Example for Configuring MQC-based Local Traffic Mirroring

Local Traffic Mirroring Overview

In local traffic mirroring, service traffic matching configured rules is copied to an observing port that is directly connected to a monitoring device for analysis and monitoring.

You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) and ACL. MQC-based traffic mirroring is complex to configure but supports more matching rules and can be applied to both the inbound and outbound directions. ACL-based traffic mirroring is easy to configure but supports fewer matching rules than MQC-based traffic mirroring.

Configuration Notes

  • You must dedicate observing ports to mirroring and must not configure other services on them, so that mirrored traffic and other service traffic do not affect each other. Do not configure any member port of an Eth-Trunk as an observing port. If you must do so, ensure that the bandwidth of service traffic on this port plus the bandwidth occupied by the mirrored traffic does not exceed the bandwidth limit of the port.

  • If the mirroring function is deployed on many ports of a device, a great deal of internal forwarding bandwidth will be occupied, which affects the forwarding of other services. Additionally, if the mirrored port bandwidth is higher than the observing port bandwidth, for example, 1000 Mbit/s on a mirrored port and 100 Mbit/s on an observing port, the observing port will fail to forward all mirrored packets in a timely manner because of insufficient bandwidth, leading to packet loss.

  • Both physical interfaces and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk is configured as a mirrored port, its member ports cannot be configured as observing ports.

  • For the applicable products and versions of this configuration example, see Applicable product models and versions.

Networking Requirements

As shown in Figure 1, the science and technology department and administrative department of a company use 10.1.1.0/24 and 10.1.2.0/24 respectively to access the Internet or communicate with each other through the Switch. The monitoring device Server is directly connected to the Switch.

The following traffic of the science and technology department needs to be monitored through the Server:
  • Internet access traffic
  • Traffic sent to the administrative department

Figure 1 Local traffic mirroring networking

Configuration Roadmap

  1. Configure GE0/0/2 of the Switch as a local observing port to forward mirrored packets to the Server.
  2. Configure a traffic classifier on the Switch to match Internet access traffic and traffic sent to the administrative department, and configure a traffic behavior to mirror traffic to a local observing port.
  3. Configure a traffic policy on the Switch, bind the traffic classifier and traffic behavior to the traffic policy, and apply the traffic policy to GE0/0/1.

Procedure

  1. Configure an observing port.

    # Configure GE0/0/2 of the Switch as a local observing port.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] observe-port 1 interface gigabitethernet 0/0/2     //Configure GE0/0/2 as a local observing port 1.

  2. Configure a traffic classifier.

    # Create a traffic classifier c1 on the Switch, and configure rules to match two types of traffic: traffic from source network segment 10.1.1.0/24 to TCP destination port WWW, and traffic from source network segment 10.1.1.0/24 to destination network segment 10.1.2.0/24.

    [Switch] acl number 3000     //Create ACL 3000 to allow the packets with source network segment 10.1.1.0/24 and destination TCP port number WWW to pass through.
    [Switch-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
    [Switch-acl-adv-3000] quit
    [Switch] acl number 3001     //Create ACL 3001 to allow the packets with source network segment 10.1.1.0/24 and destination network segment 10.1.2.0/24 to pass through.
    [Switch-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    [Switch-acl-adv-3001] quit
    [Switch] traffic classifier c1 operator or     //Create a traffic classifier c1, and match ACL 3000 or ACL 3001.
    [Switch-classifier-c1] if-match acl 3000
    [Switch-classifier-c1] if-match acl 3001
    [Switch-classifier-c1] quit

  3. Configure a traffic behavior.

    # Create a traffic behavior b1 on the Switch, and define traffic mirroring in the traffic behavior to copy specified traffic to local observing port GE0/0/2.

    [Switch] traffic behavior b1     //Create a traffic behavior b1 to mirror specified traffic to observing port 1.
    [Switch-behavior-b1] mirroring to observe-port 1
    [Switch-behavior-b1] quit

    For fixed switches S6720-EI and S6720S-EI as well as cards (except X series cards) on modular switches, when configuring outbound traffic mirroring, do not configure other traffic behaviors (except the traffic statistics function of modular switches running V100R006 and earlier versions). From V200R001 to V200R010, the permit action generated by default when a traffic behavior is created on modular switches must also be deleted; otherwise, outbound traffic mirroring is ineffective.

  4. Configure a traffic policy and apply the traffic policy to an interface.

    # Create a traffic policy named p1 on the Switch, bind the traffic behavior and traffic classifier to the traffic policy, and apply the traffic policy to the inbound direction of GE0/0/1 to monitor specified traffic of the science and technology department.

    [Switch] traffic policy p1     //Create a traffic policy p1 and bind the traffic behavior and traffic classifier to the traffic policy.
    [Switch-trafficpolicy-p1] classifier c1 behavior b1
    [Switch-trafficpolicy-p1] quit
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound     //Apply the traffic policy p1 to the inbound direction of GE0/0/1.
    [Switch-GigabitEthernet0/0/1] return

  5. Verify the configuration.

    # Check the traffic classifier configuration.

    <Switch> display traffic classifier user-defined c1
      User Defined Classifier Information:
       Classifier: c1
        Operator: OR
        Rule(s) : if-match acl 3000
                  if-match acl 3001

    # Check the traffic policy configuration.

    <Switch> display traffic policy user-defined p1
      User Defined Traffic Policy Information:
      Policy: p1
       Classifier: c1
        Operator: OR
         Behavior: b1
          Mirroring  to observe-port 1

    # Check the observing port configuration.

    <Switch> display observe-port
      ----------------------------------------------------------------------
      Index          : 1
      Untag-packet   : No
      Interface      : GigabitEthernet0/0/2
      ----------------------------------------------------------------------

    # Check the mirroring configuration.

    <Switch> display port-mirroring
      ----------------------------------------------------------------------
      Observe-port 1 : GigabitEthernet0/0/2
      ----------------------------------------------------------------------
      Stream-mirror:
      ----------------------------------------------------------------------
           Behavior                  Direction  Observe-port
      ----------------------------------------------------------------------
      1    b1                        -          Observe-port 1
      ----------------------------------------------------------------------
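As an added check (example code, not from the Huawei page or the switch software), the following Python model re-implements ACL 3000, ACL 3001 and classifier c1 from step 2 and evaluates constructed sample flows against them. It makes the policy's coverage explicit: "Internet access traffic" is matched only on TCP port 80 (www), so HTTPS sessions from 10.1.1.0/24 are not copied to the observing port by this configuration. The Flow class, the function names and the sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Huawei ACL wildcard masks: a 0 bit must match the base address, a 1 bit is
# "don't care", so "10.1.1.0 0.0.0.255" selects all of 10.1.1.0/24.

@dataclass(frozen=True)
class Flow:
    src: str          # source IPv4 address
    dst: str          # destination IPv4 address
    proto: str        # "tcp", "udp", "icmp", ...
    dport: int = 0    # destination port; 0 when the protocol has none

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a wildcard (inverse) mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    fixed = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & fixed) == (b & fixed)

def acl_3000(f: Flow) -> bool:
    # rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
    return (f.proto == "tcp"
            and wildcard_match(f.src, "10.1.1.0", "0.0.0.255")
            and f.dport == 80)                      # "www" is TCP port 80 only

def acl_3001(f: Flow) -> bool:
    # rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
    return (wildcard_match(f.src, "10.1.1.0", "0.0.0.255")
            and wildcard_match(f.dst, "10.1.2.0", "0.0.0.255"))

def classifier_c1(f: Flow) -> bool:
    """traffic classifier c1 operator or: the flow matches if either ACL permits it."""
    return acl_3000(f) or acl_3001(f)

# Constructed sample flows (not captured traffic) used to audit policy coverage.
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", "tcp", 80),    # dept -> Internet, HTTP
    Flow("10.1.1.10", "203.0.113.5", "tcp", 443),   # dept -> Internet, HTTPS
    Flow("10.1.1.10", "10.1.2.20", "udp", 53),      # dept -> admin dept, DNS
    Flow("10.1.2.20", "10.1.1.10", "tcp", 80),      # admin dept -> dept
]

def coverage(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to whether classifier c1 would select it for mirroring."""
    return {f: classifier_c1(f) for f in flows}

if __name__ == "__main__":
    for flow, hit in coverage().items():
        print(flow, "mirrored" if hit else "NOT mirrored")
```

Only the second and fourth sample flows are left out: the HTTPS session because the classifier matches port 80 alone, and the administrative-department flow because its source is outside 10.1.1.0/24 (and the policy is applied inbound on GE0/0/1 only).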

Configuration Files

Switch configuration file

#
sysname Switch
#
observe-port 1 interface GigabitEthernet0/0/2
#
acl number 3000
 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
acl number 3001
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
traffic classifier c1 operator or
 if-match acl 3000
 if-match acl 3001
#
traffic behavior b1
 mirroring to observe-port 1
#
traffic policy p1 match-order config
 classifier c1 behavior b1
#
interface GigabitEthernet0/0/1
 traffic-policy p1 inbound
#
return

Applicable product models and versions

| Product Model | Software Version | Remarks |
|---|---|---|
| S2700-52P-EI, S2700-52P-PWR-EI | V100R006C05 | Only inbound traffic mirroring is supported. |
| S2710-SI | V100R006C05 | |
| S2720-EI | V200R006C10, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | |
| S2750-EI | V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 | |
| S3700-SI | V100R006C05 | |
| S3700-EI | V100R006C05 | |
| S3700-HI | V200R001C00 | |
| S5700-LI | V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 | |
| S5700S-LI | V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 | |
| S5710-C-LI | V200R001C00 | |
| S5710-X-LI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00 | |
| S5700-SI | V200R001C00, V200R002C00, V200R003C00, V200R005C00 | |
| S5720-LI, S5720S-LI | V200R010C00, V200R011C00, V200R011C10, V200R012(C00&C20), V200R013C00, V200R019C00, V200R019C10 | |
| S5720-SI, S5720S-SI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | |
| S5720I-SI | V200R012C00, V200R013C00, V200R019C00, V200R019C10 | |
| S5730-SI | V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | |
| S5730S-EI | V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | |
| S5735-L, S5735S-L | V200R019C00, V200R019C10 | |
| S5735S-L-M | V200R019C00, V200R019C10 | |
| S5735-S, S5735S-S | V200R019C00, V200R019C10 | |
| S6720-LI, S6720S-LI | V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | |
| S6720-SI, S6720S-SI | V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | |
| S5735-S-I | V200R019C10 | Only inbound traffic mirroring is supported. |
| S5700-EI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03) | Outbound traffic mirroring is supported since V200R005. |
| S5710-EI | V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02) | |
| S5700-HI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02) | |
| S5710-HI | V200R003C00, V200R005(C00&C02&C03) | |
| S6700-EI | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02) | |
| S5720-EI | V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | - |
| S5720-HI | V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | - |
| S5730-HI | V200R012C00, V200R013C00, V200R019C00, V200R019C10 | - |
| S5731-H | V200R013C02, V200R019C00, V200R019C10 | - |
| S5731-S, S5731S-S | V200R019C00, V200R019C10 | - |
| S5731S-H | V200R019C00, V200R019C10 | - |
| S5732-H | V200R019C00, V200R019C10 | - |
| S6720-EI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | - |
| S6720S-EI | V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10 | - |
| S6720-HI | V200R012C00, V200R013C00, V200R019C00, V200R019C10 | - |
| S6730-S, S6730S-S | V200R019C00, V200R019C10 | - |
| S6730-H | V200R013C02, V200R019C00, V200R019C10 | - |
| S6730S-H | V200R019C10 | - |
| S7703, S7706, S7712 | V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R013C02, V200R019C00, V200R019C10 | - |
| S7706 PoE | V200R013C00, V200R019C00, V200R019C10 | - |
| S7703 PoE | V200R013C00, V200R019C00, V200R019C10 | - |

For details about software mappings, visit Hardware Query Tool and search for the desired product model.

Copyright © Huawei Technologies Co., Ltd.