Licensing Requirements and Limitations for Mirroring
Involved Network Elements
The switch needs to work with a monitoring device, which analyzes the mirrored traffic sent to it.
Licensing Requirements
Mirroring is a basic feature of a switch and is not under License control.
Feature Support in V200R019C10
Model |
Port Mirroring |
Traffic Mirroring |
VLAN Mirroring |
MAC Address Mirroring |
|---|---|---|---|---|
S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720I-SI, S5720S-SI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI |
Supported |
Only local inbound traffic mirroring is supported. |
Supported |
Supported |
S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I |
Supported |
Only inbound traffic mirroring is supported. |
Supported |
Supported |
S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S |
Supported |
Supported |
Supported |
Supported |
S5720-EI, S6720-EI, S6720S-EI |
Supported |
Supported |
Supported |
Supported |
S5720-HI |
Supported |
Supported |
Not supported |
Not supported |
For details about software mappings, visit Hardware Query Tool and search for the desired product model.
Feature Limitations
In a stack, packets can be mirrored from one member switch to another.
Packets mirrored to an observing port cannot be mirrored again on the same device.
Assuming that Port1 on switch A mirrors the received packets to the observing port Port2 on switch A, the outgoing packets on Port2 cannot be mirrored.
In versions earlier than V200R019C10, the S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-HI, S6730-H, S6730-S, and S6730S-S do not support VLAN mirroring or MAC address mirroring. You can configure traffic mirroring with traffic classification rules VLAN ID and MAC address.
On the S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, a physical port cannot be configured as an observing port and mirrored port simultaneously.
On the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, a physical port cannot be configured as an observing port and outbound mirrored port simultaneously.
- On the S5700-HI, S5710-EI, S5710-HI, S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6700-EI, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S running V200R005 or a later version, an Eth-Trunk can function as an observing port. In a stack, Eth-Trunk member ports can be located on different member switches.
- For the S5720-EI, if a total of four remote observing ports are bound in both the inbound and outbound directions of all mirrored ports, of those bound in the inbound direction, at least one must be different from those bound in the outbound direction.
For the S6720-EI and S6720S-EI, outbound traffic mirroring only copies known unicast packets. When outbound traffic mirroring is configured in a traffic behavior, other actions cannot be configured in the traffic behavior; otherwise, outbound traffic mirroring is ineffective.
On switches of versions earlier than V200R005, S5700-EI, S6700-EI, S6720S-EI, and S6720-EI of V200R005 and later versions, the copy of outbound packets may be different from the original packets because the mirroring operation is performed before other forwarding operations on the original packets. For example, if the DSCP value of the original packets needs to be changed, the copied packets are different from the original packets because they have been copied to the observing port before the change.
You must dedicate observing ports for mirroring use and do not configure other services on them to prevent mirrored traffic and other service traffic from affecting each other. Do not configure any member port of an Eth-Trunk as an observing port. If you must do so, ensure that the bandwidth of service traffic on this port and the bandwidth occupied by the mirrored traffic do not exceed the bandwidth limit of the port.
If the mirroring function is deployed on many ports of a device, a great deal of internal forwarding bandwidth will be occupied, which affects the forwarding of other services. Additionally, if the mirrored port bandwidth is higher than the observing port bandwidth, for example, 1000 Mbit/s on a mirrored port and 100 Mbit/s on an observing port, the observing port will fail to forward all mirrored packets in a timely manner because of insufficient bandwidth, leading to packet loss.
When configuring remote mirroring, you are advised not to perform other service configuration in the VLAN associated with the observing port, that is, the VLAN used to transmit mirrored packets to the monitoring device. On the intermediate device between the observing port and monitoring device, run the mac-address learning disable command in the VLAN associated with the observing port to disable MAC address learning, and run the undo mac-address vlan vlan-id command in the system view to delete all MAC address entries in this VLAN.
If both port mirroring and traffic mirroring are configured simultaneously for the same packets on the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-S, port mirroring takes effect. On other switch models, traffic mirroring takes precedence over port mirroring.
- For the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, if N:1 mirroring or multiple 1:1 mirroring configurations are implemented, mirrored packets may be lost.
- For the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, and S5735S-S, when configuring inbound mirroring, the packets that are discarded due to the rate limit in the inbound direction cannot be mirrored.
- When the same observing port is configured for outbound mirroring and inbound mirroring and multiple mirrored ports reside on the same S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735-S-I, or S5735S-S switch, only one copy of the same packets is mirrored to the observing port. In V200R019C10 and later versions, you can run the observe-port dynamic-allocation enable command to enable the function of dynamically applying for observing port resources, so that multiple copies of the same packets can be mirrored to the observing port.
An observing port in blocked state can still forward mirrored packets.
During the traffic mirroring configuration, the deny parameter cannot be configured in the ACL referenced in a traffic classifier. Otherwise, the packets matching the deny parameter can still be mirrored, but the original packets will be discarded. Therefore, to mirror only the specified service packets, set the permit parameter in all ACL rules.
- If remote port mirroring is configured, the switches through which the mirrored traffic passes perform STP calculation on the mirrored BPDUs, resulting in an STP convergence exception.