S12700 Series Agile Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.

Example for Configuring MQC-based Local Traffic Mirroring

Local Traffic Mirroring Overview

In local traffic mirroring, service traffic matching configured rules is copied to an observing port that is directly connected to a monitoring device for analysis and monitoring.

You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) and ACL. MQC-based traffic mirroring is complex to configure but supports more matching rules and can be applied to both the inbound and outbound directions. ACL-based traffic mirroring is easy to configure but supports fewer matching rules than MQC-based traffic mirroring.

Configuration Notes

  • Dedicate observing ports to mirroring and do not configure other services on them, so that mirrored traffic and other service traffic do not affect each other. Do not configure any member port of an Eth-Trunk as an observing port. If you must do so, ensure that the bandwidth of service traffic on this port and the bandwidth occupied by the mirrored traffic do not exceed the bandwidth limit of the port.

  • If the mirroring function is deployed on many ports of a device, a great deal of internal forwarding bandwidth will be occupied, which affects the forwarding of other services. Additionally, if the mirrored port bandwidth is higher than the observing port bandwidth, for example, 1000 Mbit/s on a mirrored port and 100 Mbit/s on an observing port, the observing port will fail to forward all mirrored packets in a timely manner because of insufficient bandwidth, leading to packet loss.

  • On all Huawei S series modular switch models, Eth-Trunks can be configured as observing ports.

  • Both physical interfaces and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk is configured as a mirrored port, its member ports cannot be configured as observing ports.

  • This configuration example applies to all switches running all versions.

Networking Requirements

As shown in Figure 17-13, the science and technology department and administrative department of a company use 10.1.1.0/24 and 10.1.2.0/24 respectively to access the Internet or communicate with each other through the Switch. The monitoring device Server is directly connected to the Switch.

The following traffic of the science and technology department needs to be monitored through the Server:
  • Internet access traffic
  • Traffic sent to the administrative department
Figure 17-13  Local traffic mirroring networking

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure GE1/0/2 of the Switch as a local observing port to forward mirrored packets to the Server.
  2. Configure a traffic classifier on the Switch to match Internet access traffic and traffic sent to the administrative department, and configure a traffic behavior to mirror traffic to a local observing port.
  3. Configure a traffic policy on the Switch, bind the traffic classifier and traffic behavior to the traffic policy, and apply the traffic policy to GE1/0/1.

Procedure

  1. Configure an observing port.

    # Configure GE1/0/2 of the Switch as a local observing port.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] observe-port 1 interface gigabitethernet 1/0/2     //Configure GE1/0/2 as local observing port 1.
    

  2. Configure a traffic classifier.

    # Create a traffic classifier c1 on the Switch, and configure rules to match two types of traffic: traffic with source network segment 10.1.1.0/24 and destination TCP port number WWW and traffic with source network segment 10.1.1.0/24 and destination network segment 10.1.2.0/24.

    [Switch] acl number 3000     //Create ACL 3000 to match packets with source network segment 10.1.1.0/24 and destination TCP port number WWW.
    [Switch-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
    [Switch-acl-adv-3000] quit
    [Switch] acl number 3001     //Create ACL 3001 to match packets with source network segment 10.1.1.0/24 and destination network segment 10.1.2.0/24.
    [Switch-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Switch-acl-adv-3001] quit
    [Switch] traffic classifier c1 operator or     //Create a traffic classifier c1, and match ACL 3000 or ACL 3001.
    [Switch-classifier-c1] if-match acl 3000
    [Switch-classifier-c1] if-match acl 3001
    [Switch-classifier-c1] quit

  3. Configure a traffic behavior.

    # Create a traffic behavior b1 on the Switch, and define traffic mirroring in the traffic behavior to copy specified traffic to local observing port GE1/0/2.

    [Switch] traffic behavior b1     //Create a traffic behavior b1 to mirror specified traffic to observing port 1.
    [Switch-behavior-b1] mirroring to observe-port 1
    [Switch-behavior-b1] quit
    NOTE:

    For cards (except X series cards) on modular switches, when configuring outbound traffic mirroring, do not configure other traffic behaviors (except the traffic statistics function of modular switches running V100R006 and earlier versions). From V200R001 to V200R010, the permit action generated by default when a traffic behavior is created on modular switches must also be deleted; otherwise, outbound traffic mirroring is ineffective.

  4. Configure a traffic policy and apply the traffic policy to an interface.

    # Create a traffic policy named p1 on the Switch, bind the traffic behavior and traffic classifier to the traffic policy, and apply the traffic policy to the inbound direction of GE1/0/1 to monitor specified traffic of the science and technology department.

    [Switch] traffic policy p1     //Create a traffic policy p1 and bind the traffic behavior and traffic classifier to the traffic policy.
    [Switch-trafficpolicy-p1] classifier c1 behavior b1
    [Switch-trafficpolicy-p1] quit
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound     //Apply the traffic policy p1 to the inbound direction of GE1/0/1.
    [Switch-GigabitEthernet1/0/1] return

  5. Verify the configuration.

    # Check the traffic classifier configuration.

    <Switch> display traffic classifier user-defined c1
      User Defined Classifier Information:
       Classifier: c1
        Precedence: 5
        Operator: OR
        Rule(s) : if-match acl 3000
                  if-match acl 3001

    # Check the traffic policy configuration.

    <Switch> display traffic policy user-defined p1
      User Defined Traffic Policy Information:
      Policy: p1
       Classifier: c1
        Operator: OR
         Behavior: b1
          Permit
          Mirroring  to observe-port 1
    

    # Check the observing port configuration.

    <Switch> display observe-port
      ----------------------------------------------------------------------
      Index          : 1
      Untag-packet   : No
      Interface      : GigabitEthernet1/0/2
      ----------------------------------------------------------------------
    

    # Check the mirroring configuration.

    <Switch> display port-mirroring
      ----------------------------------------------------------------------
      Observe-port 1 : GigabitEthernet1/0/2
      ----------------------------------------------------------------------
      Stream-mirror:
      ----------------------------------------------------------------------
           Behavior                  Direction  Observe-port
      ----------------------------------------------------------------------
      1    b1                        -          Observe-port 1
      ----------------------------------------------------------------------
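
Added example, not part of the Huawei document: a Python model of classifier c1 that evaluates ACL 3000 and ACL 3001 against constructed sample packets, showing which flows are copied to the observing port and which are not (for instance TCP port 443, which `eq www`, port 80, does not match). The packet dictionaries and function names are assumptions, and the model covers only the rule keywords used on this page.

```python
import ipaddress

# ACL rules copied from the page; "www" is the ACL keyword for TCP port 80.
ACLS = {
    3000: "rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www",
    3001: "rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255",
}
PORT_NAMES = {"www": 80}
ANY = (0, 0xFFFFFFFF)  # wildcard of all ones: every address matches

def parse_rule(text):
    """Turn one 'rule permit ...' line into its match conditions."""
    tok = text.split()
    rule = {"proto": tok[2], "source": ANY, "destination": ANY, "dport": None}
    for i in range(3, len(tok), 3):  # every clause on this page is three tokens
        if tok[i] in ("source", "destination"):
            rule[tok[i]] = tuple(int(ipaddress.IPv4Address(t)) for t in tok[i + 1:i + 3])
        elif tok[i:i + 2] == ["destination-port", "eq"]:
            rule["dport"] = PORT_NAMES.get(tok[i + 2]) or int(tok[i + 2])
        else:
            raise ValueError(f"unsupported keyword: {tok[i]}")
    return rule

def wildcard_match(addr, cond):
    """Wildcard mask: 0 bits must equal the rule address, 1 bits are ignored."""
    care = ~cond[1] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (cond[0] & care)

def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], rule["source"])
            and wildcard_match(pkt["dst"], rule["destination"])
            and rule["dport"] in (None, pkt.get("dport")))

def matching_acls(pkt):
    """Classifier c1 uses 'operator or': one matching ACL is enough to mirror."""
    return [n for n in sorted(ACLS) if rule_matches(parse_rule(ACLS[n]), pkt)]

# Constructed sample packets, as they would arrive inbound on GE1/0/1.
SAMPLES = [
    {"proto": "tcp", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 80},
    {"proto": "tcp", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 443},
    {"proto": "udp", "src": "10.1.1.5", "dst": "10.1.2.7", "dport": 53},
    {"proto": "tcp", "src": "10.1.2.7", "dst": "10.1.1.5", "dport": 80},
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", matching_acls(p) or "not mirrored")
```

An empty result means the monitoring Server never sees that flow, so extend the ACLs before relying on the mirror for ports other than 80 or for traffic from other source segments.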
    

Configuration Files

  • Switch configuration file

    #
    sysname Switch
    #
    observe-port 1 interface GigabitEthernet1/0/2
    #
    acl number 3000
     rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
    acl number 3001
     rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    #
    traffic classifier c1 operator or precedence 5
     if-match acl 3000
     if-match acl 3001
    #
    traffic behavior b1
     permit
     mirroring to observe-port 1
    #
    traffic policy p1 match-order config
     classifier c1 behavior b1
    #
    interface GigabitEthernet1/0/1
     traffic-policy p1 inbound
    #
    return
    
Updated: 2019-05-16

Document ID: EDOC1000069466
