Note on router port mirroring

Source: Internet
Author: User

Port mirroring is a method of copying data from one or more ports of a vswitch to one or more other ports: it copies the packets of the specified port and VLAN to other ports. The destination port is connected to a data monitoring device. To analyze the traffic of one or more network interfaces, you can configure a vswitch to forward the data of one or more ports to a port used for network listening.

1. According to the range of use, port mirroring can be divided into the following three types:

1. Local port mirroring: packets from the device's source port, source VLAN, and source CPU are copied to the destination port of the device, where they are monitored and analyzed.

2. Remote port mirroring across Layer 2: packets from the source port/source VLAN/source CPU of the device are copied over a Layer 2 network to the destination port of another device, where they are monitored and analyzed.

3. Remote port mirroring across Layer 3: packets from the device's source port, source VLAN, and source CPU are copied over a Layer 3 network to the destination port of another device, where the source packets are monitored and analyzed.

2. Port mirroring is implemented through mirroring groups. Mirroring groups can be divided into local mirroring groups, remote source mirroring groups, and remote destination mirroring groups.

● 1. Local port mirroring can mirror all packets by means of a local mirroring group, that is, the source port, the ports in the source VLAN, or the source CPU are in the same local mirroring group as the destination port. The device copies the source port packets and forwards them to the target port.

Packets from the source port, source VLAN, and source CPU are mirrored to the destination port. In this way, data monitoring devices connected to the destination port can monitor and analyze these packets. The local mirroring group supports cross-board mirroring, that is, the destination port and the source port, the ports in the source VLAN, or the source CPU can be on different boards of the same device.

● 2. Cross-layer remote port mirroring can mirror all packets other than protocol packets. It is implemented through cooperation between the remote source mirroring group and the remote destination mirroring group. You create a remote source mirroring group on the source device. After the source device copies the packets of the source port, source VLAN, and source CPU, it broadcasts the packets in the remote mirroring VLAN through the reflection port and sends them to the target device through an intermediate device.

After the target device receives the packets, if the VLAN ID is the same as that of the remote mirroring VLAN in the remote destination mirroring group, the device forwards the packets to the target port. The data monitoring device connected to the destination port can then monitor and analyze the packets of the source port, source VLAN, and source CPU on the source device.

3. You can create a remote source mirroring group on the source device and a remote target mirroring group on the target device. After the source device copies the packets of the source port, source VLAN, and source CPU, it broadcasts the packets in the remote mirroring VLAN through the outbound port and sends them to the target device through the intermediate device. The data monitoring device connected to the destination port can then monitor and analyze the packets of the source port, source VLAN, and source CPU on the source device.

● 1. Users need to ensure that the source devices and the destination devices of the remote mirroring VLAN can reach each other through the L2 network.

● 2. The source port, source VLAN, and source CPU packets are broadcast in the remote mirroring VLAN of the source device. Therefore, you can add other ports on the source device to the remote mirroring VLAN to implement the local port mirroring function. When the mirrored packet is sent to the remote destination device, the user must ensure that the VLAN ID in the mirrored packet is correct. If the VLAN ID is modified or deleted, the cross-layer remote mirroring function will become invalid.

● 3. Cross-layer remote port mirroring can mirror all packets other than protocol packets. It is implemented through the cooperation of the remote source mirroring group, the remote destination mirroring group, and a GRE tunnel. On the source device, packets from the source port, source VLAN, and source CPU are mirrored to the Tunnel interface and then transmitted to the target device through the GRE tunnel. The destination device forwards the packets to the destination port through the Tunnel interface.
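
The VLAN ID requirement in the notes above can be checked frame by frame. The following Python model is an added example, not part of the original page: it tags a mirrored frame with the remote mirroring VLAN, passes it through intermediate devices, and applies the destination device's VLAN ID match. The VLAN IDs (200, 300), the hop names, and the sample frame are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def set_vlan(frame: bytes, vid: int) -> bytes:
    """Tag the frame with vid, replacing an existing outer tag if present."""
    payload = frame[16:] if vlan_id(frame) is not None else frame[12:]
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + payload

def strip_vlan(frame: bytes) -> bytes:
    """Remove the outer 802.1Q tag, as an untagged egress port would."""
    return frame[:12] + frame[16:] if vlan_id(frame) is not None else frame

def trace_mirror(frame: bytes, mirror_vlan: int, hops):
    """Follow one mirrored frame from the source device to the destination device.

    hops is a list of (name, function) pairs modelling intermediate devices.
    Returns (delivered, culprit): culprit is the first hop after which the
    frame no longer carries mirror_vlan, or None if the tag survived.
    """
    frame = set_vlan(frame, mirror_vlan)  # source device: copy into the mirroring VLAN
    culprit = None
    for name, hop in hops:
        frame = hop(frame)
        if culprit is None and vlan_id(frame) != mirror_vlan:
            culprit = name
    # Destination device: forward to the destination port only on a VLAN ID match.
    return vlan_id(frame) == mirror_vlan, culprit

# Constructed sample frame: broadcast dst MAC, src MAC, EtherType IPv4, dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + bytes(19)
MIRROR_VLAN = 200                               # assumed remote mirroring VLAN ID

def trunk(f): return f                          # carries the tag unchanged
def remap(f): return set_vlan(f, 300)           # VLAN mapping modifies the ID
def access(f): return strip_vlan(f)             # untagged port deletes the tag

if __name__ == "__main__":
    for path in ([("sw-a", trunk), ("sw-b", trunk)],
                 [("sw-a", trunk), ("sw-b", remap)],
                 [("sw-a", access), ("sw-b", trunk)]):
        print([n for n, _ in path], trace_mirror(SAMPLE, MIRROR_VLAN, path))
```

A monitoring device that silently receives nothing is the symptom of the second and third paths; the returned hop name shows where the tag was modified or deleted.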

Last

The source port is the monitored port. You can monitor and analyze the packets through this port. The source VLAN is the monitored VLAN. You can monitor and analyze packets from all ports in the VLAN. The source CPU is the CPU on the monitored board. You can monitor and analyze packets sent from the CPU.
