Traffic mirroring configuration example

Network requirements

As shown in :

  1. Monitor the traffic sent by the technology department to access the Internet:

    # Create ACL 3000 to allow packets from the technology department (on subnet 192.168.2.0/24) to access the Internet. The rule matches only TCP packets whose destination port is www.

    <DeviceA> system-view
    [DeviceA] acl number 3000
    [DeviceA-acl-adv-3000] rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www
    [DeviceA-acl-adv-3000] quit
    

    # Create traffic class tech_c, and configure the match criterion as ACL 3000.

    [DeviceA] traffic classifier tech_c
    [DeviceA-classifier-tech_c] if-match acl 3000
    [DeviceA-classifier-tech_c] quit
    

    # Create traffic behavior tech_b, and configure the action of mirroring traffic to port GigabitEthernet 1/0/3.

    [DeviceA] traffic behavior tech_b
    [DeviceA-behavior-tech_b] mirror-to interface GigabitEthernet 1/0/3
    [DeviceA-behavior-tech_b] quit
    

    # Create QoS policy tech_p, and associate traffic class tech_c with traffic behavior tech_b in the QoS policy.

    [DeviceA] qos policy tech_p
    [DeviceA-qospolicy-tech_p] classifier tech_c behavior tech_b
    [DeviceA-qospolicy-tech_p] quit
    

    # Apply QoS policy tech_p to the outgoing packets of GigabitEthernet 1/0/1.

    [DeviceA] interface GigabitEthernet 1/0/1
    [DeviceA-GigabitEthernet1/0/1] qos apply policy tech_p outbound
    [DeviceA-GigabitEthernet1/0/1] quit
    
  2. Monitor the traffic that the technology department sends to the marketing department:

    # Configure a time range named work to cover the time from 8:00 to 18:00 on working days.

    [DeviceA] time-range work 8:0 to 18:0 working-day
    

    # Create ACL 3001 to allow packets sent from the technology department (on subnet 192.168.2.0/24) to the marketing department (on subnet 192.168.1.0/24).

    [DeviceA] acl number 3001
    [DeviceA-acl-adv-3001] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range work
    [DeviceA-acl-adv-3001] quit
    

    # Create traffic class mkt_c, and configure the match criterion as ACL 3001.

    [DeviceA] traffic classifier mkt_c
    [DeviceA-classifier-mkt_c] if-match acl 3001
    [DeviceA-classifier-mkt_c] quit
    

    # Create traffic behavior mkt_b, and configure the action of mirroring traffic to port GigabitEthernet 1/0/3.

    [DeviceA] traffic behavior mkt_b
    [DeviceA-behavior-mkt_b] mirror-to interface GigabitEthernet 1/0/3
    [DeviceA-behavior-mkt_b] quit
    

    # Create QoS policy mkt_p, and associate traffic class mkt_c with traffic behavior mkt_b in the QoS policy.

    [DeviceA] qos policy mkt_p
    [DeviceA-qospolicy-mkt_p] classifier mkt_c behavior mkt_b
    [DeviceA-qospolicy-mkt_p] quit
    

    # Apply QoS policy mkt_p to the outgoing packets of GigabitEthernet 1/0/2.

    [DeviceA] interface GigabitEthernet 1/0/2
    [DeviceA-GigabitEthernet1/0/2] qos apply policy mkt_p outbound
    
  3. Verify the configurations.

  4. After completing the configurations, you can use the server to monitor all traffic that the technology department sends to access the Internet and the IP traffic that the technology department sends to the marketing department during working hours.
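
The following Python model is an added example, not part of the original configuration guide. It evaluates constructed sample packets against the two ACL rules above to show which traffic reaches the monitoring port. It assumes that www means TCP port 80, that working-day means Monday to Friday, that the 18:00 end of the time range is exclusive, and that GigabitEthernet 1/0/1 faces the Internet and GigabitEthernet 1/0/2 faces the marketing department; the packet dictionaries and helper names are hypothetical.

```python
import ipaddress
from datetime import datetime

def wildcard_match(addr, base, wildcard):
    """ACL wildcard mask: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def in_work_range(ts):
    """time-range work 8:0 to 18:0 working-day (assumed Mon-Fri, end exclusive)."""
    minutes = ts.hour * 60 + ts.minute
    return ts.weekday() < 5 and 8 * 60 <= minutes < 18 * 60

def acl_3000(pkt):
    """rule permit tcp source 192.168.2.0 0.0.0.255 destination-port eq www"""
    return (pkt["proto"] == "tcp"
            and wildcard_match(pkt["src"], "192.168.2.0", "0.0.0.255")
            and pkt.get("dport") == 80)  # assumption: www == TCP port 80

def acl_3001(pkt):
    """rule permit ip source 192.168.2.0/24 destination 192.168.1.0/24 time-range work"""
    return (wildcard_match(pkt["src"], "192.168.2.0", "0.0.0.255")
            and wildcard_match(pkt["dst"], "192.168.1.0", "0.0.0.255")
            and in_work_range(pkt["time"]))

def mirrored_by(pkt):
    """Names of the QoS policies that would mirror pkt to GigabitEthernet 1/0/3."""
    hits = []
    if pkt["out_if"] == "GE1/0/1" and acl_3000(pkt):
        hits.append("tech_p")  # applied outbound on GigabitEthernet 1/0/1
    if pkt["out_if"] == "GE1/0/2" and acl_3001(pkt):
        hits.append("mkt_p")   # applied outbound on GigabitEthernet 1/0/2
    return hits

# Constructed sample packets (not captured traffic).
MON_10 = datetime(2024, 3, 4, 10, 0)   # Monday, inside the time range
MON_19 = datetime(2024, 3, 4, 19, 30)  # Monday, after 18:00
SAT_10 = datetime(2024, 3, 9, 10, 0)   # Saturday
def pkt(proto, src, dst, dport, out_if, time):
    return dict(proto=proto, src=src, dst=dst, dport=dport, out_if=out_if, time=time)
SAMPLES = {
    "http":      pkt("tcp", "192.168.2.10", "203.0.113.5", 80, "GE1/0/1", MON_10),
    "https":     pkt("tcp", "192.168.2.10", "203.0.113.5", 443, "GE1/0/1", MON_10),
    "mkt_work":  pkt("icmp", "192.168.2.10", "192.168.1.20", None, "GE1/0/2", MON_10),
    "mkt_late":  pkt("icmp", "192.168.2.10", "192.168.1.20", None, "GE1/0/2", MON_19),
    "mkt_sat":   pkt("udp", "192.168.2.10", "192.168.1.20", 53, "GE1/0/2", SAT_10),
    "other_net": pkt("tcp", "192.168.3.10", "203.0.113.5", 80, "GE1/0/1", MON_10),
}
if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:10s} -> {mirrored_by(p) or 'not mirrored'}")
```

In this model, connections to any port other than www (HTTPS on 443, for example) and traffic to the marketing department outside working hours never reach the monitoring server, so a sensor attached to GigabitEthernet 1/0/3 has no visibility into them.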