Embed Size (px)
DESCRIPTION
NPI Technical Training Version 1.0b 6 December 2006. The ProCurve 3500yl/5400zl/6200yl Switch Software Update NPI Technical Training. Traffic Mirroring Section. Use only one (T or M) for each Dual-Personality Port. Use only one (T or M) for each Dual-Personality Port. 1. 1. 2. 2. 3. 3. - PowerPoint PPT Presentation
Citation preview
© 2006 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice.
The ProCurve 3500yl/5400zl/6200yl Switch Software Update NPI Technical Training
NPI Technical Training
Version 1.0b
6 December 2006
© 2006 Hewlett-Packard Development Company, L.P.The information contained herein is subject to change without notice.
Traffic Mirroring Section
3
Traffic Mirroring
Allows you to monitor traffic to detect threats or troubleshoot problems
Advantages• Allows you to monitor traffic from the local switch or from multiple
remote switches
• Eliminates the need for a monitoring port on every switch
• Reduces the number of necessary security appliances
Network
Stations 5400zl Switch
3500yl Switch
IDS/IPS*
1
2
3
Traffic is selected based on port, VLAN, or ACL.
Selected traffic is mirrored to another switch.
Destination switch forwards mirrored traffic to IDS/IPS.
xl xl
Power
Fault
Locator
E F
C D
A
ProCurve NetworkingHP Innovation
zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22 zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22
ConsoleReset Clear
Auxiliary Port
ProCurve Switch 5400zlManagement ModuleJ8726A
InternalPower
PoEPwr
2
1
2
4
1
3
PoE
Temp
Fan
Flash
DIMM
Mgmt
ChasTest
LED ModeModules
Status
Act
FDx
Spd Usr
PoE
H
J
LK
I
G
F
D
B
E
C
AProCurveSwitch 5406zlJ8699A PoE
Usezl Modules
only
B
*Intrusion detection system (IDS)/ Intrusion prevention system (IPS)
4
Remote Traffic Mirroring
Allows you to monitor traffic to detect threats or troubleshoot problems from across the network and bring information back to the analyzer.
Network
Stations 5400zl Switch
3500yl Switch
IDS/IPS*
xl xl
Power
Fault
Locator
E F
C D
A
ProCurve NetworkingHP Innovation
zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22 zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22
ConsoleReset Clear
Auxiliary Port
ProCurve Switch 5400zlManagement ModuleJ8726A
InternalPower
PoEPwr
2
1
2
4
1
3
PoE
Temp
Fan
Flash
DIMM
Mgmt
ChasTest
LED ModeModules
Status
Act
FDx
Spd Usr
PoE
H
J
LK
I
G
F
D
B
E
C
AProCurveSwitch 5406zlJ8699A PoE
Usezl Modules
only
B
*Intrusion detection system (IDS)/ Intrusion prevention system (IPS)
5
Guidelines for Using Traffic MirroringTwo types of traffic mirroring:• Local mirroring—source and destination are on the same switch
• Remote mirroring—source and destination are on different switches
Each switch can be the:• Originator for four mirror sessions, with the destination on either the
local switch or another switch
• Destination for 32 mirror sessions
Network
5400zl Switch
3500yl Switch
IPS/IDS
xl xl
Power
Fault
Locator
E F
C D
A
ProCurve NetworkingHP Innovation
zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22 zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22
ConsoleReset Clear
Auxiliary Port
ProCurve Switch 5400zlManagement ModuleJ8726A
InternalPower
PoEPwr
2
1
2
4
1
3
PoE
Temp
Fan
Flash
DIMM
Mgmt
ChasTest
LED ModeModules
Status
Act
FDx
Spd Usr
PoE
H
J
LK
I
G
F
D
B
E
C
AProCurveSwitch 5406zlJ8699A PoE
Usezl Modules
only
B
Four mirror sessions originate on the local 5400zl Switch.
The 3500yl Switch can receive up to 28 additional mirror sessions.
