Mirroring – an Effective Network Monitoring Tool (Specifications)
Hi, I talked about the mirroring working mechanism, applications, and configuration in the last issue. Sometimes, when you attempt to mirror packets from a switch to multiple monitoring devices, you may see an error message saying that the configuration fails because mirroring resources have been used up. Why?
The number of mirroring entries allowed on a switch depends on the mirroring specifications. Mirroring specifications differ a lot between switch models because of factors such as chip capacities and mirroring processing mechanisms. I have summarized the mirroring specifications of switches of different versions and models, and I hope they help you. I will talk about the following items today:
1. Observing Port Specifications: Read this section to know the maximum number of observing ports supported on a switch and how to calculate the remaining number of observing ports that can be configured.
2. 1:N Mirroring Specifications: Read this section to know how many observing ports a copy of packets can be mirrored to.
3. N:1 Mirroring Specifications: Read this section to know how many copies of packets can be mirrored to the same observing port.
4. M:N Mirroring Specifications: Read this section to know how many observing ports the M copies of different packets can be mirrored to.
5. Workaround to Observing Port Insufficiency on a Switch: Read this section to know the workaround to mirroring resource insufficiency on a switch.
1 Observing Port Specifications
1.1 Observing Port Configuration Methods
Before talking about observing port specifications, I'd like to spend a little time explaining the observing port configuration methods, because the configuration method you use affects the observing port specifications on some switches. Switches running versions prior to V200R005 allow only configuration of a single observing port at a time. V200R005 and later versions support both single and batch observing port configuration, and the two methods can be used together. If multiple observing ports are configured in a batch, these observing ports are bound to the same mirrored port, and packets on the mirrored port are copied to all of these observing ports. Therefore, batch configuration is often used to simplify the configuration of 1:N mirroring. You can see from the following figure that a mirrored port is bound to all the observing ports that are configured in a batch to implement 1:N mirroring.
1.2 How to Calculate the Remaining Number of Observing Ports that Can Be Configured
If observing ports have been configured on your switch and you want to configure more observing ports to monitor the network traffic on other monitoring devices, you need to calculate how many observing ports can still be configured on the switch, and how many observing ports can be specified for inbound and outbound packets on all mirrored ports respectively.
Note that the numbers of observing ports for inbound and outbound packets on a mirrored port are calculated separately. When the same observing port is specified for both the inbound and outbound packets on a mirrored port, the remaining numbers of observing ports for inbound and outbound packets both decrease by 1. As an example, an FA card supports a maximum of 6 observing ports. For all mirrored ports, a maximum of 4 observing ports can be specified for inbound packets, and a maximum of 2 observing ports can be specified for outbound packets. If one observing port has been specified for inbound and outbound packets simultaneously, 3 observing ports are left for inbound packets and 1 is left for outbound packets. Therefore, you can still configure a maximum of 3 + 1 = 4 observing ports, not 6 - 1 = 5.
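The following script is an added example of the accounting described above; it is not Huawei code and the class and method names are my own. It keeps separate inbound and outbound pools, reuses an observing port already bound in a direction without consuming a new entry (which is also why N:1 mirroring puts no limit on N), and refuses a binding that would exhaust a direction before recording anything, which is the condition behind the "mirroring resources have been used up" error. The 4 inbound / 2 outbound capacities are the FA-card figures quoted above; the port names are constructed.

```python
# Added example (not Huawei's code): observing-port accounting on a line card.
from dataclasses import dataclass, field


class MirroringResourceError(RuntimeError):
    """Raised when a direction has no observing-port entries left."""


@dataclass
class ObservingPortBudget:
    max_inbound: int   # observing ports usable for inbound packets, over all mirrored ports
    max_outbound: int  # observing ports usable for outbound packets, over all mirrored ports
    inbound: set = field(default_factory=set)   # observing ports bound for inbound packets
    outbound: set = field(default_factory=set)  # observing ports bound for outbound packets

    def _pool(self, direction):
        if direction == "inbound":
            return self.inbound, self.max_inbound
        if direction == "outbound":
            return self.outbound, self.max_outbound
        raise ValueError(f"unknown direction {direction!r}")

    def remaining(self):
        """Return (inbound left, outbound left, total left).

        The total is the sum of the two per-direction remainders, not the
        card maximum minus the number of observing ports in use."""
        in_left = self.max_inbound - len(self.inbound)
        out_left = self.max_outbound - len(self.outbound)
        return in_left, out_left, in_left + out_left

    def bind(self, observe_port, direction="both"):
        """Bind an observing port for 'inbound', 'outbound' or 'both'.

        A port already bound in a direction consumes no new entry there; a new
        port consumes one entry per direction. Every direction is checked before
        anything is recorded, so a failed bind leaves the budget unchanged."""
        directions = ("inbound", "outbound") if direction == "both" else (direction,)
        for d in directions:
            used, cap = self._pool(d)
            if observe_port not in used and len(used) >= cap:
                raise MirroringResourceError(
                    f"{d}: all {cap} observing ports already in use; cannot add {observe_port}")
        for d in directions:
            self._pool(d)[0].add(observe_port)


def fa_card_example():
    """The post's FA-card arithmetic: one observing port used for both directions
    leaves 3 + 1 = 4 ports, not 6 - 1 = 5."""
    card = ObservingPortBudget(max_inbound=4, max_outbound=2)
    card.bind("GigabitEthernet1/0/1", "both")  # constructed port name
    return card.remaining()


if __name__ == "__main__":
    print(fa_card_example())  # (3, 1, 4)
    card = ObservingPortBudget(max_inbound=4, max_outbound=2)
    card.bind("GigabitEthernet1/0/1", "both")
    card.bind("GigabitEthernet1/0/2", "outbound")  # takes the last outbound entry
    try:
        card.bind("GigabitEthernet1/0/3", "both")   # inbound would fit, outbound cannot
    except MirroringResourceError as err:
        print("configuration refused:", err)
    print(card.remaining())  # (3, 0, 3): the refused bind changed nothing
```

Run it before adding an observing port to see which direction is the bottleneck; the per-direction remainder, not the card total, decides whether the next configuration succeeds.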
1.3 Observing Port Specifications
Observing port specifications include the maximum number of observing ports allowed on a switch and how many observing ports can be specified for inbound and outbound packets on all mirrored ports. We should consider these specifications when configuring the mirroring function. For details about the observing port specifications of different modular boards and fixed switches of different versions, see the product documentation.
S12700&S12700E: https://support.huawei.com/enterprise/en/doc/EDOC1100196864/9075123/observing-port-specifications
S7700&S9700: https://support.huawei.com/enterprise/en/doc/EDOC1100197287/9075123/observing-port-specifications
S2700&S3700&S5700&S6700: https://support.huawei.com/enterprise/en/doc/EDOC1100197298/9075123/observing-port-specifications
2 1:N Mirroring Specifications
1:N mirroring copies packets on one mirrored port to N observing ports, as shown in the following figure.
For 1:N port mirroring, N means that packets in each direction (inbound or outbound) on a mirrored port can be mirrored to N observing ports.
For 1:N traffic mirroring, N means that a traffic mirroring behavior bound to a traffic classifier can mirror packets to an observing port group with N observing ports. Therefore, to implement 1:N traffic mirroring, you must specify an observing port group in a traffic behavior. Here, I'd like to explain the specifications (the value of N) of the most commonly used 1:N port mirroring feature. The N values of the other 1:N mirroring features are the same as those of 1:N port mirroring.
For 1:N VLAN mirroring or MAC address mirroring, N means that the observing port group bound to the inbound direction of a VLAN contains N observing ports. That is, to implement 1:N VLAN mirroring or MAC address mirroring, you must bind an observing port group to the inbound direction of a VLAN. In Layer 3 remote mirroring, packets on a mirrored port cannot be copied to multiple observing ports.
1:N mirroring is used to enable network traffic monitoring on multiple monitoring devices. In versions prior to V200R005, only the E series, FA series, ES0D0X12SA00, and EH1D2X12SSA0 line cards for Huawei S series modular switches support 1:N mirroring, and at most 1:2 mirroring can be configured for inbound packets on a chassis. In V200R005 and later versions, all Huawei S series switches support 1:N mirroring.
For details about the support of different modular cards and fixed switches, see the product documentation.
S12700&S12700E: https://support.huawei.com/enterprise/en/doc/EDOC1100196864/7e0061b5/1n-mirroring-specifications
S7700&S9700: https://support.huawei.com/enterprise/en/doc/EDOC1100197287/7e0061b5/1n-mirroring-specifications
S2700&S3700&S5700&S6700: https://support.huawei.com/enterprise/en/doc/EDOC1100197298/7e0061b5/1n-mirroring-specifications
Note: If you have used the batch configuration command to specify an observing port group for inbound or outbound packets on a mirrored port, no other observing ports can be specified for packets of this direction on the mirrored port.
3 N:1 Mirroring Specifications
N:1 mirroring copies packets on N mirrored ports to one observing port, as shown in the following figure.
N:1 mirroring is used to monitor packet flows passing through multiple mirrored ports. There is no limit on the value of N. In other words, you can mirror inbound or outbound packets on all mirrored ports to the same observing port, and configure as many mirrored ports as you wish.
4 M:N Mirroring Specifications
M:N mirroring copies packets on M mirrored ports to N observing ports.
Configuring M:N mirroring is equivalent to configuring 1:N mirroring M times, as shown in the figure above. M:N mirroring enables you to use multiple monitoring devices to monitor packets passing through multiple ports. M:N mirroring specifications can be deduced from 1:N and N:1 mirroring specifications: There is no limit on M, and the values of N supported on different cards or switch models are the same as those in 1:N mirroring.
5 Workaround to Observing Port Insufficiency on a Switch
Each switch supports a limited number of observing ports. What can we do if we want to use more monitoring devices than the maximum number of observing ports allowed on a switch? Here are two commonly used methods to address this problem:
• Configure a remote mirroring port and configure it as an internal loopback port to broadcast packets copied from a mirrored port in a VLAN.
As shown in the figure above, we need to copy packets on a mirrored port to four monitoring devices, but SwitchB allows fewer than four observing ports. We can perform the following steps to enable mirrored packets to be broadcast to the ports connected to the monitoring devices.
1. Configure remote port mirroring.
<SwitchB> system-view
[SwitchB] observe-port 1 interface gigabitethernet1/0/1 vlan 20 //Configure a remote observing port and specify VLAN 20 for broadcast of mirrored packets.
[SwitchB] interface gigabitethernet1/0/6
[SwitchB-GigabitEthernet1/0/6] port-mirroring to observe-port 1 both //Mirror both inbound and outbound packets on the mirrored port to the remote observing port used for internal loopback.
[SwitchB-GigabitEthernet1/0/6] quit
2. Configure internal loopback.
[SwitchB] vlan batch 20 //Create VLAN 20 for internal loopback and do not configure any other services in it.
[SwitchB] interface gigabitethernet1/0/1
[SwitchB-GigabitEthernet1/0/1] loopback internal //Configure the remote observing port as an internal loopback port.
[SwitchB-GigabitEthernet1/0/1] mac-address learning disable //Disable MAC address learning to prevent the internal loopback port from learning MAC addresses of other devices, so that packets received from other devices will be looped back in the local switch.
[SwitchB-GigabitEthernet1/0/1] stp disable //Disable STP to prevent the internal loopback port from receiving the packets originated from the local switch, in which case the port would be blocked and transition to the Discarding state.
[SwitchB-GigabitEthernet1/0/1] port link-type access
[SwitchB-GigabitEthernet1/0/1] port default vlan 20 //Add the port to VLAN 20 used for broadcast of mirrored packets.
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type access
[SwitchB-GigabitEthernet1/0/2] port default vlan 20 //Add the port to VLAN 20 used for broadcast of mirrored packets.
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type access
[SwitchB-GigabitEthernet1/0/3] port default vlan 20 //Add the port to VLAN 20 used for broadcast of mirrored packets.
[SwitchB-GigabitEthernet1/0/3] quit
[SwitchB] interface gigabitethernet1/0/4
[SwitchB-GigabitEthernet1/0/4] port link-type access
[SwitchB-GigabitEthernet1/0/4] port default vlan 20 //Add the port to VLAN 20 used for broadcast of mirrored packets.
[SwitchB-GigabitEthernet1/0/4] quit
[SwitchB] interface gigabitethernet1/0/5
[SwitchB-GigabitEthernet1/0/5] port link-type access
[SwitchB-GigabitEthernet1/0/5] port default vlan 20 //Add the port to VLAN 20 used for broadcast of mirrored packets.
[SwitchB-GigabitEthernet1/0/5] quit
• Configure remote mirroring and use an intermediate device to broadcast mirrored packets in a VLAN.
As shown in the figure above, we need to monitor packets passing through a mirrored port on three monitoring devices, but SwitchB allows fewer than three observing ports. We can perform the following steps to enable SwitchC to broadcast mirrored packets in a VLAN:
1. Configure remote port mirroring on SwitchB.
<SwitchB> system-view
[SwitchB] observe-port 1 interface gigabitethernet1/0/1 vlan 20 //Configure a remote observing port and specify VLAN 20 for forwarding of mirrored packets.
[SwitchB] interface gigabitethernet1/0/2
[SwitchB-GigabitEthernet1/0/2] port-mirroring to observe-port 1 both //Mirror both inbound and outbound packets on the mirrored port to the remote observing port.
[SwitchB-GigabitEthernet1/0/2] quit
2. Add ports on SwitchC to VLAN 20.
<SwitchC> system-view
[SwitchC] vlan batch 20 //Create VLAN 20 on SwitchC; it carries only the mirrored packets received from SwitchB.
[SwitchC] interface gigabitethernet1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 20 //Allow VLAN 20, used to forward mirrored packets, on the trunk port connected to SwitchB.
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type access
[SwitchC-GigabitEthernet1/0/2] port default vlan 20 //Add the port to VLAN 20 used to forward mirrored packets.
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface gigabitethernet1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 20 //Add the port to VLAN 20 used to forward mirrored packets.
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface gigabitethernet1/0/4
[SwitchC-GigabitEthernet1/0/4] port link-type access
[SwitchC-GigabitEthernet1/0/4] port default vlan 20 //Add the port to VLAN 20 used to forward mirrored packets.
[SwitchC-GigabitEthernet1/0/4] quit
That's all I want to talk about today. For more information about the mirroring feature, you can download the product documentation at http://support.huawei.com/enterprise/productsupport?lang=en&idAbsPath=7919710|9856733|7923144&pid=7923144. You can also post your questions or suggestions here, and I will reply as soon as possible.
That is all I want to share with you. Thank you!