Can the deny parameter be configured in the ACL referenced during the traffic mirroring configuration on an S series switch?


For S series switches, the deny parameter cannot be configured in an ACL that is referenced by a traffic classifier used for traffic mirroring. To mirror only the specified service packets, configure permit rules in the ACL that match exactly that traffic.
Because the deny action and the mirroring action are performed simultaneously, packets that hit a deny rule on a port are still copied to the observing port; a deny rule therefore does not exclude traffic from mirroring.

Other related questions:
ACL configuration on S series switch
An ACL filters packets based on rules. A switch with an ACL configured matches packets against the rules to identify packets of a certain type, and then forwards or discards these packets according to the policy of the service module to which the ACL is applied. S series switches support basic ACLs (2000-2999), advanced ACLs (3000-3999), Layer 2 ACLs (4000-4999), user-defined ACLs (5000-5999), user ACLs (6000-9999), basic ACL6s (2000-2999), and advanced ACL6s (3000-3999). For more information about the ACL feature supported by S series switches (except the S1700), see the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Common Operation Guide or the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples.

An ACL with no rule is configured. What is the status of the ACL that is referenced by the firewall?
The ACL status is deny, that is, the ACL rejects packets.

Configuring HTTP traffic mirroring on S series switches
For S series switches (except S1700 switches), traffic mirroring can be configured to mirror only HTTP traffic with TCP destination port 80. For example, to mirror incoming HTTP traffic (received traffic) with TCP destination port 80 on GE1/0/1 to observing port GE2/0/1, perform the following configurations:

1. Configure GE2/0/1 as an observing port.
   [HUAWEI] observe-port 1 interface gigabitethernet 2/0/1
2. Create a traffic classifier to match traffic with TCP destination port 80.
   [HUAWEI] acl number 3000
   [HUAWEI-acl-adv-3000] rule permit tcp destination-port eq www
   [HUAWEI-acl-adv-3000] quit
   [HUAWEI] traffic classifier c1
   [HUAWEI-classifier-c1] if-match acl 3000
   [HUAWEI-classifier-c1] quit
3. Create a traffic behavior and set the action to traffic mirroring.
   [HUAWEI] traffic behavior b1
   [HUAWEI-behavior-b1] mirroring to observe-port 1
   [HUAWEI-behavior-b1] quit
4. Create a traffic policy, and bind the traffic classifier and traffic behavior to the traffic policy.
   [HUAWEI] traffic policy p1
   [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
   [HUAWEI-trafficpolicy-p1] quit
5. Apply the traffic policy to the inbound direction of GE1/0/1.
   [HUAWEI] interface gigabitethernet 1/0/1
   [HUAWEI-GigabitEthernet1/0/1] traffic-policy p1 inbound

Configure local traffic mirroring on S series switch
For S series switches (except S1700 switches), traffic mirroring can be configured based on ACLs or based on the Modular Quality of Service Command-Line Interface (MQC) (complex traffic classification). ACL-based traffic mirroring is easy to configure but supports fewer packet types than MQC-based traffic mirroring and supports only inbound traffic mirroring. MQC-based traffic mirroring is more complex to configure but supports more packet types and mirrors both inbound and outbound (sent) traffic. Depending on whether the mirrored device is directly connected to the monitoring device, traffic mirroring is classified into local and remote traffic mirroring.

For example, to copy inbound packets with the source IP address 192.168.10.1 on GE2/0/1 to the observing port GE1/0/1, which is directly connected to the monitoring device, the configuration procedure is as follows:

1. ACL-based configuration
   [HUAWEI] observe-port 1 interface gigabitethernet 1/0/1 //Configure the local observing port.
   [HUAWEI] acl 2001
   [HUAWEI-basic-acl-2001] rule permit source 192.168.10.1 0 //Permit packets with the source IP address 192.168.10.1.
   [HUAWEI-basic-acl-2001] quit
   [HUAWEI] interface gigabitethernet 2/0/1
   [HUAWEI-GigabitEthernet2/0/1] traffic-mirror inbound acl 2001 to observe-port 1 //Mirror the specified packets received on GE2/0/1 to the local observing port.
2. MQC-based configuration
   [HUAWEI] observe-port 1 interface gigabitethernet 1/0/1 //Configure the local observing port.
   [HUAWEI] acl 2001
   [HUAWEI-basic-acl-2001] rule permit source 192.168.10.1 0
   [HUAWEI-basic-acl-2001] quit
   [HUAWEI] traffic classifier c1 //Configure a traffic classifier to match packets with the source IP address 192.168.10.1.
   [HUAWEI-classifier-c1] if-match acl 2001
   [HUAWEI-classifier-c1] quit
   [HUAWEI] traffic behavior b1 //Define traffic mirroring in a traffic behavior.
   [HUAWEI-behavior-b1] mirroring to observe-port 1
   [HUAWEI-behavior-b1] quit
   [HUAWEI] traffic policy p1 //Configure a traffic policy and bind the traffic classifier and traffic behavior to it.
   [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
   [HUAWEI-trafficpolicy-p1] quit
   [HUAWEI] interface gigabitethernet 2/0/1
   [HUAWEI-GigabitEthernet2/0/1] traffic-policy p1 inbound //Apply the traffic policy to the mirrored port.
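The following Python model illustrates why the answer at the top of this page and the two mirroring procedures above fit together: a classifier bound to a mirroring behavior acts on every packet that hits an ACL rule, permit or deny, so a deny rule only adds a drop and never removes traffic from the observing port. This is an added example, not code from the Huawei page or from any S series switch; the packet fields, rule fields and function names are assumptions made for the model, and the sample packets are constructed for illustration.

```python
"""Toy model of an S series traffic policy whose classifier is
'if-match acl N' and whose behavior is 'mirroring to observe-port'.

Added example (not Huawei code). It encodes only what the page states:
a packet that hits any ACL rule matches the classifier, the mirror action
and the deny action are performed together, so denied packets are still
mirrored. Packet/Rule fields and helper names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # CIDR; "x/32" models "source x 0" (wildcard 0 = exact host)
    proto: Optional[str] = None    # None = any protocol
    dport: Optional[int] = None    # None = any destination port

    def hits(self, pkt: Packet) -> bool:
        """True when every field the rule specifies matches the packet."""
        if self.source is not None and ip_address(pkt.src) not in ip_network(self.source):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Acl:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def first_hit(self, pkt: Packet) -> Optional[Rule]:
        """Rules are evaluated in order; the first rule that hits decides."""
        for rule in self.rules:
            if rule.hits(pkt):
                return rule
        return None


def apply_mirror_policy(acl: Acl, pkts: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Return (mirrored, dropped) for a policy that mirrors classifier matches."""
    mirrored, dropped = [], []
    for pkt in pkts:
        rule = acl.first_hit(pkt)
        if rule is None:
            continue  # no rule hit: classifier does not match, nothing happens
        mirrored.append(pkt)        # mirroring applies to every classifier match ...
        if rule.action == "deny":
            dropped.append(pkt)     # ... and deny is performed at the same time
    return mirrored, dropped


def firewall_acl_status(acl: Acl) -> str:
    """An ACL with no rules referenced by the firewall module rejects packets."""
    return "deny" if not acl.rules else "rule-based"


# Constructed sample traffic: two flows from the host of interest, one from elsewhere.
SAMPLE = [
    Packet("192.168.10.1", "10.0.0.5", "tcp", 80),
    Packet("192.168.10.1", "10.0.0.5", "tcp", 22),
    Packet("10.9.9.9", "10.0.0.5", "tcp", 80),
]

# Mistaken attempt: "deny port 22, then permit the host" to keep SSH off the observing port.
DENY_THEN_PERMIT = Acl(3001, [Rule("deny", proto="tcp", dport=22),
                               Rule("permit", source="192.168.10.1/32")])
# Correct form from the page: permit only the traffic you want mirrored.
PERMIT_HTTP_FROM_HOST = Acl(3000, [Rule("permit", source="192.168.10.1/32", proto="tcp", dport=80)])
# The page's HTTP-only example: 'rule permit tcp destination-port eq www'.
PERMIT_HTTP_ANY = Acl(3000, [Rule("permit", proto="tcp", dport=80)])


if __name__ == "__main__":
    for name, acl in [("deny-then-permit", DENY_THEN_PERMIT),
                      ("permit-only", PERMIT_HTTP_FROM_HOST),
                      ("http-any", PERMIT_HTTP_ANY)]:
        m, d = apply_mirror_policy(acl, SAMPLE)
        print(f"{name}: mirrored={len(m)} dropped={len(d)}")
    print("empty ACL on firewall:", firewall_acl_status(Acl(2999)))
```

Running the model shows the SSH packet still reaching the observing port under the deny-then-permit ACL (it is mirrored and dropped), while the permit-only ACL mirrors exactly the HTTP flow from 192.168.10.1 and nothing else.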
