yingfeng

Configuring multiple traffic mirror observation ports on an H3C switch

An intrusion detection device was installed in a customer's server room and needs a mirror of all traffic on the core switch for analysis. The customer, however, already has a network monitoring device in that room: a traffic mirror with an observation (monitor) port had already been configured on the core switch, and that port is occupied by the monitoring device. Testing showed that this H3C switch cannot configure more than one observation port for a single mirroring group, so the new device could not be deployed as planned. The intrusion detection device in this scenario can only be deployed out of band, fed from a mirror, so a second observation port is required. When several devices need mirrored traffic, the simplest answer is to add a TAP switch, but TAP switches are expensive; if I proposed that, sales would probably kill me. After checking the documentation, I found that a remote mirroring VLAN (remote probe VLAN) can be used to implement local mirroring to multiple destination ports.

Network topology:
I am too lazy to draw a diagram. In short: one core switch with a bunch of devices connected to it, and the devices that need to analyze traffic are also connected to that same switch.

The specific configuration is as follows:

 # Create remote source mirroring group 1
 [H3C] mirroring-group 1 remote-source
 # Add the ports to be mirrored as source ports of group 1 (here all of ports 1-20); "both" mirrors inbound and outbound traffic
 [H3C] mirroring-group 1 mirroring-port g1/0/1 to g1/0/20 both
 # Configure an unused port as the reflector port of group 1 (port 23 here); the switch clears the port's existing configuration
 [H3C] mirroring-group 1 reflector-port g1/0/23
 This operation may delete all settings made on the interface. Continue? [Y/N]:y
 # Disable spanning tree on the reflector port
 [H3C] interface g1/0/23
 [H3C-GigabitEthernet1/0/23] undo stp enable
 # Create VLAN 10 and configure it as the remote probe VLAN of group 1
 [H3C] vlan 10
 [H3C-vlan10] quit
 [H3C] mirroring-group 1 remote-probe vlan 10
 # Disable MAC address learning in VLAN 10, so mirrored frames are flooded to every port in the VLAN
 [H3C] vlan 10
 [H3C-vlan10] undo mac-address mac-learning enable

Once the configuration is complete, the link LED of the reflector port (port 23 in this case) lights up even with nothing plugged in. Each device that needs to analyze traffic is then connected to a port assigned to the remote probe VLAN (VLAN 10 here): because MAC learning is disabled in that VLAN, every frame the reflector port injects is flooded to all member ports, so each of them receives a full copy of the mirrored traffic. Note that any port assigned to the remote probe VLAN must be removed from the mirroring group's source ports.
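The whole procedure collected into one sequence, including the step the text describes only in prose (assigning the analysis ports to the remote probe VLAN) and a verification command. This is an added example, not configuration from the original post. The port numbers for the existing monitoring device (g1/0/21) and the intrusion detection device (g1/0/22) are assumptions; ports 1-20 and reflector port g1/0/23 follow the post.

```text
# Remote source mirroring group: source ports -> reflector port -> remote probe VLAN
[H3C] mirroring-group 1 remote-source
# Source ports 1-20, both directions (as in the post); the analysis ports must NOT be in this list
[H3C] mirroring-group 1 mirroring-port g1/0/1 to g1/0/20 both
# Reflector port: an otherwise unused port; the switch wipes its configuration
[H3C] mirroring-group 1 reflector-port g1/0/23
[H3C] interface GigabitEthernet 1/0/23
[H3C-GigabitEthernet1/0/23] undo stp enable
[H3C-GigabitEthernet1/0/23] quit
# Remote probe VLAN 10: MAC learning off so every mirrored frame floods to all member ports
[H3C] vlan 10
[H3C-vlan10] quit
[H3C] mirroring-group 1 remote-probe vlan 10
[H3C] vlan 10
[H3C-vlan10] undo mac-address mac-learning enable
[H3C-vlan10] quit
# Existing network monitoring device (assumed port 21): access port in VLAN 10 only
[H3C] interface GigabitEthernet 1/0/21
[H3C-GigabitEthernet1/0/21] port link-type access
[H3C-GigabitEthernet1/0/21] port access vlan 10
[H3C-GigabitEthernet1/0/21] undo stp enable
[H3C-GigabitEthernet1/0/21] quit
# Intrusion detection device (assumed port 22): second copy of the same traffic
[H3C] interface GigabitEthernet 1/0/22
[H3C-GigabitEthernet1/0/22] port link-type access
[H3C-GigabitEthernet1/0/22] port access vlan 10
[H3C-GigabitEthernet1/0/22] undo stp enable
[H3C-GigabitEthernet1/0/22] quit
# Verify: group type remote-source, source ports, reflector port and probe VLAN; VLAN 10 members
[H3C] display mirroring-group all
[H3C] display vlan 10
```

Two checks worth doing after this. First, `display vlan 10` must list only the reflector port and the analysis ports; if VLAN 10 is permitted on any trunk uplink, a full copy of the core switch's traffic leaks to the neighbouring switch. Second, because learning is disabled, anything plugged into a VLAN 10 access port sees all mirrored production traffic, so those ports should be treated as sensitive and left unused when no analysis device is attached.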

This article was published at yingfeng Blog >> Configuring multiple traffic mirror observation ports on an H3C switch; please credit the source when reprinting.

2 comments


    When will it be updated?

    Linlin, four years ago (2021-02-27), reply
    • The salted fish has been busy for a while. After the 15th it will probably still be busy; there have been a lot of accidents recently. The snail board I collected earlier has been stuffed into a 3455; it collapsed a few days ago, and I'm still struggling with it.

      yingfeng, four years ago (2021-02-28), reply