H3C S9500 Series Operating instructions

Type
Operating instructions

H3C S9500 Series, a high-performance routing switch, provides comprehensive features for enterprise campus networks, data centers, and service provider networks. It offers flexible port configurations, advanced QoS, robust security, and comprehensive routing protocols, enabling efficient data transmission, secure network access, and reliable service delivery. The S9500 Series is ideal for building scalable, resilient, and intelligent networks to meet the evolving demands of modern businesses and service providers.


Operation Manual – Port Mirroring
H3C S9500 Series Routing Switches Table of Contents
Table of Contents
Chapter 1 Port Mirroring Configuration
1.1 Introduction to Port Mirroring
1.1.1 Types of Port Mirroring
1.1.2 Implementing Port Mirroring
1.2 Configuring Local Port Mirroring
1.3 Configuring Remote Port Mirroring
1.3.1 Configuring a Remote Source Mirroring Group (on the Source Device)
1.3.2 Configuring a Remote Destination Mirroring Group (on the Destination Device)
1.4 Displaying and Maintaining Port Mirroring
1.5 Port Mirroring Configuration Examples
1.5.1 Local Port Mirroring Configuration Example
1.5.2 Remote Port Mirroring Configuration Example
Chapter 1 Port Mirroring Configuration
When configuring port mirroring, go to these sections for information you are interested in:
• Introduction to Port Mirroring
• Configuring Local Port Mirroring
• Configuring Remote Port Mirroring
• Displaying and Maintaining Port Mirroring
• Port Mirroring Configuration Examples
1.1 Introduction to Port Mirroring
Port mirroring copies the packets passing through a port (called a mirroring port) to another port (called the monitor port) that is connected to a monitoring device for packet analysis, as shown in the following figure.
Figure 1-1 Port mirroring implementation example (diagram labels: IP network, PC, mirroring port, monitor port, monitoring device)
You can mirror inbound, outbound, or bidirectional traffic on a port as needed.
1.1.1 Types of Port Mirroring
Port mirroring can be local or remote.
• In local port mirroring, the mirroring port or ports and the monitor port are located on the same device.
• In remote port mirroring, the mirroring port or ports and the monitor port can be located on the same device or different devices. When they are located on different devices, there should be no Layer-3 network in between.
1.1.2 Implementing Port Mirroring
Port mirroring is implemented through port mirroring groups. There are three types of
mirroring groups: local, remote source, and remote destination.
The following subsections describe how local port mirroring and remote port mirroring
are implemented.
I. Local port mirroring
In local port mirroring, all packets passing through a port can be mirrored. Local port
mirroring is implemented through local mirroring groups.
As shown in Figure 1-2, packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze.
Figure 1-2 Local port mirroring implementation
II. Remote port mirroring
Remote port mirroring is implemented through the cooperation of a remote source mirroring group and a remote destination mirroring group, as shown in Figure 1-3.
Figure 1-3 Remote port mirroring implementation
Remote mirroring involves the following device roles:
• Source device
The source device is the device where the mirroring ports are located. On it, you must create a remote source mirroring group to hold the mirroring ports.
The source device copies the packets passing through the mirroring ports and broadcasts the copies in the remote probe VLAN through the reflector port.
• Intermediate device
Intermediate devices (if any) are devices located between the source device and the destination device.
An intermediate device forwards mirrored packets to the next intermediate device (if any) or to the destination device.
• Destination device
The destination device is the device where the monitor port is located. On it, you must create the remote destination mirroring group.
When receiving a packet, the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote destination mirroring group. If they are the same, the device forwards the packet to the monitoring device through the monitor port.
Note:
• The S9500 series supports inter-board mirroring, that is, the mirroring port(s) and the monitor port can be located on different boards on the same device.
• A source device can be connected to its destination device directly without any intermediate device.
• As for the four Ten-GigabitEthernet ports (TE ports) on XP4B and XP4CA boards, port mirroring can only be implemented between port 1 and 2 (for example, Ten-GigabitEthernet 2/1/1 and Ten-GigabitEthernet 2/1/2), and between port 3 and 4 (for example, Ten-GigabitEthernet 2/1/3 and Ten-GigabitEthernet 2/1/4).
Caution:
As port mirroring conflicts with STP, RSTP, and MSTP, do not enable STP, RSTP, or MSTP on monitor ports.
1.2 Configuring Local Port Mirroring
To configure local port mirroring, you configure local mirroring groups.
A local mirroring group comprises one or multiple mirroring ports and one monitor port.
These ports must not have been assigned to any other mirroring group.
Follow these steps to configure local port mirroring:
To do: Enter system view
  Use the command: system-view
To do: Create a local mirroring group
  Use the command: mirroring-group groupid local
  Remarks: Required
To do: Assign ports to the port mirroring group as mirroring ports
  Use the command (in system view):
    mirroring-group groupid mirroring-port mirroring-port-list { inbound | outbound | both }
  Use the command (in Ethernet interface view):
    interface interface-type interface-number
    [ mirroring-group groupid ] mirroring-port { inbound | outbound | both }
    quit
  Remarks: Required. Use either approach. In system view, you can assign a list of ports to the mirroring group at a time. In interface view, you can assign only the current port to the mirroring group. To monitor multiple ports, repeat the step.
To do: Assign a port to the mirroring group as the monitor port
  Use the command (in system view):
    mirroring-group groupid monitor-port monitor-port-id
  Use the command (in Ethernet interface view):
    interface interface-type interface-number
    [ mirroring-group groupid ] monitor-port
  Remarks: Required. Use either approach.
Note:
• After you configure a port as a monitor port, it is recommended that you not use it for any other purpose. This ensures that the data monitoring device receives only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
• For a local mirroring group to take effect, you must configure a monitor port and at least one mirroring port in it.
1.3 Configuring Remote Port Mirroring
To configure remote port mirroring, you configure remote mirroring groups: the remote source mirroring group on the source device and the cooperating remote destination mirroring group on the destination device.
The two mirroring groups must be configured with the same remote probe VLAN. If
intermediate devices are involved, you must configure these devices to permit the
probe VLAN to pass through.
1.3.1 Configuring a Remote Source Mirroring Group (on the Source Device)
A remote source mirroring group comprises one or multiple mirroring ports, a remote
probe VLAN, and a reflector port. The ports and the probe VLAN must not have been
assigned to any other mirroring groups.
Follow these steps to configure a remote source port mirroring group on the source
device:
To do: Enter system view
  Use the command: system-view
To do: Create a remote probe VLAN
  Use the command: vlan vlan-id
  Remarks: Required
To do: Return to system view
  Use the command: quit
To do: Create a remote source mirroring group
  Use the command: mirroring-group groupid remote-source
  Remarks: Required
To do: Assign ports to the mirroring group as mirroring ports
  Use the command (in system view):
    mirroring-group groupid mirroring-port mirroring-port-list { inbound | outbound | both }
  Use the command (in Ethernet interface view):
    interface interface-type interface-number
    [ mirroring-group groupid ] mirroring-port { inbound | outbound | both }
    quit
  Remarks: Required. Use either approach. In system view, you can assign a list of ports to the mirroring group at a time. In interface view, you can assign only the current interface to the mirroring group. To monitor multiple ports, repeat the step.
To do: Assign a port to the mirroring group as the reflector port
  Use the command (in system view):
    mirroring-group groupid reflector-port reflector-port-id
  Use the command (in Ethernet interface view):
    interface interface-type interface-number
    mirroring-group groupid reflector-port
    quit
  Remarks: Required. Use either approach.
To do: Configure the remote probe VLAN for the mirroring group
  Use the command: mirroring-group groupid remote-probe vlan rprobe-vlan-id
  Remarks: Required
Note:
• To ensure device performance, do not assign mirroring ports to a remote probe VLAN.
• To configure a port as a reflector port, you must ensure that its link type is access, that it belongs to the default VLAN (that is, VLAN 1), and that it is neither a destination port for traffic mirroring nor a member of any other port mirroring group.
• It is recommended that you not connect a network cable to a reflector port. On a reflector port, you must disable these features: 802.1x, QinQ, port loopback, and service loopback. To ensure normal operation of the device, it is also recommended that you disable static ARP and MAC address learning on the reflector port.
• The outgoing port for a mirrored packet must not be the same as the reflector port.
• It is recommended that you use a remote probe VLAN for port mirroring only.
• Only existing static VLANs can be configured as remote probe VLANs. To remove a VLAN operating as a remote probe VLAN, first remove the VLAN from the remote mirroring group with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group.
• To ensure the functionality of remote port mirroring, disable MAC address learning in the remote probe VLAN on the intermediate devices, if any.
• Ensure that the mirrored packets leave the source device with the tag of the remote probe VLAN.
1.3.2 Configuring a Remote Destination Mirroring Group (on the Destination Device)
A remote destination mirroring group comprises a remote probe VLAN and a monitor
port. The port and the probe VLAN must not have been assigned to any other mirroring
groups. In addition, you must ensure that the remote probe VLAN is the same as the
one configured in the remote source mirroring group.
Follow these steps to configure a remote destination port mirroring group on the
destination device:
To do: Enter system view
  Use the command: system-view
To do: Create a VLAN and enter the VLAN view
  Use the command: vlan vlan-id
  Remarks: Required
To do: Disable MAC address learning in the VLAN by assigning 0 to the count argument
  Use the command: mac-address max-mac-count count
  Remarks: Required
To do: Return to system view
  Use the command: quit
To do: Create a remote destination port mirroring group
  Use the command: mirroring-group groupid remote-destination
  Remarks: Required
To do: Assign the VLAN you created to the port mirroring group
  Use the command: mirroring-group groupid remote-probe vlan rprobe-vlan-id
  Remarks: Required
To do: Assign a port to the port mirroring group as the monitor port
  Use the command (in system view):
    mirroring-group groupid monitor-port monitor-port-id
  Use the command (in Ethernet interface view):
    interface interface-type interface-number
    [ mirroring-group groupid ] monitor-port
    quit
  Remarks: Required. Use either approach. In Ethernet interface view, if no destination mirroring group is specified, group 1 is used by default.
To do: Enter the interface view of the monitor port
  Use the command: interface interface-type interface-number
To do: Assign the monitor port to the remote probe VLAN
  Use the command (if the port is an access port):
    port access vlan rprobe-vlan-id
  Use the command (if the port is a trunk port):
    port trunk permit vlan rprobe-vlan-id
  Use the command (if the port is a hybrid port):
    port hybrid vlan rprobe-vlan-id { tagged | untagged }
  Remarks: Required. Use one of the commands depending on the link type of the monitor port.
Note:
• After you configure a port as a monitor port, it is recommended that you not use it for any other purpose. This ensures that the data monitoring device receives only the mirrored traffic rather than a mix of mirrored traffic and normally forwarded traffic.
• Only existing static VLANs can be configured as remote probe VLANs. To remove a VLAN operating as a remote probe VLAN, first remove the VLAN from the remote mirroring group with the undo mirroring-group remote-probe vlan command. Removing the probe VLAN can invalidate the remote source mirroring group.
• It is recommended that you use a remote probe VLAN for port mirroring only.
• To ensure the functionality of remote port mirroring, disable MAC address learning in the remote probe VLAN on the source, intermediate, and destination devices.
1.4 Displaying and Maintaining Port Mirroring
To do: Display the configuration of port mirroring groups
  Use the command: display mirroring-group { groupid | local | remote-source | remote-destination | all }
  Remarks: Available in any view
1.5 Port Mirroring Configuration Examples
1.5.1 Local Port Mirroring Configuration Example
I. Network requirements
On the network shown in Figure 1-4:
• Host A is connected to port Ethernet 1/1/1 of Switch C through Switch A.
• Host B is connected to port Ethernet 1/1/2 of Switch C through Switch B.
• A data monitoring server is connected to port Ethernet 1/1/3 of Switch C.
To monitor the packets of Host A and Host B on the server, configure a local port mirroring group on Switch C as follows:
• Configure ports Ethernet 1/1/1 and Ethernet 1/1/2 as mirroring ports.
• Configure port Ethernet 1/1/3 as the monitor port.
II. Network diagram
Figure 1-4 Network diagram for local port mirroring configuration (diagram labels: Host A, Host B, Switch A, Switch B, Switch C with Eth1/1/1, Eth1/1/2 and Eth1/1/3, Server)
III. Configuration procedure
1) Configure Switch C.
# Enter system view.
<Sysname> system-view
# Create a local port mirroring group.
[Sysname] mirroring-group 1 local
# Assign port Ethernet 1/1/1 and Ethernet 1/1/2 to the port mirroring group as mirroring
ports. Assign port Ethernet 1/1/3 to the port mirroring group as the monitor port.
[Sysname] mirroring-group 1 mirroring-port ethernet 1/1/1 ethernet 1/1/2 both
[Sysname] mirroring-group 1 monitor-port ethernet 1/1/3
# Display the configuration of all the port mirroring groups.
[Sysname] display mirroring-group all
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        Ethernet1/1/1  both
        Ethernet1/1/2  both
    monitor port: Ethernet1/1/3
After finishing the configuration, you can monitor all the packets received and sent by
Host A and Host B on the server.
1.5.2 Remote Port Mirroring Configuration Example
I. Network requirements
On the network shown in Figure 1-5:
• Host A is connected to port Ethernet 1/1/1 of Switch A.
• Host B is connected to port Ethernet 1/1/2 of Switch A.
• Port Ethernet 1/1/3 of Switch A is connected to port Ethernet 1/1/1 of Switch B. Both ports are trunk ports.
• Port Ethernet 1/1/2 of Switch B is connected to port Ethernet 1/1/1 of Switch C. Both ports are trunk ports.
• A server is connected to port Ethernet 1/1/2 of Switch C.
To monitor packets of Host A and Host B on the server, configure remote port mirroring groups on the switches as follows:
• On Switch A, create a remote source mirroring group; create VLAN 2 and configure it as the remote probe VLAN; assign ports Ethernet 1/1/1 and Ethernet 1/1/2 to the port mirroring group as mirroring ports and port Ethernet 1/1/4 as the reflector port.
• Configure port Ethernet 1/1/3 of Switch A, ports Ethernet 1/1/1 and Ethernet 1/1/2 of Switch B, and port Ethernet 1/1/1 of Switch C as trunk ports and configure them to permit packets of VLAN 2.
• Create a remote destination mirroring group on Switch C. Configure VLAN 2 as the remote probe VLAN and port Ethernet 1/1/2, to which the server is connected, as the monitor port.
II. Network diagram
Figure 1-5 Network diagram for remote port mirroring configuration (diagram labels: Host A, Host B, Switch A with Eth1/1/1, Eth1/1/2, Eth1/1/3 and reflector port Eth1/1/4, Switch B with Eth1/1/1 and Eth1/1/2, Switch C with Eth1/1/1 and Eth1/1/2, Server)
III. Configuration procedure
1) Configure Switch A (the source device)
# Enter system view.
<Sysname> system-view
# Create a remote source port mirroring group.
[Sysname] mirroring-group 1 remote-source
# Create VLAN 2.
[Sysname] vlan 2
[Sysname-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the remote port mirroring group. Add
port Ethernet 1/1/1 and Ethernet1/1/2 to the remote port mirroring group as mirroring
ports. Configure port Ethernet 1/1/4 as the reflector port.
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 mirroring-port ethernet 1/1/1 ethernet 1/1/2 both
[Sysname] mirroring-group 1 reflector-port ethernet 1/1/4
# Configure port Ethernet 1/1/3 as a trunk port and configure the port to permit the
packets of VLAN 2.
[Sysname] interface ethernet 1/1/3
[Sysname-Ethernet1/1/3] port link-type trunk
[Sysname-Ethernet1/1/3] port trunk permit vlan 2
2) Configure Switch B (an intermediate device)
# Create VLAN 2 and disable MAC address learning in it.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] mac-address max-mac-count 0
[Sysname-vlan2] quit
# Configure port Ethernet 1/1/1 as a trunk port and configure the port to permit the
packets of VLAN 2.
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port link-type trunk
[Sysname-Ethernet1/1/1] port trunk permit vlan 2
# Configure port Ethernet 1/1/2 as a trunk port and configure the port to permit the
packets of VLAN 2.
[Sysname-Ethernet1/1/1] interface ethernet 1/1/2
[Sysname-Ethernet1/1/2] port link-type trunk
[Sysname-Ethernet1/1/2] port trunk permit vlan 2
3) Configure Switch C (the destination device)
# Enter system view.
<Sysname> system-view
# Configure port Ethernet 1/1/1 as a trunk port and configure the port to permit the
packets of VLAN 2.
[Sysname] interface ethernet 1/1/1
[Sysname-Ethernet1/1/1] port link-type trunk
[Sysname-Ethernet1/1/1] port trunk permit vlan 2
[Sysname-Ethernet1/1/1] quit
# Create a remote destination port mirroring group.
[Sysname] mirroring-group 1 remote-destination
# Create VLAN 2 and disable MAC address learning in it. Assign port Ethernet1/1/2 to
it.
[Sysname] vlan 2
[Sysname-vlan2] mac-address max-mac-count 0
[Sysname-vlan2] port ethernet 1/1/2
[Sysname-vlan2] quit
# Configure VLAN 2 as the remote probe VLAN of the remote destination port mirroring
group. Assign port Ethernet 1/1/2 to the remote destination port mirroring group as the
monitor port.
[Sysname] mirroring-group 1 remote-probe vlan 2
[Sysname] mirroring-group 1 monitor-port ethernet 1/1/2
After finishing the configuration, you can monitor all the packets received and sent by
Host A and Host B on the Server.
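The remote mirroring rules in sections 1.3 and 1.5.2 span three devices, so they are easy to break on one of them. The following is an added example, not part of the H3C manual: a Python check that replays the commands entered on each switch and reports violations of the rules stated above (same probe VLAN on both groups, probe VLAN permitted on every hop, MAC learning disabled in the probe VLAN on intermediate and destination devices, reflector port not reused, monitor port in the probe VLAN). The function names, the ";"-separated command text and the operator-supplied hop list are assumptions of this example.

```python
import re
PORT = re.compile(r"\d+/\d+/\d+")   # slot/subslot/port, e.g. 1/1/3

def parse(text):
    """Replay commands (separated by ';' or newlines), tracking the current view."""
    st = {"groups": {}, "vlans": {}, "no_learn": set()}
    iface = vlan = None
    for t in (c.lower().split() for c in re.split(r"[;\n]", text) if c.strip()):
        ports = PORT.findall(" ".join(t))
        if t[0] == "quit":
            iface = vlan = None
        elif t[0] == "interface":
            iface, vlan = (ports[0] if ports else t[-1]), None
        elif t[0] == "vlan":
            iface, vlan = None, int(t[1])
        elif t[:3] == ["mac-address", "max-mac-count", "0"] and vlan is not None:
            st["no_learn"].add(vlan)
        elif t[0] == "port" and vlan is not None and ports:  # VLAN view: port ethernet X
            st["vlans"].setdefault(ports[0], set()).add(vlan)
        elif t[0] == "port" and iface:  # port access vlan / trunk permit vlan / hybrid vlan
            st["vlans"].setdefault(iface, set()).update(int(v) for v in t[2:] if v.isdigit())
        elif t[0] == "mirroring-group":
            g = st["groups"].setdefault(t[1], {"mirror": set()})
            if t[2] in ("local", "remote-source", "remote-destination"):
                g["type"] = t[2]
            elif t[2] == "remote-probe":
                g["vlan"] = int(t[4])
            elif t[2] == "mirroring-port":
                g["mirror"].update(ports)
            elif t[2] in ("monitor-port", "reflector-port") and ports:
                g[t[2]] = ports[0]
    return st

def audit(cfg, source, destination, path):
    """cfg: device -> commands; path: (device, port) hops the mirrored traffic crosses."""
    st = {name: parse(text) for name, text in cfg.items()}
    def group(dev, kind):
        found = [g for g in st[dev]["groups"].values() if g.get("type") == kind]
        return found[0] if found else {"mirror": set()}
    src, dst = group(source, "remote-source"), group(destination, "remote-destination")
    vlan, refl, mon, out = src.get("vlan"), src.get("reflector-port"), dst.get("monitor-port"), []
    if vlan is None or dst.get("vlan") != vlan:
        out.append(f"probe VLAN mismatch: source={vlan} destination={dst.get('vlan')}")
    for dev, port in path:
        if vlan not in st[dev]["vlans"].get(port, ()):
            out.append(f"{dev} {port}: probe VLAN not permitted")
    for dev in cfg:  # intermediate and destination devices
        if dev != source and vlan not in st[dev]["no_learn"]:
            out.append(f"{dev}: MAC learning not disabled in probe VLAN")
    if refl is None or refl in src["mirror"] or (source, refl) in path:
        out.append(f"{source}: reflector port missing or reused ({refl})")
    if mon is None or vlan not in st[destination]["vlans"].get(mon, ()):
        out.append(f"{destination}: monitor port {mon} not in probe VLAN")
    return out

# Constructed input: the commands of the remote mirroring example above, prompts removed.
T = "port link-type trunk; port trunk permit vlan 2"
GOOD = {
    "A": "mirroring-group 1 remote-source; vlan 2; quit; mirroring-group 1 remote-probe vlan 2;"
         "mirroring-group 1 mirroring-port ethernet 1/1/1 ethernet 1/1/2 both;"
         "mirroring-group 1 reflector-port ethernet 1/1/4; interface ethernet 1/1/3;" + T,
    "B": "vlan 2; mac-address max-mac-count 0; quit; interface ethernet 1/1/1;" + T
         + "; interface ethernet 1/1/2;" + T,
    "C": "interface ethernet 1/1/1;" + T + "; quit; mirroring-group 1 remote-destination; vlan 2;"
         "mac-address max-mac-count 0; port ethernet 1/1/2; quit;"
         "mirroring-group 1 remote-probe vlan 2; mirroring-group 1 monitor-port ethernet 1/1/2",
}
PATH = [("A", "1/1/3"), ("B", "1/1/1"), ("B", "1/1/2"), ("C", "1/1/1")]
BAD = dict(GOOD, B=GOOD["B"].rsplit(";", 1)[0])  # constructed fault: B Eth1/1/2 lacks VLAN 2
```

Calling audit(GOOD, "A", "C", PATH) returns an empty list, while audit(BAD, "A", "C", PATH) reports the Switch B uplink that drops the probe VLAN. VLAN ranges written with "to" are not expanded by this example.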