NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Example for Configuring EVC Port Mirroring

This section provides an example for configuring port mirroring on an EVC Layer 2 sub-interface.

Networking Requirements

On the network shown in Figure 14-4, users in communities 1 and 2 run Internet, IPTV, and VoIP services. To simplify management, the network administrators assign each service to its own VLAN, so that the same service is always carried in the same VLAN. An EVC model is used so that community 1 and community 2 can communicate with each other.

For security monitoring, VLAN 10 traffic sent from CE1 to PE1 through subinterface1.1 needs to be captured and analyzed. interface2 is configured as the observing port and subinterface1.1 as the mirrored port. All inbound VLAN 10 traffic on subinterface1.1 is copied to interface2 and forwarded to the analyser. Only the inbound direction is mirrored in this example; traffic sent from PE1 toward CE1 is not copied.

Figure 14-4 EVC port mirroring
NOTE:
  • The configurations in this example are performed on CE1, CE2, PE1, and PE2. HUAWEI NE20E-S2 can function as CE1, CE2, PE1, and PE2.
  • interface1, subinterface1.1, subinterface1.2, interface2, interface3, and interface4 in this example are GE0/1/1, GE0/1/1.1, GE0/1/1.2, GE0/2/1, GE0/1/2, and GE0/1/3 respectively.


Precautions

All services in the VLANs are located on the same network segment.

The observing port forwards unfiltered copies of user traffic to the analyser. Connect it only to the analyser, and do not add the observing port or any of its sub-interfaces to a bridge domain or VLAN that carries service traffic; otherwise the copied traffic is bridged back into the customer network.

Configuration Roadmap

An EVC model is used. The EVC Layer 2 sub-interface GE0/1/1.1 on PE1 is configured as the mirrored port, and GE0/2/1 on PE1 is configured as the observing port. Inbound VLAN 10 traffic on GE0/1/1.1 is copied to GE0/2/1 and then forwarded to the analyser.

The configuration roadmap is as follows:

  1. Create an EVC model so that community 1 and community 2 can communicate with each other.
  2. Configure GE0/2/1 on PE1 as an observing port.
  3. Configure GE0/1/1.1 on PE1 as a mirrored port.
  4. Associate the mirrored port with the observing port and start port mirroring for traffic on GE0/1/1.1.

Data Preparation

To complete the configuration, you need the following data:
  • Number of each interface connecting each device to users
  • Number of each interface connecting each device to another device
  • IDs of VLANs to which services belong
  • Bridge domain (BD) ID
  • Name of a mirroring instance
  • Number of the mirrored port
  • Number of the observing port

Procedure

  1. Create an EVC model so that community 1 and community 2 can communicate with each other.

    # Configure CE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE1
    [*HUAWEI] commit
    [~CE1] vlan 10
    [*CE1-vlan10] quit
    [*CE1] interface gigabitethernet 0/1/1
    [*CE1-GigabitEthernet0/1/1] undo shutdown
    [*CE1-GigabitEthernet0/1/1] portswitch
    [*CE1-GigabitEthernet0/1/1] port link-type access
    [*CE1-GigabitEthernet0/1/1] port default vlan 10
    [*CE1-GigabitEthernet0/1/1] quit
    [*CE1] interface gigabitethernet 0/1/2
    [*CE1-GigabitEthernet0/1/2] undo shutdown
    [*CE1-GigabitEthernet0/1/2] portswitch
    [*CE1-GigabitEthernet0/1/2] port link-type trunk
    [*CE1-GigabitEthernet0/1/2] port trunk allow-pass vlan 10
    [*CE1-GigabitEthernet0/1/2] quit
    [*CE1] commit

    # Configure CE2.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE2
    [*HUAWEI] commit
    [~CE2] vlan batch 10 30
    [*CE2] interface gigabitethernet 0/1/1
    [*CE2-GigabitEthernet0/1/1] undo shutdown
    [*CE2-GigabitEthernet0/1/1] portswitch
    [*CE2-GigabitEthernet0/1/1] port link-type access
    [*CE2-GigabitEthernet0/1/1] port default vlan 30
    [*CE2-GigabitEthernet0/1/1] quit
    [*CE2] interface gigabitethernet 0/1/3
    [*CE2-GigabitEthernet0/1/3] undo shutdown
    [*CE2-GigabitEthernet0/1/3] portswitch
    [*CE2-GigabitEthernet0/1/3] port link-type access
    [*CE2-GigabitEthernet0/1/3] port default vlan 10
    [*CE2-GigabitEthernet0/1/3] quit
    [*CE2] interface gigabitethernet 0/1/2
    [*CE2-GigabitEthernet0/1/2] undo shutdown
    [*CE2-GigabitEthernet0/1/2] portswitch
    [*CE2-GigabitEthernet0/1/2] port link-type trunk
    [*CE2-GigabitEthernet0/1/2] port trunk allow-pass vlan 10 30
    [*CE2-GigabitEthernet0/1/2] quit
    [*CE2] commit

    # Configure PE1.

    <HUAWEI> system-view
    [~HUAWEI] sysname PE1
    [*HUAWEI] commit
    [~PE1] bridge-domain 10
    [*PE1-bd10] quit
    [*PE1] interface gigabitethernet 0/1/1
    [*PE1-GigabitEthernet0/1/1] undo shutdown
    [*PE1-GigabitEthernet0/1/1] quit
    [*PE1] interface gigabitethernet 0/1/1.1 mode l2
    [*PE1-GigabitEthernet0/1/1.1] encapsulation dot1q vid 10
    [*PE1-GigabitEthernet0/1/1.1] bridge-domain 10
    [*PE1-GigabitEthernet0/1/1.1] quit
    [*PE1] interface gigabitethernet 0/1/2
    [*PE1-GigabitEthernet0/1/2] undo shutdown
    [*PE1-GigabitEthernet0/1/2] quit
    [*PE1] interface gigabitethernet 0/1/2.1 mode l2
    [*PE1-GigabitEthernet0/1/2.1] encapsulation dot1q vid 10
    [*PE1-GigabitEthernet0/1/2.1] bridge-domain 10
    [*PE1-GigabitEthernet0/1/2.1] commit
    [~PE1-GigabitEthernet0/1/2.1] quit

    # Configure PE2.

    <HUAWEI> system-view
    [~HUAWEI] sysname PE2
    [*HUAWEI] commit
    [~PE2] bridge-domain 10
    [*PE2-bd10] quit
    [*PE2] interface gigabitethernet 0/1/1
    [*PE2-GigabitEthernet0/1/1] undo shutdown
    [*PE2-GigabitEthernet0/1/1] quit
    [*PE2] interface gigabitethernet 0/1/1.1 mode l2
    [*PE2-GigabitEthernet0/1/1.1] encapsulation dot1q vid 10
    [*PE2-GigabitEthernet0/1/1.1] bridge-domain 10
    [*PE2-GigabitEthernet0/1/1.1] quit
    [*PE2] interface gigabitethernet 0/1/1.2 mode l2
    [*PE2-GigabitEthernet0/1/1.2] encapsulation dot1q vid 30
    [*PE2-GigabitEthernet0/1/1.2] rewrite map 1-to-1 vid 10
    [*PE2-GigabitEthernet0/1/1.2] bridge-domain 10
    [*PE2-GigabitEthernet0/1/1.2] quit
    [*PE2] interface gigabitethernet 0/1/2
    [*PE2-GigabitEthernet0/1/2] undo shutdown
    [*PE2-GigabitEthernet0/1/2] quit
    [*PE2] interface gigabitethernet 0/1/2.1 mode l2
    [*PE2-GigabitEthernet0/1/2.1] encapsulation dot1q vid 10
    [*PE2-GigabitEthernet0/1/2.1] bridge-domain 10
    [*PE2-GigabitEthernet0/1/2.1] commit
    [~PE2-GigabitEthernet0/1/2.1] quit

  2. Configure GE0/2/1 on PE1 as an observing port.

    [~PE1] interface gigabitethernet 0/2/1
    [*PE1-GigabitEthernet0/2/1] port-observing observe-index 1
    [*PE1-GigabitEthernet0/2/1] commit
    [~PE1-GigabitEthernet0/2/1] quit

  3. Configure GE0/1/1.1 on PE1 as a mirrored port.

    [~PE1] mirror instance evcto201 location
    [*PE1] commit
    [~PE1] interface gigabitethernet 0/1/1.1 mode l2
    [*PE1-GigabitEthernet0/1/1.1] port-mirroring instance evcto201  inbound  vid 10 identifier none
    [*PE1-GigabitEthernet0/1/1.1] commit
    [~PE1-GigabitEthernet0/1/1.1] quit

  4. Associate the mirrored port with the observing port and start port mirroring.

    [~PE1] slot 1
    [*PE1-slot1] mirror to observe-index 1
    [*PE1-slot1] commit
    [~PE1-slot1] quit

  5. Verify the configuration.

    After completing the configuration, run the display bridge-domain command to view bridge domain information, including the bridge domain to which an EVC Layer 2 sub-interface belongs and the bridge domain status. The following example uses the command output on PE1.

    [~PE1] display bridge-domain
    The total number of bridge-domains is : 1
    --------------------------------------------------------------------------------
    MAC_LRN: MAC learning;         STAT: Statistics;         SPLIT: Split-horizon;
    BC: Broadcast;                 MC: Unknown multicast;    UC: Unknown unicast;
    *down: Administratively down;  FWD: Forward;             DSD: Discard;
    --------------------------------------------------------------------------------
    
    BDID  State MAC-LRN STAT    BC  MC  UC  SPLIT   Description
    --------------------------------------------------------------------------------
    10    up    enable  disable FWD FWD FWD disable

    Run the display ethernet uni information command to view information about the traffic encapsulation type and behavior configured on an EVC Layer 2 sub-interface. The following example uses the command output on PE2.

    [~PE2] display ethernet uni information
      GigabitEthernet0/1/1.1
        Total encapsulation number: 1
          encapsulation dot1q vid 10
        No action
      GigabitEthernet0/1/1.2
        Total encapsulation number: 1
          encapsulation dot1q vid 30
        Rewrite map 1-to-1 vid 10
      GigabitEthernet0/1/2.1
        Total encapsulation number: 1
          encapsulation dot1q vid 10
        No action

    Community 1 and community 2 can communicate with each other.

    Run the display mirror instance [ instance-name ] location command. The command output shows the configuration of a port mirroring instance on an EVC Layer 2 sub-interface.

    [~PE1] display mirror instance location
    instance evcto201 
        car                   : -

Configuration Files

  • PE1 configuration file

    #
    sysname PE1
    #
    mirror instance evcto201 location
    #
    slot 1 
     mirror to observe-index 1
    #
    interface GigabitEthernet0/1/1
     undo shutdown
    #
    interface GigabitEthernet0/1/1.1 mode l2
     encapsulation dot1q vid 10
     bridge-domain 10
     port-mirroring instance evcto201  inbound  vid 10 identifier none
    #
    interface GigabitEthernet0/1/2
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1 mode l2
     encapsulation dot1q vid 10
     bridge-domain 10
    #
    interface GigabitEthernet0/2/1
     port-observing observe-index 1
    #
    return
  • PE2 configuration file

    #
    sysname PE2
    #
    interface GigabitEthernet0/1/1
     undo shutdown
    #
    interface GigabitEthernet0/1/1.1 mode l2
     encapsulation dot1q vid 10
     bridge-domain 10
    #
    interface GigabitEthernet0/1/1.2 mode l2
     encapsulation dot1q vid 30
     rewrite map 1-to-1 vid 10
     bridge-domain 10
    #
    interface GigabitEthernet0/1/2
     undo shutdown
    #
    interface GigabitEthernet0/1/2.1 mode l2
     encapsulation dot1q vid 10
     bridge-domain 10
    #
    return
  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 10
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 10
     dcn
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    return
  • CE2 configuration file

    #
    sysname CE2
    #
    vlan batch 10 30
    #
    interface GigabitEthernet0/1/1
     portswitch
     undo shutdown
     port link-type access
     port default vlan 30
     dcn
    #
    interface GigabitEthernet0/1/2
     portswitch
     undo shutdown
     port link-type trunk
     port trunk allow-pass vlan 10 30
    #
    interface GigabitEthernet0/1/3
     portswitch
     undo shutdown
     port link-type access
     port default vlan 10
    #
    return
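As an added check (example code written for this page; it is not part of the original example and not Huawei tooling), the following Python script parses the PE1 configuration file listed above, trimmed to the mirroring-relevant blocks, and verifies that the mirroring references are internally consistent: the mirror instance applied on the mirrored sub-interface is defined, the observe-index that the slot mirrors to is provided by an interface, and the observing port is not also a service port (a bridge-domain member, a mirrored port, or the parent of a sub-interface in a bridge domain). It then runs the same audit on a constructed misconfiguration derived from PE1's file, in which slot 1 points at an observe-index that no interface provides and GE0/2/1 receives a sub-interface in bridge domain 10. The block-splitting rule (blocks delimited by `#`), the regular expressions and the ERROR/WARN labels are this script's own assumptions; it checks only the configuration text and cannot confirm that copied traffic actually reaches the analyser.

```python
"""Audit a Huawei VRP-style configuration for a consistent port-mirroring setup.

Added example for this page, not Huawei tooling. It checks only what the configuration
text states: every mirror-instance and observe-index reference resolves, and the
observing port is dedicated to the analyser instead of also carrying service traffic.
"""
import re

# From the PE1 configuration file on this page, trimmed to the mirroring-relevant blocks.
PE1_CONFIG = """\
#
mirror instance evcto201 location
#
slot 1
 mirror to observe-index 1
#
interface GigabitEthernet0/1/1.1 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10
 port-mirroring instance evcto201  inbound  vid 10 identifier none
#
interface GigabitEthernet0/1/2.1 mode l2
 encapsulation dot1q vid 10
 bridge-domain 10
#
interface GigabitEthernet0/2/1
 port-observing observe-index 1
#
return
"""

# Constructed misconfiguration derived from PE1: slot 1 points at an observe-index that no
# interface provides, and the observing port gets a sub-interface in service bridge domain 10.
BAD_CONFIG = PE1_CONFIG.replace(
    "mirror to observe-index 1", "mirror to observe-index 2").replace(
    "return", "interface GigabitEthernet0/2/1.1 mode l2\n bridge-domain 10\n#\nreturn")


def parse_sections(text):
    """Split a VRP configuration file into (header, [child lines]) blocks delimited by '#'."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line in ("#", "return", ""):
            current = None          # block terminator; the next line starts a new header
            continue
        if current is None:
            current = (line, [])
            sections.append(current)
        else:
            current[1].append(line.strip())
    return sections


def audit_mirroring(text):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means the mirroring is consistent."""
    instances, observing, mirrored, bindings, bd_members = set(), {}, {}, {}, {}
    for header, body in parse_sections(text):
        if m := re.match(r"mirror instance (\S+) location$", header):
            instances.add(m.group(1))
        elif m := re.match(r"slot (\d+)$", header):
            for line in body:
                if b := re.match(r"mirror to observe-index (\d+)$", line):
                    bindings[m.group(1)] = b.group(1)
        elif m := re.match(r"interface (\S+)", header):
            ifname = m.group(1)
            for line in body:
                if o := re.match(r"port-observing observe-index (\d+)$", line):
                    observing[o.group(1)] = ifname
                elif p := re.match(r"port-mirroring instance (\S+)\s+(inbound|outbound)", line):
                    mirrored[ifname] = (p.group(1), p.group(2))
                elif b := re.match(r"bridge-domain (\d+)$", line):
                    bd_members[ifname] = b.group(1)

    findings = []
    for ifname, (inst, _direction) in mirrored.items():
        if inst not in instances:
            findings.append(f"ERROR: {ifname} references undefined mirror instance {inst}")
    for inst in sorted(instances - {inst for inst, _ in mirrored.values()}):
        findings.append(f"WARN: mirror instance {inst} is defined but applied to no interface")
    for slot, idx in bindings.items():
        if idx not in observing:
            findings.append(f"ERROR: slot {slot} mirrors to observe-index {idx}, which no interface provides")
    for idx, ifname in observing.items():
        if idx not in bindings.values():
            findings.append(f"WARN: observing port {ifname} (observe-index {idx}) receives no mirrored traffic")
        # The observing port forwards raw copies of user traffic to the analyser; if it is also a
        # service port, those copies are bridged back into the customer network.
        if ifname in bd_members or ifname in mirrored or any(
                member.startswith(ifname + ".") for member in bd_members):
            findings.append(f"ERROR: observing port {ifname} also carries service traffic")
    return findings


if __name__ == "__main__":
    for name, cfg in (("PE1", PE1_CONFIG), ("BAD", BAD_CONFIG)):
        print(name, audit_mirroring(cfg) or ["OK"])
```

Run it against the output of display current-configuration on PE1 after committing the configuration; the PE1 file above audits clean, while the constructed variant reports the dangling observe-index, the idle observing port, and the observing port that also carries VLAN 10 service traffic.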
Updated: 2019-01-02

Document ID: EDOC1100055397