6
Guidelines for Using Traffic MirroringContinued
For local mirroring, configure exit ports:• Configure multiple mirror sessions to use the same exit port
• Load balance mirror sessions across multiple exit ports
1 3 5 7 11
8 122 4 6 Core
IDS/IPS
9
10
2
1
7
Overview of Configuration Steps
1. Configure the destination switch for remote traffic mirroring.
2. Configure the source switch.• Define the session number and the destination for the mirror
session on the source switch.– Local traffic mirroring—port on the same switch– Remote traffic mirroring—another 3500yl, 5400zl, or 6200yl Switch
• Define the source interface and the direction of traffic– Ports, including mesh ports– Static trunks– Static virtual LANs (VLANs)– Direction of traffic—inbound, outbound, or both directions
• Apply an optional Access Control List (ACL) to further select traffic.– Select inbound traffic on the source interface with an extended or
standard ACL
8
Overview of Configuration Steps3. For remote traffic mirroring, enable jumbo frames to mirror
information fields larger than 1446 bytes (untagged) or (tagged)• On both source and destination switches
• Any infrastructure switches in between
• The end stations, in this case the IPS/IDS if you know the originating frame was larger than 1522 bytes.
5400zl Switch
3500yl Switch
IPS/IDS
xl xl
Power
Fault
Locator
E F
C D
A
ProCurve NetworkingHP Innovation
zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22 zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22
ConsoleReset Clear
Auxiliary Port
ProCurve Switch 5400zlManagement ModuleJ8726A
InternalPower
PoEPwr
2
1
2
4
1
3
PoE
Temp
Fan
Flash
DIMM
Mgmt
ChasTest
LED ModeModules
Status
Act
FDx
Spd Usr
PoE
H
J
LK
I
G
F
D
B
E
C
AProCurveSwitch 5406zlJ8699A PoE
Usezl Modules
only
B Mirror session originates on the local 5400zl Switch.
The destination is on the remote 3500yl Switch.
ProCurve (config)# vlan <vlan_id> jumbo
9
Configuring the Destination Switch1. For remote traffic mirroring, configure the source and destination of
the mirror session on the destination switch
ProCurve_dst_switch(config)# mirror endpoint ip <src-ip-add> <src-udp-port> <dst-ip-add> port <port#>
Options<src-ip-add> IP address of the VLAN or subnet on which the
mirrored traffic enters or leaves the source switch
<src-udp-port> The unique UDP port number to use for the session
<dst-ip-add> IP address of the VLAN or subnet for the exit port on the destination switch
<port#> Exit port on the destination switch
These settings must match the settings you will configure on the source switch.
10
Configuring the Source SwitchRemote traffic mirroring
2. Configure the source switch
— For remote traffic mirroring, identify the mirror session, the source, and the destination.
– Replace <1-4> with the number to identify this mirror session.– Assign an optional name if you want an easier way to identify the session.– Ensure the other settings match those configured on the destination switch.
ProCurve_source_switch(config)# mirror <1-4> [name <name>] remote ip <src-ip-add> <src-udp-port> <dst-ip-add>
11
Configuring the Source SwitchLocal traffic mirroring
• For local traffic mirroring, identify the session and configure the exit port
ProCurve_source_switch(config)# mirror <1-4> [name <name>] port <port#>
1 3 5 7 11
8 122 4 6 Core
IPS/IDS
9
10
1
Exit port is port 8.
12
Configuring the Source SwitchDefine the originating interface
• Define the originating interface as a port, trunk, or mesh port
ProCurve_source_switch(config)# interface <port/trunk/mesh> monitor all [in | out | both] mirror <1-4> [mirror <1-4> . . .]
Options
<port/trunk/mesh> Port, trunk, or mesh
[in | out | both] Direction of traffic that you want mirrored: in = traffic entering portout = traffic exiting portboth = all traffic
<1-4> Number for this mirror session
13
• Define the originating interface as a VLAN or VLANs
– Replace <vlan-range> with a VLAN or a range or VLANs.
