© 2006 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice.
The ProCurve 3500yl/5400zl/6200yl Switch Software Update NPI Technical Training
NPI Technical Training Version 1.0b6 December 2006
Traffic Mirroring Section
Traffic Mirroring

Allows you to monitor traffic to detect threats or troubleshoot problems.

Advantages:
• Allows you to monitor traffic from the local switch or from multiple remote switches
• Eliminates the need for a monitoring port on every switch
• Reduces the number of necessary security appliances
[Figure: stations on the network connect to a 5400zl Switch, which is linked to a 3500yl Switch that forwards to an IDS/IPS*. Callouts:
1. Traffic is selected based on port, VLAN, or ACL.
2. Selected traffic is mirrored to another switch.
3. Destination switch forwards mirrored traffic to IDS/IPS.]

*Intrusion detection system (IDS)/Intrusion prevention system (IPS)
Remote Traffic Mirroring
Allows you to monitor traffic to detect threats or troubleshoot problems from across the network and bring information back to the analyzer.
[Figure: stations on the network connect to a 5400zl Switch (mirror source); the mirrored traffic crosses the network to a 3500yl Switch (mirror destination), which forwards it to the IDS/IPS.]
Guidelines for Using Traffic Mirroring

Two types of traffic mirroring:
• Local mirroring—source and destination are on the same switch
• Remote mirroring—source and destination are on different switches

Each switch can be the:
• Originator for four mirror sessions, with the destination on either the local switch or another switch
• Destination for 32 mirror sessions
[Figure: a 5400zl Switch and a 3500yl Switch on the network, with the IPS/IDS attached to the 3500yl. Four mirror sessions originate on the local 5400zl Switch. The 3500yl Switch can receive up to 28 additional mirror sessions.]
Guidelines for Using Traffic Mirroring (continued)

For local mirroring, configure exit ports:
• Configure multiple mirror sessions to use the same exit port
• Load balance mirror sessions across multiple exit ports
[Figure: a switch with ports 1-12, a Core uplink, and the IDS/IPS on an exit port; callouts 1 and 2 mark two mirror sessions.]
Overview of Configuration Steps

1. Configure the destination switch for remote traffic mirroring.
2. Configure the source switch.
   • Define the session number and the destination for the mirror session on the source switch.
     – Local traffic mirroring—port on the same switch
     – Remote traffic mirroring—another 3500yl, 5400zl, or 6200yl Switch
   • Define the source interface and the direction of traffic.
     – Ports, including mesh ports
     – Static trunks
     – Static virtual LANs (VLANs)
     – Direction of traffic—inbound, outbound, or both directions
   • Apply an optional Access Control List (ACL) to further select traffic.
     – Select inbound traffic on the source interface with an extended or standard ACL
3. For remote traffic mirroring, enable jumbo frames to mirror frames whose information field is larger than 1446 bytes (untagged) or (tagged), on:
   • Both source and destination switches
   • Any infrastructure switches in between
   • The end stations, in this case the IPS/IDS, if you know the originating frame was larger than 1522 bytes
[Figure: the mirror session originates on the local 5400zl Switch; the destination is on the remote 3500yl Switch, which is attached to the IPS/IDS.]

ProCurve(config)# vlan <vlan_id> jumbo
Configuring the Destination Switch

1. For remote traffic mirroring, configure the source and destination of the mirror session on the destination switch:

ProCurve_dst_switch(config)# mirror endpoint ip <src-ip-add> <src-udp-port> <dst-ip-add> port <port#>

Options:
<src-ip-add>    IP address of the VLAN or subnet on which the mirrored traffic enters or leaves the source switch
<src-udp-port>  The unique UDP port number to use for the session
<dst-ip-add>    IP address of the VLAN or subnet for the exit port on the destination switch
<port#>         Exit port on the destination switch

These settings must match the settings you will configure on the source switch.
Configuring the Source Switch
Remote traffic mirroring

2. Configure the source switch—for remote traffic mirroring, identify the mirror session, the source, and the destination.
   – Replace <1-4> with the number to identify this mirror session.
   – Assign an optional name if you want an easier way to identify the session.
   – Ensure the other settings match those configured on the destination switch.

ProCurve_source_switch(config)# mirror <1-4> [name <name>] remote ip <src-ip-add> <src-udp-port> <dst-ip-add>
Configuring the Source Switch
Local traffic mirroring

• For local traffic mirroring, identify the session and configure the exit port:

ProCurve_source_switch(config)# mirror <1-4> [name <name>] port <port#>

[Figure: a switch with ports 1-12, a Core uplink and the IPS/IDS attached; the exit port is port 8.]
Configuring the Source Switch
Define the originating interface

• Define the originating interface as a port, trunk, or mesh port:

ProCurve_source_switch(config)# interface <port/trunk/mesh> monitor all [in | out | both] mirror <1-4> [mirror <1-4> . . .]

Options:
<port/trunk/mesh>   Port, trunk, or mesh
[in | out | both]   Direction of traffic that you want mirrored: in = traffic entering the port, out = traffic exiting the port, both = all traffic
<1-4>               Number for this mirror session
Configuring the Source Switch
Select the originating interface

• Define the originating interface as a VLAN or VLANs:
  – Replace <vlan-ID> with a VLAN or a range of VLANs.

ProCurve_source_switch(config)# vlan <vlan-ID> monitor all [in | out | both] mirror <1-4> [mirror <1-4> . . .]

[Figure: a 5400zl Switch with VLAN 1 and VLAN 2 facing the network.]
Using an ACL to Further Select Traffic (Optional)

• To use an ACL to select traffic arriving on an interface, enter:
  – Replace <acl_name> with the name of the ACL you have configured.

ProCurve_source_switch(config)# interface <port/trunk/mesh> monitor ip access-group <acl_name> in mirror <1-4> [mirror <1-4> . . .]
ProCurve_source_switch(config)# vlan <vlan-ID> monitor ip access-group <acl_name> in mirror <1-4> [mirror <1-4> . . .]

ACL selection applies only to inbound traffic on the interface; to mirror outbound traffic, use monitor all with out or both.
Enabling Jumbo Frames

3. For remote traffic mirroring, enable jumbo frames on the source switch, destination switch, and any intervening infrastructure switches. For example:

ProCurve_Source(config)# vlan 8 jumbo
ProCurve_Destination(config)# vlan 8 jumbo
ProCurve_Infrastructure(config)# vlan 8 jumbo
Traffic Mirroring show Commands

View information about mirror sessions configured on the switch:

ProCurve# show monitor [<1-4>]

 Network Monitoring

  Sessions  Status    Type   Sources
  --------  --------  -----  -------
  1         active    port   1
  2         active    IPv4   3
  3         active    port   1
  4         Inactive

 Mirror endpoint

  Type   Dest Address    Source Address   UDP Src   UDP Dst   Port
  -----  --------------  ---------------  --------  --------  -----
  IPv4   10.8.1.100      10.8.1.1         8453      3279      A17

Type: port = local mirror session, IPv4 = remote mirror session.
Sources: indicates the number of criteria defined for the mirror session.
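As an added example, not part of the HP training material: a small Python script that parses show monitor output in the layout shown above and flags remote mirror endpoints whose destination is not an approved collector. Mirrored frames leave the switch encapsulated in plain IP/UDP, so an unexpected remote session is both a monitoring blind spot and a copy of production traffic sent to the wrong host. The sample output is constructed to match the slide, and the approved collector address is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed sample, laid out like the slide's show monitor output.
SAMPLE = """\
 Network Monitoring

  Sessions  Status    Type   Sources
  --------  --------  -----  -------
  1         active    port   1
  2         active    IPv4   3
  3         active    port   1
  4         Inactive

 Mirror endpoint

  Type   Dest Address    Source Address   UDP Src   UDP Dst   Port
  -----  --------------  ---------------  --------  --------  -----
  IPv4   10.8.1.100      10.8.1.1         8453      3279      A17
"""

# One row of the Sessions table: number, status, optional type and source count.
SESSION_RE = re.compile(r"^\s*([1-4])\s+(active|Inactive)(?:\s+(port|IPv4)\s+(\d+))?\s*$")
# One row of the Mirror endpoint table: dest, source, UDP src, UDP dst, exit port.
ENDPOINT_RE = re.compile(r"^\s*IPv4\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_monitor(text: str) -> Dict[str, list]:
    """Return {'sessions': [...], 'endpoints': [...]} parsed from show monitor output."""
    sessions, endpoints = [], []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            num, status, kind, sources = m.groups()
            sessions.append({"session": int(num), "status": status,
                             "type": kind or "-", "sources": int(sources) if sources else 0})
            continue
        m = ENDPOINT_RE.match(line)
        if m:
            dst, src, udp_src, udp_dst, port = m.groups()
            endpoints.append({"dst": dst, "src": src, "udp_src": int(udp_src),
                              "udp_dst": int(udp_dst), "port": port})
    return {"sessions": sessions, "endpoints": endpoints}


def audit(text: str, approved_collectors: Set[str]) -> List[str]:
    """Findings a reviewer would raise: every active remote (IPv4) session, because its
    traffic leaves the switch, and every endpoint whose destination address is not an
    approved collector."""
    parsed = parse_monitor(text)
    findings = []
    for s in parsed["sessions"]:
        if s["status"] == "active" and s["type"] == "IPv4":
            findings.append(f"session {s['session']}: active remote (IPv4) mirror, "
                            f"{s['sources']} source criteria")
    for e in parsed["endpoints"]:
        if e["dst"] not in approved_collectors:
            findings.append(f"endpoint {e['src']}:{e['udp_src']} -> {e['dst']}:{e['udp_dst']} "
                            f"exits on {e['port']}: destination not approved")
    return findings


if __name__ == "__main__":
    # 10.8.1.100 is assumed to be the sanctioned IDS/IPS collector.
    for finding in audit(SAMPLE, {"10.8.1.100"}):
        print(finding)
```

Feed it the text captured from show monitor on each switch; on a source switch the Sessions table is what matters, on a destination switch the Mirror endpoint table.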
Example Configuration

[Figure: Source Switch (10.8.1.1) on the left, Destination Switch (10.8.1.100) on the right with the IPS/IDS attached to its exit port.]

Running configuration, destination switch:

! Dst switch
vlan 8
   untagged 1-5
   ip address 10.8.1.100 255.255.255.0
   jumbo
   exit
mirror endpoint ip 10.8.1.1 1000 10.8.1.100 port 22

Running configuration, source switch:

! Source switch
vlan 8
   untagged B1-B24
   ip address 10.8.1.1 255.255.255.0
   jumbo
   exit
mirror 1 remote ip 10.8.1.1 1000 10.8.1.100
interface B1
   monitor all both mirror 1
   exit
interface B2
   monitor all both mirror 1
   exit

(Interfaces B1 and B2 are the originating interfaces.)
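The following Python example is added here and is not HP's code. It turns the three configuration steps above into a checked plan: it validates the session count, session numbers, UDP-port uniqueness and ACL direction against the guidelines on this page, emits the destination and source configuration in the command syntax the slides use (including jumbo on the mirroring VLAN), and compares the endpoint triples found in two running configurations, which is the "settings must match" check the slides ask for. PAGE_PLAN reproduces the example configuration above; the dataclass names and the plan fields are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

MAX_ORIGINATING = 4            # sessions one switch can originate (guidelines slide)
DIRECTIONS = ("in", "out", "both")


@dataclass
class Monitor:
    kind: str          # "interface" (port, trunk or mesh) or "vlan"
    target: str        # e.g. "B1", "trk1" or a VLAN id such as "8"
    direction: str     # in | out | both
    acl: str = ""      # optional ACL name; ACL selection is inbound-only


@dataclass
class Session:
    number: int        # 1-4, identifies the session on the source switch
    udp_port: int      # unique per session, same value on both switches
    exit_port: str     # destination-switch port facing the IDS/IPS
    monitors: List[Monitor] = field(default_factory=list)
    name: str = ""     # optional friendly name


@dataclass
class Plan:
    src_ip: str        # IP of the VLAN on which mirrored traffic leaves the source
    dst_ip: str        # IP of the VLAN holding the exit port on the destination
    mask: str
    src_vlan: int
    src_untagged: str  # port list in the source VLAN, e.g. "B1-B24"
    dst_vlan: int
    dst_untagged: str
    sessions: List[Session] = field(default_factory=list)


def validate(plan: Plan) -> List[str]:
    """Return guideline/syntax violations; an empty list means the plan is usable."""
    problems = []
    if len(plan.sessions) > MAX_ORIGINATING:
        problems.append(f"a switch can originate at most {MAX_ORIGINATING} sessions")
    numbers = [s.number for s in plan.sessions]
    if len(set(numbers)) != len(numbers) or any(not 1 <= n <= 4 for n in numbers):
        problems.append("session numbers must be unique and in the range 1-4")
    ports = [s.udp_port for s in plan.sessions]
    if len(set(ports)) != len(ports):
        problems.append("each remote session needs its own UDP port")
    for s in plan.sessions:
        for m in s.monitors:
            if m.direction not in DIRECTIONS:
                problems.append(f"session {s.number}: bad direction {m.direction!r}")
            if m.acl and m.direction != "in":
                problems.append(f"session {s.number}: ACL selection only works on inbound traffic")
    return problems


def _vlan_block(vlan: int, untagged: str, ip: str, mask: str) -> List[str]:
    # 'jumbo' on the mirroring VLAN: the remote-mirror encapsulation adds an IP/UDP header.
    return [f"vlan {vlan}", f"   untagged {untagged}",
            f"   ip address {ip} {mask}", "   jumbo", "   exit"]


def destination_config(plan: Plan) -> List[str]:
    lines = ["! Dst switch"] + _vlan_block(plan.dst_vlan, plan.dst_untagged, plan.dst_ip, plan.mask)
    for s in plan.sessions:
        lines.append(f"mirror endpoint ip {plan.src_ip} {s.udp_port} {plan.dst_ip} port {s.exit_port}")
    return lines


def source_config(plan: Plan) -> List[str]:
    lines = ["! Source switch"] + _vlan_block(plan.src_vlan, plan.src_untagged, plan.src_ip, plan.mask)
    for s in plan.sessions:
        name = f" name {s.name}" if s.name else ""
        lines.append(f"mirror {s.number}{name} remote ip {plan.src_ip} {s.udp_port} {plan.dst_ip}")
        for m in s.monitors:
            selector = (f"monitor ip access-group {m.acl} in" if m.acl
                        else f"monitor all {m.direction}")
            lines += [f"{m.kind} {m.target}", f"   {selector} mirror {s.number}", "   exit"]
    return lines


def endpoint_tuples(config_lines: List[str]) -> Set[Tuple[str, str, str]]:
    """(src-ip, udp-port, dst-ip) triples from 'mirror <n> ... remote ip' and
    'mirror endpoint ip' lines, e.g. taken from show running-config on either switch."""
    found = set()
    for line in config_lines:
        t = line.split()
        if t[:3] == ["mirror", "endpoint", "ip"]:
            found.add(tuple(t[3:6]))
        elif t[:1] == ["mirror"] and "remote" in t:
            i = t.index("remote")
            found.add(tuple(t[i + 2:i + 5]))
    return found


def endpoints_match(src_config: List[str], dst_config: List[str]) -> bool:
    """Every session's endpoint triple must be identical on source and destination."""
    return endpoint_tuples(src_config) == endpoint_tuples(dst_config)


# The slide's example configuration, reconstructed as a plan.
PAGE_PLAN = Plan(src_ip="10.8.1.1", dst_ip="10.8.1.100", mask="255.255.255.0",
                 src_vlan=8, src_untagged="B1-B24", dst_vlan=8, dst_untagged="1-5",
                 sessions=[Session(1, 1000, "22", [Monitor("interface", "B1", "both"),
                                                   Monitor("interface", "B2", "both")])])

if __name__ == "__main__":
    assert not validate(PAGE_PLAN)
    print("\n".join(destination_config(PAGE_PLAN) + [""] + source_config(PAGE_PLAN)))
```

Running it prints both running configurations from the slide; endpoints_match is the piece worth keeping around, since it can be pointed at the saved running-config of two real switches to confirm that the src-ip, UDP port and dst-ip agree before traffic is expected at the IDS/IPS.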