NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01


Configuring Flow Mirroring

Flow mirroring copies traffic of a specified type arriving at or leaving a mirrored interface to an observing port, from which it is delivered to a packet analyzer. This lets you inspect exactly that class of traffic on the mirrored interface without disturbing the forwarding path.

Usage Scenario

When fine-grained control over the packets sent to the analyzer is required, combine port mirroring with traffic classification. Only packets that match the classification rules are copied; all other packets are filtered out, which reduces the load on the packet analyzer.

Pre-configuration Tasks

Before configuring flow mirroring, connect interfaces and set their physical parameters to ensure that the physical status of the interfaces is Up.

Configuration Procedure

The tasks of configuring the observing port, specifying the observing port for mirroring on the entire interface board, and applying a traffic policy to the mirroring port are not listed in sequence. They can be performed in any order, but all of them must be completed; otherwise, flow mirroring does not take effect. Disable mirroring once it is no longer needed; otherwise, user services are affected.
Figure 14-1 Flowchart for configuring flow mirroring

Configuring an Observing Port

An observing port copies the traffic on the mirroring port to a packet analyzer. To prevent adverse impacts on running services, do not use the observing port as a service port.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-observing observe-index observe-index

    The observing port is configured.

    The observing port does not filter or modify frames. At the inbound side, a frame is mirrored before the header is removed; at the outbound side, a frame is mirrored after the frame is modified.

  4. (Optional) Run port-observing with-linklayer-header

    The observing port is configured to mirror packets together with their link-layer header.

  5. (Optional) Run port-observing pop-label { one | two | all }

    The observing port is configured to strip one, two, or all labels from mirrored MPLS packets before sending them to the analyzer.

  6. Run commit

    The configuration is committed.

Specifying an Observing Port

This section describes how to specify an observing port to associate the observing and mirrored ports.

Context

Flow mirroring takes effect per interface board. When mirroring is configured on the NE20E, all mirrored traffic from one interface board must be sent to a single observing port, which serves as the observing port of that board. You specify this observing port for the interface board in the slot view.
NOTE:

The observing port for an interface board can reside on this interface board or another one.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run mirror to observe-index observe-index

    An observing port is specified for the interface board.

  4. Run commit

    The configuration is committed.

Defining a Policy for Mirroring Traffic

You can configure a traffic classifier to define the flows to be mirrored, configure a traffic behavior as enabling flow mirroring, and associate the traffic classifier and traffic behavior in a traffic policy.

Procedure

  • Defining a Traffic Classifier
    1. Run system-view

      The system view is displayed.

    2. Run traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is defined and the traffic classifier view is displayed.

      The classifier-name cannot be a reserved name. For details about traffic classification, see HUAWEI NE20E-S2 Universal Service Router Configuration Guide-QoS.

    3. Configure matching rules as required.

      • Run the if-match 8021p 8021p-code command to define a matching rule to classify traffic based on the 802.1p priority in a VLAN packet.
      • Run the if-match [ ipv6 ] acl { acl-number | name acl-name } command to define matching ACL rules.
      • Run the if-match [ ipv6 ] any command to define rules that match all packets.
      • Run the if-match destination-mac mac-address command to define a matching rule to classify traffic based on the destination MAC address.
      • Run the if-match ipv6 destination-address ipv6-address prefix-length command to define a matching rule to classify traffic based on the IPv6 destination address.
      • Run the if-match ipv6 source-address ipv6-address prefix-length command to define a matching rule to classify traffic based on the source IPv6 address.
      • Run the if-match [ ipv6 ] dscp dscp-value command to define DSCP matching rules.
      • Run the if-match mpls-exp exp-value command to define a matching rule to classify traffic based on the value of the MPLS EXP field.
      • Run the if-match ip-precedence ip-precedence command to define a matching rule to classify traffic based on IP precedence.
      • Run the if-match ipv6 next-header command to define a matching rule to classify traffic based on the value of the next IPv6 header.
      • Run the if-match source-mac mac-address command to define a matching rule to classify traffic based on the source MAC address.
      • Run the if-match tcp syn-flag { tcpflag-value [ mask tcpflag-mask ] | bit-match { established | fin | syn | rst | psh | ack | urg | ece | cwr | ns } } command to define a matching rule to classify traffic based on the IPv4 TCP flag value.
      You can select one or several matching rules in step 3 as required.
      NOTE:
      When a device functions as a PE:
      • To match outgoing packets on the public network based on the IP Layer information, run the traffic-policy match-ip-layer mpls-pop command in the slot view.

      • To match incoming packets on the public network based on the IP Layer information, run the traffic-policy match-ip-layer mpls-push command in the slot view.

    4. Run commit

      The configuration is committed.

    5. Run return

      Return to the user view.

  • Defining the traffic behavior and enabling local traffic mirroring
    1. Run system-view

      The system view is displayed.

    2. Run traffic behavior behavior-name

      A traffic behavior is defined and the traffic behavior view is displayed.

    3. Run port-mirroring enable

      Local flow mirroring is enabled.

    4. (Optional) Run port-mirroring car cir cir-value [ pir pir-value ] [ cbs cbs-value [ pbs pbs-value ] ]

      The CAR function is configured for mirrored traffic.

    5. Run commit

      The configuration is committed.

    6. Run return

      Return to the user view.

  • Defining the traffic policy and associating the traffic class with the traffic behavior
    1. Run system-view

      The system view is displayed.

    2. Run traffic policy policy-name

      The traffic policy is defined and the policy view is displayed.

    3. Run classifier classifier-name behavior behavior-name

      A traffic behavior is specified for the classifier in the traffic policy.

    4. Run commit

      The configuration is committed.

Applying the Traffic Policy to the Mirroring Port

After the traffic policy is created, it must be applied to an interface. The traffic behavior takes effect only on the traffic passing through that interface that matches the traffic classification rules.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

    This interface serves as the mirroring port. The following interfaces can function as a mirroring port: a GE interface or its sub-interface, an Eth-Trunk interface or its sub-interface, a POS interface, an IP-Trunk interface, an MP-group interface, a Serial interface, or a Layer 2 EVC sub-interface.

  3. Run traffic-policy policy-name { inbound | outbound } [ all-layer | link-layer | mpls-layer ]

    The traffic policy is applied to the interface.

  4. Run commit

    The configuration is committed.

(Optional) Configuring the Mirroring Statistics Function

You can configure the mirroring statistics function to monitor mirrored packet information.

Context

To enable the mirroring statistics function, perform the following steps:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mirror statistic enable

    The mirroring statistics function is enabled.

  3. Run commit

    The configuration is committed.
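The following is a complete worked configuration assembled from the procedures above. It is an added example, not configuration from the original guide. It assumes that the mirrored port is GigabitEthernet0/1/0 on slot 1, that GigabitEthernet0/1/1 is the observing port cabled to the analyzer, and that observe-index 5, the names syn-only, mirror and mirror-syn, the CAR values, and the prompt strings are all illustrative. Lines beginning with # are annotations, not commands. The classifier mirrors only TCP SYN segments, which is a typical choice when the analyzer is looking for scanning or connection floods without receiving the full payload stream.

```text
# 1. Observing port: the interface facing the analyzer. Keep it free of user services.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet0/1/1
[~HUAWEI-GigabitEthernet0/1/1] port-observing observe-index 5
[*HUAWEI-GigabitEthernet0/1/1] port-observing with-linklayer-header
[*HUAWEI-GigabitEthernet0/1/1] commit
[~HUAWEI-GigabitEthernet0/1/1] quit

# 2. Bind the board that carries the mirrored port (slot 1) to observing port 5.
[~HUAWEI] slot 1
[~HUAWEI-slot-1] mirror to observe-index 5
[*HUAWEI-slot-1] commit
[~HUAWEI-slot-1] quit

# 3a. Classifier: match only TCP segments with the SYN bit set.
[~HUAWEI] traffic classifier syn-only operator or
[*HUAWEI-classifier-syn-only] if-match tcp syn-flag bit-match syn
[*HUAWEI-classifier-syn-only] commit
[~HUAWEI-classifier-syn-only] quit

# 3b. Behavior: mirror, and rate-limit the copies (cir in kbit/s, cbs in bytes; values assumed)
#     so that a SYN flood on the mirrored port cannot also saturate the observing port.
[~HUAWEI] traffic behavior mirror
[*HUAWEI-behavior-mirror] port-mirroring enable
[*HUAWEI-behavior-mirror] port-mirroring car cir 10000 cbs 100000
[*HUAWEI-behavior-mirror] commit
[~HUAWEI-behavior-mirror] quit

# 3c. Policy: associate the classifier with the behavior.
[~HUAWEI] traffic policy mirror-syn
[*HUAWEI-trafficpolicy-mirror-syn] classifier syn-only behavior mirror
[*HUAWEI-trafficpolicy-mirror-syn] commit
[~HUAWEI-trafficpolicy-mirror-syn] quit

# 4. Apply the policy inbound on the mirrored port.
[~HUAWEI] interface GigabitEthernet0/1/0
[~HUAWEI-GigabitEthernet0/1/0] traffic-policy mirror-syn inbound
[*HUAWEI-GigabitEthernet0/1/0] commit
[~HUAWEI-GigabitEthernet0/1/0] quit

# 5. (Optional) count mirrored packets.
[~HUAWEI] mirror statistic enable
[*HUAWEI] commit

# Check: the observing port on slot 1 must show Obs-index 5 and Status up.
# A down status, or a missing slot binding, means the analyzer silently receives nothing.
[~HUAWEI] display port-observing interface slot 1
[~HUAWEI] display traffic policy user-defined mirror-syn
```

Note that all three pieces (the port-observing command on the observing port, the mirror to observe-index binding in the slot view, and the traffic-policy applied to the mirrored port) must reference the same observe-index, and the observe-index must match on the board that hosts the mirrored port. The observing port carries copies of user traffic, so treat the link to the analyzer as sensitive and remove the configuration when the analysis is finished.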

Verifying the Flow Mirroring Configuration

After configuring local flow mirroring, you can view the configurations of traffic classification, traffic behavior, traffic policy, and port mirroring.

Procedure

  • Run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command to check the configuration of the traffic behavior.
  • Run the display traffic classifier { system-defined | user-defined } [ classifier-name ] command to check the configuration of traffic classification.
  • Run the display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] command to check the behaviors associated with a specified classifier or all classifiers in a specified policy or all policies.
  • Run the display port-observing interface [ interface-type interface-number | slot slot-id ] command to check the configuration of port mirroring on the entire interface board.

Example

If the traffic behavior is configured successfully, you can view the configuration of the traffic behavior after running the display traffic behavior { system-defined | user-defined } [ behavior-name ] command.

For instance, running the display traffic behavior user-defined command, you can view the user-defined traffic behavior.
<HUAWEI> display traffic behavior user-defined
  User Defined Behavior Information:
    Behavior: mirror
      Description:
      Mirror:
        port-mirroring enable

If the traffic classification is configured successfully, you can view the configuration of traffic classification after running the display traffic classifier { system-defined | user-defined } [ classifier-name ] command.

For instance, running the display traffic classifier user-defined command, you can view the user-defined traffic classification.
<HUAWEI> display traffic classifier user-defined
  User Defined Classifier Information:
    Classifier: mirror
      Description:
      Operator: or
      Rule(s):
        if-match tcp syn-flag 2

If the traffic policy is configured successfully, you can view the behaviors associated with a specified classifier or all classifiers in a specified policy or all policies after running the display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] command.

For instance, running the display traffic policy user-defined command, you can view the user-defined traffic policy.
<HUAWEI> display traffic policy user-defined
User Defined Traffic Policy Information:
  Total: 4095  Used: 3     Free: 4092
  Policy: test
     Description: huawei policy
     Step: 5
     Share-mode
     Classifier: huawei Precedence 5
     Behavior: huawei
      Marking:
        remark ip precedence 4
      Committed Access Rate:
        CIR 1000 (Kbps), PIR 0 (Kbps), CBS 10000 (byte), PBS 0 (byte)
        Conform Action: pass
        Yellow  Action: pass
        Exceed  Action: discard
      Redirecting:
        redirect lsp public 10.138.0.43
     Classifier: default-class Precedence 65535
     Behavior: be
       -none-

If port mirroring is configured successfully, you can view the configuration and referencing of the observing port on the interface board after running the display port-observing interface [ slot slot-id ] command.

For instance, running the display port-observing interface slot 1 command, you can view the configuration of the observing port on interface board 1.
<HUAWEI> display port-observing interface slot 1
L-Header: WithLinkHeader        Obs-index: Observe-index
----------------------------------------------------------------------
Interface                  L-Header Obs-index  Status Description
----------------------------------------------------------------------
GigabitEthernet0/1/0       -        5          down   -
----------------------------------------------------------------------

Disabling Flow Mirroring

Flow mirroring needs to be disabled if it is no longer used; otherwise, user services are affected.

Context

There is no specific sequence for deleting the observing port binding of an interface board, the observing port itself, and the traffic policy applied to the mirroring interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run undo mirror to observe-index observe-index

    The interface board no longer sends its mirrored packets to the observing port.

  4. Run quit

    The system view is displayed.

  5. Run interface interface-type interface-number

    The interface view is displayed.

    This interface functions as an observing port.

  6. Run undo port-observing observe-index observe-index

    The interface is no longer an observing port.

  7. Run quit

    The system view is displayed.

  8. Run interface interface-type interface-number

    The interface view is displayed.

    This interface functions as a mirroring interface.

  9. Run undo traffic-policy { inbound | outbound } [ link-layer | mpls-layer ]

    The traffic policy is no longer applied to the interface.

  10. Run quit

    The system view is displayed.

  11. Run traffic behavior behavior-name

    The traffic behavior view is displayed.

  12. Run undo port-mirroring enable

    Local flow mirroring is disabled.

  13. Run quit

    The system view is displayed.

    The traffic policy, behavior, and classifier for mirrored packets can be deleted if they are no longer used.

  14. Run undo traffic policy policy-name

    The traffic policy for flow mirroring is no longer used.

  15. Run undo traffic behavior behavior-name

    The traffic behavior for flow mirroring is deleted.

  16. Run undo traffic classifier classifier-name [ operator { and | or } ]

    The traffic classifier for flow mirroring is deleted.

  17. Run commit

    The configuration is committed.

Updated: 2019-01-02

Document ID: EDOC1100055397

Views: 19683

Downloads: 39

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next