Contents
1. Introduction
2. Prerequisites
3. Network diagram
4. Configuring remote and intelligent mirroring
4.1 Conventional port mirroring versus ProCurve remote mirroring
4.2 Configure remote mirroring from the CLI
4.3 Configure remote mirroring from PCM+
4.4 Configure intelligent mirroring
5. Reference documents
1. Introduction
This application note explains how to configure remote and intelligent port mirroring on ProCurve ProVision switches.
Remote port mirroring lets you redirect data flows that you monitor on a source switch to a different destination switch,
which allows a centralized network analyzer or probe to capture packets for an entire LAN. This is important if you
want to add an intrusion detection system (IDS) without introducing an in-line failure point.
Intelligent mirroring lets you configure an access list on the source switch to filter the traffic and send only ICMP
packets to the remote switch port.
2. Prerequisites
You need a ProCurve ProVision switch, such as the ProCurve Switch 5400zl, as the source switch, and at least one
other switch (such as the ProCurve Switch 3500yl used in this example) as the destination. You can use ProCurve
Manager Plus or the CLI to configure remote and intelligent mirroring. To monitor traffic you need a network protocol
analyzer such as Wireshark.
3. Network diagram
Figure 1 details the hardware configuration referenced in this application note.
Figure 1. Setup for configuring remote mirroring and intelligent mirroring on a ProCurve ProVision switch
The mirror or destination port. This is the port on the switch to which you want to send the monitored traffic
flow. You connect a network analyzer here, allowing you to view the traffic.
The monitored or source ports. These are the ports on the switch from which you copy the traffic and send it to
the mirror port.
HP ProCurve Networking
To monitor traffic flows on several switches, you need to dedicate a mirror port on each switch and move your
analyzer around the network.
Having both the monitored ports and the mirror port on the same switch introduces a greater potential for
failure.
All traffic is mirrored, so you need to define filters on your analyzer to extract information of interest.
By contrast, with remote port mirroring on ProCurve ProVision switches you can redirect data flows from mirrored
ports on the source switch to a mirror on a different destination switch. Each single source switch can mirror up to four
sessions. The destination switch can capture up to a total of 32 mirror sessions from different switches.
You can configure remote mirroring from the CLI or from ProCurve Manager Plus.
For example:
3500yl(config)# mirror endpoint ip 10.1.10.1 1000 10.1.10.2 port 3
2. On the source switch (or switches): Activate it with a mirror command in which you specify:
o The mirror session number (1 to 4)
o The source switch IP address
o The same UDP port that you configured on the destination switch
o The destination switch IP address
Syntax for this command is:
ProCurve_source_switch(config)# mirror <1-4> [name <name>] remote ip <src-ip-add> <src-udp-port> <dst-ip-add>
For example:
5400zl(config)# mirror 1 remote ip 10.1.10.1 1000 10.1.10.2
3. On each interface: Use the interface command to specify what traffic to monitor (in, out or both) and the mirror
session number.
Command syntax is:
ProCurve_source_switch(config)# interface <port/trunk/mesh> monitor all [in | out | both] mirror <1-4> [mirror <1-4> . . .]
For example:
5400zl(config)# interface A7 monitor all both mirror 1
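The following is an added example, not part of the original application note or of any HP tool: a small Python check that the source switch's `mirror ... remote ip` session and the destination switch's `mirror endpoint ip` agree on source IP, UDP port and destination IP, and that every monitored interface references a defined session. The function names are hypothetical, and the sample configurations are constructed from the example commands in this note.

```python
import re

# Patterns follow the command syntax shown in this application note.
ENDPOINT = re.compile(r"mirror endpoint ip (\S+) (\d+) (\S+) port (\S+)")
REMOTE = re.compile(r"mirror ([1-4])(?: name \S+)? remote ip (\S+) (\d+) (\S+)")
MONITOR = re.compile(r"interface (\S+) monitor all (in|out|both)((?: mirror [1-4])+)")

def parse(config, pattern):
    """Return the capture groups of every line in `config` matching `pattern`."""
    return [m.groups() for line in config.splitlines()
            if (m := pattern.search(line))]

def audit_mirroring(source_cfg, dest_cfg):
    """Return a list of problems found in a source/destination config pair."""
    problems = []
    endpoints = {(src, udp, dst) for src, udp, dst, _port in parse(dest_cfg, ENDPOINT)}
    sessions = {}
    for num, src, udp, dst in parse(source_cfg, REMOTE):
        sessions[num] = (src, udp, dst)
        # The destination must listen for exactly this src IP / UDP port / dst IP.
        if (src, udp, dst) not in endpoints:
            problems.append(f"session {num}: no endpoint matches {src} {udp} {dst}")
    used = set()
    for port, _direction, mirrors in parse(source_cfg, MONITOR):
        for num in re.findall(r"mirror ([1-4])", mirrors):
            used.add(num)
            if num not in sessions:
                problems.append(f"interface {port}: session {num} is not defined")
    # A session with no monitored interface sends nothing to the analyzer.
    for num in sorted(set(sessions) - used):
        problems.append(f"session {num}: no interface is monitored")
    return problems

# Constructed sample configs, built from the example commands in this note.
DEST_OK = "3500yl(config)# mirror endpoint ip 10.1.10.1 1000 10.1.10.2 port 3"
SOURCE_OK = """5400zl(config)# mirror 1 remote ip 10.1.10.1 1000 10.1.10.2
5400zl(config)# interface A7 monitor all both mirror 1"""
# Constructed faulty variant: UDP port differs from the endpoint, wrong session.
SOURCE_BAD = """5400zl(config)# mirror 1 remote ip 10.1.10.1 1001 10.1.10.2
5400zl(config)# interface A7 monitor all both mirror 2"""

if __name__ == "__main__":
    print(audit_mirroring(SOURCE_OK, DEST_OK))
    for problem in audit_mirroring(SOURCE_BAD, DEST_OK):
        print(problem)
```

A mismatch of this kind leaves the IDS or analyzer on the destination switch receiving nothing, so it is worth checking before relying on the capture.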
4. From the drop-down menu choose Configure Mirror Port. You see the Configure Mirror Port window:
5. Ensure Remote Monitoring is enabled and click Enable Mirror Port. The Mirror Port: option changes to true,
and the button changes to Disable.
6. Select the HP ProCurve 5400zl as the mirror source:
5. Select Monitor Port from the pull-down menu and choose the mirror you have created. The Select Mirror Port
dialog displays, with a listing of the ports and devices configured as mirror (monitoring) ports.
Now when you run a capture, you will only see the ICMP packets in the monitoring port.
5. Reference documents
This concludes the procedure for configuring remote and intelligent mirroring on ProCurve switches.
For further information about how to configure ProCurve switches to support security, please refer to the following
links: