What Is Mirroring

Introduction

This document describes the concepts and principles of mirroring and how to configure and delete mirroring.

Prerequisites

  • The switch supports the mirroring function, which is used for network detection and fault management and may involve personal communication information. Huawei cannot collect or store user communication information without permission. It is recommended that relevant functions used to collect or store user communication information be enabled in adherence with applicable laws and regulations. During the usage and storage of user communication information, measures must be taken to protect user communication information.
  • The functions and commands supported by different models may be different. This document uses S series switches of V200R013C00 as an example. For the functions and commands used on your device, see the related product documents.

Concepts of Mirroring

Definition

Mirroring copies (or mirrors) traffic received or sent (or both) on a specified source to a destination port for analysis. The specified source is called mirrored source, the destination port is called observing port, and the copied traffic is called mirrored traffic.

Mirroring sends a copy of the traffic through an observing port on a switch to a monitoring device for service analysis, without affecting the processing of original traffic on the source.

Figure 1-1 Example of mirroring

Mirrored Port and Observing Port

In Figure 1-1, all original traffic on the two source ports (mirrored ports) is mirrored to a destination port (the observing port), and the observing port sends the mirrored traffic to the monitoring device. Observing ports are classified into three types based on how they are connected to the monitoring device.

  • Local observing port: is directly connected to a monitoring device. These ports are used for local mirroring.

  • Layer 2 remote observing port: is connected to a monitoring device across a Layer 2 network. These ports are used for Layer 2 remote mirroring.

  • Layer 3 remote observing port: is connected to a monitoring device across a Layer 3 network. These ports are used for Layer 3 remote mirroring. Only S series modular switches support Layer 3 remote mirroring. For more information, see the Plug-in Usage Guide.

Dedicate observing ports to mirroring and do not configure other services on them; otherwise mirrored traffic and other service traffic may affect each other.

If mirroring is deployed on many ports of a switch, a great deal of internal forwarding bandwidth will be occupied, affecting the forwarding of other services. Additionally, if mirrored and observing ports provide different bandwidths, for example, 1000 Mbit/s on a mirrored port and 100 Mbit/s on an observing port, the observing port may fail to forward all mirrored traffic in a timely manner due to insufficient bandwidth, leading to packet loss.

Mirrored Source

Mirrored sources can be any one of the following:

  • Port: Traffic received or sent on a specified port is copied to an observing port. This mirroring function is port mirroring.

  • VLAN: Traffic received on all active ports in a specified VLAN is copied to an observing port. This mirroring function is VLAN mirroring.

  • MAC address: Traffic with a specified source or destination MAC address in a given VLAN is copied to an observing port. This mirroring function is MAC address mirroring.

  • Traffic: Traffic matching specified rules is copied to an observing port. This mirroring function is traffic mirroring.

Mirroring Directions

Mirroring directions define whether received or sent (or both) traffic is copied from mirrored ports to observing ports:

  • Inbound: The switch sends a copy of traffic received by mirrored ports to observing ports. This mirroring function is inbound mirroring.

  • Outbound: The switch sends a copy of traffic sent by mirrored ports to observing ports. This mirroring function is outbound mirroring.

  • Both: The switch sends a copy of traffic received and sent by mirrored ports to observing ports.

Understanding Mirroring

Port Mirroring

Port mirroring allows you to copy traffic received or sent by a mirrored port to an observing port. Depending on the observing port type, port mirroring is classified into local port mirroring and Layer 2 remote port mirroring.

Local Port Mirroring

Local port mirroring copies traffic to an observing port that is directly connected to a monitoring device. Figure 1-2 shows that a local observing port forwards the traffic copied from a mirrored port to the directly connected monitoring device.

Figure 1-2 Local port mirroring

Layer 2 Remote Port Mirroring

Layer 2 remote port mirroring copies traffic to an observing port that is connected to a monitoring device across a Layer 2 network. Figure 1-3 shows the process of mirrored traffic forwarding in Layer 2 remote port mirroring.

  1. The mirrored port copies the original traffic and sends the copy to the Layer 2 remote observing port.

  2. The Layer 2 remote observing port receives the mirrored traffic from the mirrored port, adds another VLAN tag (VLAN 20) to the original traffic tagged with VLAN 10, and then forwards the traffic to the intermediate Layer 2 network. Note that in this step, you can directly specify VLAN 20 while configuring the Layer 2 remote observing port, without the need to add the port to VLAN 20.

  3. SwitchC receives the mirrored traffic sent from the Layer 2 remote observing port and then forwards the traffic to the monitoring device. To enable SwitchB, SwitchC, and the monitoring device to communicate at Layer 2, you need to add the ports connecting the intermediate Layer 2 device (SwitchC) to the Layer 2 remote observing port and monitoring device to VLAN 20.

In Layer 2 remote mirroring, a Layer 2 remote observing port is connected to a monitoring device across a Layer 2 network, so a VLAN on this Layer 2 network needs to be reserved for mirrored traffic forwarding. This VLAN is similar to VLAN 20 in Figure 1-3 and is called Layer 2 remote mirroring VLAN.

  • Create this VLAN and add ports to it on all intermediate devices in the Layer 2 network between the observing port and the monitoring device, so that mirrored traffic can be flooded through the VLAN to the monitoring device.

  • Disable MAC address learning in this VLAN on all intermediate devices.

  • This VLAN cannot be the VLAN to which the original traffic belongs.

Figure 1-3 Layer 2 remote port mirroring

VLAN Mirroring

VLAN mirroring copies traffic received in a specified VLAN to an observing port. In Figure 1-4, the switch copies only the packets of VLAN 10 to the monitoring device. Similar to port mirroring, VLAN mirroring is classified into local VLAN mirroring and Layer 2 remote VLAN mirroring depending on the observing port type. Be aware of the following:

  • Only S series switches support VLAN mirroring.

  • The switch supports only inbound VLAN mirroring. That is, the switch can copy only the packets received in a specified VLAN to observing ports.

  • In Layer 2 remote VLAN mirroring, the VLAN to which the original traffic belongs must be different from the Layer 2 remote mirroring VLAN used on the intermediate Layer 2 network to forward mirrored traffic.

Figure 1-4 VLAN mirroring

MAC Address Mirroring

MAC address mirroring copies traffic with a specified source or destination MAC address in a specified VLAN to an observing port. MAC address mirroring is a more precise mirroring mode that allows you to monitor the packets of a specified device for analysis. In Figure 1-5, the switch copies only the packets sent from HostB to the monitoring device. Similar to port mirroring, MAC address mirroring is classified into local MAC address mirroring and Layer 2 remote MAC address mirroring depending on the observing port type. Be aware of the following:

  • Only S series switches support MAC address mirroring.

  • The switch supports only inbound MAC address mirroring. That is, the switch can copy only packets that carry a specified source or destination MAC address and are received in a specified VLAN to observing ports.

  • In Layer 2 remote MAC address mirroring, the VLAN to which the original traffic belongs must be different from the Layer 2 remote mirroring VLAN used on the intermediate Layer 2 network to forward mirrored traffic.

Figure 1-5 MAC address mirroring

Traffic Mirroring

Implementation

Traffic mirroring copies traffic matching specified rules from one or more mirrored ports to one or more observing ports, which then send the traffic to monitoring devices for analysis. Figure 1-6 shows the process of traffic mirroring. The mirrored port copies service flow 2, which matches the rules, to the observing port, which then forwards the copied flow to the monitoring device.

Similar to port mirroring, traffic mirroring is classified into local traffic mirroring and Layer 2 remote traffic mirroring depending on the observing port type.

Figure 1-6 Traffic mirroring

Traffic Mirroring Rules

A traffic policy containing a traffic mirroring behavior can be applied globally, in a VLAN, or on a mirrored port. Traffic mirroring rules can be configured using Modular QoS Command-Line Interface (MQC) and ACL.

  • Using MQC: It is complex to configure but supports more matching rules than ACL. MQC-based traffic mirroring can be applied to both inbound and outbound directions.

  • Using ACL: It is easy to configure but supports fewer matching rules than MQC. ACL-based traffic mirroring can only be applied to the inbound direction.

In Layer 2 remote traffic mirroring, if a traffic policy containing traffic mirroring is applied in a VLAN, the VLAN cannot be the Layer 2 remote mirroring VLAN used on the intermediate Layer 2 network to forward mirrored packets.

Configuring Mirroring

Configuring Observing Ports

Context

Dedicate observing ports to mirroring and do not configure other services on them; otherwise mirrored traffic and other service traffic may affect each other.

You can configure observing ports in two ways:

  • Configure a single observing port.

  • Configure an observing port group. This method is often used in 1:N mirroring to simplify the configuration and save observing port indexes. This is because an observing port group occupies only one observing port index regardless of how many ports are configured in the group.

Only the S5720EI, S5720HI, S5730HI, S6720EI, S6720HI, S6720S-EI, and all modular switches support observing port groups.

The management interface cannot be configured as an observing port.

Procedure

  • Configure local observing ports.

    Configure a single local observing port.

    1. Run the system-view command to enter the system view.

    2. Run the observe-port [ observe-port-index ] interface interface-type interface-number [ untag-packet ] command to configure a single local observing port.

    3. (Recommended) Run the observe-port observe-port-index forwarding disable command to disable the specified observing port from forwarding data packets.

      By default, an observing port forwards data packets.

    Configure a local observing port group.

    1. Run the system-view command to enter the system view.

    2. Run the observe-port [ observe-port-index ] interface-range { interface-type interface-number [ to interface-type interface-number ] } &<1-n> [ untag-packet ] command to configure a local observing port group.

      In &<1-n>, n is 4 on S5720EI, S6720EI, and S6720S-EI or 8 on S5720HI, S5730HI, S6720HI, and modular switches.

    3. (Optional) Run the observe-port observe-port-index interface-range { add | delete } interface-type interface-number command to add or delete specified observing ports to or from the local observing port group.

    4. (Recommended) Run the observe-port observe-port-index forwarding disable command to disable the specified observing port from forwarding data packets.

      By default, an observing port forwards data packets.

  • Configure Layer 2 remote observing ports.

    Configure a single Layer 2 remote observing port.

    1. Run the system-view command to enter the system view.

    2. Run the observe-port [ observe-port-index ] interface interface-type interface-number vlan vlan-id command to configure a single Layer 2 remote observing port and specify the Layer 2 remote mirroring VLAN.

    3. (Recommended) Run the observe-port observe-port-index forwarding disable command to disable the specified observing port from forwarding data packets.

      By default, an observing port forwards data packets.

    Configure a Layer 2 remote observing port group.

    1. Run the system-view command to enter the system view.

    2. Run the observe-port [ observe-port-index ] interface-range { interface-type interface-number [ to interface-type interface-number ] } &<1-n> vlan vlan-id command to configure a Layer 2 remote observing port group and specify the Layer 2 remote mirroring VLAN.

      In &<1-n>, n is 4 on S5720EI, S6720EI, and S6720S-EI or 8 on S5720HI, S5730HI, S6720HI, and modular switches.

    3. (Optional) Run the observe-port observe-port-index interface-range { add | delete } interface-type interface-number command to add or delete specified observing ports to or from the Layer 2 remote observing port group.

    4. (Recommended) Run the observe-port observe-port-index forwarding disable command to disable the specified observing port from forwarding data packets.

      By default, an observing port forwards data packets.

Verifying the Configuration

# Run the display observe-port command to view the observing port configuration. The following is a sample command output.

<HUAWEI> display observe-port
  ----------------------------------------------------------------------
  Index          : 1
  Untag-packet   : No
  Forwarding     : Yes
  Interface      : GigabitEthernet0/0/1
  ----------------------------------------------------------------------
  Index          : 2
  Untag-packet   : No
  Forwarding     : Yes
  Interface-range: GigabitEthernet0/0/2
  Vlan           : 20
  ----------------------------------------------------------------------
  Index          : 3
  Untag-packet   : No
  Forwarding     : Yes
  Interface-range: GigabitEthernet0/0/3 to GigabitEthernet0/0/5
  ----------------------------------------------------------------------

Configuring the Mirroring Mode

Procedure

Port mirroring

  1. Run the system-view command to enter the system view.

  2. Run the interface interface-type interface-number command to enter the interface view.

  3. Run the port-mirroring to observe-port observe-port-index { both | inbound | outbound } command to copy the traffic received or sent by the mirrored port to a specified observing port.

VLAN mirroring

  1. Run the system-view command to enter the system view.

  2. Run the vlan vlan-id command to enter the VLAN view.

  3. Run the mirroring to observe-port observe-port-index inbound command to copy the traffic received by all active ports in the VLAN to a specified observing port.

MAC address mirroring

  1. Run the system-view command to enter the system view.

  2. Run the vlan vlan-id command to enter the VLAN view.

  3. Run the mac-mirroring mac-address to observe-port observe-port-index inbound command to copy the packets with a specified MAC address in the VLAN to a specified observing port.

Traffic mirroring

MQC-based traffic mirroring:

  1. Run the system-view command to enter the system view.

  2. Create a traffic classifier and specify the rules that mirrored traffic needs to match.

    1. Run the traffic classifier classifier-name command to create a traffic classifier and enter the traffic classifier view.

    2. Run the if-match command to configure matching rules in the traffic classifier.

      You can configure multiple types of matching rules in a traffic classifier. For details, see "MQC Configuration - Configuring a Traffic Classifier" in the S12700 V200R013C00 Configuration Guide - QoS Configuration.

    3. Run the quit command to exit from the traffic classifier view.

  3. Create a traffic behavior and specify the action as traffic mirroring.

    1. Run the traffic behavior behavior-name command to create a traffic behavior and enter the traffic behavior view.

    2. Run the mirroring to observe-port observe-port-index command to copy the traffic that matches the traffic classifier to the specified observing port.

    3. Run the quit command to exit from the traffic behavior view.

  4. Create a traffic policy.

    1. Run the traffic policy policy-name command to create a traffic policy and enter the traffic policy view.

    2. Run the classifier classifier-name behavior behavior-name command to bind the traffic classifier configured in step 2 and the traffic behavior configured in step 3 to the traffic policy.

    3. Run the quit command to exit from the traffic policy view.

  5. Apply the traffic policy.

    A traffic policy can be applied to the system, a VLAN, or an interface. For details, see "MQC Configuration - Applying a Traffic Policy" in the S12700 V200R013C00 Configuration Guide - QoS Configuration. The same traffic policy can be applied in multiple VLANs or on multiple interfaces to mirror specified traffic from all of them to the same observing port.

    • Apply the traffic policy to the system.

      Run the traffic-policy policy-name global { inbound | outbound } [ slot slot-id ] command to apply the traffic policy globally.

    • Apply the traffic policy in a VLAN.

      Run the vlan vlan-id command to enter the VLAN view.

      Run the traffic-policy policy-name { inbound | outbound } command to apply the traffic policy to the VLAN.

    • Apply the traffic policy to an interface.

      Run the interface interface-type interface-number command to enter the interface view.

      Run the traffic-policy policy-name { inbound | outbound } command to apply the traffic policy to the interface.

ACL-based traffic mirroring:

  • In the system or a VLAN:

    • Reference a basic ACL, an advanced ACL, a named ACL, a Layer 2 ACL, or a user-defined ACL (in IPv4).

      traffic-mirror [ vlan vlan-id ] inbound acl { bas-acl | adv-acl | name acl-name | l2-acl | user-acl } [ rule rule-id ] to observe-port observe-port-index

    • Reference a basic ACL, an advanced ACL, or a named ACL (in IPv6).

      traffic-mirror [ vlan vlan-id ] inbound acl ipv6 { bas-acl | adv-acl | name acl-name } [ rule rule-id ] to observe-port observe-port-index

    • Reference a Layer 2 ACL and any one of a basic ACL, an advanced ACL, and a named ACL (in IPv4).

      traffic-mirror [ vlan vlan-id ] inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] to observe-port observe-port-index

    • Reference any one of a basic ACL and an advanced ACL and any one of a Layer 2 ACL and a named ACL (in IPv4).

      traffic-mirror [ vlan vlan-id ] inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] to observe-port observe-port-index

    • Reference a named ACL and any one of a basic ACL, an advanced ACL, a Layer 2 ACL, and a named ACL (in IPv4).

      traffic-mirror [ vlan vlan-id ] inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] to observe-port observe-port-index

  • On an interface (first run the interface interface-type interface-number command to enter the interface view):

    • Reference a basic ACL, an advanced ACL, a named ACL, a Layer 2 ACL, or a user-defined ACL (in IPv4).

      traffic-mirror inbound acl { bas-acl | adv-acl | name acl-name | l2-acl | user-acl } [ rule rule-id ] to observe-port observe-port-index

    • Reference a basic ACL, an advanced ACL, or a named ACL (in IPv6).

      traffic-mirror inbound acl ipv6 { bas-acl | adv-acl | name acl-name } [ rule rule-id ] to observe-port observe-port-index

    • Reference a Layer 2 ACL and any one of a basic ACL, an advanced ACL, and a named ACL (in IPv4).

      traffic-mirror inbound acl l2-acl [ rule rule-id ] acl { bas-acl | adv-acl | name acl-name } [ rule rule-id ] to observe-port observe-port-index

    • Reference any one of a basic ACL and an advanced ACL and any one of a Layer 2 ACL and a named ACL (in IPv4).

      traffic-mirror inbound acl { bas-acl | adv-acl } [ rule rule-id ] acl { l2-acl | name acl-name } [ rule rule-id ] to observe-port observe-port-index

    • Reference a named ACL and any one of a basic ACL, an advanced ACL, a Layer 2 ACL, and a named ACL (in IPv4).

      traffic-mirror inbound acl name acl-name [ rule rule-id ] acl { bas-acl | adv-acl | l2-acl | name acl-name } [ rule rule-id ] to observe-port observe-port-index

Verifying the Configuration

# Run the display port-mirroring command to view the mirroring configuration. The following is a sample command output.

<HUAWEI> display port-mirroring
  ----------------------------------------------------------------------
  Observe-port 1 : GigabitEthernet0/0/1
  Observe-port 2 : GigabitEthernet0/0/2
  Observe-port 3 : GigabitEthernet0/0/3
  Observe-port 4 : GigabitEthernet0/0/4
  ----------------------------------------------------------------------
  Port-mirror:
  ----------------------------------------------------------------------
       Mirror-port               Direction  Observe-port
  ----------------------------------------------------------------------
  1    GigabitEthernet0/0/15     Inbound    Observe-port 1
  ----------------------------------------------------------------------
  Stream-mirror:
  ----------------------------------------------------------------------
       Behavior                  Direction  Observe-port
  ----------------------------------------------------------------------
  1    b1                        -          Observe-port 2
  ----------------------------------------------------------------------
  Vlan-mirror:
  ----------------------------------------------------------------------
  Mirror-vlan              Direction     Observe-port
  ----------------------------------------------------------------------
  10                       Inbound       Observe-port 3
  ----------------------------------------------------------------------
  Mac-mirror:
  ----------------------------------------------------------------------
  Mirror-mac       Vlan    Direction     Observe-port
  ----------------------------------------------------------------------
  0001-0001-0001   10      Inbound       Observe-port 4
  ----------------------------------------------------------------------
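The two verification outputs above can be checked mechanically against two rules this page states: an observing port should have forwarding disabled (the "(Recommended)" step in Configuring Observing Ports), and in Layer 2 remote VLAN mirroring the mirrored VLAN must differ from the Layer 2 remote mirroring VLAN. The script below is an added example, not Huawei code; it parses constructed samples in the display observe-port and display port-mirroring formats shown on this page and reports deviations.

```python
"""Check 'display observe-port' / 'display port-mirroring' output against two rules
from this page: observing ports should not forward data packets, and a mirrored VLAN
must differ from the Layer 2 remote mirroring VLAN. Added example; samples constructed."""
import re
# Constructed sample: observe-port 1 still forwards; observe-port 2 is a Layer 2
# remote observing port whose mirroring VLAN is 20.
OBSERVE_PORT_OUTPUT = """\
<HUAWEI> display observe-port
  ----------------------------------------------------------------------
  Index          : 1
  Forwarding     : Yes
  Interface      : GigabitEthernet0/0/1
  ----------------------------------------------------------------------
  Index          : 2
  Forwarding     : No
  Interface-range: GigabitEthernet0/0/2
  Vlan           : 20
  ----------------------------------------------------------------------
"""

# Constructed sample: VLAN 20 is mirrored to observe-port 2, whose Layer 2 remote
# mirroring VLAN is also 20, which is the overlap this page forbids.
PORT_MIRRORING_OUTPUT = """\
<HUAWEI> display port-mirroring
  Vlan-mirror:
  ----------------------------------------------------------------------
  Mirror-vlan              Direction     Observe-port
  ----------------------------------------------------------------------
  10                       Inbound       Observe-port 1
  20                       Inbound       Observe-port 2
  ----------------------------------------------------------------------
"""

def parse_observe_ports(text):
    """Map index -> {"forwarding": bool, "vlan": int | None, "interfaces": str}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(.+?)\s*$", line)
        if not m:                 # separator lines and the command echo
            continue
        key, value = m.groups()
        if key == "Index":
            current = {"forwarding": True, "vlan": None, "interfaces": ""}
            ports[int(value)] = current
        elif current is not None and key == "Forwarding":
            current["forwarding"] = value == "Yes"
        elif current is not None and key in ("Interface", "Interface-range"):
            current["interfaces"] = value
        elif current is not None and key == "Vlan":
            current["vlan"] = int(value)  # only Layer 2 remote observing ports
    return ports

def parse_vlan_mirrors(text):
    """Return [(mirrored_vlan, observe_port_index)] from the Vlan-mirror table."""
    rows, in_section = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":"):       # table titles: "Port-mirror:", "Vlan-mirror:", ...
            in_section = s == "Vlan-mirror:"
            continue
        m = re.match(r"(\d+)\s+\w+\s+Observe-port\s+(\d+)$", s)
        if in_section and m:
            rows.append((int(m.group(1)), int(m.group(2))))
    return rows

def audit(observe_text, mirroring_text):
    """Return findings as strings; an empty list means both rules hold."""
    ports, findings = parse_observe_ports(observe_text), []
    for idx, p in sorted(ports.items()):
        if p["forwarding"]:
            findings.append(f"observe-port {idx} ({p['interfaces']}) forwards data packets")
    for vlan, idx in parse_vlan_mirrors(mirroring_text):
        if idx in ports and ports[idx]["vlan"] == vlan:
            findings.append(f"VLAN {vlan} is also the mirroring VLAN of observe-port {idx}")
    return findings
```

Run audit() on the two outputs captured from the switch; with the constructed samples it returns two findings, one per rule.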

Deleting the Mirroring Configuration

Context

If you want to delete the mirroring configuration and restore observing ports as service ports, perform the following operations.

Before deleting the mirroring configuration, you can run the display port-mirroring and display current-configuration commands to view the mirroring configuration on the device. The following examples describe how to delete each type of mirroring configuration.

Procedure

  • Delete the port mirroring configuration.

    <HUAWEI> system-view
    [HUAWEI] interface gigabitethernet 0/0/2
    [HUAWEI-GigabitEthernet0/0/2] undo port-mirroring to observe-port 1 inbound   // Unbind the mirrored port from the observing port 1.
    [HUAWEI-GigabitEthernet0/0/2] quit
    [HUAWEI] undo observe-port 1   // Delete the observing port.
  • Delete the VLAN mirroring configuration.

    <HUAWEI> system-view
    [HUAWEI] vlan 10
    [HUAWEI-vlan10] undo mirroring to observe-port 1 inbound   // Unbind the VLAN from the observing port 1.
    [HUAWEI-vlan10] quit
    [HUAWEI] undo observe-port 1   // Delete the observing port.
  • Delete the MAC address mirroring configuration.

    <HUAWEI> system-view
    [HUAWEI] vlan 10
    [HUAWEI-vlan10] undo mac-mirroring 1-1-1 to observe-port 1 inbound   // Unbind the MAC address from the observing port 1.
    [HUAWEI-vlan10] quit
    [HUAWEI] undo observe-port 1   // Delete the observing port.
  • Delete the traffic mirroring configuration.

    <HUAWEI> system-view 
    [HUAWEI] interface gigabitethernet 0/0/2 
    [HUAWEI-GigabitEthernet0/0/2] undo traffic-policy p1 inbound   // Cancel the traffic policy.
    [HUAWEI-GigabitEthernet0/0/2] quit 
    [HUAWEI] undo traffic policy p1   // Delete the traffic policy.
    [HUAWEI] undo traffic behavior b1   // Delete the traffic behavior.
    [HUAWEI] undo traffic classifier c1   // Delete the traffic classifier (This operation is optional. If this traffic classifier is being used by another traffic policy, it can be retained.)
    [HUAWEI] undo observe-port 1   // Delete the observing port.