# Huawei NE80E/40E Port Mirroring

## NE80E/40E mirroring features

- One observing port can be configured per interface board
- Packets sent up to the CPU can be mirrored separately
- Inbound and outbound mirroring are supported both on the same board and across boards
- Mirroring can be configured on Layer 2 ports
## Notes on configuring mirroring

- Frames are not modified. On the inbound side a frame is mirrored before its header is stripped; on the outbound side it is mirrored after it has been modified
- Configuring other services on the observing port is not recommended
- Mirrored packets from one interface board can only be sent to a single observing port
- The router supports mirroring between different interface types, such as GE and POS, but because the packet encapsulation differs between interface types, the interface counters will be inaccurate
## Configuring port mirroring

- Configure the observing port

```
<RouterB> system-view
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] port-observing observe-index 1
```

The observe-index must equal the slot number of the interface board that the observing port is on.

- Configure the observing port for board-wide mirroring

```
<RouterB> system-view
[RouterB] slot 3
[RouterB-slot-3] mirror to observe-index 1
[RouterB-slot-3] quit
```

Once the board-wide observing port is configured for an interface board, every interface on that board that needs mirroring sends its mirrored packets to that observing port. The observing port for a board can be on the same interface board or on another interface board.

- Configure port mirroring

```
<RouterB> system-view
[RouterB] interface gigabitethernet 3/0/3
[RouterB-GigabitEthernet3/0/3] port-mirroring inbound [cpu-packet]
[RouterB-GigabitEthernet3/0/3] port-mirroring outbound
```
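The rules above (observe-index equal to the board slot number, one observing port per board, the observing port possibly on another board, a mirrored port needing a board-wide target) are easy to get wrong by hand. The following Python linter is an added example, not Huawei code or tooling: it reads a VRP-style configuration text and reports each violation. The regular expressions, function names and the SAMPLE_CONFIG are assumptions made for the example.

```python
"""Check a Huawei NE80E/40E mirroring configuration against the rules quoted above
(added example, not Huawei code): observe-index must equal the slot number of the
observing port's board, each board mirrors to only one observing port (which may
sit on another board), and a mirrored port needs a 'mirror to observe-index' on its board."""
import re
from collections import defaultdict

# Interface names use the slot/card/port form seen on the page; the first number is the slot.
IFACE_RE = re.compile(r"^interface\s+([A-Za-z-]+\s?(\d+)/\d+/\d+)\s*$", re.I)
SLOT_RE = re.compile(r"^slot\s+(\d+)\s*$", re.I)
OBSERVING_RE = re.compile(r"^port-observing\s+observe-index\s+(\d+)", re.I)
MIRROR_TO_RE = re.compile(r"^mirror\s+to\s+observe-index\s+(\d+)", re.I)
PORT_MIRROR_RE = re.compile(r"^port-mirroring\s+(inbound|outbound)", re.I)


def parse_mirroring(text):
    """Collect observing ports, per-board mirror targets and mirrored ports.

    Returns (observing, board_targets, mirrored):
      observing      observe-index -> (interface, slot)
      board_targets  slot -> [observe-index, ...]
      mirrored       [(interface, slot, direction), ...]
    """
    observing, board_targets, mirrored = {}, defaultdict(list), []
    ctx = None  # ("iface", name, slot) or ("slot", slot); 'quit' lines are ignored
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            ctx = ("iface", m.group(1), int(m.group(2)))
        elif m := SLOT_RE.match(line):
            ctx = ("slot", int(m.group(1)))
        elif ctx and ctx[0] == "iface":
            if m := OBSERVING_RE.match(line):
                observing[int(m.group(1))] = (ctx[1], ctx[2])
            elif m := PORT_MIRROR_RE.match(line):
                mirrored.append((ctx[1], ctx[2], m.group(1).lower()))
        elif ctx and ctx[0] == "slot":
            if m := MIRROR_TO_RE.match(line):
                board_targets[ctx[1]].append(int(m.group(1)))
    return observing, dict(board_targets), mirrored


def lint_huawei_mirroring(text):
    """Return a list of rule violations; an empty list means the config is consistent."""
    observing, board_targets, mirrored = parse_mirroring(text)
    findings = []
    for index, (name, slot) in sorted(observing.items()):
        if index != slot:
            findings.append(f"{name}: observe-index {index} must equal its board slot number {slot}")
    for slot, targets in sorted(board_targets.items()):
        if len(targets) > 1:
            findings.append(f"slot {slot}: mirrors to several observing ports {sorted(targets)}; one per board")
        for index in targets:
            if index not in observing:
                findings.append(f"slot {slot}: observe-index {index} is not configured on any port")
    for name, slot, direction in mirrored:
        if slot not in board_targets:
            findings.append(f"{name}: port-mirroring {direction} set but slot {slot} has no 'mirror to observe-index'")
    return findings


# Constructed sample (not a real device configuration) with three violations:
# observe-index 2 on a slot-3 port, slot 4 pointing at two observing ports, and a
# mirrored port on slot 5 whose board has no observing port. Slot 3 mirroring to the
# observing port on slot 1 is fine, because the observing port may be on another board.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/0
 port-observing observe-index 1
interface GigabitEthernet3/0/2
 port-observing observe-index 2
slot 3
 mirror to observe-index 1
slot 4
 mirror to observe-index 1
 mirror to observe-index 2
interface GigabitEthernet3/0/3
 port-mirroring inbound cpu-packet
 port-mirroring outbound
interface GigabitEthernet5/0/1
 port-mirroring inbound
"""

if __name__ == "__main__":
    for finding in lint_huawei_mirroring(SAMPLE_CONFIG):
        print(finding)
```

Run it against `display current-configuration` output saved to a file; the checks are deliberately limited to the rules stated on this page, so an empty result means only that those rules hold.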
## Flow-based mirroring

- Configure the observing port

```
<RouterB> system-view
[RouterB] interface gigabitethernet3/0/2
[RouterB-GigabitEthernet3/0/2] port-observing observe-index 3
```

- Configure the observing port for board-wide mirroring

```
[RouterB] slot 3
[RouterB-slot-3] mirror to observe-index 3
[RouterB-slot-3] quit
```

- Define the ACL (3001 is an advanced ACL, which is what a TCP port match requires)

```
[RouterB] acl 3001
[RouterB-acl-adv-3001] rule permit tcp destination-port eq www
[RouterB-acl-adv-3001] quit
```

- Configure a traffic classifier that matches the ACL

```
[RouterB] traffic classifier a
[RouterB-classifier-a] if-match acl 3001
[RouterB-classifier-a] quit
```

- Configure a traffic behavior

```
[RouterB] traffic behavior e
[RouterB-behavior-e] port-mirroring enable
[RouterB-behavior-e] quit
```

- Define a traffic policy that binds the classifier to the behavior

```
[RouterB] traffic policy 1
[RouterB-trafficpolicy-1] classifier a behavior e
[RouterB-trafficpolicy-1] quit
```

- Apply the traffic policy to the interface

```
[RouterB] interface gigabitethernet3/0/0
[RouterB-GigabitEthernet3/0/0] traffic-policy 1 inbound
[RouterB-GigabitEthernet3/0/0] quit
```
# Cisco IOS XR Port Mirroring

## Source port characteristics

- The source port can be any interface type except BVIs, such as a Bundle Interface, Gigabit Ethernet or 10-Gigabit Ethernet
- Each source port can be monitored in at most one traffic mirroring session
- Interfaces over which mirrored traffic may be routed must not be configured as a source port
- ACL-based traffic mirroring: traffic is mirrored based on the configuration of the global interface ACL. This is optional on the Cisco CRS Router
## Monitor sessions

- A single Cisco CRS Router can have a maximum of eight monitor sessions
- A single monitor session can have only one destination
- A single destination can belong to only one monitor session
- A monitor session can have a maximum of 800 source ports, as long as the total number of source ports across all monitor sessions does not exceed 800
## Destination characteristics

- A destination is defined by IP address (IPv4 or IPv6) and is not tied to a specific interface; routing decides which interface the mirrored packets are actually sent over
- No two monitor sessions may have the same destination IP address
## Layer-3 traffic mirroring

```
router# configure
router(config)# monitor-session mon1
router(config-mon)# destination next-hop ipv4 214.23.4.10
router(config-mon)# commit
router(config)# interface gigabitethernet0/0/0/10.10
router(config-if)# monitor-session mon1
router(config-if)# commit
```
## ACL-based traffic mirroring

- The global interface ACL should be configured using one of these commands with the capture keyword:
  - ipv4 access-list
  - ipv6 access-list
  - ethernet-services access-list
## Troubleshooting ACL-based traffic mirroring

- Even when the acl command is configured on the source mirroring port, if the ACL configuration does not use the capture keyword, no traffic gets mirrored
- If the ACL configuration uses the capture keyword but the acl command is not configured on the source port, traffic is mirrored, but no access-list filtering is applied
A working combination, with the acl command under the interface's monitor-session and the capture keyword in the ACL:

```
router# configure
router(config)# monitor-session mon1
router(config-mon)# destination next-hop ipv4 24.23.4.10
router(config-mon)# commit
router# configure t
router(config)# interface g0/2/0/11
router(config-if)# ipv4 access-group acl_www ingress
router(config-if)# monitor-session mon1 direction rx-only
router(config-if-mon)# acl
router(config-if-mon)# commit
router# configure
router(config)# ipv4 access-list acl_www
router(config-ipv4-acl)# 5 permit tcp any any eq www capture
router(config-ipv4-acl)# 10 permit ipv4 any any
router(config-ipv4-acl)# commit
```
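The monitor-session limits and the two capture-keyword pitfalls above can all be checked from configuration text before a commit. The following Python linter is an added example, not Cisco code or tooling: it parses a simplified, indentation-based copy of the configuration and reports each violation. The regular expressions, the function names, and the constructed SAMPLE_CONFIG (session names mon1/mon2, ACL names acl_www/acl_nocap, and the interface names) are assumptions made for the example.

```python
"""Lint an IOS XR traffic-mirroring configuration against the monitor-session rules and
the ACL/capture troubleshooting rules quoted above (added example, not Cisco code)."""
import re

MAX_SESSIONS = 8  # monitor sessions per CRS router, as quoted on the page
IFACE_RE = re.compile(r"^interface\s+(\S+)$")
SESSION_RE = re.compile(r"^monitor-session\s+(\S+)")
DEST_RE = re.compile(r"^destination\s+next-hop\s+ipv[46]\s+(\S+)")
ACL_DEF_RE = re.compile(r"^(?:ipv4|ipv6|ethernet-services)\s+access-list\s+(\S+)$")
ACL_GROUP_RE = re.compile(r"^(?:ipv4|ipv6|ethernet-services)\s+access-group\s+(\S+)")


def parse_xr(text):
    """Return sessions {name: dest}, interfaces {name: {...}}, acls {name: has_capture}."""
    sessions, interfaces, acls = {}, {}, {}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented line opens a new top-level block
            if m := IFACE_RE.match(line):
                ctx = ("iface", m.group(1))
                interfaces[m.group(1)] = {"acl_group": None, "sessions": [], "acl": False}
            elif m := ACL_DEF_RE.match(line):
                ctx = ("acl", m.group(1))
                acls[m.group(1)] = False
            elif m := SESSION_RE.match(line):
                ctx = ("session", m.group(1))
                sessions[m.group(1)] = None
            else:
                ctx = None
            continue
        if ctx is None:
            continue
        kind, name = ctx
        if kind == "session" and (m := DEST_RE.match(line)):
            sessions[name] = m.group(1)
        elif kind == "iface":
            if m := ACL_GROUP_RE.match(line):
                interfaces[name]["acl_group"] = m.group(1)
            elif m := SESSION_RE.match(line):
                interfaces[name]["sessions"].append(m.group(1))
            elif line == "acl":  # the 'acl' keyword under the interface's monitor-session
                interfaces[name]["acl"] = True
        elif kind == "acl" and re.search(r"\bcapture\b", line):
            acls[name] = True
    return sessions, interfaces, acls


def lint_xr_mirroring(text):
    """Return findings; an empty list means no rule quoted on the page is violated."""
    sessions, interfaces, acls = parse_xr(text)
    findings, seen = [], {}
    if len(sessions) > MAX_SESSIONS:
        findings.append(f"{len(sessions)} monitor sessions; at most {MAX_SESSIONS} are supported")
    for sname, dest in sessions.items():
        if dest is not None and dest in seen:
            findings.append(f"monitor-session {sname}: destination {dest} already used by {seen[dest]}")
        seen.setdefault(dest, sname)
    for iname, info in interfaces.items():
        if len(info["sessions"]) > 1:
            findings.append(f"{iname}: in sessions {info['sessions']}; a source port belongs to one session")
        group = info["acl_group"]
        if group in acls and info["acl"] and not acls[group]:
            findings.append(f"{iname}: 'acl' set but {group} has no capture rule, so nothing is mirrored")
        elif group in acls and acls[group] and not info["acl"]:
            findings.append(f"{iname}: {group} uses capture but 'acl' is not set, so traffic is mirrored unfiltered")
    return findings


# Constructed sample (not a real configuration) with three problems: mon2 reuses mon1's
# destination, Gi0/2/0/12 sets 'acl' but its ACL has no capture rule, and Gi0/2/0/13
# applies a capture ACL without 'acl' under its monitor-session.
SAMPLE_CONFIG = """\
monitor-session mon1
 destination next-hop ipv4 24.23.4.10
monitor-session mon2
 destination next-hop ipv4 24.23.4.10
interface GigabitEthernet0/2/0/11
 ipv4 access-group acl_www ingress
 monitor-session mon1 direction rx-only
  acl
interface GigabitEthernet0/2/0/12
 ipv4 access-group acl_nocap ingress
 monitor-session mon2 direction rx-only
  acl
interface GigabitEthernet0/2/0/13
 ipv4 access-group acl_www ingress
 monitor-session mon1
ipv4 access-list acl_www
 5 permit tcp any any eq www capture
 10 permit ipv4 any any
ipv4 access-list acl_nocap
 5 permit tcp any any eq www
 10 permit ipv4 any any
"""
```

The parser relies on the one-space-per-level indentation that `show running-config` emits; it does not resolve the source-port total across sessions, so the 800-port limit still has to be checked separately.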
# Cisco IOS XR ACL-based forwarding

```
ipv4 access-list PBR1
 5 permit tcp any any eq www nexthop1 track 11 ipv4 172.31.86.89
 9000 permit ipv4 any any
!
interface Bundle-Ether10
 ipv4 address x.x.x.x 255.255.255.248
 ipv4 access-group PBR1 ingress
!
ipsla
 operation 11
  type icmp echo
   ! the destination address is truncated in the source; x.x.x.x is a placeholder
   destination address 172.x.x.x
   timeout 500
   frequency 10
 ! added: an operation only runs once it is scheduled
 schedule operation 11
  start-time now
  life forever
!
track 11
 type rtr 11 reachability
 delay down 15
```