Port mirroring is used on a network switch or a router to send a copy of network packets seen on the specified ports (source ports) to other specified ports (destination ports). With port mirroring enables, the packets can be monitored and analyzed. Port mirroring is applied widely, for example, network engineers can use port mirroring to analyze and debug data or diagnose errors on their networks without affecting the packet processing capabilities of the network devices. And the Ministry of Culture and Public Security can collect related data from port mirroring to analyze the network behaviors, so as to ensure a healthy network environment.
Local and remote port mirroring are two types of port mirroring based on different working ranges of mirroring. They operate on different principles.
Local port mirroring is the most basic form of mirroring. All source ports are located on the same network device as the destination ports. As figure 1 shows, local port mirroring enables the network switch to forward the copy of the packet on the source port (Eth 1/1) to the destination port (Eth 1/2). Then the monitoring device connected with the destination port can monitor and analyze the packet.
As for remote port mirroring, source ports and destination ports are not on the same device. As figure 2 shows, source port (Eth 1/3) is on one switch, and destination port (Eth 1/3) is on the other switch. The source port forwards the packet copy to the destination port through the uplink connection achieved by the port (Eth 1/4) on the two switches. Therefore, local port mirroring can realize the data monitoring and analysis across devices.
The prerequisite of configuring port mirroring is ensuring the network device (no matter a switch or router) supports port mirroring. And then select one mode, local port mirroring or remote port mirroring configuration.
Local port mirroring configuration roadmap:
1. Create a VLAN.
2. Add the source port and destination port to VLAN.
3. Configure IP address.
4. Configure port mirroring on the destination port, and copy the packet from the source port to the destination port.
Remote port mirroring configuration roadmap:
1. Create the source port in a global schema.
2. Configure the uplink port on one switch.
3. Create a destination port in a global schema.
4. Configure the uplink port on another switch.
1. Configuration takes effect after setting one port as the source port and setting another port as the destination port in local port mirroring.
2. When creating a mirroring group, only one destination port can be set, but there could be one or more source ports in the group.
3. If one port has been specified as the source port in one mirroring group, it can’t be a member of another mirroring group.
4. If one port has been specified as the destination port in one mirroring group, it can’t be a member of another mirroring group.
5. It’s recommended that do not apply STP, RSTP or MSTP on the destination port, otherwise, the device may malfunction.
Port mirroring and traffic mirroring belong to mirroring function.
Traffic mirroring copies the specified traffic that matches a certain configuration rule to the destination port for analysis and monitoring. As figure 3 shows, the source port copies the data flow that matches the rule from client 2 to the destination port, which then sends the copied data flow to the monitoring device. The matched data flow can be set by ACL (Access Control List) or configuration commands. With traffic mirroring, only the selected or matched traffic are sent to the monitoring device, while port mirroring copies every packet that passes through the interface to the monitoring device.
Port mapping, also called port forwarding, is used to forward an IP address of LAN to the WAN, or forward an IP address from WAN to the LAN. In a typical residential network, nodes obtain Internet access via a cable modem connected to a router. The router is configured with a public IP address, while the computer behind the router has a private IP address that is invisible to the hosts on the Internet. When users search on Google, the host on the Internet only recognizes the router’s IP and sent the data to the router. And then the router forwards the data to the PC via port mapping list (note that only the router with port mapping can send the feedback data to the corresponding PC). Thus, port mapping is a process of data forwarding, while port mirroring is a process of data copying.
In general, users can verify port mirroring results by the software of capturing packet. Run the software on the monitoring device, the configuration succeeds when obtaining the packet sent or received by the source port.