Configuring Port Mirroring on Huawei Switches

Example: Configuring Local Port Mirroring

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 0/0/4
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound     // Bind the inbound direction of GE0/0/1 to the observing port with index 1
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port-mirroring to observe-port 1 inbound     // Bind the inbound direction of GE0/0/2 to the observing port with index 1
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port-mirroring to observe-port 1 inbound     // Bind the inbound direction of GE0/0/3 to the observing port with index 1
[Switch-GigabitEthernet0/0/3] return

Example: Configuring Layer 2 Remote Port Mirroring

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] observe-port 1 interface gigabitethernet 0/0/2 vlan 10     // Configure GE0/0/2 as the remote observing port, bound to VLAN 10, with observing port index 1
// Once this is configured, the observing port forwards mirrored packets into VLAN 10. The observing port itself does not need to be added to the VLAN.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound     // Bind the inbound direction of GE0/0/1 to the observing port with index 1
[SwitchA-GigabitEthernet0/0/1] return

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 10
[SwitchB-vlan10] mac-address learning disable     // Disable MAC address learning in this VLAN
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type access     // Set the link type of the interface facing the monitoring device to access; the default link type is not access
[SwitchB-GigabitEthernet0/0/1] port default vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk     // Set the link type of the network-side interface to trunk; the default link type is not trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/2] return

Example: Configuring ACL-Based Local Flow Mirroring

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] observe-port 1 interface gigabitethernet 0/0/2     // Configure GE0/0/2 as the local observing port with index 1
[Switch] acl number 3000     // Create ACL 3000 with a rule that permits packets whose source network is 10.1.1.0/24 and whose destination TCP port is the WWW port
[Switch-acl-adv-3000] rule permit tcp source 10.1.1.0 0.0.0.255 destination-port eq www
[Switch-acl-adv-3000] quit
[Switch] acl number 3001     // Create ACL 3001 with a rule that permits packets whose source network is 10.1.1.0/24 and whose destination network is 10.1.2.0/24
[Switch-acl-adv-3001] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Switch-acl-adv-3001] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] traffic-mirror inbound acl 3000 to observe-port 1     // Mirror inbound packets on GE0/0/1 that match ACL 3000 to the observing port with index 1
[Switch-GigabitEthernet0/0/1] traffic-mirror inbound acl 3001 to observe-port 1     // Mirror inbound packets on GE0/0/1 that match ACL 3001 to the observing port with index 1
[Switch-GigabitEthernet0/0/1] return

Example: Configuring Remote VLAN Mirroring


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type access     // Set the link type of the host-side interface to access; the default link type is not access
[SwitchA-GigabitEthernet0/0/1] port default vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access     // Set the link type of the host-side interface to access; the default link type is not access
[SwitchA-GigabitEthernet0/0/2] port default vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type access     // Set the link type of the host-side interface to access; the default link type is not access
[SwitchA-GigabitEthernet0/0/3] port default vlan 10
[SwitchA-GigabitEthernet0/0/3] quit

<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 20
[SwitchB-vlan20] mac-address learning disable     // Disable MAC address learning in this VLAN
[SwitchB-vlan20] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type access     // Set the link type of the interface facing the monitoring device to access; the default link type is not access
[SwitchB-GigabitEthernet0/0/1] port default vlan 20
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/4
[SwitchB-GigabitEthernet0/0/4] port link-type trunk
[SwitchB-GigabitEthernet0/0/4] port trunk allow-pass vlan 20     // Set the link type of the network-side interface to trunk; the default link type is not trunk
[SwitchB-GigabitEthernet0/0/4] return

[SwitchA] observe-port 1 interface gigabitethernet 0/0/4 vlan 20     // Configure GE0/0/4 as the Layer 2 remote observing port with index 1, bound to VLAN 20
[SwitchA] vlan 10
[SwitchA-vlan10] mirroring to observe-port 1 inbound     // Mirror inbound packets on all interfaces in VLAN 10 to the observing port with index 1
[SwitchA-vlan10] return
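
To review where mirrored traffic ends up, the following Python example (added here; it is not part of the original article or any Huawei tooling) parses the four command forms shown above out of a saved configuration and resolves each mirroring source to its observing port. The sample configuration, its indentation-based layout, the interface spelling, and the names mirror_sessions and unapproved are assumptions made for this example.

```python
import re

# Constructed sample in saved-configuration layout (an assumption; not from the page).
SAMPLE_CONFIG = """\
observe-port 1 interface GigabitEthernet0/0/2
observe-port 2 interface GigabitEthernet0/0/4 vlan 20
#
vlan 10
 mirroring to observe-port 2 inbound
#
interface GigabitEthernet0/0/1
 traffic-mirror inbound acl 3000 to observe-port 1
 port-mirroring to observe-port 1 inbound
#
interface GigabitEthernet0/0/3
 port-mirroring to observe-port 3 inbound
#
"""

OBSERVE = re.compile(r"observe-port (\d+) interface (\S+)(?: vlan (\d+))?$")
PORT_OR_VLAN = re.compile(r"(?:port-)?mirroring to observe-port (\d+) (\w+)$")
FLOW = re.compile(r"traffic-mirror (\w+) acl (\S+) to observe-port (\d+)$")

def mirror_sessions(config):
    """List every mirroring source with the observing port it copies traffic to."""
    observe, found, view = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] != " ":                  # unindented: new view or global command
            view = None if line in ("", "#") else line
            m = OBSERVE.match(line)
            if m:
                observe[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = PORT_OR_VLAN.match(line)        # port mirroring or VLAN mirroring
        if m:
            found.append((view, m.group(2), None, m.group(1)))
        m = FLOW.match(line)                # ACL-based flow mirroring
        if m:
            found.append((view, m.group(1), m.group(2), m.group(3)))
    sessions = []
    for source, direction, acl, index in found:
        dest, vlan = observe.get(index, (None, None))   # None: index never defined
        sessions.append({"source": source, "direction": direction, "acl": acl,
                         "observe_port": index, "dest": dest, "remote_vlan": vlan})
    return sessions

def unapproved(sessions, approved_dests):
    """Sessions whose destination is undefined or not on the approved list."""
    return [s for s in sessions if s["dest"] not in approved_dests]
```
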
