Traffic mirroring

Created: Feb 26, 2020 06:23:34 | Latest reply: Feb 26, 2020 06:30:34
Rewarded HiCoins: 0 (problem resolved)

Hello all,

We have configured port mirroring on the egress switch S5720 to monitor network traffic. The configuration is as follows:

#
observe-port 2 interface GigabitEthernet1/0/20
#
acl number 3100
 rule 1 permit ip source 192.168.100.0 0.0.0.255
 rule 2 permit ip source 192.168.101.0 0.0.0.255
#
traffic classifier c1 operator or
 if-match acl 3100
#
traffic behavior b1
 mirroring to observe-port 2
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#

Now, we need to configure traffic from intranet users to intranet server not to be mirrored. We added rules in the ACL 3000:

#
acl number 3100
 rule 3 deny ip source 192.168.100.0 0.0.0.255 destination 10.20.100.0 0.0.0.255
 rule 4 deny ip source 192.168.101.0 0.0.0.255 destination 10.20.100.0 0.0.0.255
#

After the configuration was complete, we found that all traffic could no longer be mirrored. What is the problem with this configuration? Thank you!



Featured Answers

Popeye_Wang (Admin), created Feb 26, 2020 06:30:34

Hi Sprout,

During the traffic mirroring configuration, the deny parameter cannot be configured in the ACL referenced in a traffic classifier. Otherwise, the packets matching the deny parameter can still be mirrored, but the original packets will be discarded. Therefore, to mirror only the specified service packets, set the permit parameter in all ACL rules.

For details, please refer to the Limitations for Mirroring.

In your case, I think you can configure a new ACL and don’t set an observing port for the data in the ACL. So the traffic will be discarded first.

#
acl number 3101
 rule 3 deny ip source 192.168.100.0 0.0.0.255 destination 10.20.100.0 0.0.0.255
 rule 4 deny ip source 192.168.101.0 0.0.0.255 destination 10.20.100.0 0.0.0.255
#
traffic classifier c2 operator or
 if-match acl 3101
#
traffic behavior b2                   // no mirroring action, so no observing port for this traffic
#
traffic policy p1 match-order config
 classifier c2 behavior b2            // configured first, so c2 is matched before c1
 classifier c1 behavior b1
#
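The following is an added example; it is not part of the original post or of the answer, and it is not Huawei's implementation. It is an offline model of the evaluation order that both the question's configuration and the answer's proposal depend on: ACL rules are checked in rule-number order and the first match wins; in a traffic policy with match-order config, classifiers are checked in configured order and only the first matching classifier's behavior is applied; and, as the answer states, a packet that matches a deny rule in a referenced ACL is discarded. With such a model a change to a mirroring policy can be checked before it is applied to a production switch, where a mistake either blinds the monitoring or drops user traffic. Three scenarios are run: the question's ACL 3100 with the deny rules appended after the permit rules, the answer's proposal with ACL 3101 in classifier c2 placed ahead of c1, and, as an assumed variant that follows the answer's rule of thumb (permit in every rule), the same exclusion with permit rules in ACL 3101 and an empty behavior b2. The platform restriction that makes the switch reject a deny rule in an ACL referenced by a mirroring classifier is not modelled; the shadowed_rules check shows that the appended rules 3 and 4 could never have matched anyway, because rules 1 and 2 already cover them. The scenario and flow names and all host addresses are constructed for the example.

```python
"""Added example: simulate ACL / traffic-classifier / traffic-policy evaluation
for a mirroring policy before applying it on the switch (offline model of the
order described in the thread, not Huawei's implementation)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                        # "permit" or "deny"
    source: str                        # "<network> <wildcard>", e.g. "192.168.100.0 0.0.0.255"
    destination: Optional[str] = None  # None means any destination


def _spec(spec: str) -> Tuple[int, int]:
    net, wildcard = spec.split()
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wildcard))


def _matches(addr: str, spec: Optional[str]) -> bool:
    """Wildcard match: bits set in the wildcard are 'don't care' bits."""
    if spec is None:
        return True
    net, wild = _spec(spec)
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (net & ~wild)


def _covers(outer: Optional[str], inner: Optional[str]) -> bool:
    """True if every address matching `inner` also matches `outer`."""
    if outer is None:
        return True
    if inner is None:
        return False
    on, ow = _spec(outer)
    inn, iw = _spec(inner)
    return (ow | iw) == ow and (on & ~ow) == (inn & ~ow)


def acl_lookup(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Action of the first matching rule in rule-number order, or None if no rule matches."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(src, r.source) and _matches(dst, r.destination):
            return r.action
    return None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Rule numbers that can never match because an earlier rule already covers them."""
    ordered = sorted(rules, key=lambda r: r.number)
    return [r.number for i, r in enumerate(ordered)
            if any(_covers(e.source, r.source) and _covers(e.destination, r.destination)
                   for e in ordered[:i])]


# A policy is an ordered list of (rules of the classifier's ACL, observe port of the
# behavior or None). match-order config: the first matching classifier wins.
Policy = List[Tuple[List[Rule], Optional[str]]]


def evaluate(policy: Policy, src: str, dst: str) -> str:
    """Fate of one packet: 'mirrored', 'dropped' or 'forwarded' (forwarded but not mirrored)."""
    for rules, observe_port in policy:
        action = acl_lookup(rules, src, dst)
        if action is None:
            continue                  # this classifier does not match; try the next one
        if action == "deny":
            return "dropped"          # as the answer states: deny-matched packets are discarded
        return "mirrored" if observe_port else "forwarded"
    return "forwarded"


# Constructed sample flows: intranet user -> intranet server, intranet user -> outside.
FLOWS = {
    "user_to_server": ("192.168.100.10", "10.20.100.5"),
    "user_to_internet": ("192.168.101.20", "203.0.113.7"),
}

INTRANET_USERS = [Rule(1, "permit", "192.168.100.0 0.0.0.255"),
                  Rule(2, "permit", "192.168.101.0 0.0.0.255")]
TO_SERVER_DENY = [Rule(3, "deny", "192.168.100.0 0.0.0.255", "10.20.100.0 0.0.0.255"),
                  Rule(4, "deny", "192.168.101.0 0.0.0.255", "10.20.100.0 0.0.0.255")]
TO_SERVER_PERMIT = [Rule(3, "permit", "192.168.100.0 0.0.0.255", "10.20.100.0 0.0.0.255"),
                    Rule(4, "permit", "192.168.101.0 0.0.0.255", "10.20.100.0 0.0.0.255")]


def run(policy: Policy) -> dict:
    return {name: evaluate(policy, *flow) for name, flow in FLOWS.items()}


def scenario_question() -> dict:
    """ACL 3100 with rules 3/4 appended: rules 1/2 match first, so 3/4 never take effect."""
    return run([(INTRANET_USERS + TO_SERVER_DENY, "observe-port 2")])


def scenario_answer() -> dict:
    """Answer's proposal: c2 (ACL 3101 with deny rules, behavior b2 without mirroring) ahead of c1."""
    return run([(TO_SERVER_DENY, None), (INTRANET_USERS, "observe-port 2")])


def scenario_permit_exclusion() -> dict:
    """Assumed variant: same ordering, but ACL 3101 uses permit rules, so the matched
    user-to-server traffic is neither mirrored nor dropped."""
    return run([(TO_SERVER_PERMIT, None), (INTRANET_USERS, "observe-port 2")])


if __name__ == "__main__":
    print("shadowed rules in ACL 3100:", shadowed_rules(INTRANET_USERS + TO_SERVER_DENY))
    for name, fn in [("question", scenario_question), ("answer", scenario_answer),
                     ("permit exclusion", scenario_permit_exclusion)]:
        print(f"{name:17}", fn())
```

Running the script prints that rules 3 and 4 of ACL 3100 are shadowed, that the question's policy still mirrors the user-to-server flow (the deny rules are never reached), that the answer's policy drops that flow and mirrors the rest, and that the permit variant forwards it unmirrored while still mirroring the rest. The shadowed_rules check is the one worth keeping in a change review: a rule that can never match is a sign that the intended exclusion has not been expressed.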



