Method for disabling port mirroring on the USG6000 series

You can configure local port mirroring,the packets flows through the port can be copied to the local monitoring device for analysis and monitoring. Before you configure a local port mirroring, you need to port link protocol status to Up. 1 Configure local observing port. Background information For local port mirroring, monitoring devices connected to the observing port directly. If the interface is configured as the mirroring port, it is recommended that you do not perform any configuration on the interface, or it will affects the mirroring function: -if the observing port not only has a mirroring packets and other service traffic, you will not be able to distinguish packet source. -if the observing port is congested, due to the relatively low priority, mirroring packets may be discarded. Operation steps Run the following command system-view, access the system view. Run the following command observe-port interface interface-type interface-number, local observing port is configured. 2.Configure local port mirroring port. Background information Mirroring port can be arbitrary interface type. If you have already set the Eth-trunk to the mirroring port, it is impossible to separate configuration its member port as a mirrored port. If you want to configure a member port as a mirrored port, you need to cancel the binding function. If you have already configured a member port of Eth-trunk as a mirrored port, it is impossible to configuration Eth-trunk as the mirror port. If you want to configure the Eth-trunk as a mirrored port, you need to first cancle the mirroring port function on member interfaces . Operation steps Run the following command system-view, access the system view. Run the following command interface interface-type interface-number, access the interface view. Run the command mirror observe-port { both | inbound | outbound } [ exclude-link-head ], configure local port mirroring port.

Only the version before V200R005C32 supports remote port mirroring session. By configuring the remote port mirroring session, you can copy flows through the port of the packets to the remote monitoring device for analysis and monitoring. Before configure the remote port mirroring session , you need to configure the routing protocol and GRE tunnel. 1.Configure remote viewing server Operation steps Run the following command system-view, access the system view. Run the command observe-server destination-ip destination-ip-address source-ip source-ip-address [ dscp dscp-value ], configure the remote mirroring observation server. Note: Destination-ip-address is IP address of monitor the device , source-ip-address is a mirrored port IP address. If the monitoring equipment and mirroring port IP address is the private address, in order to ensure communication between private network address in the public network, you need to configure the GRE tunnel. Configure remote mirroring port 2 Background information The mirroring port can be IP-Trunk interface, ethernet interface or Eth-Trunk interface. Eth-trunk -if you have already configured as the mirroring port, it is impossible to separate configuration its member port as a mirrored port. If you want to configure a member port as a mirrored port, you need to cancel the binding function. -If a member port the of Eth-trunk is configured as a mirrored port, it is impossible to configuration Eth-trunk as the mirror port. If you want to configure the Eth-trunk as a mirrored port, you need to first cancle the mirroring port on the member interfaces . Operation steps Run the following command system-view, access the system view. Run the following command interface interface-type interface-number, access the interface view. Run the command mirror to observe-server{ both | inbound | outbound }, configure remote mirroring port.

To locate network problems by capturing and analyzing session packets without interrupting services, you should configure port mirroring. Port mirroring copies packets on the specified service interface to a non-service interface. When a session is abnormal, you can locate the fault by viewing the protocol analyzer connected to the non-service interface without affecting services. The service interface is known as the mirroring port and the non-service interface known as the observing port.

The following example is provided for you to disable the interface login for the USG6000 series on the CLI: # On GigabitEthernet 1/0/1, configure to prohibit the administrator from accessing the device using HTTP. system-view [sysname] interface GigabitEthernet 1/0/1 [sysname-GigabitEthernet1/0/1] service-manage http deny This configuration has a higher priority than security policies. After the configuration completes, even you are allowed to access the local zone from the interface locating security zone, as an administrator, you still cannot log in to the device through the interface.

Perform the following operations to configure port mirroring:

1. Run the system-view command to enter the system view.
2. Run the observe-port [ observe-port-index ] interface interface-type interface-number command to configure a local observing port.
   To configure multiple local observing ports, run this command multiple times.
3. Run the interface interface-type interface-number command to enter the interface view.
4. Run the port-mirroring observe-port observe-port-index { both | inbound | outbound } command to copy traffic to a specified observing port.
   To copy traffic to multiple observing ports, run this command multiple times.
5. Run the commit command to commit the configuration.

Configuring 1:1 Port Mirroring
You can copy packets on a mirrored port to an observing port. For example, copy incoming packets on mirrored port 10GE1/0/1 to observing port 10GE1/0/2.

<HUAWEI> system-view
[~HUAWEI] observe-port 1 interface 10ge 1/0/2
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] port-mirroring observe-port 1 inbound
[*HUAWEI-10GE1/0/1] commit

Configuring 1:N Port Mirroring
You can copy packets on one mirrored port to N observing ports. For example, copy incoming packets on mirrored port 10GE1/0/1 to observing ports 10GE1/0/2 and 10GE1/0/3.

<HUAWEI> system-view
[~HUAWEI] observe-port 1 interface 10ge 1/0/2
[*HUAWEI] observe-port 2 interface 10ge 1/0/3
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] port-mirroring observe-port 1 inbound
[*HUAWEI-10GE1/0/1] port-mirroring observe-port 2 inbound
[*HUAWEI-10GE1/0/1] commit

Configuring N:1 Port Mirroring
You can copy packets on N mirrored ports to one observing port. For example, copy incoming packets on mirrored ports 10GE1/0/1 and 10GE1/0/2 to observing port 10GE1/0/3.

<HUAWEI> system-view
[~HUAWEI] observe-port 1 interface 10ge 1/0/3
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] port-mirroring observe-port 1 inbound
[*HUAWEI-10GE1/0/1] quit
[*HUAWEI] interface 10ge 1/0/2
[*HUAWEI-10GE1/0/2] port-mirroring observe-port 1 inbound
[*HUAWEI-10GE1/0/2] commit