There is an approach to copy any types of service packets transmitted on a network. What is it?
The answer is mirroring.
Then, what is mirroring?
Mirroring is a function that copies packets on a specified port (mirrored port) to another specified port (observing port), which then forwards the copy of packets to a network monitoring device to help the network administrator monitor the network status and locate faults.
You can see how mirroring works and what precautions to take in mirroring configuration from the following figure.
What can mirroring do for network maintenance?
1. Fault location
Abnormal traffic or errored packets may be transmitted on a network due to exceptions in software processing, hardware failures of network devices, viruses, or misoperations of users. To locate a network problem based on packets on the network without affecting network operations, you can use the mirroring function.
2. Service monitoring
Mirroring can be configured on aggregation or core switches on an enterprise network to mirror service packets, enabling administrators to better understand the service traffic model on the network without affecting normal service delivery. For example, a network administrator can know how many employees are using chat applications and ranking of visits to internal servers by monitoring mirrored service packets.
3. Intrusion detection
Mirroring can be configured on an uplink port of an enterprise's egress router to copy all the inbound and outbound traffic transmitted through the port to an intrusion detection system (IDS) server. The network administrator can analyze real-time traffic information to discover attack intentions, behaviors, or results, and take actions to protect confidentiality, integrity, and availability of network resources. For example, if the number of visits to an internal server from the Internet increases sharply, the administrator can analyze the mirrored packets to see whether the server is undergoing an attack.
Although mirroring is a powerful function, you need to observe the following rule when using this function on Huawei S series switches:
The mirroring function is mainly used for network monitoring and fault management and may collect users' communication information. Huawei will not collect or save users' communication information independently. You must use this function in compliance with applicable laws and regulations. Ensure that your customers' privacy is protected when you are using or saving communication information.
Since we have learned how powerful the mirroring function is, let's have a look at different mirroring modes supported on Huawei S series switches.
Function | Definition | Product Support |
Port mirroring | Copies packets on a specified port (mirrored port) to an observing port. | Supported on all product models |
Traffic mirroring | Copies packets of a specified type to an observing port. | Supported on all product models |
VLAN mirroring | Copies packets of a specified VLAN (mirrored VLAN) to an observing port. | Supported only on some fixed switches. For details, see the product documentation. |
MAC address mirroring | Copies the packets with a specified MAC address to an observing port. | Supported only on some fixed switches. For details, see the product documentation. |
How to configure mirroring
You need to perform the following steps no matter which mirroring mode you want to configure:
1. Create an observing port. Use any of the following commands to suit the networking scenario.
Scenario | Command |
The observing port is directly connected to the monitoring device (local mirroring). | observe-port [ <observe-port-index> ] <interface interface-type interface-number> |
The observing port is connected to the monitoring device across a Layer 2 network (Layer 2 remote mirroring). | observe-port [ <observe-port-index> ] <interface interface-type interface-number> vlan <vlan-id> |
The observing port is connected to the monitoring device across a Layer 3 network (Layer 3 remote mirroring, only supported on modular switches). | observe-port [ <observe-port-index> ] <interface interface-type interface-number> destination-ip <dest-ip-address> source-ip <source-ip-address> [ dscp <dscp-value> | vlan <vlan-id> ] *
|
PS: To copy packets to multiple observing ports, run the observing port configuration command multiple times or configure an observing port group.
2. Copy specified packets to the observing port. Use any of the following commands depending on the port mirroring mode you have chosen.
Mirroring Mode | Command |
Port mirroring | port-mirroring to observe-port <observe-port-index> { both | inbound | outbound } |
Traffic mirroring | Use Modular QoS Command Line Interface (MQC): mirroring to observe-port <observe-port-index> Use ACL: traffic-mirror |
VLAN mirroring | mirroring to observe-port <observe-port-index> inbound |
MAC address mirroring | mac-mirroring mac-address to observe-port <observe-port-index> inbound
|
PS: The both, inbound, and outbound keywords indicate bidirectional, inbound, and outbound packets, respectively.
Now, I will show how to configure Layer 2 remote port mirroring in a simple networking.
Staff A is located in the same VLAN as the DNS server and connects to the server through a Layer 2 network. After Layer 2 remote port mirroring is configured on SwitchA, the administrator can monitor staff A's visits to the DNS server on the monitoring PC.
1. The following are configurations on the two switches:
l SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 //VLAN10 is the user VLAN to which staff A belongs, and VLAN 20 is used to forward mirrored packets.
#
observe-port 1 interface GigabitEthernet0/0/1 vlan 20 //Configure GE0/0/1 as a Layer 2 remote observing port.
Set the observing port index to 1 and specify VLAN 20 for mirrored packet forwarding. The copied packets will be sent to VLAN 20 through GE0/0/1.
#
interface GigabitEthernet0/0/1 //The preceding command has enabled mirrored packets to be sent to VLAN 20 through observing port GE0/0/1, so you do not need to add GE0/0/1 to VLAN 20.
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10 //Add GE0/0/2 to VLAN 10 to enable communication between staff A and DNS.
port-mirroring to observe-port 1 inbound //Mirror inbound packets on GE0/0/2 (packets received from staff A) to the observing port 1 (GE0/0/1).
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10 //Add GE0/0/3 to VLAN 10 to enable communication between staff A and DNS.
l SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 //VLAN 20 is used to forward mirrored packets to the monitoring PC.
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 //Add GE0/0/1 to VLAN 20 so that mirrored packets can be forwarded to the monitoring PC.
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 20 //Add GE0/0/2 to VLAN 20 so that mirrored packets can be forwarded to the monitoring PC.
2. Check the port mirroring configuration on SwitchA.
3. Check whether the packets sent from staff A to the DNS server are mirrored to the monitoring PC.
Start a packet capture tool on the monitoring PC, and then initiate a ping test from the PC of staff A to the DNS server. Capture packets on the monitoring PC.
The packet capture tool has captured the ping packet with staff A's IP address as the source and the monitoring PC's IP address as the destination. This proves that the port mirroring configuration has taken effect.
That's all for today's introduction to the mirroring mechanism and configuration. Stay tuned for the next issue about specifications of mirroring.
★★★Summary★★★ All About Huawei Switch Features and Configurations
