Example for Configuring ACL-based Local Traffic Mirroring
Local Traffic Mirroring Overview
In local traffic mirroring, service traffic matching configured rules is copied to an observing port that is directly connected to a monitoring device for analysis and monitoring.
You can configure traffic mirroring using Modular QoS Command-Line Interface (MQC) and ACL. MQC-based traffic mirroring is complex to configure but supports more matching rules and can be applied to both the inbound and outbound directions. ACL-based traffic mirroring is easy to configure but supports fewer matching rules than MQC-based traffic mirroring.
Configuration Notes
You must dedicate observing ports for mirroring use and do not configure other services on them to prevent mirrored traffic and other service traffic from affecting each other. Do not configure any member port of an Eth-Trunk as an observing port. If you must do so, ensure that the bandwidth of service traffic on this port and the bandwidth occupied by the mirrored traffic do not exceed the bandwidth limit of the port.
If the mirroring function is deployed on many ports of a device, a great deal of internal forwarding bandwidth will be occupied, which affects the forwarding of other services. Additionally, if the mirrored port bandwidth is higher than the observing port bandwidth, for example, 1000 Mbit/s on a mirrored port and 100 Mbit/s on an observing port, the observing port will fail to forward all mirrored packets in a timely manner because of insufficient bandwidth, leading to packet loss.
Both physical interfaces and Eth-Trunks can be configured as mirrored ports. If an Eth-Trunk is configured as a mirrored port, its member ports cannot be configured as observing ports.
Huawei S series fixed switches except S2700-SI running V100R006C05 support ACL-based local traffic mirroring. Huawei S series modular switches support ACL-based local traffic mirroring in V200R005 and later versions.
Networking Requirements
As shown in Figure 1, the science and technology department and administrative department of a company use 10.1.1.0/24 and 10.1.2.0/24 respectively to access the Internet or communicate with each other through the Switch. The monitoring device Server is directly connected to the Switch.
- Internet access traffic
- Traffic sent to the administrative department
Configuration Roadmap
- Configure GE0/0/2 of the Switch as a local observing port to forward mirrored packets to the Server.
- Configure advanced ACLs to match two types of traffic of the science and technology department: Internet access traffic and traffic sent to the administrative department.
- Configure an ACL-based traffic policy on GE0/0/1 to mirror the matching traffic.
Procedure
- Configure an observing port.
# Configure GE0/0/2 of the Switch as a local observing port.
<HUAWEI> system-view [HUAWEI] sysname Switch [Switch] observe-port 1 interface gigabitethernet 0/0/2 //Configure GE0/0/2 as local observing port 1.
- Configure advanced ACLs.
# Create two advanced ACLs numbered 3000 and 3001 on the Switch, configure ACL 3000 to match traffic with source network segment 10.1.1.0/24 and destination TCP port number WWW, and configure ACL 3001 to match traffic with source network segment 10.1.1.0/24 and destination network segment 10.1.2.0/24.
[Switch] acl number 3000 //Create ACL 3000 to allow the packets with source network segment 10.1.1.0/24 and destination TCP port number WWW to pass through. [Switch-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www [Switch-acl-adv-3000] quit [Switch] acl number 3001 //Create ACL 3001 to allow the packets with source network segment 10.1.1.0/24 and destination network segment 10.1.2.0/24 to pass through. [Switch-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Switch-acl-adv-3001] quit [Switch] traffic classifier c1 operator or //Create a traffic classifier c1, and match ACL 3000 or ACL 3001. [Switch-classifier-c1] if-match acl 3000 [Switch-classifier-c1] if-match acl 3001 [Switch-classifier-c1] quit
- Configure an ACL-based traffic policy.
# Configure an ACL-based traffic policy on GE0/0/1 of the Switch to mirror the matching traffic.
[Switch] interface gigabitethernet 0/0/1 [Switch-GigabitEthernet0/0/1] traffic-mirror inbound acl 3000 to observe-port 1 //Mirror the incoming packets that match ACL 3000 on GE0/0/1 to observing port 1. [Switch-GigabitEthernet0/0/1] traffic-mirror inbound acl 3001 to observe-port 1 //Mirror the incoming packets that match ACL 3001 on GE0/0/1 to observing port 1. [Switch-GigabitEthernet0/0/1] return
- Verify the configuration.
# Check ACL rules and traffic behavior information.
<Switch> display traffic-applied interface gigabitethernet 0/0/1 inbound ----------------------------------------------------------- ACL applied inbound interface GigabitEthernet0/0/1 ACL 3000 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www (match-counter 0) ACTIONS: mirror to observe-port 1 ----------------------------------------------------------- ACL 3001 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (match-counter 0) ACTIONS: mirror to observe-port 1 -----------------------------------------------------------
# Check the observing port configuration.
<Switch> display observe-port ---------------------------------------------------------------------- Index : 1 Untag-packet : No Interface : GigabitEthernet0/0/2 ----------------------------------------------------------------------
# Check the mirroring configuration.
<Switch> display port-mirroring ---------------------------------------------------------------------- Observe-port 1 : GigabitEthernet0/0/2 ---------------------------------------------------------------------- Stream-mirror: ---------------------------------------------------------------------- Behavior Direction Observe-port ---------------------------------------------------------------------- 1 SACL - Observe-port 1 ----------------------------------------------------------------------
Configuration Files
Configuration file of the Switch
# sysname Switch # observe-port 1 interface GigabitEthernet0/0/2 # acl number 3000 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www acl number 3001 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 # interface GigabitEthernet0/0/1 traffic-mirror inbound acl 3000 to observe-port 1 traffic-mirror inbound acl 3001 to observe-port 1 # return