Read the mirror in one article

Everyone is familiar with mirrors. We can see the same version of ourselves in the mirror. This is because the object in front of the mirror forms an upright virtual image behind the mirror, visually "copying" an image that is exactly the same as the one in front of the mirror. object. There is also a behavior similar to mirror "copying" on the Internet - mirroring. Today I will talk about mirroring.

01. What is mirroring?

Mirroring is to copy the sent and received packets from a specified source on the network device and send them to the destination port, and then send the copied packets to the network analysis through the destination port. device so that the message can be analyzed. Simply put, when it is inconvenient to directly view and analyze the source message on the network device, then "copy" a copy and send it to a place where it is convenient for viewing and analysis without affecting the normal message forwarding of the network device. When we solve network fault problems, mirroring is an important troubleshooting method. Mirroring can also realize network traffic analysis, security defense, traffic backup and other functions.

02. What does the mirroring system include?

A complete mirroring system includes network equipment, mirroring source, destination port and network analysis equipment.

01. Network equipment

Network equipment can be switches, routers, firewalls, etc.

02. Mirror source

The mirror source can be a port, packet flow, VLAN and MAC address. Therefore, according to different mirroring sources, mirroring can be divided into port mirroring, flow mirroring, VLAN mirroring and MAC mirroring. The four mirror sources are different, but the composition of the mirror system is similar. We take port mirroring as an example to introduce. When port mirroring is enabled on a network device, the mirroring source port can be one or more, and the source port is also called a mirror port.

03. Destination port

The destination port is a designated port that receives "copy" packets. The destination port is also called the observing port. According to the location of the mirroring destination port, it can be divided into local mirroring and remote mirroring.

04. Network analysis equipment

The network analysis equipment connects to the destination port, which can be a computer with packet capture analysis software installed, or a dedicated monitoring and analysis instrument.

03. How mirroring works

Taking port mirroring as an example, we will introduce local mirroring and remote mirroring respectively.

01. Local mirroring

The source port and destination port of local mirroring are on the same network device, and "copying" and "receiving" are completed on the same network device. Copy the packets of port 1 to port 3 on network device A. Then you can monitor the packets of port 1 on port 3, which is local mirroring.

02. Remote mirroring

The source port and destination port of remote mirroring are distributed on different network devices, and mirrored packets must be transmitted across devices before they can reach the specified destination port. Copy the packet from port 1 of network device A and send it to port 3 of remote network device B, which is remote mirroring. In remote mirroring, the packets from the source port of network device A can be encapsulated and transmitted through the Layer 2 or Layer 3 network, reach the destination port of network device B, and be sent to the network analysis device connected to the destination port. The working process of other mirroring types is similar to port mirroring. Flow mirroring copies a type of packets that match specified rules to the destination port. When an ACL (Access Control List) is configured in a mirroring session, it is considered flow mirroring. Traffic mirroring can collect ACL-filtered packets as needed, and can bind ACLs in different directions of the port (outbound, inbound, or bidirectional). VLAN mirroring is to copy the inbound and outbound packets of all interfaces in a specified VLAN (Virtual Local Area Network, Virtual LAN) to the destination port. MAC mirroring is to copy the packets whose source MAC address or destination MAC address is the specified MAC address to the destination port.

04. What are the application scenarios of mirroring?

There are many applications of mirroring. Examples of common application scenarios are as follows.

01. Troubleshooting

When a fault or network anomaly occurs in the network, mirroring can capture and analyze relevant data packets to help network administrators quickly identify and locate faults, such as network congestion, loss, etc. Package or configuration errors, etc.

02. Network analysis and optimization

Through the mirroring function, you can monitor network traffic in real time and understand protocol usage and application behavior. Helps identify potential performance issues, perform network optimization in a timely manner, and ensure normal network operation. At the same time, future resource allocation and capacity expansion can also be planned based on network traffic data.

03. Security Defense

Use mirroring to monitor network traffic and discover potential security threats or attacks. For example, corporate networks can capture abnormal traffic in the network through mirroring and promptly identify intrusions, malicious attacks, and other network security events. Network administrators can quickly take action to prevent potential attacks.

04. Data backup

Through mirroring, you can copy a copy of the data message and back it up to a designated location to back up important data and prevent data loss.

Conclusion

As can be seen from the above introduction, mirroring is an important means for troubleshooting, network analysis and optimization, security defense and data backup. But the use of mirrors is not unlimited. The mirroring function must use its corresponding functions within the purpose and scope permitted by laws and regulations. During use, it is necessary to ensure that the user's communication content is strictly protected. Enabling the mirroring function will occupy the bandwidth resources of the network device, which may cause the performance of the device to process services to decrease. In severe cases, it may even affect the business. Therefore, you need to pay attention to the risks when using the mirror function and close it promptly after use. This article comes from the WeChat public account: ZTE Documents (ID: ztedoc)

The above is the detailed content of Read the mirror in one article. For more information, please follow other related articles on the PHP Chinese website!