NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01


Configuring Port Mirroring

By configuring port mirroring, you can copy the traffic on a specified mirroring port to an observing port for analysis. This lets you monitor the traffic passing through the mirroring port.

Usage Scenario

When a network device is directly connected to the router and traffic on the interfaces of the network device needs to be observed and analyzed, enable port mirroring on the router to mirror that traffic to a specific packet analyzer. In this manner, you do not have to analyze packets on the interfaces of the network device itself.

Pre-configuration Tasks

Before configuring port mirroring, connect interfaces and set their physical parameters to ensure that the physical interface status is Up.

Configuration Procedure

To enable port mirroring, configure observing ports and mirrored ports, and specify an observing port for a line processing unit or an interface. If you no longer use port mirroring, disable it to avoid affecting user services.

Configuring an Observing Port

An observing port copies the traffic on the mirroring port to a packet analyzer. To prevent adverse impacts on running services, do not use the observing port as a service port.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-observing observe-index observe-index

    The observing port is configured.

    The observing port does not filter or modify frames. At the inbound side, a frame is mirrored before the header is removed; at the outbound side, a frame is mirrored after the frame is modified.

  4. (Optional) Run port-observing with-linklayer-header

    The observing port is configured to mirror packets including the link layer header.

  5. (Optional) Run port-observing pop-label { one | two | all }

    The observing interface is enabled to remove labels from MPLS packets.

  6. Run commit

    The configuration is committed.

Configuring a Mirrored Port

To analyze traffic sent or received on an interface, configure this interface as a mirrored port.

Context

You can configure the mirrored port in common mode or mirroring instance mode.
  • The common mode supports interface-based mirroring, and the mirroring instance mode supports only board-based mirroring.

  • CAR can be implemented for mirrored traffic in both modes. In common mode, CAR is implemented on each interface. In mirroring instance mode, a shared CAR can be configured in a mirroring instance and applies to different interfaces bound to the mirroring instance, which simplifies configuration and optimizes CAR resource usage.

  • A shared instance can be configured for multiple interfaces. To be specific, multiple interfaces can share a mirroring instance. This feature allows more interfaces to support port mirroring when the mirroring specification is insufficient.

Table 14-1 Interfaces supporting local mirroring

| Interface Type | Mirrored Port | Observing Port |
|---|---|---|
| Layer 2 Ethernet main interfaces (including Eth-Trunk interfaces) | Supported. NOTE: After VLAN mapping or VLAN stacking is configured on a Layer 2 main interface, the interface still supports mirroring. | Supported. NOTE: After VLAN mapping or VLAN stacking is configured on a Layer 2 main interface, the interface cannot be configured as an observing port. |
| Layer 3 Ethernet main interfaces (including Eth-Trunk interfaces and a Layer 3 main interface configured as a BAS main interface) | Supported | Supported |
| BAS interface | Supported. NOTE: When a VE interface functions as a BAS interface, local flow mirroring is supported only on the access VE interface in hardware loopback mode. | Not supported |
| Ethernet sub-interfaces (including Eth-Trunk interfaces) | Supported. NOTE: After a sub-interface is configured as a dot1q, dot1q VLAN tag termination, QinQ VLAN tag termination, EVC, or BAS sub-interface, the sub-interface still supports mirroring. | Supported. NOTE: After a sub-interface is configured as a dot1q, dot1q VLAN tag termination, QinQ VLAN tag termination, or BAS sub-interface, the sub-interface cannot be configured as an observing port. The observing port can only be configured on the EVC sub-interface with untag or dot1q traffic encapsulation type. |
| POS interfaces | Supported | Supported |
| IP-Trunk interfaces | Supported | Supported |
| Serial interfaces | Supported | Not supported |
| ATM main interfaces | Supported | Not supported |
| ATM sub-interfaces | Supported | Not supported |
| Mp-Group | Supported | Not supported |

Procedure

  • Common mirroring mode
    1. Run system-view

      The system view is displayed.

    2. (Optional) Run observe user-defined-filter

      A user-defined any-byte matching rule for packet mirroring is configured.

    3. Run interface interface-type interface-number

      The interface view is displayed.

    4. Perform either of the following configurations based on requirements:

      • Run the port-mirroring { inbound [ cpu-packet ] | outbound } [ user-defined-filter user-defined-filter-id ] command to configure port mirroring.
        NOTE:
        If the cpu-packet keyword is configured, only packets to be sent to the CPU are mirrored on the interface.
      • Run the port-mirroring { inbound | outbound } vlan vlan-id1 [ to vlan-id2 ] command to configure VLAN-based mirroring.
      • Run the port-mirroring { inbound | outbound } pe-vid low-vid [ to high-vid ] ce-vid ce-vlan-id-begin [ to ce-vlan-id-end ] command to configure mirroring based on VLAN segments for inner and outer VLAN tags.

    5. Run commit

      The configuration is committed.

  • Mirroring instance mode
    1. To apply the mirroring instance mode to a Layer 2 EVC sub-interface:

      1. Run system-view

        The system view is displayed.

      2. Run mirror instance instance-name location

        A mirroring instance is created.

      3. Run commit

        The configuration is committed.

      4. Run interface interface-type interface-number.subnum mode l2

        The EVC Layer 2 sub-interface view is displayed.

      5. Run any of the following commands to configure a mirroring instance.
        • If the encapsulation type of an EVC Layer 2 sub-interface is QinQ, run port-mirroring instance instance-name { inbound | outbound } [ pe-vid pe-vid ce-vid ce-vid-begin [ to ce-vid-end ] ] identifier { none | pe-vid | ce-vid | pe-ce-vid } [ group group-name ]

        • If the encapsulation type of an EVC Layer 2 sub-interface is dot1q, run port-mirroring instance instance-name { inbound | outbound } [ vid vlan-id-begin [ to vlan-id-end ] ] identifier { none | vid } [ group group-name ]

        • If the encapsulation type of an EVC Layer 2 sub-interface is Untag or Default, run port-mirroring instance instance-name { inbound | outbound } [ group group-name ]

      6. Run commit

        The configuration is committed.

    2. To apply the mirroring instance mode to a BD:

      1. Run system-view

        The system view is displayed.

      2. Run mirror instance instance-name location

        A mirroring instance is created.

      3. Run commit

        The configuration is committed.

      4. Run bridge-domain bd-id

        The Bridge domain view is displayed.

      5. Run port-mirroring instance instance-name { inbound | outbound } [ group group-name ]

        The traffic in the BD is observed.

      6. Run commit

        The configuration is committed.

Specifying an Observing Port

This section describes how to specify an observing port to associate the observing and mirrored ports.

Context

Two methods are available:
  • Specify an observing port for a line processing unit.
    When packets are mirrored on the NE20E, mirrored traffic on an interface board can be sent only to an observing port. This is the observing port for the interface board.
    NOTE:

    The observing port for an interface board can reside on the interface board itself or other interface boards.

    When the mirroring instance mode is used, only board-based mirroring is supported.

  • Specify an observing port for an interface.

    When packets are mirrored on the NE20E, mirrored traffic on an interface is sent to an observing port. This is the observing port for the interface.

    NOTE:

    Packets received on an interface can be mirrored to an observing port on any interface board. If you specify observing ports for both an interface and an interface board, the observing port specified for the interface takes precedence over the observing port specified for the interface board.

Table 14-2 Interfaces supporting local mirroring

| Interface Type | Mirrored Port | Observing Port |
|---|---|---|
| Layer 2 Ethernet main interfaces (including Eth-Trunk interfaces) | Supported. NOTE: After VLAN mapping or VLAN stacking is configured on a Layer 2 main interface, the interface still supports mirroring. | Supported. NOTE: After VLAN mapping or VLAN stacking is configured on a Layer 2 main interface, the interface cannot be configured as an observing port. |
| Layer 3 Ethernet main interfaces (including Eth-Trunk interfaces and a Layer 3 main interface configured as a BAS main interface) | Supported | Supported |
| BAS interface | Supported. NOTE: When a VE interface functions as a BAS interface, local flow mirroring is supported only on the access VE interface in hardware loopback mode. | Not supported |
| Ethernet sub-interfaces (including Eth-Trunk interfaces) | Supported. NOTE: After a sub-interface is configured as a dot1q, dot1q VLAN tag termination, QinQ VLAN tag termination, EVC, or BAS sub-interface, the sub-interface still supports mirroring. | Supported. NOTE: After a sub-interface is configured as a dot1q, dot1q VLAN tag termination, QinQ VLAN tag termination, or BAS sub-interface, the sub-interface cannot be configured as an observing port. The observing port can only be configured on the EVC sub-interface with untag or dot1q traffic encapsulation type. |
| POS interfaces | Supported | Supported |
| IP-Trunk interfaces | Supported | Supported |
| Serial interfaces | Supported | Not supported |
| ATM main interfaces | Supported | Not supported |
| ATM sub-interfaces | Supported | Not supported |
| Mp-Group | Supported | Not supported |

Procedure

  1. Run system-view

    The system view is displayed.

    Perform either of the following operations:

    1. Specify an observing port for an interface board.

      • Run mirror to observe-index observe-index

        An observing port is specified for the interface board in the slot.

    2. Specify an observing port for an interface.

      • Run interface interface-type interface-number

        The interface view is displayed.

      • Run port-mirroring to { observe-index observe-index &<1-5> | null0 }

        An observing port is specified for the interface.

  2. Run commit

    The configuration is committed.

(Optional) Configuring Port Mirroring in Integrated Mode

Context

To simplify port mirroring configuration, related commands have been integrated into a single command. Perform the following steps to configure port mirroring in integrated mode:

Table 14-3 Interfaces supporting local mirroring

| Interface Type | Mirrored Port | Observing Port |
|---|---|---|
| Layer 2 Ethernet main interfaces (including Eth-Trunk interfaces) | Supported. NOTE: After VLAN mapping or VLAN stacking is configured on a Layer 2 main interface, the interface still supports mirroring. | Supported. NOTE: After VLAN mapping or VLAN stacking is configured on a Layer 2 main interface, the interface cannot be configured as an observing port. |
| Layer 3 Ethernet main interfaces (including Eth-Trunk interfaces and a Layer 3 main interface configured as a BAS main interface) | Supported | Supported |
| BAS interface | Supported. NOTE: When a VE interface functions as a BAS interface, local flow mirroring is supported only on the access VE interface in hardware loopback mode. | Not supported |
| Ethernet sub-interfaces (including Eth-Trunk interfaces) | Supported. NOTE: After a sub-interface is configured as a dot1q, dot1q VLAN tag termination, QinQ VLAN tag termination, EVC, or BAS sub-interface, the sub-interface still supports mirroring. | Supported. NOTE: After a sub-interface is configured as a dot1q, dot1q VLAN tag termination, QinQ VLAN tag termination, or BAS sub-interface, the sub-interface cannot be configured as an observing port. The observing port can only be configured on the EVC sub-interface with untag or dot1q traffic encapsulation type. |
| POS interfaces | Supported | Supported |
| IP-Trunk interfaces | Supported | Supported |
| Serial interfaces | Supported | Not supported |
| ATM main interfaces | Supported | Not supported |
| ATM sub-interfaces | Supported | Not supported |
| Mp-Group | Supported | Not supported |

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-mirroring to { null0 | interface interface-type interface-number observe-index observe-index } { inbound | cpu-packet | outbound } [ user-defined-filter user-defined-filter-id ]

    Port mirroring in integrated mode is configured.

  4. Run commit

    The configuration is committed.

(Optional) Configuring the CAR Function for Mirrored Traffic

This section describes how to configure the committed access rate (CAR) function for mirrored traffic to prevent a large amount of mirrored traffic from affecting packet processing.

Context

Before you configure the CAR function for mirrored traffic, configure a mirrored port and an observing port.

Table 14-4 Interfaces supporting local mirroring

| Interface Type | Mirrored Port | Observing Port |
|---|---|---|
| Layer 2 Ethernet main interfaces (including Eth-Trunk interfaces) | Supported. NOTE: After VLAN mapping or VLAN stacking is configured on a Layer 2 main interface, the interface still supports mirroring. | Supported. NOTE: After VLAN mapping or VLAN stacking is configured on a Layer 2 main interface, the interface cannot be configured as an observing port. |
| Layer 3 Ethernet main interfaces (including Eth-Trunk interfaces and a Layer 3 main interface configured as a BAS main interface) | Supported | Supported |
| BAS interface | Supported. NOTE: When a VE interface functions as a BAS interface, local flow mirroring is supported only on the access VE interface in hardware loopback mode. | Not supported |
| Ethernet sub-interfaces (including Eth-Trunk interfaces) | Supported. NOTE: After a sub-interface is configured as a dot1q, dot1q VLAN tag termination, QinQ VLAN tag termination, EVC, or BAS sub-interface, the sub-interface still supports mirroring. | Supported. NOTE: After a sub-interface is configured as a dot1q, dot1q VLAN tag termination, QinQ VLAN tag termination, or BAS sub-interface, the sub-interface cannot be configured as an observing port. The observing port can only be configured on the EVC sub-interface with untag or dot1q traffic encapsulation type. |
| POS interfaces | Supported | Supported |
| IP-Trunk interfaces | Supported | Supported |
| Serial interfaces | Supported | Not supported |
| ATM main interfaces | Supported | Not supported |
| ATM sub-interfaces | Supported | Not supported |
| Mp-Group | Supported | Not supported |

Procedure

  1. Run system-view

    The system view is displayed.

  2. When the mirrored port is not an EVC Layer 2 sub-interface, run interface interface-type interface-number

    The interface view is displayed.

    When an EVC Layer 2 sub-interface or a bridge domain functions as the mirrored port, enter the following views to configure CAR for mirrored traffic:
    • If the mirrored port is created in common mode, run interface interface-type interface-number.subnum mode l2

      The EVC layer 2 sub-interface view is displayed.

    • If the mirrored port is created in mirroring instance mode, run mirror instance instance-name location

      A mirroring instance is created, and the mirroring instance view is displayed.

  3. Run port-mirroring car cir cir-value [ pir pir-value ] [ cbs cbs-value [ pbs pbs-value ] ]

    The CAR function is configured for mirrored traffic to limit the rate of mirrored packets.

(Optional) Configuring the Mirroring Statistics Function

You can configure the mirroring statistics function to monitor mirrored packet information.

Context

To enable the mirroring statistics function, perform the following steps:

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mirror statistic enable

    The mirroring statistics function is enabled.

  3. Run commit

    The configuration is committed.

Verifying the Port Mirroring Configuration

After local port mirroring is configured, you can view the configurations of the mirrored port, observing port, index of the observing port, and observing port applied on the interface board.

Procedure

  • Run the display port-mirroring interface [ interface-type interface-number | slot slot-id ] command to view the configuration of the mirrored port.
  • Run the display port-observing interface [ interface-type interface-number | slot slot-id ] command to view the configuration of the observing port.
  • Run the display port-observing observe-index [ observe-index ] command to view the configuration of the observing port with a specified observe index.
  • Run the display mirror instance [ instance-name ] location command to check the configuration of a port mirroring instance on an EVC Layer 2 sub-interface.
  • Run the display observe user-defined-filter [ user-defined-filter-id ] command to display a user-defined mirroring rule.
  • Run the display port-mirroring integration [ interface interface-type interface-number ] command to check integrated port mirroring configurations.

Example

After the mirrored port is configured successfully, you can run the display port-mirroring interface command to view the configuration of all the mirrored ports on the router; you can run the display port-mirroring interface interface-type interface-number command to view the configuration of a specified mirrored port; you can run the display port-mirroring interface slot slot-id command to view the configuration of all the mirrored ports on a specified interface board.

For example, by running the display port-mirroring interface command, you can view the configuration of all the mirrored ports on the router.

<HUAWEI> display port-mirroring interface
--------------------------------------------------------------------------------
Interface                 VLAN CAR Type   In/Out WithLinkHeader Instance 
--------------------------------------------------------------------------------
GigabitEthernet0/1/0      no   -   Port     In   -              -       
--------------------------------------------------------------------------------

After the observing port is configured successfully, you can run the display port-observing interface command to view the configuration of all the observing ports on the router; you can run the display port-observing interface interface-type interface-number command to view the configuration of a specified observing port; you can run the display port-observing interface slot slot-id command to view the configuration of all the observing ports on a specified interface board.

For example, by running the display port-observing interface command, you can view the configuration of all the observing ports on the router.

<HUAWEI> display port-observing interface
L-Header: WithLinkHeader        Obs-index: Observe-index
----------------------------------------------------------------------
Interface                  L-Header Obs-index  Status Description
----------------------------------------------------------------------
GigabitEthernet0/1/0       -        5          down   -            
----------------------------------------------------------------------

Run the display port-observing observe-index [ observe-index ] command to view the configuration of the observing port with a specified observe index.

<HUAWEI> display port-observing observe-index
L-Header: WithLinkHeader        Obs-index: Observe-index
----------------------------------------------------------------------
Interface                  L-Header Obs-index Status Description
----------------------------------------------------------------------
GigabitEthernet0/1/0      -        2          up     -
----------------------------------------------------------------------

Run the display mirror instance [ instance-name ] location command. The command output shows the configuration of a port mirroring instance on an EVC Layer 2 sub-interface.

<HUAWEI> display mirror instance location
instance e 
    car                   : -
 instance f
    car                   : 500

Run the display observe user-defined-filter command to display a user-defined mirroring rule.

<HUAWEI> display observe user-defined-filter 1
observer user-defined-filter 1 offset 10 value abcdabcd ffffffff

Run the display port-mirroring integration command to view integrated port mirroring configurations.

<HUAWEI> display port-mirroring integration
-------------------------------------------------------------------------------------------------------
Interface                        Obs-Interface            Obs-index         In/Out
------------------------------------------------------------------------------------------------------------
GigabitEthernet0/1/0             GigabitEthernet0/1/1     3                  In
------------------------------------------------------------------------------------------------------------
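
Because a mirror session copies live traffic to another port, the verification output above is also what an operator reviews to confirm that only intended sessions exist. The following Python script is an added example, not part of the Huawei guide: it parses the dash-ruled tables printed by the display commands above and reports mirrored ports, observing ports and integrated sessions that fall outside an approved policy. The sample outputs, the `APPROVED` mapping and the finding names are constructed for illustration, and reading `Status` as the port's link state is an assumption.

```python
import re

# Constructed sample output, modelled on the display examples on this page.
MIRRORED = """\
<HUAWEI> display port-mirroring interface
--------------------------------------------------------------------------------
Interface                 VLAN CAR Type   In/Out WithLinkHeader Instance
--------------------------------------------------------------------------------
GigabitEthernet0/1/0      no   -   Port     In   -              -
GigabitEthernet0/2/3      no   -   Port     Out  -              -
--------------------------------------------------------------------------------
"""
OBSERVING = """\
<HUAWEI> display port-observing interface
L-Header: WithLinkHeader        Obs-index: Observe-index
----------------------------------------------------------------------
Interface                  L-Header Obs-index  Status Description
----------------------------------------------------------------------
GigabitEthernet0/1/1       -        3          up     -
GigabitEthernet0/1/2       -        5          down   -
----------------------------------------------------------------------
"""
INTEGRATION = """\
<HUAWEI> display port-mirroring integration
--------------------------------------------------------------------------------
Interface                        Obs-Interface            Obs-index         In/Out
--------------------------------------------------------------------------------
GigabitEthernet0/1/0             GigabitEthernet0/1/1     3                  In
GigabitEthernet0/2/3             GigabitEthernet0/1/2     5                  Out
--------------------------------------------------------------------------------
"""
# Hypothetical site policy: approved mirrored port -> approved observing port.
APPROVED = {"GigabitEthernet0/1/0": "GigabitEthernet0/1/1"}
RULE = re.compile(r"^-{10,}\s*$")

def parse_table(text):
    """Parse one dash-ruled display table into a list of {column: value} dicts."""
    lines = text.splitlines()
    rules = [i for i, line in enumerate(lines) if RULE.match(line)]
    if len(rules) < 3:
        # Fail closed: never report a clean audit from output that could not be read.
        raise ValueError("expected three rule lines around header and body")
    header = lines[rules[0] + 1].split()
    rows = []
    for line in lines[rules[1] + 1:rules[2]]:
        # Split on whitespace; the last column keeps any embedded spaces.
        cells = line.split(None, len(header) - 1)
        if len(cells) != len(header):
            raise ValueError(f"unparseable row: {line!r}")
        rows.append(dict(zip(header, (c.strip() for c in cells))))
    return rows

def audit(mirrored, observing, integration, approved):
    """Return sorted (finding, subject) tuples for anything outside the policy."""
    findings = set()
    for row in parse_table(mirrored):
        if row["Interface"] not in approved:
            findings.add(("unapproved-mirrored-port", row["Interface"]))
    for row in parse_table(observing):
        if row["Interface"] not in approved.values():
            findings.add(("unapproved-observing-port", row["Interface"]))
        if row["Status"].lower() != "up":
            # Assumption: Status is the port's link state, so copies are not delivered.
            findings.add(("observing-port-not-up", row["Interface"]))
    for row in parse_table(integration):
        if approved.get(row["Interface"]) != row["Obs-Interface"]:
            session = f"{row['Interface']} -> {row['Obs-Interface']}"
            findings.add(("unapproved-session", session))
    return sorted(findings)

if __name__ == "__main__":
    for finding, subject in audit(MIRRORED, OBSERVING, INTEGRATION, APPROVED):
        print(f"{finding}: {subject}")
```
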

Disabling Port Mirroring

Port mirroring needs to be disabled if it is no longer used; otherwise, user services are affected.

Context

An observing port for receiving packets mirrored from the entire interface board, an observing port, and a mirroring interface can be deleted in any order.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run slot slot-id

    The slot view is displayed.

  3. Run undo mirror to observe-index observe-index

    The interface is no longer an observing port for receiving mirrored packets from an entire interface board.

  4. Run quit

    The system view is displayed.

  5. Run interface interface-type interface-number

    The interface view is displayed.

    This interface functions as an observing port.

  6. Run undo port-observing observe-index observe-index

    The interface is no longer an observing port.

  7. Run quit

    The system view is displayed.

  8. Run interface interface-type interface-number

    The interface view is displayed.

    This interface functions as a mirroring interface.

  9. Run undo port-mirroring { inbound [ cpu-packet ] | outbound } [ user-defined-filter user-defined-filter-id ]

    The interface is no longer a mirroring interface.

  10. Run undo observe user-defined-filter

    The user-defined any-byte matching rule for mirroring is canceled.

  11. Run undo port-mirroring inbound { inbound | outbound } vlan { vlan-id1 [ to vlan-id2 ] }

    The Layer 2 interface is no longer a mirroring interface.

  12. Run undo port-mirroring to { observe-index observe-index &<1-5> | null0 }

    The interface is no longer an observing port for mirroring.

  13. Run undo port-mirroring instance instance-name { inbound | outbound } pe-vid pe-vid ce-vid ce-vid-begin [ to ce-vid-end ]

    Port mirroring is disabled.

  14. Run undo port-mirroring instance instance-name { inbound | outbound } vid vlan-id-begin [ to vlan-id-end ]

    Port mirroring is disabled.

  15. Run undo port-mirroring instance instance-name { inbound | outbound }

    Port mirroring is disabled.

  16. Run undo mirror instance instance-name location

    A mirroring instance is disabled.

  17. Run commit

    The configuration is committed.

Updated: 2019-01-02

Document ID: EDOC1100055397
