Switch port mirroring and how it works

Port mirroring copies the data passing through one or more switch ports (or a VLAN) to one or more other ports.
On a switch that supports it, the switch is configured to copy the packets of one port to another port; the port mirroring process is shown below:

[Figure: switch port mirroring principle]
Port 1 is mirrored to port 2, so port 2 is the mirror port. Because the traffic passing through port 1 can be seen on port 2, port 2 is called the monitoring port and port 1 the monitored port.
On most switches now on the market (e.g. Cisco products), once a port is set as the mirror port, the host attached to it can no longer send packets to other machines in the network; the port enters a receive-only mode. This is inconvenient for monitoring, because the monitoring system cannot send any packets to the clients and therefore cannot control them. Ping32 has a special means of handling this case; users who encounter it can consult our technical staff.
There are still exceptions, however. For example, the low-end switches commonly bought by Ping32 customers, the TP-Link SF-2005 (around 200, for 20 users or fewer) and the TP-Link 2428web (around $700, for 60 or more computers), are cheap, functional and practical and offer better value than the big-brand switches, so we generally advise clients who need monitoring to buy one of these two.
Note: if more than 20 computers are to be monitored, the TP-Link 2428web is recommended. It is the better-performing switch: its backplane bandwidth and packet forwarding rate are much higher than those of the TP-Link SF-2005, and it has two gigabit ports that can be used as monitor ports. Switches of other brands work just as well with Ping32 monitoring, as long as they support port mirroring. Tip: some commonly used TP-Link switch models support port mirroring.
Purpose of port mirroring
Deployed IDS products need to observe network traffic (network analyzers do too), but in the switched networks now in wide use it is quite difficult to see all traffic. It is therefore necessary to configure the switch so that the data of one or more ports (or VLANs) is forwarded to a port where it can be captured.
Port mirroring function
To monitor all packets entering and leaving the network, monitoring software is installed on a management server that collects the data; Internet cafes, for example, must provide this capability so that data can be submitted to the public security authorities for review. For corporate information security, where company secrets must be protected, there is likewise an urgent need for a network port that provides such real-time monitoring. In an enterprise that uses port mirroring, data on the internal network can be monitored and managed well, and when the network fails the fault can be located easily. In general, by configuring port mirroring and installing the Ping32 online behaviour management software, the whole network can be monitored.
(Note: the switch copies the frames transmitted or received on one port identically to another port; the port being copied is called the source port, and the port receiving the copy is called the destination port.)
Port mirroring usually goes by the following aliases:
Port Mirroring: generally refers to copying the traffic of one port to another port, while that other port cannot transmit data.
Monitoring Port
Spanning Port: generally refers to allowing the traffic of all ports to be copied to another port, while that port cannot transmit data. SPAN ports are common on production Cisco switches; SPAN usually stands for Switched Port ANalyzer. A SPAN port on a Cisco switch does not support transmitting data. The traffic can be monitored by a dedicated device, which is very helpful for troubleshooting.
How port mirroring works: the main role of SPAN (Switched Port Analyzer) is to deliver a certain kind of network traffic to a network analyzer.
Data from several source ports can be mirrored to one monitor port, and data from a VLAN can likewise be mirrored to one port for temporary monitoring. For example, all data streams on source port 5 are mirrored to monitor port 10, and the analysis device attached to port 10 receives all the data streams of port 5. Note that the source port and the mirror port must be on the same switch (with exceptions such as the Catalyst 6000 series), and that SPAN does not affect the switching of the source port: it only sends a copy of the packets the source port sends or receives to the monitor port.
In a SPAN task the user can control parameters that specify the type of data stream to monitor; one or more ports, or one or more VLANs, can be designated as the source, and the data they transmit or receive, in one direction or both, is sent to the monitor port. A Catalyst 4006 switch supports up to six SPAN tasks: two monitoring input streams and four monitoring output streams. A bidirectional SPAN task actually consists of one input task and one output task. Not only Layer 2 switch ports but also Layer 3 routed ports on the Catalyst 4006 can be set as source ports.
A SPAN task does not affect the normal operation of the switch. When a SPAN task is created it is either active or inactive, depending on the state of the switch or the operation, and the system logs this. The "show monitor session" command displays the current status of SPAN.
If the system is restarted, the SPAN task is inactive until the destination port finishes initializing. The destination port (monitor port) can be any switched or routed port on the switch. When a destination port is active, any packets sent to the port that are unrelated to the SPAN task are dropped.
A port can belong to only one SPAN task. Once a port is designated the destination port it cannot also be a source port, and a port of a redundant link cannot be a SPAN destination port. In particular, if a trunk port is configured as a SPAN destination port, its trunk function stops automatically.
The source port can also be called the monitored port. One SPAN task can have one or more source ports, each set by the user to the input direction, the output direction or both, but in any case all source ports of one SPAN task must monitor the same direction. On the Catalyst 4006 a whole VLAN can also be set as the source, which means that all ports in the specified VLAN are source ports of the current SPAN task.
A trunk port can be used alone as the source port or together with non-trunk ports. Note that the monitor port does not recognize the encapsulation of data coming from the different VLANs of a trunk port; in other words, the monitor port cannot tell which VLAN a received packet came from.
SPAN data streams fall into three categories:
(1) Input stream (Ingress SPAN): a copy of the data received on the source port is sent to the monitor port.
(2) Output stream (Egress SPAN): a copy of the data sent out by the source port is sent to the monitor port.
(3) Bidirectional (Both SPAN): the two combined.
VLAN-based SPAN takes one or several VLANs as the monitored object, with all ports in them as source ports. Like port-based SPAN, VLAN-based SPAN is divided into input, output and bidirectional monitoring.
When configuring a VLAN-based SPAN task, note the following:
(1) The source ports may include trunk ports.
(2) In a bidirectional SPAN task, if two source ports in the source VLAN exchange data, two copies of each packet are forwarded to the mirror port.
(3) If a SPAN task has several source VLANs and one source VLAN is deleted, it is also removed from the task's source VLAN list.
(4) VLANs in the inactive state cannot take part in SPAN tasks.
(5) For a source VLAN monitoring the input stream, packets routed in from other VLANs are not mirrored; likewise, for a source VLAN monitoring the output stream, packets routed out to other VLANs are not mirrored. In other words, a VLAN SPAN task mirrors only the Layer 2 switched packets of the VLAN's ports, not the packets routed between VLANs.
All packets that are not routed through the gateway, as well as multicast packets including BPDUs (Bridge Protocol Data Units), can be mirrored by a SPAN task.
In some SPAN configurations several copies of the same source packet are sent to the SPAN monitor port. As mentioned earlier, in a bidirectional SPAN task with source ports a1 and a2 and destination port d1, a packet transmitted from a1 to a2 is copied to d1 twice (once as a1 receives it and once as a2 sends it), and vice versa.
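The constraints listed above (one destination per session, a destination that is not also a source, a single direction per session, a trunk that stops trunking when used as destination, and the double copy in a bidirectional session) are easy to get wrong when planning several sessions by hand. The following Python script is an added example, not code from the original article or from any switch vendor: it models a small switch with an assumed port inventory (port names, rates and trunk flags are invented for the example), checks a list of local SPAN sessions against those rules, and counts how many copies of a frame between two source ports the destination port will see. The rate check also flags a destination slower than a source and, as an extra warning, a worst-case mirrored load that exceeds what the destination port can carry.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed port inventory of one switch: port -> (rate in Mbit/s, is_trunk).
# Port names, rates and trunk flags are assumptions made for this example.
PORTS: Dict[str, Tuple[int, bool]] = {
    "Fa0/1": (100, False), "Fa0/2": (100, False), "Fa0/3": (100, False),
    "Fa0/4": (100, False), "Gi0/1": (1000, True), "Gi0/2": (1000, False),
}

@dataclass
class SpanSession:
    number: int
    sources: Dict[str, str]   # source port -> "rx", "tx" or "both"
    destination: str

def validate_sessions(sessions: List[SpanSession]) -> List[Tuple[str, str]]:
    """Check local SPAN sessions against the constraints described in the text.
    Returns (severity, message) pairs; an empty list means the plan is clean."""
    findings: List[Tuple[str, str]] = []
    dest_owner: Dict[str, int] = {}
    all_sources = {p for s in sessions for p in s.sources}
    for s in sessions:
        unknown = [p for p in list(s.sources) + [s.destination] if p not in PORTS]
        if unknown:
            findings.append(("error", f"session {s.number}: unknown port(s) {unknown}"))
            continue
        # A port may be the destination of only one session.
        if s.destination in dest_owner:
            findings.append(("error", f"session {s.number}: {s.destination} is already the "
                                      f"destination of session {dest_owner[s.destination]}"))
        dest_owner[s.destination] = s.number
        # A destination port cannot also be a source port, in this or any other session.
        if s.destination in all_sources:
            findings.append(("error", f"session {s.number}: destination {s.destination} "
                                      "is also used as a source port"))
        # All source ports of one session must monitor the same direction.
        directions = set(s.sources.values())
        if len(directions) > 1:
            findings.append(("error", f"session {s.number}: mixed directions {sorted(directions)}"))
        # A trunk configured as destination automatically stops trunking.
        if PORTS[s.destination][1]:
            findings.append(("warning", f"session {s.number}: {s.destination} is a trunk "
                                        "and will stop trunking"))
        # Rate check: the destination must not be slower than a mirrored source, and the
        # worst-case mirrored load (rx plus tx for "both") should fit into the destination.
        dest_rate = PORTS[s.destination][0]
        load = 0
        for port, direction in s.sources.items():
            rate = PORTS[port][0]
            if rate > dest_rate:
                findings.append(("error", f"session {s.number}: source {port} ({rate}M) is "
                                          f"faster than destination {s.destination} ({dest_rate}M)"))
            load += rate * (2 if direction == "both" else 1)
        if load > dest_rate:
            findings.append(("warning", f"session {s.number}: worst-case mirrored load {load}M "
                                        f"exceeds destination rate {dest_rate}M; drops likely"))
    return findings

def mirrored_copies(session: SpanSession, sender_port: str, receiver_port: str) -> int:
    """How many copies of one frame (entering the switch on sender_port and leaving on
    receiver_port) the session's destination port receives."""
    copies = 0
    if session.sources.get(sender_port) in ("rx", "both"):
        copies += 1   # copied when the frame is received on the sender's port
    if session.sources.get(receiver_port) in ("tx", "both"):
        copies += 1   # copied again when the frame is transmitted out of the receiver's port
    return copies

if __name__ == "__main__":
    plan = [SpanSession(1, {"Fa0/1": "both", "Fa0/2": "both"}, "Gi0/2")]
    for severity, msg in validate_sessions(plan):
        print(severity, msg)
    print("copies of a Fa0/1 -> Fa0/2 frame on Gi0/2:", mirrored_copies(plan[0], "Fa0/1", "Fa0/2"))
```

The load check treats a "both" source as two full-rate streams, which is the worst case on a full-duplex link; a monitor port that is slower than the combined mirrored traffic silently drops what it cannot send, so an analyzer attached to it would miss packets without any error being reported.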
How to set up port mirroring
Cisco Catalyst switch port monitor configuration
Cisco Catalyst switches fall into two types; in the Catalyst family the listening port is called the analysis port.
1. Port monitor configuration on Catalyst 2900XL/3500XL/2950 series switches (CLI-based)
The port monitor command configures a listening port.
For example, F0/1, F0/2 and F0/3 belong to VLAN1, and F0/1 listens to ports F0/2 and F0/3:
interface FastEthernet0/1
 port monitor FastEthernet0/2
 port monitor FastEthernet0/3
 port monitor VLAN1
2. Port monitor configuration on Catalyst 4000, 5000 and 6000 series switches (IOS-based)
The configuration command is set span.
For example, module 1 ports 1 and 2 belong to VLAN1 and ports 3, 4 and 5 belong to VLAN2; port 2 listens to ports 1, 3, 4 and 5:
set span 1/1,1/3-5 1/2

The 2950/3550/3750 use the following format:
monitor session session_number source interface mod_number/port_number both
monitor session session_number destination interface mod_number/port_number
! rx mirrors only the traffic entering the port, tx only the traffic leaving it, and both mirrors both directions
For example:
The first mirror session mirrors source ports 1 to 10 of module 1 to port 12:
monitor session 1 source interface 1/1-10 both
monitor session 1 destination interface 1/12
The second mirror session mirrors source ports 13 to 20 of module 2 to port 24:
monitor session 2 source interface 2/13-20 both
monitor session 2 destination interface 2/24
With several mirror sessions, change the session number and module parameters accordingly.
The Catalyst 2950 and 3550 do not support the port monitor command; use monitor session instead:
C2950# configure terminal
C2950(config)#
C2950(config)# monitor session 1 source interface fastEthernet 0/2
! -- Interface Fa0/2 is configured as the source port.
C2950(config)# monitor session 1 destination interface fastEthernet 0/3
! -- Interface Fa0/3 is configured as the destination port.
Huawei switch port mirroring configuration (brief)
I. Configuration environment parameters

  1. PC1 is connected to switch port E0/1, IP address 1.1.1.1/24
  2. PC2 is connected to switch port E0/2, IP address 2.2.2.2/24
  3. E0/24 is the switch uplink port
  4. The server is connected to switch port E0/8, which is the mirror (observing) port
    "Network requirements"
    1. Use the switch's port mirroring function so that the server monitors the traffic of the two PCs.
    2. Configure mirroring in two different ways:
    1) port-based mirroring
    2) flow-based mirroring
    II. Configuration steps
    "Port-based mirroring"
    Port-based mirroring copies all packets passing through the mirrored port to the observing port, so that traffic can be observed or faults located.
    [S3026 and similar switches]
    The S2008/S2016/S2026/S2403H/S3026 and similar switches support port-based mirroring in two ways:
    Method 1
    1. Configure the mirror (observing) port:
    [SwitchA] monitor-port e0/8
    2. Configure the mirrored ports:
    [SwitchA] port mirror Ethernet 0/1 to Ethernet 0/2
    Method 2
    Define the observing port and the mirrored ports in a single command:
    [SwitchA] port mirror Ethernet 0/1 to Ethernet 0/2 observing-port Ethernet 0/8
    [Port mirroring configuration on the 8016]
    1. Suppose that on the 8016 the observing port is E1/0/15 and the mirrored port is E1/0/0. Set port 1/0/15 as the observing port:
    [SwitchA] monitor-port ethernet 1/0/15
    2. Set port 1/0/0 as the mirrored port, mirroring both its input and output data:
    [SwitchA] mirroring-port ethernet 1/0/0 both ethernet 1/0/15
    The input and output data can also be mirrored to two different ports:
    1. Set E1/0/15 and E2/0/0 as the mirror (observing) ports:
    [SwitchA] monitor-port ethernet 1/0/15
    2. Set port 1/0/0 as the mirrored port, using E1/0/15 and E2/0/0 for the mirrored input and output data respectively:
    [SwitchA] mirroring-port gigabitethernet 1/0/0 ingress ethernet 1/0/15
    [SwitchA] mirroring-port gigabitethernet 1/0/0 egress ethernet 2/0/0
    "Flow-based mirroring"
    Flow-based mirroring mirrors only selected flows. Each connection has two directions of data flow, and the switch mirrors the two flows separately.
    [3500/3026E/3026F/3050]
    〖Layer 3 flow-based mirroring〗
    1. Define an extended ACL:
    [SwitchA] acl num 100
    2. Define a rule for all packets whose source address is 1.1.1.1/32, to any destination:
    [SwitchA-acl-adv-100] rule 0 permit ip source 1.1.1.1 0 destination any
    3. Define a rule for all packets, from any source, whose destination address is 1.1.1.1/32:
    [SwitchA-acl-adv-100] rule 1 permit ip source any destination 1.1.1.1 0
    4. Mirror the packets matching the above ACL to port E0/8:
    [SwitchA] mirrored-to ip-group 100 interface e0/8
    〖Layer 2 flow-based mirroring〗
    1. Define an ACL:
    [SwitchA] acl num 200
    2. Define a rule for all packets entering on E0/1 and leaving on E0/2:
    [SwitchA] rule 0 permit ingress interface Ethernet0/1 egress interface Ethernet0/2
    3. Define a rule for all packets entering on E0/2 and leaving on E0/1:
    [SwitchA] rule 1 permit ingress interface Ethernet0/2 egress interface Ethernet0/1
    4. Mirror the packets matching the above ACL to E0/8:
    [SwitchA] mirrored-to link-group 200 interface e0/8
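The two ACL groups above select traffic by different criteria: group 100 by IP addresses written in the "address wildcard" form (1.1.1.1 0 meaning the single host), group 200 by the pair of ingress and egress interfaces. The following Python script is an added example, not code from the article or from the switch vendor: it models both rule types, converts the wildcard notation to a network, and reports which groups would mirror each of a few constructed packets to the observing port e0/8. The packets, the Internet address 203.0.113.10 (a documentation address) and the interface names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    ingress: str   # port the frame entered the switch on
    egress: str    # port the switch forwards it out of

@dataclass
class L3Rule:
    """Extended ACL rule: source and destination are either "any" or an
    (address, wildcard) pair in the "1.1.1.1 0" form used in the text."""
    source: Union[str, Tuple[str, str]]
    destination: Union[str, Tuple[str, str]]

@dataclass
class L2Rule:
    """Layer 2 ACL rule matching the ingress and egress interface names."""
    ingress: str
    egress: str

@dataclass
class MirrorGroup:
    acl_number: int
    rules: List[Union[L3Rule, L2Rule]]
    observing_port: str

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an "address wildcard" pair to a network. Wildcard bits set to 1 are
    ignored when matching; a wildcard of "0" (or "0.0.0.0") means the exact host.
    Non-contiguous wildcards are not supported and raise ValueError."""
    w = ipaddress.IPv4Address(wildcard) if "." in wildcard else ipaddress.IPv4Address(int(wildcard))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(w))
    return ipaddress.ip_network((addr, str(netmask)), strict=False)

def _ip_matches(ip: str, spec) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in wildcard_to_network(*spec)

def rule_matches(rule, pkt: Packet) -> bool:
    if isinstance(rule, L3Rule):
        return _ip_matches(pkt.src_ip, rule.source) and _ip_matches(pkt.dst_ip, rule.destination)
    return pkt.ingress == rule.ingress and pkt.egress == rule.egress

def matching_groups(pkt: Packet, groups: List[MirrorGroup]) -> List[int]:
    """ACL numbers of every mirror group whose rules match the packet; each matching
    group sends its own copy to its observing port."""
    return [g.acl_number for g in groups if any(rule_matches(r, pkt) for r in g.rules)]

# The two groups from the text: ACL 100 (Layer 3) and ACL 200 (Layer 2), both to e0/8.
GROUPS = [
    MirrorGroup(100, [L3Rule(("1.1.1.1", "0"), "any"), L3Rule("any", ("1.1.1.1", "0"))], "e0/8"),
    MirrorGroup(200, [L2Rule("Ethernet0/1", "Ethernet0/2"), L2Rule("Ethernet0/2", "Ethernet0/1")], "e0/8"),
]

# Constructed sample traffic; 203.0.113.10 stands in for a host on the Internet.
SAMPLE = {
    "pc1_to_internet": Packet("1.1.1.1", "203.0.113.10", "Ethernet0/1", "Ethernet0/24"),
    "internet_to_pc1": Packet("203.0.113.10", "1.1.1.1", "Ethernet0/24", "Ethernet0/1"),
    "pc2_to_internet": Packet("2.2.2.2", "203.0.113.10", "Ethernet0/2", "Ethernet0/24"),
    "pc1_to_pc2":      Packet("1.1.1.1", "2.2.2.2", "Ethernet0/1", "Ethernet0/2"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:16s} mirrored by ACL groups {matching_groups(pkt, GROUPS)}")
```

Running it shows that PC2's Internet traffic is not mirrored at all by these rules, while a packet from PC1 to PC2 matches both groups and would reach e0/8 twice; when both groups point at the same observing port, that doubling is worth checking for before attaching an analyzer that counts packets.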
    [5516/6506/6503/6506R]
    These products currently support flow-based mirroring as follows:
    1. Define the observing port:
    [SwitchA] monitor-port Ethernet 3/0/2
    2. Define the mirrored port:
    [SwitchA] mirroring-port Ethernet 3/0/1 inbound
    [Supplement]
  1. Generally a higher-rate port can serve as the observing port for a lower-rate port (for example, a 1000M port observing a 100M port), but not the other way round.
  2. The 8016 supports cross-board port mirroring.
    III. Verification
    With a software tool on the observing port, the corresponding packets of the mirrored port can be seen, and the traffic can be observed or faults located.
    Note: different software versions of the same model sometimes differ in their configuration; the operating manual for your version is authoritative. For switches of other brands, refer to the relevant documentation to configure mirroring correctly; they are not listed here.
    Once port mirroring is correctly configured on the switch, the Ping32 Internet monitoring and management software can be used normally. The general configuration is to mirror the port that carries all outbound data to the port where the Ping32 server is connected to the switch, which is the one-to-one port mirroring discussed here. Unless there are special needs we do not use many-to-one port mirroring (mirroring several source ports to one port), because under normal circumstances mirroring the total outbound data to Ping32 is enough to monitor and manage the entire network.

Origin blog.csdn.net/qq_44892098/article/details/91502704