When the detecting device is in off-line mode, to detect traffic, you need to configure optical splitting or mirroring to copy traffic to the detecting device.
NOTE: In optical splitting mode, you need to only deploy an optical splitter.
Mirroring, packets received or sent by a port (mirroring port) are copied to a specified port (observing port) and then are issued to the detecting device. By analyzing packets captured by the detecting device, you can learn data transmitted over the mirroring port.
As shown in Figure 1, the detecting device is directly connected to GE1/0/1 on Router1, which uses interfaces as mirroring and observing ports. Inbound traffic of GE1/0/0 is copied to GE1/0/1 through the port mirroring, and then is issued to the detecting device for analysis.
Mirroring and traffic-diversion routers can be the same router or different ones.
This mode applies to enterprise networks because of low costs and no extra device or component; however, this mode requires CLI configurations on the router.
To enable traffic copying in mirroring mode, only configure CLIs related to port mirroring on the router. The following uses Huawei NE80E as an example for describing how to configure port mirroring on the router.
- Configure the local observing port.
- Run the system-view command to access the system view.
- Run the interface interface-type interface-number command to access the interface view.
This interface serves as the local observing port. Such interfaces involve the GE interface and its subinterfaces, the Eth-Trunk interface and its subinterfaces, the POS interface, and the IP-Trunk interface, for example, Router1 GE1/0/1 shown in Figure 1.
- Run the port-observing observe-index observe-index command to configure a local observing port.
When the physical port serves as the observing port, the index number of the observing port must be identical with the slot number of the LPU where the interface resides. When the logical interface serves as the observing port, the index number cannot be used by another observing port.
- Run the quit command to return to the system view.
- Configure the observing port for the mirroring of the entire LPU.
- Run the slot slot-id command to access the slot view.
- Run the mirror to observe-index observe-index command to configure the observing port for the mirroring of the LPU.
After the command is configured, the observing port of the index serves as that for the mirroring of the entire LPU. When mirroring is enabled on an interface of the LPU, packets are mirrored to this observing port. Such an observing port can be configured on either the local LPU or another LPU.
- Run the quit command to return to the system view.
- Configure port mirroring.
- Run the interface interface-type interface-number command to access the interface view.
This interface serves as the local mirroring port. Such interfaces involve the GE interface and its subinterfaces, the POS interface, FR interface, serial interface, and MP-Group interface, for example, Router1 GE1/0/0 shown in Figure 1.
- Run the port-mirroring inbound [ cpu-packet ] command to observe the inbound traffic of the local mirroring port.
- Run the interface interface-type interface-number command to access the interface view.