Licensing Requirements and Limitations for Mirroring
Involved Network Elements
The switch needs to work with a monitoring device, which analyzes the mirrored traffic sent to it.
Licensing Requirements
Mirroring is a basic feature of a switch and is not under license control.
Feature Support in V200R019C10
All models of S12700 and S12700E series switches support mirroring.
Feature Limitations
Packets mirrored to an observing port cannot be mirrored again on the same device.
Assuming that Port1 on switch A mirrors the received packets to the observing port Port2 on switch A, the outgoing packets on Port2 cannot be mirrored.
Inter-card mirroring is supported. That is, a mirrored port and an observing port can reside on different cards.
Inter-chassis mirroring is supported in a cluster. That is, the mirrored and observing ports can be located on different member switches, and multiple observing ports for the same mirrored port can be located on different member switches.
An Eth-Trunk can function as an observing port and allows at most eight member ports, which can be located on different cards or member switches. If more than eight member ports are configured for the Eth-Trunk, mirrored packets are forwarded only to eight of the member ports.
Ports on X series cards cannot be configured as an observing port and mirrored port simultaneously.
Outbound traffic mirroring only copies known unicast packets.
The copies of outbound packets may be different from the original packets because the mirroring operation occurs before other forwarding operations are performed on the original packets. For example, if the DSCP value of the original packets needs to be changed, the copied packets are different from the original packets because they have been copied to the observing port before the change.
- When outbound traffic mirroring is configured in a traffic behavior, other actions cannot be configured in the traffic behavior (except the traffic statistics collection function in V100R006 and earlier versions). From V200R001 to V200R010, the permit action generated by default when a traffic behavior is created must also be deleted; otherwise, outbound traffic mirroring is ineffective.
Dedicate observing ports to mirroring and do not configure other services on them, so that mirrored traffic and other service traffic do not affect each other. Do not configure any member port of an Eth-Trunk as an observing port. If you must do so, ensure that the bandwidth of service traffic on this port and the bandwidth occupied by the mirrored traffic do not exceed the bandwidth limit of the port.
If the mirroring function is deployed on many ports of a device, a great deal of internal forwarding bandwidth will be occupied, which affects the forwarding of other services. Additionally, if the mirrored port bandwidth is higher than the observing port bandwidth, for example, 1000 Mbit/s on a mirrored port and 100 Mbit/s on an observing port, the observing port will fail to forward all mirrored packets in a timely manner because of insufficient bandwidth, leading to packet loss.
When configuring Layer 2 remote mirroring, you are advised not to perform other service configuration in the VLAN associated with the observing port, that is, the VLAN used to transmit mirrored packets to the monitoring device. On the intermediate device between the observing port and monitoring device, run the mac-address learning disable command in the VLAN associated with the observing port to disable MAC address learning, and run the undo mac-address vlan vlan-id command in the system view to delete all MAC address entries in this VLAN.
- Assume that MAC address mirroring, traffic mirroring, port mirroring, and VLAN mirroring are all configured on a device to copy traffic to different observing ports. If a flow matches conditions of all these mirroring functions, the mirroring function taking effect on the flow varies according to the device models. For details, see the following table.
| Model | Priority |
| --- | --- |
| X series cards | MAC address mirroring > Traffic mirroring > Port mirroring > VLAN mirroring. When multiple mirroring functions with different observing ports are configured, only one observing port can receive mirrored packets. |
| Cards excluding X series cards | MAC address mirroring has a higher priority than VLAN mirroring, port mirroring, and traffic mirroring. When MAC address mirroring and another type of mirroring function are configured together and different observing ports are configured for them, only the observing port corresponding to MAC address mirroring can receive mirrored packets. VLAN mirroring, traffic mirroring, and port mirroring have the same priority. When different observing ports are configured for these mirroring functions, the three observing ports can all receive mirrored packets. |
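
The priority table above decides which monitoring device actually sees a flow, so a sensor attached to a lower-priority observing port can silently receive nothing. The following planning helper is an added example, not Huawei code; the type names ("mac", "traffic", "port", "vlan"), the card label "x" and the port labels are constructed for illustration.

```python
# Added example: which observing ports receive a copy of one flow, per the
# priority table above. Type names and port labels are constructed.
X_SERIES_ORDER = ["mac", "traffic", "port", "vlan"]  # highest priority first


def receiving_ports(card, matches):
    """card: "x" for X series cards, anything else for other cards.
    matches: {mirroring type -> observing port} for the mirroring
    functions this flow matches. Returns the observing ports that
    receive a copy of the flow."""
    unknown = set(matches) - set(X_SERIES_ORDER)
    if unknown:
        raise ValueError(f"unknown mirroring type(s): {sorted(unknown)}")
    if not matches:
        return set()
    if card == "x":
        # X series: only the highest-priority function takes effect.
        winner = next(t for t in X_SERIES_ORDER if t in matches)
        return {matches[winner]}
    if "mac" in matches:
        # Other cards: MAC address mirroring overrides the other three.
        return {matches["mac"]}
    # VLAN, traffic and port mirroring share one priority: all receive.
    return set(matches.values())


def blind_ports(card, matches):
    """Observing ports configured for the flow that receive nothing."""
    return set(matches.values()) - receiving_ports(card, matches)


if __name__ == "__main__":
    plan = {"traffic": "obs1", "port": "obs2", "vlan": "obs3"}
    for card in ("x", "other"):
        print(card, sorted(receiving_ports(card, plan)),
              "blind:", sorted(blind_ports(card, plan)))
```
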
Observing ports configured in a batch can reside on different types of cards.
If an RTP snooping test instance, BFD, or MPLS OAM is configured on a switch, an observing port is occupied.
An observing port in blocked state can still forward mirrored packets.
- During the traffic mirroring configuration, if the deny parameter is configured in the ACL rule referenced by a traffic classifier: For the X series cards, packets cannot be mirrored and original packets are discarded; for other cards, packets are mirrored, but original packets are discarded. Therefore, if only specified service packets need to be mirrored, configure the permit parameter in all ACL rules.
- If remote port mirroring is configured, the switches through which the mirrored traffic passes perform STP calculation on the mirrored BPDUs, resulting in an STP convergence exception.
- A physical interface cannot be configured as multiple observing ports. A physical interface can be added to different observing port groups to receive traffic from different mirrored ports.
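
A pre-deployment check for the ACL limitation above (a deny rule in an ACL referenced by a mirroring classifier discards the original packets) can be run over a saved configuration. This is an added example, not Huawei tooling; the configuration text is a constructed sample written in the usual VRP style, and the function name and the simplified line-based parsing are assumptions of the example.

```python
# Constructed sample configuration; names and rule numbers are made up.
SAMPLE = """\
acl number 3000
 rule 5 permit tcp destination-port eq 443
 rule 10 deny ip source 10.1.1.0 0.0.0.255
acl number 3001
 rule 5 deny ip
traffic classifier c1
 if-match acl 3000
traffic behavior b1
 mirroring to observe-port 1
traffic policy p1
 classifier c1 behavior b1
"""


def audit(config, x_series):
    """Return (acl, rule_id, effect) for each deny rule in an ACL that is
    referenced by a classifier bound to a mirroring behavior."""
    deny, acl_of, mirrors, bound = {}, {}, set(), []
    kind = name = None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():  # section header, e.g. "acl number 3000"
            kind, name = (w[1], w[2]) if len(w) >= 3 else (None, None)
        elif kind == "number" and len(w) > 2 and w[0] == "rule" and w[2] == "deny":
            deny.setdefault(name, []).append(int(w[1]))
        elif kind == "classifier" and w[:2] == ["if-match", "acl"] and len(w) > 2:
            acl_of.setdefault(name, []).append(w[2])
        elif kind == "behavior" and w[0] == "mirroring":
            mirrors.add(name)
        elif kind == "policy" and w[0] == "classifier" and len(w) >= 4:
            bound.append((w[1], w[3]))  # "classifier <c> behavior <b>"
    # Effect of a deny rule as stated in the limitation above.
    effect = ("not mirrored, original discarded" if x_series
              else "mirrored, original discarded")
    return [(acl, rid, effect)
            for cls, beh in bound if beh in mirrors
            for acl in acl_of.get(cls, [])
            for rid in deny.get(acl, [])]


if __name__ == "__main__":
    for finding in audit(SAMPLE, x_series=True):
        print(finding)
```

Any finding means the rule should be rewritten with the permit parameter before the policy is applied; ACL 3001 is not reported because no mirroring classifier references it.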