Sangfor Cloud Platform (SCP) 6.11.3

Introduction

Update time: 2025-12-26

Traffic mirroring is a network traffic collection and analysis feature provided by SCP. It duplicates network packets from a specified source interface (such as a VM interface or an edge-connected interface) and forwards the copies to a designated destination interface (such as a VM interface or an edge-connected interface). Used together with security auditing or monitoring and analysis devices, it meets traffic auditing, network monitoring, and fault troubleshooting requirements. Traffic mirroring collects traffic transparently and has no impact on service communication, so it provides reliable data for business security protection and network O&M.

Working Principles

Policy types: The following three types of traffic mirroring policies are supported: Traffic mirroring within a virtual network (traffic is mirrored between VM interfaces or NFV device interfaces), traffic mirroring from a virtual network to a physical network (traffic is mirrored from VM or NFV device interfaces to an edge-connected interface), and traffic mirroring between physical interfaces (traffic is mirrored between edge-connected interfaces).

Encapsulation and forwarding: For traffic mirroring across different cluster nodes, Encapsulated Remote Switched Port Analyzer (ERSPAN) is used to encapsulate the traffic sent from the source to the destination. During encapsulation, TCP Segmentation Offload (TSO) is applied to the packets in memory so that the encapsulated packets are not fragmented on the wire. After a VM is migrated, its associated mirroring policies are migrated automatically, so no manual reconfiguration is needed.

Traffic control: The mirrored traffic volume is controlled by configuring the mirror percent (0%-100%). Selecting the traffic direction allows precise collection of the required traffic, reducing unnecessary bandwidth consumption.

Applicable Scenarios

Security protection (network intrusion detection): Traffic can be mirrored from business VMs to intrusion detection devices to detect potential vulnerabilities and attack behaviors, which enables rapid threat response and business data protection.

Compliance auditing (finance and government sectors): In finance, government, and other sectors with strict compliance requirements, critical business traffic can be mirrored to auditing platforms to meet regulatory requirements for traffic retention and auditing and ensure the traceability of business operations.

Network O&M (fault troubleshooting): When network communication errors occur, mirroring traffic on relevant interfaces allows O&M personnel to analyze packet details (such as TCP retransmissions and protocol anomalies) without logging into VMs for packet capture, improving troubleshooting efficiency.

Related Concepts

Mirror source: The source of collected traffic. Supported sources include VM interfaces, NFV device interfaces, and edge-connected interfaces. Up to 1024 interfaces can be selected as the mirror source for a traffic mirroring policy.

Mirror destination: The destination to which traffic is forwarded. Only one VM interface or edge-connected interface can be selected as the mirror destination for a traffic mirroring policy, and the network environment of the mirror destination must be consistent with that of the mirror source.

VLAN ID: The VLAN ID carried in mirrored packets. Configure it when the mirror destination is an edge-connected interface, and ensure it matches the VLAN allowed on the Trunk port of the switch connected to the edge.

Mirror percent: The proportion of traffic mirrored from the source. The default value is 100%, which means all traffic of the source is mirrored. You can set a lower value to reduce bandwidth usage.

Traffic direction: The type of traffic to be mirrored. When you configure a traffic mirroring policy, you can select All (mirroring both the traffic received and sent by the source object), Inbound (mirroring only the traffic received by the source object), or Outbound (mirroring only the traffic sent by the source object) for Traffic Direction.

Constraints and Restrictions

Up to 1024 interfaces can be selected as the mirror source for a traffic mirroring policy, and only 1 VM interface or NFV device interface can be selected as the mirror destination.

When a VM interface, NFV device interface, or edge-connected interface is used as the mirror source, the interface can be associated with only 1 traffic mirroring policy. When used as the mirror destination, the interface can be associated with multiple policies.

Traffic cannot be mirrored from a physical network to a virtual network. Traffic mirroring is supported only within a virtual network, from a virtual network to a physical network, and between physical interfaces.

It is recommended to limit the number of traffic mirroring policies to 100. A larger number may increase service traffic latency and reduce throughput.

VMs associated with traffic mirroring policies can be migrated within a cluster. After migration, the associated traffic mirroring policies take effect automatically without reconfiguration.

In high-load scenarios, use a dedicated physical NIC for traffic mirroring to prevent mirrored traffic from competing for bandwidth with VM interfaces or overlay network interfaces.

When traffic is mirrored to an edge-connected interface, a VLAN ID must be configured and match the VLAN allowed on the Trunk port of the physical switch connected to the edge, and mirrored traffic cannot include the VLAN traffic.

Traffic can be mirrored across resource pools only when the resource pools are in the same communication domain. Traffic mirroring across resource pools in different communication domains is not supported.

Traffic that is blocked by the distributed firewall or limited by QoS settings is also captured and forwarded based on traffic mirroring policies.

If interface multiplexing is enabled for an interface selected as the mirror source, only business traffic is captured. Management network traffic, overlay network traffic, and other non-business traffic are not captured.

If an edge-connected interface associated with a traffic mirroring policy is modified, the edge-connected interface referenced in that policy is changed accordingly.
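The related concepts and constraints above describe a set of rules a policy must satisfy before it can take effect. The following Python script, added here as an illustration and not part of SCP, checks policy definitions against those rules (mirror percent range, traffic direction, source and destination counts, no physical-to-virtual mirroring, VLAN ID for edge destinations, shared communication domain, one policy per source interface, and the recommended policy count). The dict-based policy schema and the sample policies are assumptions constructed for this example.

```python
"""Checks SCP traffic mirroring policies against the constraints documented on
this page. Added illustration: not SCP code; the dict schema is an assumption."""
from collections import Counter

VIRTUAL_KINDS = {"vm", "nfv"}   # VM interface, NFV device interface
MAX_SOURCES = 1024              # sources per policy
RECOMMENDED_MAX_POLICIES = 100  # above this, latency and throughput may suffer

def validate_policy(p):
    """Return the list of constraint violations for one policy (empty = OK)."""
    errors, srcs, dst = [], p["sources"], p["destination"]
    if not 0 <= p.get("mirror_percent", 100) <= 100:
        errors.append("mirror percent must be 0-100")
    if p.get("direction", "all") not in ("all", "inbound", "outbound"):
        errors.append("direction must be all, inbound or outbound")
    if not 1 <= len(srcs) <= MAX_SOURCES:
        errors.append(f"a policy needs 1-{MAX_SOURCES} sources")
    # Physical -> virtual mirroring is not supported (edge source, VM/NFV dest).
    if any(s["kind"] == "edge" for s in srcs) and dst["kind"] in VIRTUAL_KINDS:
        errors.append("physical-to-virtual mirroring is not supported")
    # Mirroring to an edge-connected interface needs a VLAN ID for the trunk port.
    if dst["kind"] == "edge" and "vlan_id" not in dst:
        errors.append("edge destination requires a VLAN ID")
    # Source and destination must sit in the same communication domain.
    if {s["domain"] for s in srcs} != {dst["domain"]}:
        errors.append("source and destination must share a communication domain")
    return errors

def validate_policy_set(policies):
    """Per-policy errors plus cross-policy checks: an interface may be the source
    of only one policy, and >100 policies is beyond the recommended limit."""
    issues = {name: validate_policy(p) for name, p in policies.items()}
    use = Counter(s["id"] for p in policies.values() for s in p["sources"])
    for name, p in policies.items():
        for s in p["sources"]:
            if use[s["id"]] > 1:
                issues[name].append(f"source {s['id']} is used by {use[s['id']]} policies")
    warnings = []
    if len(policies) > RECOMMENDED_MAX_POLICIES:
        warnings.append(f"{len(policies)} policies exceed the recommended {RECOMMENDED_MAX_POLICIES}")
    return issues, warnings

# Constructed sample: IDS VM gets the web VM's inbound traffic; an audit appliance
# on the physical network gets the DB VM's traffic but the VLAN ID was forgotten.
SAMPLE_POLICIES = {
    "ids-web": {"sources": [{"id": "web-eth0", "kind": "vm", "domain": "pool-a"}],
                "destination": {"id": "ids-eth1", "kind": "vm", "domain": "pool-a"},
                "mirror_percent": 100, "direction": "inbound"},
    "audit-db": {"sources": [{"id": "db-eth0", "kind": "vm", "domain": "pool-a"}],
                 "destination": {"id": "edge-1", "kind": "edge", "domain": "pool-a"},
                 "mirror_percent": 50, "direction": "all"},
}
```

Running `validate_policy_set(SAMPLE_POLICIES)` reports only the missing VLAN ID on the audit-db policy; a duplicate source interface across policies or an edge-to-VM policy is flagged the same way.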