ProCurve_source_switch(config)# vlan <vlan-ID> monitor all [in | out | both] mirror <1-4> [mirror <1-4> . . .]
Configuring the Source SwitchSelect the originating interface
Power
Fault
Locator
E F
C D
A
ProCurve NetworkingHP Innovation
zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22 zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22
ConsoleReset Clear
Auxiliary Port
ProCurve Switch 5400zlManagement ModuleJ8726A
InternalPower
PoEPwr
2
1
2
4
1
3
PoE
Temp
Fan
Flash
DIMM
Mgmt
ChasTest
LED ModeModules
Status
Act
FDx
Spd Usr
PoE
H
J
LK
I
G
F
D
B
E
C
AProCurveSwitch 5406zlJ8699A PoE
Usezl Modules
only
B
5400zl Switch
Network
VLAN 1
VLAN 2
14
Using an ACL to Further Select Traffic Optional
• To use an ACL to select traffic arriving on an interface, enter:
– Replace <acl_name> with the name of the ACL you have configured.
ProCurve_source_switch(config)# interface <port/trunk/mesh> monitor ip access-group <acl_name> in mirror <1-4> [mirror <1-4> . . .]
ProCurve_source_switch(config)# vlan <vlan-ID> monitor ip access-group <acl_name> in mirror <1-4> [mirror <1-4> . . .]
15
Enabling Jumbo Frames
3. For remote traffic mirroring, enable jumbo frames on the source switch, destination switch, and any intervening infrastructure switches
For example:
ProCurve_Source (config)# vlan 8 jumbo
ProCurve_Destination (config)# vlan 8 jumbo
ProCurve_Infrastructure (config)# vlan 8 jumbo
16
Traffic Mirroring show Commands
View information about mirror sessions configured on the switch
ProCurve# show monitor [<1-4>]
Network Monitoring
Sessions Status Type Sources ---------- ------- ----- --------- 1 active port 1 2 active IPv4 3 3 active port 1 4 Inactive
Mirror endpoint
Type Dest Address Source Address UDP Src UDP Dst Port ----- --------------- ----------------- --------- --------- ----- IPv4 10.8.1.100 10.8.1.1 8453 3279 A17
Port = local mirror session
IPv4 = remote mirror session
Indicates # of criteria for mirror session
17
Example Configuration
Source Switch10.8.1.1
Destination Switch10.8.1.100
IPS/IDS
xl xl
Power
Fault
Locator
E F
C D
A
ProCurve NetworkingHP Innovation
zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22 zlProCurve24p Gig-Tzl Module J8702A PoE-Integrated 10/100/1000Base-T Ports (1-24) - Ports are IEEE Auto MDI/MDI-X
1 5
62
3
4
7 11
128
9
10
13 17
1814
15
16
19 23
2420
21
22
ConsoleReset Clear
Auxiliary Port
ProCurve Switch 5400zlManagement ModuleJ8726A
InternalPower
PoEPwr
2
1
2
4
1
3
PoE
Temp
Fan
Flash
DIMM
Mgmt
ChasTest
LED ModeModules
Status
Act
FDx
Spd Usr
PoE
H
J
LK
I
G
F
D
B
E
C
AProCurveSwitch 5406zlJ8699A PoE
Usezl Modules
only
B
Running configuration: !Dst switch!vlan 8 untagged 1-5 ip address 10.8.1.100 255.255.255.0 jumbo exitmirror endpoint ip 10.8.1.1 1000 10.8.1.100 port 22
Running configuration: !Source switch!vlan 8 untagged B1-B24 ip address 10.8.1.1 255.255.255.0 jumbo exitmirror 1 remote ip 10.8.1.1 1000 10.8.1.100interface B1 monitor all both mirror 1 exitinterface B2 monitor all both mirror 1 exit
Originatinginterface
18
