6.11.3

Traffic Mirroring Policy Creation

Update time: 2025-12-26

Introduction

You can create a complete traffic mirroring policy by defining the mirror source, mirror destination, and traffic filtering parameters (including the VLAN ID, mirror percent, and traffic direction). The specified traffic is duplicated and forwarded to the target interface based on the policy, providing a data source for subsequent traffic analysis.

Constraints and Restrictions

Traffic mirroring within a virtual network: Both the mirror source and destination must be VM interfaces or NFV device interfaces. VLAN ID configuration is not required.

Traffic mirroring from a virtual network to a physical network: The mirror source must be VM interfaces or NFV device interfaces, and the mirror destination must be an edge-connected interface. VLAN ID configuration is required.

Traffic mirroring between physical interfaces: Both the mirror source and destination must be edge-connected interfaces, and VLAN ID configuration is required.

The mirror source and destination must belong to the same cluster or communication domain. Traffic can be mirrored across resource pools only when the resource pools are in the same communication domain.

When you configure a VLAN ID, ensure the VLAN is already configured on the physical switch and allowed on the corresponding Trunk port to prevent mirrored traffic loss.

Prerequisites

You have logged in to SCP using the admin account.

Mirror source objects (such as VM interfaces or edge-connected interfaces) already exist and are in normal status.

Mirror destination objects (such as VM interfaces or edge-connected interfaces) already exist and are not exclusively associated with any traffic mirroring policies. (A destination object can be associated with multiple policies.)

If the mirror destination is an edge-connected interface, ensure the Trunk port of the physical switch has been configured to allow the corresponding VLAN traffic to pass through.

For traffic mirroring across resource pools, ensure that a communication domain has been created, and the relevant resource pools have been added to the communication domain.

Precautions

Before you configure traffic mirroring between physical interfaces, isolate the relevant ports on the physical switch to prevent MAC flapping or network loops caused by mirrored traffic.

In high-load scenarios, set the mirror percent to less than 100% and use a dedicated edge to forward mirrored traffic, reducing the impact on normal service traffic.

If the mirror destination is a security audit device, ensure the device interface is enabled and operating in listening mode. Otherwise, mirrored traffic cannot be received.

To avoid conflicts, ensure that the configured VLAN ID matches the VLAN allowed on the physical switch, and mirrored traffic does not include native VLAN traffic.

After a traffic mirroring policy is created, immediately perform a connectivity test to verify that traffic is correctly forwarded to the destination.

Steps

Step 1. Log in to SCP and go to Networking > Traffic Mirroring. (The path may vary slightly depending on the platform version.)

Step 2. Click New. In the Create Traffic Mirroring Policy pop-up window, click Configuration Guide to view instructions for different scenarios.

Step 3. Close the Configuration Guide window and configure the fields as instructed in the table below:

| Field | Description | Operation Suggestion |
| --- | --- | --- |
| Name | Specify a custom name to identify the use of the traffic mirroring policy. | Format: Policy Type - Source Object - Destination Object - No., Example: Virtual to Physical - Web Server - Audit Device - 01 |
| Mirror Source | Select the source of traffic to be mirrored. Supported options include VM interfaces, NFV device interfaces, and edge-connected interfaces. | Select source objects based on the policy type. Up to 1024 interfaces can be selected as the source objects for a policy. If you select source objects on different nodes, ensure that the corresponding resource pools are in the same communication domain. |
| Mirror Destination | Select the destination of mirrored traffic. Only one VM interface or edge-connected interface can be selected. | Ensure that the destination type matches the source type. (For example, for traffic mirroring within a virtual network, if the source is a VM interface, the destination must also be a VM interface.) |
| VLAN ID | Specify the VLAN ID carried in mirrored packets. This field is required only when the mirror destination is an edge-connected interface. | Enter a VLAN ID (Example: 2000) that matches the VLAN allowed on the physical switch. This field is not required for traffic mirroring within a virtual network. |
| Mirror Percent | The proportion of source traffic to be mirrored. Default value: 100% | Set the value to 50%-80% in high-load scenarios. Use the default value (100%) in low-load scenarios to ensure traffic integrity. |
| Traffic Direction | Select the type of traffic to be mirrored. Valid values: All, Inbound, and Outbound | Select All for security auditing. For troubleshooting, select Inbound or Outbound as needed to reduce unnecessary data. |
| Status | Select Enabled to apply the policy immediately after creation. | In test scenarios, deselect Enabled and do not enable the policy until the configuration is complete and verified. |

Step 4. After all fields are configured, click OK. The system will automatically save and apply the policy if Status is set to Enabled.

Step 5. After the policy is created, view the policy on the Traffic Mirroring page. Verify that the information displayed in the Mirror Source, Mirror Destination, and Status columns is correct.
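
The rules under Constraints and Restrictions and in the field table can be checked against a planned policy before it is entered in the console. The sketch below is an added example, not Sangfor code and not an SCP API: `Iface`, `check_policy`, the kind labels and the sample interface names are hypothetical, and the lower bound on mirror percent is an assumption, since the page gives only the 100% default.

```python
from dataclasses import dataclass

VIRTUAL = {"vm", "nfv"}   # VM interfaces and NFV device interfaces
EDGE = "edge"             # edge-connected interface
DIRECTIONS = {"All", "Inbound", "Outbound"}

@dataclass(frozen=True)
class Iface:
    name: str
    kind: str     # "vm", "nfv" or "edge" (labels constructed for this example)
    domain: str   # cluster or communication domain the interface belongs to

def check_policy(sources, dest, vlan_id=None, percent=100, direction="All",
                 trunk_vlans=frozenset(), high_load=False):
    """Return (scenario, findings); an empty findings list means the plan passes."""
    findings = []
    kinds = {s.kind for s in sources}
    if kinds and kinds <= VIRTUAL and dest.kind in VIRTUAL:
        scenario = "within virtual network"
    elif kinds and kinds <= VIRTUAL and dest.kind == EDGE:
        scenario = "virtual to physical"
    elif kinds == {EDGE} and dest.kind == EDGE:
        scenario = "physical to physical"
    else:
        scenario = None
        findings.append("source and destination types match no supported scenario")
    if not 1 <= len(sources) <= 1024:
        findings.append("a policy takes 1 to 1024 source interfaces")
    if {s.domain for s in sources} != {dest.domain}:
        findings.append("sources and destination span different clusters or communication domains")
    if dest.kind == EDGE:
        if vlan_id is None:
            findings.append("VLAN ID is required for an edge-connected destination")
        elif vlan_id not in trunk_vlans:
            findings.append(f"VLAN {vlan_id} is not allowed on the switch Trunk port")
    if not 0 < percent <= 100:  # assumed bounds; the page states only the default
        findings.append("mirror percent must be above 0 and at most 100")
    elif high_load and percent == 100:
        findings.append("high load: set mirror percent below 100")
    if direction not in DIRECTIONS:
        findings.append(f"traffic direction must be one of {sorted(DIRECTIONS)}")
    return scenario, findings

# Constructed sample plan: a web server VM mirrored to an audit device behind an edge.
web = Iface("web-server-eth0", "vm", "domain-a")
audit = Iface("edge-audit-port", "edge", "domain-a")
if __name__ == "__main__":
    print(check_policy([web], audit, vlan_id=2000, trunk_vlans={2000}))
    print(check_policy([web], audit))  # missing VLAN ID is reported
```

`trunk_vlans` is the set of VLANs the physical switch's Trunk port allows, taken from the switch configuration rather than from SCP.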