
An HP ProCurve Networking Application Note


How to configure remote and intelligent mirroring on ProCurve switches


Contents

1. Introduction ........ 2
2. Prerequisites ........ 2
3. Network diagram ........ 2
4. Configuring remote and intelligent mirroring ........ 2
4.1 Conventional port mirroring versus ProCurve remote mirroring ........ 2
4.2 Configure remote mirroring from the CLI ........ 3
4.3 Configure remote mirroring from PCM+ ........ 4
4.4 Configure intelligent mirroring ........ 6
5. Reference documents ........ 7


1. Introduction

This application note explains how to configure remote and intelligent port mirroring on ProCurve ProVision switches. Remote port mirroring lets you redirect data flows that you monitor on a source switch to a different destination switch, which allows a centralized network analyzer or probe to capture packets for an entire LAN. This is important if you want to add an intrusion detection system (IDS) without introducing an in-line failure point.

Intelligent mirroring lets you apply an access list on the source switch so that only the traffic you select (in this example, ICMP packets) is sent to the remote mirror port, rather than everything seen on the monitored port.

2. Prerequisites

You need a ProCurve ProVision switch, such as the ProCurve Switch 5400zl, as the source switch, and at least one other switch (such as the ProCurve Switch 3500yl used in this example) as the destination. You can use ProCurve Manager Plus or the CLI to configure remote and intelligent mirroring. To monitor traffic you need a network protocol analyzer such as Wireshark.

3. Network diagram

Figure 1 details the hardware configuration referenced in this application note.


Figure 1. Setup for configuring remote mirroring and intelligent mirroring on a ProCurve ProVision switch

4. Configuring remote and intelligent mirroring

This section explains why and how to configure remote mirroring on a ProCurve ProVision switch.

4.1 Conventional port mirroring versus ProCurve remote mirroring

Port mirroring has long been available on switches, but traditionally it has been limited to local mirroring of traffic. That is, to replicate a flow from a switch port, you configure a local mirror on the same switch. This involves defining:

The “mirror” or “destination” port. This is the port on the switch to which you want to send the monitored traffic flow. You connect a network analyzer here, allowing you to view the traffic.

The “monitored” or “source” ports. These are the ports on the switch from which the traffic is copied and sent to the mirror port.


This has several disadvantages:

You need a free port to act as the mirror on the switch.

To monitor traffic flows on several switches, you need to dedicate a mirror port on each switch and move your analyzer around the network.

Having both the monitored ports and the mirror port on the same switch introduces a greater potential for failure.

All traffic is mirrored, so you need to define filters on your analyzer to extract information of interest.

By contrast, with remote port mirroring on ProCurve ProVision switches you can redirect data flows from mirrored ports on the source switch to a mirror port on a different destination switch. Each source switch can run up to four mirror sessions. The destination switch can terminate up to 32 mirror sessions in total, coming from different switches.

You can configure remote mirroring from the CLI or from ProCurve Manager Plus.

4.2 Configure remote mirroring from the CLI

To configure remote mirroring from the command line:

1. On the destination switch: Activate it with a mirror endpoint command, in which you specify:

o The source switch IP address
o A UDP port that will be used to encapsulate the mirrored traffic
o The destination switch IP address
o The switch port to which you want to redirect the monitored traffic

Command syntax is:

ProCurve_dst_switch(config)# mirror endpoint ip <src-ip-add> <src-udp-port> <dst-ip-add> port <port#>

For example:

3500yl(config)# mirror endpoint ip 10.1.10.1 1000 10.1.10.2 port 3

2. On the source switch (or switches): Activate it with a mirror command in which you specify:

o The mirror session number (1 to 4)
o The source switch IP address
o The same UDP port that you configured on the destination switch
o The destination switch IP address

Syntax for this command is:

ProCurve_source_switch(config)# mirror <1-4> [name <name>] remote ip <src-ip-add> <src-udp-port> <dst-ip-add>

For example:

5400zl(config)# mirror 1 remote ip 10.1.10.1 1000 10.1.10.2


3. On each interface: Use the interface command to specify what traffic to monitor (in, out or both) and the mirror session number.

Command syntax is:

ProCurve_source_switch(config)# interface <port/trunk/mesh> monitor all [in | out | both] mirror <1-4> [mirror <1-4> ...]

For example:

5400zl(config)# interface A7 monitor all both mirror 1
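The three steps above configure the two ends of a session separately, and a session number outside 1-4 or a UDP port that differs between source and destination simply produces no mirrored traffic. The following is an added example, not code from the application note or from HP: it writes both ends of each session from one description using the command syntax shown above, and checks the limits the note states (sessions 1-4, 32 sessions per destination). `MirrorSession`, `validate` and `commands` are names assumed here; `PLAN` reproduces the note's 5400zl-to-3500yl example.

```python
"""Generate and cross-check the remote-mirror commands from section 4.2.
Added example, not part of the HP application note. It emits the commands
for both ends of a session and flags mistakes that silently break remote
mirroring: a session number outside 1-4, an out-of-range UDP port, source
and destination being the same switch, a bad direction, or more than the
32 sessions a destination accepts. PLAN is the note's own example topology."""
from dataclasses import dataclass, field


@dataclass
class MirrorSession:
    session: int       # mirror session number on the source switch (1-4)
    src_ip: str        # source switch IP address
    udp_port: int      # UDP port that encapsulates the mirrored traffic
    dst_ip: str        # destination switch IP address
    dst_port: str      # destination switch port that receives the copy
    monitored: list = field(default_factory=list)  # (interface, direction)


def validate(sessions):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, per_destination = [], {}
    for s in sessions:
        if not 1 <= s.session <= 4:
            problems.append(f"session {s.session} on {s.src_ip}: must be 1-4")
        if not 1 <= s.udp_port <= 65535:
            problems.append(f"udp port {s.udp_port} on {s.src_ip}: out of range")
        if s.src_ip == s.dst_ip:
            problems.append(f"{s.src_ip}: source and destination are the same switch")
        for iface, direction in s.monitored:
            if direction not in ("in", "out", "both"):
                problems.append(f"{iface}: direction must be in, out or both")
        per_destination[s.dst_ip] = per_destination.get(s.dst_ip, 0) + 1
    for dst, count in per_destination.items():
        if count > 32:
            problems.append(f"{dst}: {count} sessions exceed the 32 a destination accepts")
    return problems


def commands(s):
    """Destination-switch and source-switch commands for one session. Both sides
    are written from the same object, so the UDP port cannot disagree."""
    dst = [f"mirror endpoint ip {s.src_ip} {s.udp_port} {s.dst_ip} port {s.dst_port}"]
    src = [f"mirror {s.session} remote ip {s.src_ip} {s.udp_port} {s.dst_ip}"]
    src += [f"interface {iface} monitor all {direction} mirror {s.session}"
            for iface, direction in s.monitored]
    return {"destination": dst, "source": src}


# Constructed plan matching the note's example: 5400zl (10.1.10.1) port A7
# mirrored over UDP 1000 to 3500yl (10.1.10.2) port 3 as session 1.
PLAN = [MirrorSession(1, "10.1.10.1", 1000, "10.1.10.2", "3", [("A7", "both")])]
```

Run `validate(PLAN)` before pasting the output of `commands(...)` into the two switches; the mirror endpoint line goes on the destination and the rest on the source.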

4.3 Configure remote mirroring from PCM+

The easiest way to configure remote port mirroring is to use ProCurve Manager Plus.

4.3.1 Configure the mirror port on the destination device

For example, to configure port 3 on the 3500yl to be the mirror port:

1. From PCM+ select the HP ProCurve 3500yl.

2. Go to the Port List tab, and then to Port Status.

3. Highlight port 3 and in the toolbar click on the last icon on the right. You see a drop-down menu:

4. From the drop-down menu choose Configure Mirror Port. You see the Configure Mirror Port window:


5. Ensure Remote Monitoring is enabled and click Enable Mirror Port. The Mirror Port: option changes to true, and the button changes to Disable.

6. Select the HP ProCurve 5400zl as the mirror source:

4.3.2 Specify the ports to be monitored

Now you need to specify the ports that will be monitored (that is, the source ports) by the mirror port. For example:

1. In PCM+, select the 5400zl.

2. Click the Port List tab, and then Port Status.

3. In the Port Status table, click to select A7, the port on the 5400zl that you want to monitor.

4. Highlight port A7 and in the toolbar click on the last icon on the right. You see the pull-down menu again:

5. Select Monitor Port from the pull-down menu and choose the mirror you have created. The Select Mirror Port dialog displays, with a listing of the ports and devices configured as mirror (monitoring) ports.


6. Select the 3500yl as the Mirror Destination, then click OK.

4.3.3 Capture packets

1. Plug a laptop running an analyzer into port 3 on the HP ProCurve 3500yl and open a Wireshark capture.

2. In Capture | Options, choose the capture interface.

3. Generate some traffic on the monitored port and see that the traffic shows up on the Wireshark capture.

4.4 Configure intelligent mirroring

To improve the usability of traffic mirroring, configure an access list on the source switch to filter the traffic and send only ICMP packets (and not the file transfer) to the remote switch port. For instance:

1. On the HP ProCurve 5400zl enter the following access list:

ip access-list extended "mirror-acl"
   10 permit icmp any any
   20 deny ip any any
   exit

2. Add it to the monitor:

interface A3 monitor ip access-group mirror-acl in mirror 1

Now when you run a capture, you will only see the ICMP packets in the monitoring port.
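The filter works because the switch evaluates the ACL top down, stops at the first matching entry, and treats anything that matches no entry as denied, so only the permitted flows are copied to the mirror session. The following added example (not code from the application note or from HP) parses the mirror-acl above and applies those rules to constructed sample flows; `parse_acl`, `is_mirrored` and `mirrored_flows` are names assumed here, and it handles only the `any`/`host` address forms the note's ACL uses.

```python
"""Apply a ProCurve-style extended ACL the way the mirror filter in section 4.4
does: first matching entry wins, and a packet matching no entry is implicitly
denied, so it is not mirrored. Added example, not part of the HP application
note; MIRROR_ACL is the note's own ACL, the packets are constructed samples.
Only "permit|deny <proto> <src> <dst>" with "any" or "host A.B.C.D" is parsed."""
import re

MIRROR_ACL = """
ip access-list extended "mirror-acl"
   10 permit icmp any any
   20 deny ip any any
   exit
"""
ENTRY = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\w+)\s+(any|host \S+)\s+(any|host \S+)\s*$")


def parse_acl(text):
    """Return [(seq, action, proto, src, dst)] sorted by sequence number."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            seq, action, proto, src, dst = m.groups()
            entries.append((int(seq), action, proto.lower(), src, dst))
    return sorted(entries)


def _addr_matches(spec, addr):
    return spec == "any" or spec == f"host {addr}"


def is_mirrored(entries, proto, src, dst):
    """True if the packet is copied to the mirror session. An entry whose
    protocol is 'ip' matches every IP protocol; others match by exact name."""
    for _seq, action, acl_proto, acl_src, acl_dst in entries:
        if acl_proto not in ("ip", proto):
            continue
        if _addr_matches(acl_src, src) and _addr_matches(acl_dst, dst):
            return action == "permit"
    return False  # implicit deny: nothing matched, nothing is mirrored


# Constructed sample flows: a ping and the file transfer the note filters out
SAMPLE = [("icmp", "10.1.10.50", "10.1.10.60"), ("tcp", "10.1.10.50", "10.1.10.60")]


def mirrored_flows(acl_text=MIRROR_ACL, flows=SAMPLE):
    """The subset of flows that reach the analyzer under the given ACL."""
    entries = parse_acl(acl_text)
    return [pkt for pkt in flows if is_mirrored(entries, *pkt)]
```

Note that an ACL with no permit entry, or an empty one, mirrors nothing at all, which is the usual cause of an empty capture after a filter change.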


5. Reference documents

This concludes the procedure for configuring remote and intelligent mirroring on ProCurve switches.

For further information about how to configure ProCurve switches to support security, please refer to the following links:

For PCM+ and IDM manuals:

http://www.hp.com/rnd/support/manuals/ProCurve-Manager.htm

http://www.hp.com/rnd/support/manuals/IDM.htm

For user manuals for ProCurve 3500yl-5400zl-8212zl switches:

http://www.hp.com/rnd/support/manuals/3500-6200-5400-ChapterFiles.htm

For ProCurve Switch 2610 series manuals:

http://www.hp.com/rnd/support/manuals/2610.htm

For further information, please visit www.procurve.eu

HP ProCurve Networking

© 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Wireshark is a registered trademark of Gerald Combs.

4AA2-1721EEE, July 2008
