NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Local Flow Mirroring Based on the Option 82 Information of Access Users

This section describes how to configure local flow mirroring based on the Option 82 information of access users, so that user packets that carry specified Option 82 information are copied to the observing port for analysis.

Usage Scenario

When more precise analysis of user traffic is required, you can combine flow mirroring based on the Option 82 information with traffic classification. In this way, only the packets that meet specified filtering conditions are copied to the observing port for analysis, improving analysis efficiency.

Pre-configuration Tasks

Before configuring flow mirroring based on the Option 82 information,

  • Connect the interfaces and set their physical parameters so that the interfaces are Up.

Configuration Procedures

No particular sequence is required for configuring an observing port and mirrored port, defining a mirroring traffic policy, and applying the traffic policy globally. All these configurations, however, must be complete before flow mirroring is implemented. If you no longer use flow mirroring, disable it to avoid affecting user services.

Figure 14-2 Flowchart for configuring local flow mirroring based on the Option 82 information of access users

Configuring an Observing Port

An observing port copies the traffic on the mirroring port to a packet analyzer. To prevent adverse impacts on running services, do not use the observing port as a service port.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-observing observe-index observe-index

    The observing port is configured.

    The observing port does not filter or modify frames. At the inbound side, a frame is mirrored before the header is removed; at the outbound side, a frame is mirrored after the frame is modified.

  4. (Optional) Run port-observing with-linklayer-header

    The observing port is configured to mirror packets including the link-layer header.

  5. (Optional) Run port-observing pop-label { one | two | all }

    The observing port is enabled to remove one, two, or all labels from mirrored MPLS packets.

  6. Run commit

    The configuration is committed.

Specifying an Observing Port

This section describes how to specify an observing port to associate the observing and mirrored ports.

Context

Flow mirroring applies only to an entire board. When mirroring is configured on the NE20E, all mirrored traffic on an interface board must be sent to the same observing port, which functions as the observing port of the interface board. You can specify the observing port for an interface board.
NOTE:

The observing port for an interface board can reside on this interface board or another one.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run mirror to observe-index observe-index

    An observing port is specified for the interface board.

  4. Run commit

    The configuration is committed.

Defining a Mirroring Traffic Policy and Applying It Globally

This section describes how to use a traffic classifier to define the traffic to be mirrored, specify flow mirroring for a traffic behavior, define a traffic policy that associates the traffic classifier with the traffic behavior, and apply the traffic policy globally.

Context

When more precise analysis of user traffic is required, you can configure a mirroring traffic policy and apply it globally. In this way, only the packets that meet specified filtering conditions are copied to the observing port for analysis.

Procedure

  1. Configure an ACL.
    1. Run system-view

      The system view is displayed.

    2. Run acl name acl-name [ match-order { auto | config } ]

      A named ACL is created, and the corresponding ACL view is displayed.

    3. Run rule [ rule-id ] [ name rule-name ] { deny | permit } ip [ destination { destination-ip-address { destination-wildcard | 0 } | any } | source { source-ip-address { source-wildcard | 0 } | any } ] *

      An advanced ACL is created in the advanced ACL view.

    4. Run return

      Return to the user view.

  2. Define a traffic classifier.
    1. Run system-view

      The system view is displayed.

    2. Run traffic classifier classifier-name [ operator { and | or } ]

      A traffic classifier is defined, and the traffic classifier view is displayed.

      The classifier name specified by the classifier-name parameter cannot be predefined by the system. For configuration details, see HUAWEI NE20E-S2 Universal Service Router Configuration Guide > QoS.

    3. Run if-match [ ipv6 ] acl { acl-number | name acl-name }

      An ACL-based filtering rule is defined.

    4. Run commit

      The configuration is committed.

    5. Run return

      Return to the user view.

  3. Define a traffic behavior and enable flow mirroring.
    1. Run system-view

      The system view is displayed.

    2. Run traffic behavior behavior-name

      A traffic behavior is defined and the traffic behavior view is displayed.

    3. Run port-mirroring enable

      Local flow mirroring is enabled.

    4. (Optional) Run port-mirroring car cir cir-value [ pir pir-value ] [ cbs cbs-value [ pbs pbs-value ] ]

      The CAR function is enabled for mirrored traffic.

    5. Run commit

      The configuration is committed.

    6. Run return

      Return to the user view.

  4. Define a traffic policy that associates a traffic classifier with a traffic behavior.
    1. Run system-view

      The system view is displayed.

    2. Run traffic policy policy-name

      A traffic policy is defined, and the traffic policy view is displayed.

    3. Run classifier classifier-name behavior behavior-name

      A traffic behavior is specified for a traffic classifier in the traffic policy.

    4. Run commit

      The configuration is committed.

    5. Run return

      Return to the user view.

  5. Create a mirroring service policy and bind it to a service group.
    1. Run system-view

      The system view is displayed.

    2. Run service-policy name policy-name mirror

      A mirroring traffic policy is created and the service policy view is displayed.

    3. Run service-group service-group-name [ inbound | outbound ] [ priority priority ]

      A service group is bound to the service policy.

    4. Run commit

      The configuration is committed.

    5. Run return

      Return to the user view.

  6. Configure the mapping between the Option 82 attribute and a service policy.
    1. Run system-view

      The system view is displayed.

    2. Run mirror rule [ rule-number ] service-policy service-policy [ partial-match ] { circuit-id | remote-id } description-text

      The mapping between a traffic policy and the Option 82 attribute is configured.

    3. Run commit

      The configuration is committed.

  7. Apply the traffic policy globally.
    1. Run traffic-policy policy-name { inbound | outbound }

      The traffic policy is applied globally to filter BAS-side user packets.

      This command is supported only on the Admin-VS.

    2. Run commit

      The configuration is committed.
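To make concrete what the mirror rule in step 6 compares against, here is an added Python example (not Huawei's code) that decodes the Option 82 circuit-id and remote-id sub-options from a DHCP options field and reports which service policies a given packet would map to. The substring semantics assumed for partial-match, the sample packet, and the rule numbers and policy names are all constructed for the illustration.

```python
# Added example (not Huawei code); partial-match semantics below are an assumption.
OPTION_RELAY_AGENT = 82   # RFC 3046 Relay Agent Information option
SUB_NAMES = {1: "circuit-id", 2: "remote-id"}  # RFC 3046 sub-option codes


def parse_tlv(data: bytes, top_level: bool = False) -> dict:
    """Parse code/length/value triples into {code: value}. At the DHCP top
    level, code 0 is PAD (skipped) and 255 is END (stop). Truncation raises."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if top_level and code == 255:
            break
        if top_level and code == 0:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated option at offset {i}")
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out


def option82_ids(dhcp_options: bytes) -> dict:
    """Return {'circuit-id': str, 'remote-id': str} for the sub-options present."""
    opts = parse_tlv(dhcp_options, top_level=True)
    if OPTION_RELAY_AGENT not in opts:
        return {}
    subs = parse_tlv(opts[OPTION_RELAY_AGENT])
    return {SUB_NAMES[c]: v.decode("ascii", "replace")
            for c, v in subs.items() if c in SUB_NAMES}


def matching_policies(dhcp_options: bytes, rules: list) -> list:
    """rules: (rule_number, service_policy, key, text, partial_match) tuples.
    Assumption: partial-match is a substring test, otherwise an exact compare;
    matching policies are returned in rule-number order."""
    ids = option82_ids(dhcp_options)
    hits = []
    for _number, policy, key, text, partial in sorted(rules):
        value = ids.get(key)
        if value is not None and (text in value if partial else value == text):
            hits.append(policy)
    return hits


# Constructed sample: DHCP message type (53), option 82 with both sub-options, PAD, END.
_CIRCUIT, _REMOTE = b"eth 0/1/0:100", b"OLT-A-01"
_SUB82 = bytes([1, len(_CIRCUIT)]) + _CIRCUIT + bytes([2, len(_REMOTE)]) + _REMOTE
SAMPLE_OPTIONS = bytes([53, 1, 1, 82, len(_SUB82)]) + _SUB82 + b"\x00\xff"
SAMPLE_RULES = [  # rule numbers and policy names are constructed for the example
    (1, "mirror-vlan100", "circuit-id", "eth 0/1/0:100", False),
    (2, "mirror-olt-a", "remote-id", "OLT-A", True),
    (3, "mirror-vlan200", "circuit-id", "eth 0/1/0:200", False),
]
```

A packet without Option 82 maps to no policy, and a truncated option raises rather than silently matching.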

Checking the Configurations

After local flow mirroring is configured, you can check configurations about the traffic classifier, traffic behavior, traffic policy, and observing port.

Procedure

  • Run the display traffic policy statistics global-acl command to check statistics about a globally applied traffic policy.
  • Run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command to check the configuration about a traffic behavior.
  • Run the display traffic classifier { system-defined | user-defined } [ classifier-name ] command to check the configuration about a traffic classifier.
  • Run the display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] command to check the configuration about the association between a specified traffic classifier and traffic behavior in a specified traffic policy or all traffic classifiers and traffic behaviors in all traffic policies.
  • Run the display service-policy { configuration [ name configuration-policy-name | global ] | cache [ name cache-policy-name ] } command to check the configuration about a service policy and information about the service group bound to the service policy.
  • Run the display port-observing interface [ interface-type interface-number | slot slot-id ] command to check the configuration about an observing port on an interface board.

Example

If the traffic behavior is successfully configured, run the display traffic behavior { system-defined | user-defined } [ behavior-name ] command to view information about the configured traffic behavior.

For example, run the display traffic behavior user-defined command, and you can view information about a user-defined traffic behavior.

<HUAWEI> display traffic behavior user-defined
  User Defined Behavior Information:
    Behavior: mirror
      Description:
      Mirror:
        port-mirroring enable

If the traffic classifier is successfully configured, run the display traffic classifier { system-defined | user-defined } [ classifier-name ] command to view information about the configured traffic classifier.

For example, run the display traffic classifier user-defined command, and you can view information about the configured user-defined traffic classifier.

<HUAWEI> display traffic classifier user-defined
  User Defined Classifier Information:
    Classifier: mirror
      Description:
      Operator: or
      Rule(s):
        if-match tcp syn-flag 2

If the traffic policy is successfully configured, run the display traffic policy { system-defined | user-defined } [ policy-name [ classifier classifier-name ] ] command to view the configuration about the association between a specified traffic classifier and traffic behavior in a specified traffic policy or all traffic classifiers and traffic behaviors in all traffic policies.

For example, run the display traffic policy user-defined command, and you can view information about the configured user-defined traffic policy.

<HUAWEI> display traffic policy user-defined
User Defined Traffic Policy Information:
  Total: 4095  Used: 3     Free: 4092
  Policy: test
     Description: huawei policy
     Step: 5
     Share-mode
     Classifier: huawei Precedence 5
     Behavior: huawei
      Marking:
        remark ip precedence 4
      Committed Access Rate:
        CIR 1000 (Kbps), PIR 0 (Kbps), CBS 10000 (byte), PBS 0 (byte)
        Conform Action: pass
        Yellow  Action: pass
        Exceed  Action: discard
      Redirecting:
        redirect lsp public 10.138.0.43
     Classifier: default-class Precedence 65535
     Behavior: be
       -none-

If the mirroring service policy is successfully configured and bound to a service group, run the display service-policy { configuration [ name configuration-policy-name | global ] | cache [ name cache-policy-name ] } command to view the configuration about the configured service policy and the service group to which the service policy is bound.

For example, run the display service-policy configuration name gd-edsg1 command, and you can view the configuration about the service policy named gd-edsg1 and the service group to which gd-edsg1 is bound.

<HUAWEI> display service-policy configuration name gd-edsg1
------------------------------------------------
Service-policy-index         : 0
  Service-policy-name          : gd-edsg1
  Service-policy-type          : EDSG
  Policy-storage-type          : configuration
  Reference-count              : 0
  Service-IP-type              : IPv6
  Service-class-inbound        :ef
  Service-class-outbound       :ef
  Authentication-scheme-name   : -
  Accounting-scheme-name       : default1
  Radius-server-template       : template1
  Service-group-name           : -
  Service-group-priority       : -
  Inbound-cir                  : 100(kbps)
  Inbound-pir                  : 100(kbps)
  Inbound-cbs                  : 100(bytes)
  Inbound-pbs                  : 3000(bytes)
  Outbound-cir                 : 10000(kbps)
  Outbound-pir                 : -
  Outbound-cbs                 : -
  Outbound-pbs                 : -
  Prepaid-profile-name         : -
  HTTP-redirect-profile        : -
  Diameter monitor key         : -
  Inbound-match-usergroup      : no
  Outbound-match-usergroup     : no
  Current time-range template  :-
  Time-range template          : t1
    Inbound-cir       : 10000(kbps)  
    Inbound-pir       : - 
    Inbound-cbs       : - 
    Inbound-pbs       : - 
    Outbound-cir      : 10000(kbps) 
    Outbound-pir      : -  
    Outbound-cbs      : - 
    Outbound-pbs      : -
  Time-range template        : t2
    Inbound-cir       : 20000(kbps) 
    Inbound-pir       : - 
    Inbound-cbs       : - 
    Inbound-pbs       : - 
    Outbound-cir      : 20000(kbps) 
    Outbound-pir      : - 
    Outbound-cbs      : - 
    Outbound-pbs      : -
  Time-range template        : t3
    Inbound-cir       : 30000(kbps) 
    Inbound-pir       : - 
    Inbound-cbs       : -
    Inbound-pbs       : - 
    Outbound-cir      : 30000(kbps) 
    Outbound-pir      : - 
    Outbound-cbs      : - 
    Outbound-pbs      : -
 ------------------------------------------------ 

If flow mirroring is successfully configured, run the display port-observing interface [ slot slot-id ] command to view the configuration about the observing port on an interface board.

For example, run the display port-observing interface slot 1 command, and you can view detailed configuration about the observing port on the interface board in slot 1.

<HUAWEI> display port-observing interface slot 1
L-Header: WithLinkHeader        Obs-index: Observe-index
----------------------------------------------------------------------
Interface                  L-Header Obs-index  Status Description
----------------------------------------------------------------------
GigabitEthernet0/1/0       -        5          down   -
----------------------------------------------------------------------
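As an added check (not part of the original page), the following Python parses the display port-observing interface output shown above and flags observing ports whose status is not up, since mirrored traffic sent to a down observing port never reaches the analyzer. The second sample row and its L-Header value are constructed for the illustration.

```python
# Added example (not Huawei code): parse 'display port-observing interface slot N'.
import re

# interface, L-Header, Obs-index, Status, optional Description
_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+(.*?))?\s*$")


def parse_port_observing(output: str) -> list:
    """One dict per interface row; prompt, legend, header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(("<", "-", "L-Header:", "Interface")):
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        iface, lheader, idx, status, desc = m.groups()
        rows.append({"interface": iface, "with_link_header": lheader != "-",
                     "observe_index": int(idx), "status": status.lower(),
                     "description": "" if desc in (None, "-") else desc})
    return rows


def observing_ports_not_up(output: str) -> list:
    """Interfaces configured as observing ports whose status is not 'up'."""
    return [r["interface"] for r in parse_port_observing(output) if r["status"] != "up"]


# Constructed sample: the first row is the page's own output; the second row and
# its L-Header value are assumed for the illustration.
SAMPLE_OUTPUT = """\
<HUAWEI> display port-observing interface slot 1
L-Header: WithLinkHeader        Obs-index: Observe-index
----------------------------------------------------------------------
Interface                  L-Header Obs-index  Status Description
----------------------------------------------------------------------
GigabitEthernet0/1/0       -        5          down   -
GigabitEthernet0/1/1       yes      6          up     to-analyzer
----------------------------------------------------------------------
"""
```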

Disabling Flow Mirroring

Flow mirroring needs to be disabled if it is no longer used; otherwise, user services are affected.

Context

There is no specific sequence for deleting configurations for an observing port for an interface board, an observing port for a specified mirrored interface, and a mirroring interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run undo mirror to observe-index observe-index

    The interface is no longer an observing port for receiving mirrored packets from an entire interface board.

  4. Run quit

    The system view is displayed.

  5. Run interface interface-type interface-number

    The interface view is displayed.

    This interface functions as an observing port.

  6. Run undo port-observing observe-index observe-index

    The interface is no longer an observing port.

  7. Run quit

    The system view is displayed.

  8. Run interface interface-type interface-number

    The interface view is displayed.

    This interface functions as a mirroring interface.

  9. Run undo traffic-policy { inbound | outbound } [ link-layer | mpls-layer ]

    The traffic policy is no longer applied to the interface.

  10. Run quit

    The system view is displayed.

  11. Run traffic behavior behavior-name

    A traffic behavior is defined and the traffic behavior view is displayed.

  12. Run undo port-mirroring enable

    Local flow mirroring is disabled.

  13. Run quit

    The system view is displayed.

    The traffic policy, behavior, and classifier for mirrored packets can be deleted if they are no longer used.

  14. Run undo traffic policy policy-name

    The traffic policy for flow mirroring is no longer used.

  15. Run undo traffic behavior behavior-name

    The traffic behavior for flow mirroring is deleted.

  16. Run undo traffic classifier classifier-name [ operator { and | or } ]

    The traffic classifier for flow mirroring is deleted.

  17. Run commit

    The configuration is committed.

Updated: 2019-01-02

Document ID: EDOC1100055397
