This application note explains how to configure remote and intelligent port mirroring on ProCurve ProVision switches. Remote port mirroring lets you redirect data flows that you monitor on a source switch to a different destination switch, which allows a centralized network analyzer or probe to capture packets for an entire LAN. This is important if you want to add an intrusion detection system (IDS) without introducing an in-line failure point.

Intelligent mirroring allows configuring an access list on the source switch to filter the traffic and send only ICMP packets to the remote switch port.

» Return to top

You need a ProCurve ProVision switch, such as the ProCurve Switch 5400zl, as the source switch, and at least one other switch (such as the ProCurve Switch 3500yl used in this example) as the destination. You can use ProCurve Manager Plus or the CLI to configure remote and intelligent mirroring. To monitor traffic you need a network protocol analyzer such as Wireshark.

» Return to top

Figure 1. Setup for configuring remote mirroring and intelligent mirroring on a ProCurve ProVision switch

This section explains why and how to configure remote mirroring on a ProCurve ProVision switch.

4.1 Conventional port mirroring versus ProCurve remote mirroring
Port mirroring has been possible on switches, but its implementation has been limited to local mirroring of traffic. That is, to replicate a flow from a switch port, you configure a local mirror on the same switch. This involves defining:

• The “mirror” or “destination” port. This is the port on the switch to which you want to send the monitored traffic flow. You connect a network analyzer here, allowing you to view the traffic.
• The “monitored” or “source” ports. These are ports on the switch, from which you copy the traffic and send to the mirror port.

• You need a free port to act as the mirror on the switch.
• To monitor traffic flows on several switches, you need to dedicate a mirror port on each switch and move your analyzer around the network.
• Having both the monitored ports and the mirror port on the same switch introduces a greater potential for failure.
• All traffic is mirrored, so you need to define filters on your analyzer to extract information of interest.

By contrast, with remote port mirroring on ProCurve ProVision switches you can redirect data flows from mirrored ports on the source switch to a mirror on a different destination switch. Each single source switch can mirror up to four sessions. The destination switch can capture up to a total of 32 mirror sessions from different switches.

You can configure remote mirroring from the CLI or from ProCurve Manager Plus.

» Return to top

4.2 Configure remote mirroring from the CLI
To configure remote mirroring from the command line:

1. On the destination switch: Activate it with a mirror endpoint command, in which you specify:
   • The source switch IP address
   • A UDP port that will be used to encapsulate the mirrored traffic
   • The destination switch IP address
   • And the switch port on which you want to redirect the monitored traffic
   Command syntax is:

For example:

2. On the source switch (or switches): Activate it with a mirror command in which you specify:
   • The mirror session number (1 to 4)
   • The source switch IP address
   • The same UDP port that you configured on the destination switch
   • The destination switch IP address
   Syntax for this command is:

For example:

3. On each interface: Use the interface command to specify what traffic to monitor (in, out or both) and the mirror session number.
   
   Syntax for this command is:

For example:

» Return to top

4.3 Configure remote mirroring from PCM+
The easiest way to configure remote port mirroring is to use ProCurve Manager Plus.

4.3.1 Configure the mirror port on the destination device
For example, to configure port 3 on the 3500yl to be the mirror port:

1. From PCM+ select the HP ProCurve 3500yl.
2. Go to the Port List tab, and then to Port Status.
3. Highlight port 3 and in the toolbar click on the last icon on the right: . You see a drop-down menu:
   
4. From the drop-down menu choose Configure Mirror Port. You see the Configure Mirror Port window:
   
5. Ensure Remote Monitoring is enabled and click Enable Mirror Port. The Mirror Port: option changes to true, and the button changes to Disable.
6. Select the HP ProCurve 5400zl as the mirror source:
   

» Return to top

4.3.2 Specify the ports to be monitored
Now you need to specify the ports that will be monitored (that is, the source ports) by the mirror port. For example:

1. In PCM+, select the 5400zl.
2. Click the Port List tab, and then Port Status.
3. In the Port Status table, click to select A7, the port on the 5400zl that you want to monitor.
4. Highlight port A7 and in the toolbar click on the last icon on the right: . You see the pull-down menu again:
   
5. Select Monitor Port from the pull-down menu and choose the mirror you have created. The Select Mirror Port dialog displays, with a listing of the ports and devices configured as mirror (monitoring) ports.
   
6. Select the 3500yl as the Mirror Destination, then click OK.

» Return to top

4.3.3 Capture packets

1. Plug a laptop with an analyzer to port 3 on the HP ProCurve 3500yl and open a Wireshark capture.
2. In Capture | Options, choose the capture interface.
3. Generate some traffic on the monitored port and see that the traffic shows up on the Wireshark capture.

» Return to top

4.4 Capture packets
To improve the usability of traffic mirroring, configure an access list on the source switch to filter the traffic and send only ICMP packets (and not the file transfer) to the remote switch port. For instance:

1. On the HP ProCurve 5400zl enter the following access list:

2. Add it to the monitor:

Now when you run a capture, you will only see the ICMP packets in the monitoring port.

» Return to top

This concludes the procedure for configuring remote and intelligent mirroring on ProCurve switches.

For further information about how to configure ProCurve switches to support security, please refer to the following links:

• For PCM+ and IDM manuals:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=ProCurve-Manager
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=IDM
• For user manuals for ProCurve 3500yl-5400zl-8212zl switches:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=3500-6200-5400-ChapterFiles
• For ProCurve Switch 2610 series manuals:
  http://h40060.www4.hp.com/procurve/includes/manuals/index.php?cc=uk&lc=en&content=2610

» Return to top