[All About Switches] 08 Mirroring – an Effective Network Monitoring Tool (Working Mechanism and Configuration)

Latest reply: Sep 7, 2016 18:34:36

 

There is a way to copy any type of service packet transmitted on a network, without touching the original traffic. What is it?

The answer is mirroring.

Then, what is mirroring?

Mirroring is a function that copies the packets on a specified port (the mirrored port) to another specified port (the observing port), which forwards the copies to a network monitoring device. The original packets are forwarded as usual; only the copies go to the monitoring device, so the network administrator can monitor network status and locate faults without interrupting service.

The following figure shows how mirroring works and what to watch for when configuring it.

[Figure: how mirroring works and precautions for mirroring configuration]

What can mirroring do for network maintenance?

1. Fault location

Abnormal traffic or errored packets may appear on a network because of software processing exceptions, hardware failures on network devices, viruses, or user misoperations. Mirroring lets you locate such a problem from the packets themselves, on a monitoring device, without affecting network operation.

2. Service monitoring

Mirroring can be configured on aggregation or core switches of an enterprise network to copy service packets, so that administrators can understand the service traffic model without affecting normal service delivery. For example, by monitoring the mirrored packets a network administrator can see how many employees are using chat applications and rank the visits to internal servers.

3. Intrusion detection

Mirroring can be configured on the uplink port of an enterprise's egress router to copy all inbound and outbound traffic on that port to an intrusion detection system (IDS) server. The network administrator can analyze the traffic in real time to discover attack intentions, behaviors, or results, and take action to protect the confidentiality, integrity, and availability of network resources. For example, if the number of visits to an internal server from the Internet rises sharply, the administrator can analyze the mirrored packets to check whether the server is under attack.

 

Although mirroring is a powerful function, observe the following rule when using it on Huawei S series switches:

The mirroring function is mainly used for network monitoring and fault management and may collect users' communication information. Huawei will not collect or save users' communication information independently. You must use this function in compliance with applicable laws and regulations. Ensure that your customers' privacy is protected when you are using or saving communication information.

Now that we have seen what mirroring can do, let's look at the mirroring modes supported on Huawei S series switches.

Function | Definition | Product Support
Port mirroring | Copies the packets on a specified port (mirrored port) to an observing port. | Supported on all product models
Traffic mirroring | Copies packets of a specified type (matched by an ACL or an MQC traffic classifier) to an observing port. | Supported on all product models
VLAN mirroring | Copies the packets of a specified VLAN (mirrored VLAN) to an observing port. | Not supported on the fixed switches S5720HI, S5730HI, and S6720HI, or on modular switches
MAC address mirroring | Copies the packets with a specified MAC address to an observing port. | Not supported on the fixed switches S5720HI, S5730HI, and S6720HI, or on modular switches

How to configure mirroring

The following two steps apply no matter which mirroring mode you configure:

1. Create an observing port. Use the command that suits the networking scenario.

Scenario | Command
The observing port is directly connected to the monitoring device (local mirroring). | observe-port [ observe-port-index ] interface interface-type interface-number
The observing port reaches the monitoring device across a Layer 2 network (Layer 2 remote mirroring). | observe-port [ observe-port-index ] interface interface-type interface-number vlan vlan-id
The observing port reaches the monitoring device across a Layer 3 network (Layer 3 remote mirroring, modular switches only). | observe-port [ observe-port-index ] interface interface-type interface-number destination-ip dest-ip-address source-ip source-ip-address [ dscp dscp-value | vlan vlan-id ] *

 

 

PS: To copy packets to multiple observing ports, run the observing port configuration command multiple times or configure an observing port group.

2. Copy the specified packets to the observing port. Use the command for the mirroring mode you have chosen.

Mirroring Mode | Command
Port mirroring | port-mirroring to observe-port observe-port-index { both | inbound | outbound } (in the interface view of the mirrored port)
Traffic mirroring | In a Modular QoS Command Line Interface (MQC) traffic behavior: mirroring to observe-port observe-port-index; or with an ACL directly: traffic-mirror
VLAN mirroring | mirroring to observe-port observe-port-index inbound (in the VLAN view of the mirrored VLAN)
MAC address mirroring | mac-mirroring mac-address to observe-port observe-port-index inbound (in the VLAN view)

 

 

PS: The both, inbound, and outbound keywords indicate bidirectional, inbound, and outbound packets, respectively.
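As an added example that is not part of the original post: the same SwitchA as in the scenario below, but using traffic mirroring (the MQC command from the table above) so that only the DNS queries received on GE0/0/2 are copied, instead of every inbound packet. The observing port here is a local one on GE0/0/1 (the monitoring PC attached directly, so no mirroring VLAN); ACL number 3000 and the classifier, behavior and policy names cdns, bdns and pdns are chosen for this illustration.

```text
#
sysname SwitchA
#
vlan batch 10
#
observe-port 1 interface GigabitEthernet0/0/1   //Local observing port with index 1; the monitoring PC is on GE0/0/1.
#
acl number 3000   //ACL number chosen for this example.
 rule 5 permit udp destination-port eq 53   //Match DNS queries only, not all of staff A's traffic.
#
traffic classifier cdns operator or
 if-match acl 3000   //Classify on the ACL above.
#
traffic behavior bdns
 mirroring to observe-port 1   //The MQC traffic mirroring command from the table above.
#
traffic policy pdns
 classifier cdns behavior bdns
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 traffic-policy pdns inbound   //Apply in the inbound direction; only matching packets received from staff A are copied.
#
```

Only packets matching the ACL are copied; everything else staff A sends is forwarded normally and never reaches the observing port. The policy is applied inbound because traffic mirroring, like port mirroring, is direction-specific. Mirroring by ACL is also the practical answer to the privacy rule quoted above: the observing port carries a plaintext copy of whatever it is told to mirror, so mirror the narrowest traffic the monitoring task needs, and treat the observing port and the monitoring PC as sensitive, keeping them on a dedicated, access-controlled segment.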

Now, I will show how to configure Layer 2 remote port mirroring on a simple network.

[Figure: Layer 2 remote port mirroring topology with staff A, the DNS server, SwitchA, SwitchB, and the monitoring PC]

Staff A is in the same VLAN as the DNS server and reaches it over a Layer 2 network. Once Layer 2 remote port mirroring is configured on SwitchA, the copies of staff A's packets travel to SwitchB in VLAN 20, a VLAN dedicated to mirrored traffic, and the administrator can observe staff A's visits to the DNS server on the monitoring PC.

1. The following are the configurations on the two switches:

SwitchA configuration file

#
sysname SwitchA
#
vlan batch 10 20   //VLAN 10 is the user VLAN to which staff A belongs; VLAN 20 carries the mirrored packets.
#
observe-port 1 interface GigabitEthernet0/0/1 vlan 20  //Configure GE0/0/1 as a Layer 2 remote observing port with index 1, and specify VLAN 20 for mirrored packet forwarding. The copied packets are sent out of GE0/0/1 in VLAN 20.
#
interface GigabitEthernet0/0/1   //The preceding command already sends mirrored packets to VLAN 20 through observing port GE0/0/1, so GE0/0/1 does not need to be added to VLAN 20.
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10    //Add GE0/0/2 (staff A's port) to VLAN 10 so that staff A and the DNS server can communicate.
 port-mirroring to observe-port 1 inbound  //Mirror the inbound packets on GE0/0/2 (packets received from staff A) to observing port 1 (GE0/0/1).
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10    //Add GE0/0/3 to VLAN 10 so that staff A and the DNS server can communicate.

SwitchB configuration file

#
sysname SwitchB
#
vlan batch 20  //VLAN 20 carries the mirrored packets to the monitoring PC.
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 20  //Allow VLAN 20 on the trunk toward SwitchA so that the mirrored packets can enter SwitchB.
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20  //Add GE0/0/2 to VLAN 20 so that the mirrored packets are delivered to the monitoring PC.

 

2. Check the port mirroring configuration on SwitchA, using display port-mirroring for the mirrored port and display observe-port for the observing port.

[Figure: output of the port mirroring configuration check on SwitchA]

3. Check whether the packets sent from staff A to the DNS server are mirrored to the monitoring PC.

Start a packet capture tool on the monitoring PC, then ping the DNS server from staff A's PC and look at the capture on the monitoring PC.

[Figure: packet capture on the monitoring PC]

The capture shows the ICMP echo (ping) request with staff A's IP address as the source and the DNS server's IP address as the destination, even though the monitoring PC is neither endpoint: the packet arrived as a mirrored copy, which proves that the port mirroring configuration has taken effect. Only the request is expected to appear, because GE0/0/2 mirrors inbound packets only; the DNS server's echo reply leaves GE0/0/2 in the outbound direction and is not copied.

 

That's all for today's introduction to mirroring mechanism and configuration. Stay tuned for the next issue about specifications of mirroring.

 

This post was last edited by 交换机在江湖 on 2017-05-31 15:54.


BAZO, Oct 21, 2015 16:06:34, Helpful(0):
Many thanks

user_2790689, Jul 14, 2015 11:41:18, Helpful(0):
Thank you.

indraj, Feb 14, 2016 00:18:52, Helpful(0):
Very informative. Thanks!

yaba_mobhe, Sep 5, 2016 19:29:34, Helpful(0):
thank you
