN 2.
[Sysname-Ethernet1/1/1] interface ethernet 1/1/2
[Sysname-Ethernet1/1/2] port link-type trunk
[Sysname-Ethernet1/1/2] port trunk permit vlan 2
3) Configure Switch C (the destination device)
# Enter system view.
<Sysname> system-view
# Configure port Ethernet 1/1/1 as a trunk port and configure the port to permit the
packets of VLAN 2.
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port link-type trunk
[Sysname-Ethernet1/1/1] port trunk permit vlan 2
[Sysname-Ethernet1/1/1] quit
# Create a remote destination port mirroring group.
[Sysname] mirroring-group 1 remote-destination
# Create VLAN 2 and disable MAC address learning in it. Assign port Ethernet1/1/2 to
it.
[Sysname] vlan 2
[Sysname-vlan2] mac-address max-mac-count 0
[Sysname-vlan2] port ethernet 1/1/2
[Sysname-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the remote destination port mirroring
group. Assign port Ethernet 1/1/2 to the remote destination port mirroring group as the
monitor port.
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 monitor-port ethernet 1/1/2
After finishing the configuration, you can monitor all the packets received and sent by
Host A and Host B on the Server.
Other manuals for S9500 Series
73
Table of contents
Other H3C Switch manuals
H3C
H3C S9500 Series User manual
H3C
H3C Mini Series User manual
H3C
H3C S5830V2 series Installation manual
H3C
H3C S3100 Series User manual
H3C
H3C S9500 Series User manual
H3C
H3C S5820V2 series Installation manual
H3C
H3C S5560S-SI User manual
H3C
H3C Mini S9G User manual
H3C
H3C S5820V2H User manual
H3C
H3C S5500-EI series User manual
H3C
H3C S9820-8C User manual
H3C
H3C S10500 Series User manual
H3C
H3C S7500 Series User manual
H3C
H3C A3600 Series User manual
H3C
H3C S12500X-AF Series Quick guide
H3C
H3C S5560S-SI User manual
H3C
H3C S3100-52P User manual
H3C
H3C S5820X-28C User manual
H3C
H3C S5120-SI Series User manual
H3C
H3C S7500 Series Installation instructions
