Example for Configuring ACL-based Local Traffic Mirroring
Networking Requirements
In Figure 8-14, the science and technology department and the administrative department of a company use the network segments 10.1.1.0/24 and 10.1.2.0/24, respectively, to access the Internet or to communicate with each other through the Switch. The monitoring device (Server) is directly connected to the Switch. The Server needs to monitor the following traffic of the science and technology department:
- Traffic to the Internet
- Traffic to the administrative department
Configuration Roadmap
- Configure GE1/0/2 of the Switch as a local observing port to forward mirrored packets to the Server.
- Configure advanced ACLs to match two types of traffic of the science and technology department: Internet access traffic and traffic sent to the administrative department.
- Configure an ACL-based traffic policy on GE1/0/1 to mirror the matching traffic.
Procedure
- Configure an observing port.
# Configure GE1/0/2 of the Switch as a local observing port.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 1/0/2
# Disable data forwarding on the observing port. This step is optional but recommended, so that the port forwards only mirrored packets.
[Switch] observe-port 1 forwarding disable
- Configure advanced ACLs.
# Create two advanced ACLs numbered 3000 and 3001 on the Switch, configure ACL 3000 to match traffic with source address 10.1.1.0/24 and destination TCP port number WWW, and configure ACL 3001 to match traffic with source address 10.1.1.0/24 and destination address 10.1.2.0/24.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
[Switch-acl-adv-3000] quit
[Switch] acl number 3001
[Switch-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Switch-acl-adv-3001] quit
- Configure an ACL-based traffic policy.
# Configure an ACL-based traffic policy on GE1/0/1 of the Switch to mirror the matching traffic.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-mirror inbound acl 3000 to observe-port 1
[Switch-GigabitEthernet1/0/1] traffic-mirror inbound acl 3001 to observe-port 1
[Switch-GigabitEthernet1/0/1] return
- Verify the configuration.
# Check ACL rules and traffic behavior information.
<Switch> display traffic-applied interface gigabitethernet 1/0/1 inbound
-----------------------------------------------------------
ACL applied inbound interface GigabitEthernet1/0/1
  ACL 3000
    rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www (match-counter 0)
      ACTIONS:
        mirror to observe-port 1
-----------------------------------------------------------
  ACL 3001
    rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (match-counter 0)
      ACTIONS:
        mirror to observe-port 1
-----------------------------------------------------------
# Check the observing port configuration.
<Switch> display observe-port
----------------------------------------------------------------------
  Index        : 1
  Untag-packet : No
  Forwarding   : No
  Interface    : GigabitEthernet1/0/2
----------------------------------------------------------------------
# Check the mirroring configuration.
<Switch> display port-mirroring
----------------------------------------------------------------------
  Observe-port 1 : GigabitEthernet1/0/2
----------------------------------------------------------------------
Stream-mirror:
----------------------------------------------------------------------
  Behavior      Direction    Observe-port
----------------------------------------------------------------------
  1 SACL        -            Observe-port 1
----------------------------------------------------------------------
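To check which packets this policy actually copies to the Server, the following Python model (an added example, not part of the Huawei documentation) applies the two ACL rules with Huawei wildcard-mask semantics and honours the fact that the traffic-mirror policy is bound inbound on GE1/0/1 only. The host addresses, the Internet address 203.0.113.10 and the interface GigabitEthernet1/0/3 are constructed for the sample flows.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Huawei ACL wildcard: a 1 bit means 'don't care', so 0.0.0.255 matches the whole /24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

@dataclass
class Packet:
    in_port: str            # interface the packet arrives on
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

def acl_3000(p: Packet) -> bool:
    # rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www (www = TCP 80)
    return p.proto == "tcp" and p.dport == 80 and wildcard_match(p.src, "10.1.1.0", "0.0.0.255")

def acl_3001(p: Packet) -> bool:
    # rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (any IP protocol)
    return (wildcard_match(p.src, "10.1.1.0", "0.0.0.255")
            and wildcard_match(p.dst, "10.1.2.0", "0.0.0.255"))

# traffic-mirror inbound acl 3000/3001 to observe-port 1 is bound to GE1/0/1 only, so
# packets entering any other interface are never evaluated against these ACLs.
MIRROR_POLICY = {"GigabitEthernet1/0/1": [("3000", acl_3000), ("3001", acl_3001)]}

def mirrored_by(p: Packet) -> List[str]:
    """ACL numbers whose rules select this packet for a copy to observe-port 1."""
    return [num for num, rule in MIRROR_POLICY.get(p.in_port, []) if rule(p)]

# Constructed sample flows: 203.0.113.10 stands in for an Internet host and
# GigabitEthernet1/0/3 is an assumed interface facing the administrative department.
SAMPLES = [
    Packet("GigabitEthernet1/0/1", "10.1.1.5", "203.0.113.10", "tcp", 80),   # web to Internet
    Packet("GigabitEthernet1/0/1", "10.1.1.5", "203.0.113.10", "tcp", 443),  # HTTPS is not 'www'
    Packet("GigabitEthernet1/0/1", "10.1.1.5", "10.1.2.7", "icmp"),          # ping to admin dept
    Packet("GigabitEthernet1/0/1", "10.1.1.5", "10.1.2.7", "tcp", 80),       # matches both ACLs
    Packet("GigabitEthernet1/0/3", "10.1.2.7", "10.1.1.5", "tcp", 80),       # reply: other port
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(f"{pkt.in_port} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {mirrored_by(pkt)}")
```

The run shows that HTTPS to the Internet and the administrative department's replies are not copied to the Server, which is the intended scope of the ACLs in this example.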