Port Mirroring Configuration Examples

Keywords: mirroring group, monitor port, mirroring port, remote-probe VLAN

Abstract: Port mirroring is mainly used to monitor and analyze packets on a port or ports. This document introduces some typical port mirroring applications.

Acronyms:
Acronym   Full spelling
IDS       Intrusion Detection System
VLAN      Virtual Local Area Network
Port Mirroring Configuration Examples
Hangzhou H3C Technologies Co., Ltd. 2/16
Table of Contents

1 Feature Overview
2 Application Scenarios
3 Configuration Guidelines
4 Example of Port Mirroring with Multiple Monitor Ports
  4.1 Network Requirements
  4.2 Configuration Considerations
  4.3 Software Version Used
  4.4 Configuration Procedures
    4.4.1 Configuration on Device A
    4.4.2 Verification
5 Example of Port Mirroring with Multiple Source Devices
  5.1 Network Requirements
  5.2 Configuration Considerations
  5.3 Software Version Used
  5.4 Configuration Procedures
    5.4.1 Configuration on Device A
    5.4.2 Configuration on Device B
    5.4.3 Configuration on Device C
    5.4.4 Verification
6 References
1 Feature Overview

Port mirroring copies the packets passing through a port (called a mirroring port) to another port (called the monitor port) that is connected to a monitoring device for packet analysis. Port mirroring can be local or remote. In local port mirroring, the mirroring port or ports and the monitor port are located on the same device. In remote port mirroring, the mirroring port or ports and the monitor port can be located on different devices, and there may be multiple network devices between them.

Port mirroring is implemented through port mirroring groups. A port mirroring group may include the mirroring port(s), the monitor port, a reflector port, and a remote probe VLAN. For a detailed description, refer to Port Mirroring Configuration in the Access Volume.

2 Application Scenarios

Network traffic monitoring is needed for packet analysis, for IDS deployment, and for network analyzers. Monitoring all the traffic in a large switching network is difficult, however, so you can configure port mirroring to copy the traffic of a port or ports to a specific port for network traffic monitoring.

3 Configuration Guidelines

During configuration, note the following:

- Status of mirroring groups. Port mirroring takes effect only when the mirroring group is in the active state. You can check whether a mirroring group is active by viewing the mirroring group information. A mirroring group is active if it has the required smallest complete configuration and the ports used in that configuration are valid ports. The required smallest complete configuration differs by mirroring group type. For example, for a local mirroring group, the smallest complete configuration is at least one mirroring port and one monitor port; for a remote source mirroring group that needs a reflector port, it is at least one mirroring port, a remote probe VLAN, and a reflector port; for a remote source mirroring group that needs no reflector port, it is at least one mirroring port and a remote probe VLAN.

- Validity of mirroring ports. At present, validity mainly concerns Combo ports, because a Combo port may be disabled. If a port in the smallest complete configuration is a disabled Combo port, the mirroring group is inactive. If you enable the Combo port, the mirroring group automatically becomes active. Likewise, if you disable a Combo port that belongs to an active mirroring group, the group becomes inactive.

- Remote probe VLAN extension. Packets with an unknown destination MAC address are broadcast within a VLAN. Therefore, port mirroring with multiple monitor ports can be achieved on a device where MAC address learning is disabled on its remote probe VLAN. That is, you do not need to configure a monitor port in a remote mirroring group, because any port in the remote probe VLAN of a device configured with a remote port mirroring group can act as a monitor port.

- Inbound traffic and MAC address learning of a monitor port. If the monitor port has no restriction on inbound traffic and MAC address learning, improper configuration can cause network anomalies in certain circumstances. For example, if the monitor port is connected to an intelligent security device (an IDS, for example), you must stop the monitor port from receiving traffic from that device, because the device may send a control message (a TCP reset packet, for example) to terminate suspicious traffic, which may have unexpected results. As another example, if the monitor port is connected to a relay device (a Layer 2 switch, for example) and a loop occurs on the relay device, the traffic copied to the monitor port may return along its original path, so the monitor port learns the MAC addresses again, causing a network anomaly.
4 Example of Port Mirroring with Multiple Monitor Ports

4.1 Network Requirements

Two monitoring devices are present: one is a data analyzer, and the other is an IDS device. You want to analyze Internet traffic and at the same time detect Internet intrusion on Device A. The network diagram is shown in Figure 1.

Figure 1 Network diagram for port mirroring with multiple monitor ports (Device A: GE1/0/25 to the Internet, GE1/0/27 to the analyzer, GE1/0/28 to the IDS)

4.2 Configuration Considerations

Because each mirroring group can be configured with only one monitor port, and a mirroring port can belong to only one mirroring group, you implement traffic mirroring to multiple monitor ports through the remote probe VLAN:
- Configure a remote source mirroring group and make sure the group is in the active state.
- Add multiple monitor ports to the remote probe VLAN.

4.3 Software Version Used

This example is configured and verified on S5510 series Ethernet switches running

4.4 Configuration Procedures
Note: The following configuration was created from the devices in a specific lab environment. All of the devices used in this document started with a default configuration. If you have configured your device, make sure the existing configuration does not conflict with the following configuration. This document is not restricted to specific software and hardware versions.
4.4.1 Configuration on Device A

I. Configuration steps

1) Configure the remote source mirroring group

# Create remote source mirroring group 1.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source

# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit

# Configure GigabitEthernet 1/0/25 as the mirroring port, GigabitEthernet 1/0/26 as the reflector port, and VLAN 2 as the remote-probe VLAN in the remote source mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound
[DeviceA] mirroring-group 1 reflector-port GigabitEthernet 1/0/26

2) Add monitor ports to the remote probe VLAN

# Enter the view of the interface connected with the analyzer.
[DeviceA] interface GigabitEthernet 1/0/27

# Add port GigabitEthernet 1/0/27 to the remote probe VLAN.
[DeviceA-GigabitEthernet1/0/27] port access vlan 2
# Enter the view of the interface connected with the IDS.
[DeviceA-GigabitEthernet1/0/27] interface GigabitEthernet 1/0/28

# Add port GigabitEthernet 1/0/28 to the remote probe VLAN.
[DeviceA-GigabitEthernet1/0/28] port access vlan 2

II. Configuration file

<DeviceA> display current-configuration
#
 version 5.20, Test 5310
#
 sysname DeviceA
#
 domain default enable system
#
 telnet server enable
#
mirroring-group 1 remote-source
mirroring-group 1 remote-probe vlan 2
#
vlan 1
#
vlan 2
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface GigabitEthernet1/0/25
 mirroring-group 1 mirroring-port inbound
#
interface GigabitEthernet1/0/26
 mirroring-group 1 reflector-port
#
interface GigabitEthernet1/0/27
 port access vlan 2
#
interface GigabitEthernet1/0/28
 port access vlan 2
#
 load xml-configuration
#
user-interface aux 0
 idle-timeout 0 0
user-interface vty 0 4
#
return
#

4.4.2 Verification

You can see the traffic coming from the Internet on both the analyzer and the IDS; that is, the port mirroring function has taken effect. You can now analyze Internet traffic and detect Internet intrusion simultaneously.

5 Example of Port Mirroring with Multiple Source Devices

5.1 Network Requirements

You have only one analyzer, but you want to monitor traffic coming from both the Internet and the LAN on it at the same time. Device A is connected to the Internet, Device B to the LAN, and Device C to the analyzer. The network diagram is shown in Figure 2.

Figure 2 Network diagram for port mirroring with multiple source devices (Device A: GE1/0/25 to the Internet, GE1/0/27 to Device C GE1/0/25; Device B: GE1/0/25 to the LAN, GE1/0/27 to Device C GE1/0/26; Device C: GE1/0/27 to the analyzer)
5.2 Configuration Considerations

Because the mirroring spans devices, you must configure remote port mirroring:
- Configure different remote probe VLANs for Device A and Device B to isolate the traffic of Device A from that of Device B.
- Configure a remote source mirroring group on Device A and on Device B, and make sure the groups are in the active state.
- On Device A, configure the port connected with Device C to permit only the remote probe VLAN of Device A.
- On Device B, configure the port connected with Device C to permit only the remote probe VLAN of Device B.
- On Device C, create the remote probe VLANs of Device A and Device B.
- On Device C, configure the port connected with Device A to permit only the remote probe VLAN of Device A.
- On Device C, configure the port connected with Device B to permit only the remote probe VLAN of Device B.
- On Device C, configure the port connected with the analyzer to permit only the remote probe VLANs of Device A and Device B.

5.3 Software Version Used

This example is configured and verified on S5510 series Ethernet switches running COMWAREV500R002B41D001.

5.4 Configuration Procedures
Note: The following configuration was created from the devices in a specific lab environment. All of the devices used in this document started with a default configuration. If you have configured your device, make sure the existing configuration does not conflict with the following configuration. This document is not restricted to specific software and hardware versions.
5.4.1 Configuration on Device A

I. Configuration steps

1) Configure the remote source mirroring group

# Create remote source mirroring group 1.
<DeviceA> system-view
[DeviceA] mirroring-group 1 remote-source

# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit

# Configure GigabitEthernet 1/0/25 as the mirroring port, GigabitEthernet 1/0/26 as the reflector port, and VLAN 2 as the remote-probe VLAN in the remote source mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound
[DeviceA] mirroring-group 1 reflector-port GigabitEthernet 1/0/26

2) Configure the port connected with Device C

# Enter GigabitEthernet 1/0/27 view.
[DeviceA] interface GigabitEthernet 1/0/27

# Configure GigabitEthernet 1/0/27 as a trunk port.
[DeviceA-GigabitEthernet1/0/27] port link-type trunk

# Configure GigabitEthernet 1/0/27 to permit the remote probe VLAN.
[DeviceA-GigabitEthernet1/0/27] port trunk permit vlan 2

# Configure GigabitEthernet 1/0/27 to deny the default VLAN.
[DeviceA-GigabitEthernet1/0/27] undo port trunk permit vlan 1

II. Configuration file

<DeviceA> display current-configuration
#
 version 5.20, Test 5310
#
 sysname DeviceA
#
 domain default enable system
#
 telnet server enable
#
mirroring-group 1 remote-source
mirroring-group 1 remote-probe vlan 2
#
vlan 1
#
vlan 2
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface GigabitEthernet1/0/25
 mirroring-group 1 mirroring-port inbound
#
interface GigabitEthernet1/0/26
 mirroring-group 1 reflector-port
#
interface GigabitEthernet1/0/27
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
 load xml-configuration
#
user-interface aux 0
 idle-timeout 0 0
user-interface vty 0 4
#
return
#

5.4.2 Configuration on Device B

I. Configuration steps

1) Configure the remote source mirroring group

# Create remote source mirroring group 1.
<DeviceB> system-view
[DeviceB] mirroring-group 1 remote-source
# Create VLAN 3.
[DeviceB] vlan 3
[DeviceB-vlan3] quit

# Configure GigabitEthernet 1/0/25 as the mirroring port, GigabitEthernet 1/0/26 as the reflector port, and VLAN 3 as the remote-probe VLAN in the remote source mirroring group.
[DeviceB] mirroring-group 1 remote-probe vlan 3
[DeviceB] mirroring-group 1 mirroring-port GigabitEthernet 1/0/25 inbound
[DeviceB] mirroring-group 1 reflector-port GigabitEthernet 1/0/26

2) Configure the port connected with Device C

# Enter GigabitEthernet 1/0/27 view.
[DeviceB] interface GigabitEthernet 1/0/27

# Configure GigabitEthernet 1/0/27 as a trunk port.
[DeviceB-GigabitEthernet1/0/27] port link-type trunk

# Configure GigabitEthernet 1/0/27 to permit the remote probe VLAN.
[DeviceB-GigabitEthernet1/0/27] port trunk permit vlan 3

# Configure GigabitEthernet 1/0/27 to deny the default VLAN.
[DeviceB-GigabitEthernet1/0/27] undo port trunk permit vlan 1

II. Configuration file

<DeviceB> display current-configuration
#
 version 5.20, Test 5310
#
 sysname DeviceB
#
 domain default enable system
#
 telnet server enable
#
mirroring-group 1 remote-source
mirroring-group 1 remote-probe vlan 3
#
vlan 1
#
vlan 3
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface GigabitEthernet1/0/25
 mirroring-group 1 mirroring-port inbound
#
interface GigabitEthernet1/0/26
 mirroring-group 1 reflector-port
#
interface GigabitEthernet1/0/27
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
 load xml-configuration
#
user-interface aux 0
 idle-timeout 0 0
user-interface vty 0 4
#
return
#

5.4.3 Configuration on Device C

I. Configuration steps

1) Configure the remote-probe VLANs of Device A and Device B

# Create VLAN 2 and VLAN 3.
<DeviceC> system-view
[DeviceC] vlan 2
[DeviceC-vlan2] quit
[DeviceC] vlan 3
[DeviceC-vlan3] quit

2) Configure the port connected with Device A

# Enter GigabitEthernet 1/0/25 view.
[DeviceC] interface GigabitEthernet 1/0/25

# Configure port GigabitEthernet 1/0/25 as a trunk port.
[DeviceC-GigabitEthernet1/0/25] port link-type trunk

# Configure GigabitEthernet 1/0/25 to permit VLAN 2.
[DeviceC-GigabitEthernet1/0/25] port trunk permit vlan 2

# Configure GigabitEthernet 1/0/25 to deny the default VLAN.
[DeviceC-GigabitEthernet1/0/25] undo port trunk permit vlan 1

3) Configure the port connected with Device B

# Enter GigabitEthernet 1/0/26 view.
[DeviceC] interface GigabitEthernet 1/0/26

# Configure port GigabitEthernet 1/0/26 as a trunk port.
[DeviceC-GigabitEthernet1/0/26] port link-type trunk

# Configure GigabitEthernet 1/0/26 to permit VLAN 3.
[DeviceC-GigabitEthernet1/0/26] port trunk permit vlan 3

# Configure GigabitEthernet 1/0/26 to deny the default VLAN.
[DeviceC-GigabitEthernet1/0/26] undo port trunk permit vlan 1

4) Configure the port connected with the analyzer

# Enter GigabitEthernet 1/0/27 view.
[DeviceC] interface GigabitEthernet 1/0/27

# Configure port GigabitEthernet 1/0/27 as a trunk port.
[DeviceC-GigabitEthernet1/0/27] port link-type trunk

# Configure GigabitEthernet 1/0/27 to permit VLAN 2 and VLAN 3.
[DeviceC-GigabitEthernet1/0/27] port trunk permit vlan 2 to 3

# Configure GigabitEthernet 1/0/27 to deny the default VLAN.
[DeviceC-GigabitEthernet1/0/27] undo port trunk permit vlan 1

II. Configuration file

<DeviceC> display current-configuration
#
 version 5.20, Test 5310
#
 sysname DeviceC
#
 domain default enable system
#
 telnet server enable
#
vlan 1
#
vlan 2 to 3
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
interface GigabitEthernet1/0/25
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface GigabitEthernet1/0/26
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 3
#
interface GigabitEthernet1/0/27
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 3
#
 load xml-configuration
#
user-interface aux 0
 idle-timeout 0 0
user-interface vty 0 4
#
return
#

5.4.4 Verification

You can see the traffic coming from both the Internet and the LAN on the analyzer; that is, the port mirroring function has taken effect.
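The following Python script is an added example and is not part of the H3C document or of Comware. It parses configuration text in the form of the display current-configuration listings above and checks it against two rules stated in this document: the smallest-complete-configuration rule for mirroring groups (section 3, as used by the remote source groups of sections 4 and 5) and the remote probe VLAN isolation required of the trunk ports in section 5.2. The sample configurations embedded in it are abridged from the Device A (4.4.1) and Device C (5.4.3) configuration files; the function names and the assumed defaults (an interface starts as an access port in VLAN 1, and a trunk permits VLAN 1 until undo port trunk permit vlan 1 is applied) are the example's own.

```python
"""Static checks over the Comware-style configuration listings in this document (added
example, not H3C code).  Assumed defaults, not stated in the document: an interface is an
access port in VLAN 1, and a trunk permits VLAN 1 until 'undo port trunk permit vlan 1'."""
import re

def parse_vlan_list(spec):
    """Expand '2', '2 to 3' or '2 4 to 6' into a set of VLAN ids."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Parse 'display current-configuration' text into mirroring groups and interfaces."""
    groups, interfaces, cur = {}, {}, None
    def group(gid):
        return groups.setdefault(gid, dict(type=None, remote_probe_vlan=None, mirroring_ports=[],
                                           monitor_port=None, reflector_port=None))
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":              # '#' closes the current view
            cur = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = m.group(1)
            interfaces[cur] = dict(link_type="access", access_vlan=1, trunk_permit={1})
            continue
        if cur is None:                          # system-view lines
            m = re.match(r"mirroring-group (\d+) (local|remote-source|remote-destination|remote-probe vlan \d+)$", line)
            if m and m.group(2).startswith("remote-probe"):
                group(int(m.group(1)))["remote_probe_vlan"] = int(m.group(2).split()[-1])
            elif m:
                group(int(m.group(1)))["type"] = m.group(2)
            continue
        itf = interfaces[cur]                    # interface-view lines
        m = re.match(r"mirroring-group (\d+) (mirroring|monitor|reflector)-port(?: (\w+))?$", line)
        if m:
            g, role = group(int(m.group(1))), m.group(2)
            if role == "mirroring":
                g["mirroring_ports"].append((cur, m.group(3)))   # (port, direction)
            else:
                g[role + "_port"] = cur
        elif line == "port link-type trunk":
            itf["link_type"] = "trunk"
        elif line.startswith("undo port trunk permit vlan "):
            itf["trunk_permit"] -= parse_vlan_list(line.split("vlan ", 1)[1])
        elif line.startswith("port trunk permit vlan "):
            itf["trunk_permit"] |= parse_vlan_list(line.split("vlan ", 1)[1])
        elif line.startswith("port access vlan "):
            itf["access_vlan"] = int(line.split()[-1])
    return {"groups": groups, "interfaces": interfaces}

def group_state(g, needs_reflector=True):
    """'active' if the group has the document's smallest complete configuration (section 3).
    Port validity (a disabled Combo port) is not visible in the text and is not checked."""
    ok = False                                   # group types outside this document stay inactive
    if g["type"] == "local":
        ok = g["mirroring_ports"] and g["monitor_port"]
    elif g["type"] == "remote-source":
        ok = g["mirroring_ports"] and g["remote_probe_vlan"] and (g["reflector_port"] or not needs_reflector)
    return "active" if ok else "inactive"

def probe_vlan_members(interfaces, vlan):
    """Access ports in the remote probe VLAN; per section 3 each of them receives the mirrored traffic."""
    return sorted(n for n, i in interfaces.items() if i["link_type"] == "access" and i["access_vlan"] == vlan)

def trunk_leaks(interfaces, name, allowed):
    """VLANs a trunk still permits beyond the remote probe VLAN(s) it should carry (section 5.2)."""
    return sorted(interfaces[name]["trunk_permit"] - set(allowed))

# Abridged from the document's Device A (section 4.4.1) and Device C (section 5.4.3) configuration files.
DEVICE_A = """\
mirroring-group 1 remote-source
mirroring-group 1 remote-probe vlan 2
interface GigabitEthernet1/0/25
 mirroring-group 1 mirroring-port inbound
interface GigabitEthernet1/0/26
 mirroring-group 1 reflector-port
interface GigabitEthernet1/0/27
 port access vlan 2
interface GigabitEthernet1/0/28
 port access vlan 2
"""
DEVICE_C = """\
interface GigabitEthernet1/0/25
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2
#
interface GigabitEthernet1/0/27
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 2 to 3
"""

if __name__ == "__main__":
    a, c = parse_config(DEVICE_A), parse_config(DEVICE_C)
    print("Device A group 1:", group_state(a["groups"][1]), probe_vlan_members(a["interfaces"], 2))
    print("Device C GE1/0/25 leaks:", trunk_leaks(c["interfaces"], "GigabitEthernet1/0/25", [2]))
```

Run as a script, it reports group 1 on Device A as active and lists GigabitEthernet1/0/27 and 1/0/28 as the ports that receive the mirrored traffic, and it reports no extra VLAN on the Device C uplink. Removing the reflector-port line from the Device A text flips the group to inactive (unless the device type needs no reflector port, which needs_reflector=False models), and removing an undo port trunk permit vlan 1 line makes VLAN 1 show up as a leak. The script sees only configuration text, so the Combo port validity condition of section 3 still has to be confirmed from the mirroring group status on the device itself.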
6 References

Port Mirroring Configuration in the Access Volume.
Port Mirroring Commands in the Access Volume.
Copyright 2007-2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.