The S- K- and 7100-Series devices support remote mirroring using a Layer 2 (L2) GRE tunnel. Any L2 traffic (unicast, multicast, or broadcast) that can be mirrored with a non-L2 GRE remote mirror can be mirrored with an L2 GRE remote mirror. The mirror source port is the source of the mirrored packets found on the local router of interest. The mirror encapsulates the L2 traffic seen by the mirrored source port in an IP GRE header and delivers it to the tunnel destination address on the S- and K-Series or to the L2 tunnel bridge port as the destination address on the 7100-Series. The tunnel destination address is the ultimate destination port of the tunnel where packets are decapsulated and delivered to the port local to the remote router.
Note
The 7100-Series device supports encapsulation for remote mirror; the 7100-Series does not support decapsulation. The remote mirror destination device must be a device that supports decapsulation for full remote mirroring support. A 7100-Series can be used if you intend to use a packet monitoring program as the means of capturing the packet contents.The 7100-Series supports IPv4 addressing only for remote mirroring.
The tunnel destination port resides on a remote router with the appropriate L2 GRE tunnel configuration back to the ultimate mirror destination. The intermediate mirror destination port is the actual mirror destination of the local SMON or, in the case of S- and K-Series, policy configuration. Once the L2 tunnel is enabled and fully configured, packets sent to an intermediate destination are encapsulated and forwarded for any SMON or policy port mirrors that use the mirror destination port. Once the tunnel is enabled, the tunnel destination port is in internal loopback mode and can no longer be used as a normal switch port.
Configuration of a remote mirror using a L2 GRE tunnel consists of:
The following CLI input sets up the L2 GRE tunnel for mirrored port ge.1.1 by:
System(rw)->configure System(rw-config)->interface loop.0.1 System(rw-config-intf-loop.0.1)->ip address 88.88.88.1/32 System(rw-config-intf-loop.0.1)->no shutdown System(rw-config-intf-loop.0.1)->exit System(rw-config)->interface vlan.0.20 System(rw-config-intf-vlan.0.20)->ip address 6.1.1.1 255.255.255.0 primary System(rw-config-intf-vlan.0.20)->no shutdown System(rw-config-intf-vlan.0.20)->exit System(rw-config)->interface tunnel 5 System(rw-config-intf-tun.0.5)->tunnel destination 99.99.99.1 System(rw-config-intf-tun.0.5)->tunnel mode gre l2 ge.1.8 System(rw-config-intf-tun.0.5)->tunnel mirror enable System(rw-config-intf-tun.0.5)->tunnel source 88.88.88.1 System(rw-config-intf-tun.0.5)->no shutdown System(rw-config-intf-tun.0.5)->exit System(rw-config)->ip route 99.99.99.1/32 6.1.1.2 interface vlan.0.20 1 System(rw-config)->exit
System(rw)->configure System(rw-config)->interface loop.0.1 System(rw-config-intf-loop.0.1)->ip address 88.88.88.1/32 System(rw-config-intf-loop.0.1)->no shutdown System(rw-config-intf-loop.0.1)->exit System(rw-config)->interface tunnel 5 System(rw-config-intf-tun.0.5)->tunnel destination 99.99.99.1 System(rw-config-intf-tun.0.5)->tunnel mode gre l2 tbp.0.1 System(rw-config-intf-tun.0.5)->tunnel mirror enable System(rw-config-intf-tun.0.5)->tunnel source 88.88.88.1 System(rw-config-intf-tun.0.5)->no shutdown System(rw-config-intf-tun.0.5)->exit System(rw-config)->ip route 99.99.99.1/32 6.1.1.2 interface vlan.0.20 1 System(rw-config)->exit
The following CLI input creates an SMON port mirror specifying the L2 GRE mirror-destination (ge.1.8 on the S- and K-Series; tbp.0.1 on the 7100-Series) as the destination:
S-K-Series(rw)->set port mirror create ge.1.1 ge.1.8 both 7100-Series(rw)->set port mirroring create ge.1.1 tbp.0.1 both System(rw)->
The following CLI input sets up the L2 GRE tunnel on the mirror destination router. The 7100-Series does not support decapsulation of the mirrored packet. If you require decapsulation of the mirrored packet, the following CLI input sets up the L2 GRE tunnel on the mirror destination router for an S-Series or K-Series device, by:
You do not enable the mirrored tunnel on the mirror destination router. The L2 GRE-encapsulated packets:
A PC running a packet-monitoring program, such as WireShark, can be attached to this port. The packet-monitoring program displays the L2 traffic that is seen by ge.1.1 on the router on which the mirrored port resides.
S-K-Series(rw)->configure S-K-Series(rw-config)->interface loop.0.1 S-K-Series(rw-config-intf-loop.0.1)->ip address 99.99.99.1/32 S-K-Series(rw-config-intf-loop.0.1)->no shutdown S-K-Series(rw-config-intf-loop.0.1)->exit S-K-Series(rw-config)->interface vlan.0.33 S-K-Series(rw-config-intf-vlan.0.33)->ip address 5.1.1.1 255.255.255.0 primary S-K-Series(rw-config-intf-vlan.0.33)->no shutdown S-K-Series(rw-config-intf-vlan.0.33)->exit S-K-Series(rw-config)->interface tunnel 12 S-K-Series(rw-config-intf-tun.0.12)->tunnel destination 88.88.88.1 S-K-Series(rw-config-intf-tun.0.12)->tunnel mode gre l2 ge.2.4 S-K-Series(rw-config-intf-tun.0.12)->tunnel source 99.99.99.1 S-K-Series(rw-config-intf-tun.0.12)->no shutdown S-K-Series(rw-config-intf-tun.0.12)->exit S-K-Series(rw-config)->ip route 88.88.88.1/32 5.1.1.2 interface vlan.0.33 1 S-K-Series(rw-config)->exit S-K-Series(rw)->
The following CLI input (S-, K-Series):
System(rw)->set policy profile 1 mirror-destination 2 System(rw)->set policy rule admin-profile port ge.1.1 mask 16 port-string ge.1.1 admin-pid 1 System(rw)->set mirror create 2 System(rw)->set mirror ports ge.1.8 2