CLI-based Configuration Guide - Network Management and Monitoring

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R009

Configuring Local Traffic Mirroring

After local traffic mirroring is configured, specified packets passing through mirrored ports are copied to a local monitoring device for analysis and monitoring.

Pre-configuration Tasks

Before configuring local traffic mirroring, ensure that the link layer protocol status of the ports is Up.

Configuring a Local Observing Port

Context

NOTE:

In PPPoEoA and IPoEoA scenarios, only WAN-side ports can be used as observing ports.

In local port mirroring, an observing port is directly connected to a monitoring device and directly forwards the packets copied from a mirrored port to the monitoring device for analysis.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run observe-port interface interface-type interface-number

    A local observing port is configured.

    NOTE:
    • An observing port is dedicated to forwarding mirrored traffic. Do not configure other services on an observing port; otherwise, mirrored traffic and other service traffic interfere with each other.

    • If an Eth-Trunk is configured as a mirrored port, its member ports cannot be configured as mirrored ports. To configure a member port as a mirrored port, delete it from the Eth-Trunk first.
    • If a member port of an Eth-Trunk is configured as a mirrored port, the Eth-Trunk cannot be configured as a mirrored port. To configure the Eth-Trunk as a mirrored port, delete the member port from it first.

Configuring a Traffic Classifier

Configuration Process
No. | Task | Remarks
1 | Configure a traffic classifier | • Tasks 1 and 2 can be performed in any sequence. • Task 1 can be performed multiple times. That is, you can bind multiple traffic classifiers to a traffic policy so that the device mirrors packets matching the traffic classifiers.
2 | Define flow mirroring in a traffic behavior |
3 | Configure a traffic policy | -
4 | Apply the traffic policy | • Task 4 can be performed multiple times in different VLANs or on different interfaces. That is, specified flows in different VLANs or on different interfaces can be mirrored to the same observing port. • Only one traffic policy can be applied in the inbound or outbound direction of each interface or VLAN.

Procedure

  1. Configure a traffic classifier.

    1. Run system-view

      The system view is displayed.

    2. Run traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is created and the traffic classifier view is displayed.

      and indicates that rules are ANDed with each other.
      • If a traffic classifier contains ACL rules, packets match the traffic classifier only when they match one ACL rule and all the non-ACL rules.

      • If a traffic classifier does not contain ACL rules, packets match the traffic classifier only when the packets match all the non-ACL rules.

      or indicates that the relationship between rules is OR. Packets match a traffic classifier as long as they match any one rule of the traffic classifier.

      By default, the relationship between rules in a traffic classifier is OR.

    3. Run the following commands as required.

      Each matching rule is listed with its command on the indented line below it.

      Outer VLAN ID
        if-match vlan-id start-vlan-id [ to end-vlan-id ]

      Inner VLAN IDs in QinQ packets
        if-match cvlan-id start-vlan-id [ to end-vlan-id ]

      802.1p priority in VLAN packets
        if-match 8021p 8021p-value &<1-8>

      Inner 802.1p priority in QinQ packets
        if-match cvlan-8021p 8021p-value &<1-8>

      EXP priority in MPLS packets (AR1200&AR2200&AR3200&AR3600 series)
        if-match mpls-exp exp-value &<1-8>

      Destination MAC address
        if-match destination-mac mac-address [ mac-address-mask mac-address-mask ]

      Source MAC address
        if-match source-mac mac-address [ mac-address-mask mac-address-mask ]

      DLCI value in FR packets
        if-match dlci start-dlci-number [ to end-dlci-number ]

      DE value in FR packets
        if-match fr-de

      Protocol type field encapsulated in the Ethernet frame header
        if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }

      All packets
        if-match any

      DSCP priority in IP packets
        if-match [ ipv6 ] dscp dscp-value &<1-8>
        NOTE: If DSCP priority matching is configured in a traffic policy, the SAE220 (WSIC) and SAE550 (XSIC) cards do not support redirect ip-nexthop ip-address post-nat.

      IP precedence in IP packets
        if-match ip-precedence ip-precedence-value &<1-8>
        NOTE: if-match [ ipv6 ] dscp and if-match ip-precedence cannot be configured simultaneously in a traffic classifier where the relationship between rules is AND.

      Layer 3 protocol type
        if-match protocol { ip | ipv6 }

      QoS group index of packets
        if-match qos-group qos-group-value

      IPv4 packet length
        if-match packet-length min-length [ to max-length ]

      PVC information in ATM packets
        if-match pvc vpi-number/vci-number

      RTP port number
        if-match rtp start-port start-port-number end-port end-port-number

      SYN Flag in the TCP packet header
        if-match tcp syn-flag { ack | fin | psh | rst | syn | urg } *

      Inbound interface
        if-match inbound-interface interface-type interface-number

      Outbound interface
        if-match outbound-interface Cellular interface-number:channel

      ACL rule
        if-match acl { acl-number | acl-name }
        NOTE:
        • Before defining a matching rule for traffic classification based on an ACL, create the ACL.
        • To use an ACL in a traffic classifier to match the source IP address, run the qos pre-nat command on an interface to configure NAT pre-classification. NAT pre-classification enables the NAT-enabled device to carry the private IP address before translation on the outbound interface so that the NAT-enabled device can classify IP packets based on private IP addresses and provide differentiated services.

      ACL6 rule
        if-match ipv6 acl { acl-number | acl-name }
        NOTE:
        • Before defining a matching rule for traffic classification based on an ACL, create the ACL.
        • To use an ACL in a traffic classifier to match the source IP address, run the qos pre-nat command on an interface to configure NAT pre-classification. NAT pre-classification enables the NAT-enabled device to carry the private IP address before translation on the outbound interface so that the NAT-enabled device can classify IP packets based on private IP addresses and provide differentiated services.

      Application protocol
        if-match application application-name [ user-set user-set-name ] [ time-range time-name ]
        NOTE: Before defining a matching rule based on an application protocol, enable Smart Application Control (SA) and load the signature file.

      SA group
        if-match category category-name [ user-set user-set-name ] [ time-range time-name ]
        NOTE: Before defining a matching rule based on an application protocol, enable Smart Application Control (SA) and load the signature file.

      User group
        if-match user-set user-set-name [ time-range time-range-name ]

    4. Run quit

      Exit from the traffic classifier view.

  2. Define flow mirroring in a traffic behavior.

    1. Run traffic behavior behavior-name

      A traffic behavior is created and the traffic behavior view is displayed.

    2. Run mirror to observe-port

      The device is configured to mirror the packets matching traffic classification rules to the specified observing port.

    3. Run return

      Return to the user view.

  3. Configure a traffic policy.

    1. Run system-view

      The system view is displayed.

    2. Run traffic policy policy-name

      A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

      By default, no traffic policy is created in the system.

    3. Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]

      A traffic behavior is bound to a traffic classifier in a traffic policy.

      By default, no traffic classifier or traffic behavior is bound to a traffic policy.

    4. Run quit

      Exit from the traffic policy view.

    5. Run quit

      Exit from the system view.

  4. Apply the traffic policy.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number [.subinterface-number ]

      The interface view is displayed.

    3. Run traffic-policy policy-name { inbound | outbound }

      The traffic policy is applied to the inbound or outbound direction on the interface.

      By default, no traffic policy is applied to an interface.

Checking the Configuration

Procedure

  • Run the display observe-port command to check the observing port.
  • Run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command to check the traffic behavior configuration.
  • Run the display traffic classifier { system-defined | user-defined } [ classifier-name ] command to check the traffic classifier configuration.
  • Run the display traffic policy user-defined [ policy-name [ classifier classifier-name ] ] command to check the traffic policy configuration.
  • Run the display traffic-policy applied-record [ policy-name ] command to check the application record of a specified mirroring policy.
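
The four tasks and the checks above, run end to end as one session. This is an added example, not taken from the Huawei guide: the device name Huawei, the interfaces GigabitEthernet 0/0/1 (mirrored) and GigabitEthernet 0/0/2 (observing), the names c1, b1 and p1, and VLAN 10 are constructed values. Lines starting with # are annotations and are not typed.

```text
# Constructed example: all names, interfaces and VLAN IDs are assumptions.
# Observing port: dedicated to the monitoring device, no other services on it.
<Huawei> system-view
[Huawei] observe-port interface gigabitethernet 0/0/2

# Task 1: classifier with OR relationship, so a packet matching either rule is mirrored.
[Huawei] traffic classifier c1 operator or
[Huawei-classifier-c1] if-match vlan-id 10
[Huawei-classifier-c1] if-match l2-protocol arp
[Huawei-classifier-c1] quit

# Task 2: behavior that copies matching packets to the observing port.
[Huawei] traffic behavior b1
[Huawei-behavior-b1] mirror to observe-port
[Huawei-behavior-b1] quit

# Task 3: bind the classifier to the behavior in a policy.
[Huawei] traffic policy p1
[Huawei-trafficpolicy-p1] classifier c1 behavior b1
[Huawei-trafficpolicy-p1] quit

# Task 4: apply the policy to inbound traffic on the mirrored interface.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy p1 inbound
[Huawei-GigabitEthernet0/0/1] return

# Checks: confirm the observing port, each object, and where the policy is applied.
<Huawei> display observe-port
<Huawei> display traffic classifier user-defined c1
<Huawei> display traffic behavior user-defined b1
<Huawei> display traffic policy user-defined p1
<Huawei> display traffic-policy applied-record p1
```

Because only one traffic policy can be applied per direction on an interface, mirror additional flows on GigabitEthernet 0/0/1 inbound by binding further classifiers to p1 rather than applying a second policy.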
Updated: 2019-05-17

Document ID: EDOC1000174072
