Feature |
Product |
Release introduced |
---|---|---|
Ingress mirroring (port and flow-based) |
5320 Series |
Fabric Engine 8.6 |
5420 Series |
VOSS 8.4 |
|
5520 Series |
VOSS 8.2.5 |
|
5720 Series |
Fabric Engine 8.7 |
|
Egress mirroring (port-based) |
5320 Series |
Fabric Engine 8.6 |
5420 Series |
VOSS 8.4 |
|
5520 Series |
VOSS 8.2.5 |
|
5720 Series |
Fabric Engine 8.7 |
True egress port-based mirroring that produces an identical copy of an outgoing packet is not supported. The mirrored copy does not reflect changes that occur in the switch to the outgoing packet (for example, packet fields that are updated during IP routing). As a result, the mirrored copy is not identical to the outgoing packet.
Use the port mirroring feature to monitor and analyze network traffic. Port mirroring supports both ingress (incoming traffic) and egress (outgoing traffic) port mirroring. When you enable port mirroring, the system forwards ingress or egress packets normally from the mirrored (source) port, and sends a copy of the packet to the mirroring (destination) port.
Port mirroring causes the switch to make a copy of a traffic flow and send the copy to a device for analysis. Use port mirroring in diagnostic sniffing—use the mirror to view the packets in the flow without breaking the physical connection to place a packet sniffer inline. You can also use mirroring for security reasons.
You can use egress mirroring to monitor packets as they leave specified ports. Egress mirroring on the switch is done at the end of the ingress pipeline. Since packet modifications occur in the egress pipeline, some of the changes will not be reflected in the mirrored version of the packet. Changes that occur in the egress pipeline may be reflected in the mirrored packed due to the metadata that is carried with the packet. Metadata notifies the egress pipeline what to change.
Use a network analyzer to observe and analyze packet traffic at the mirroring port. Unlike other methods that analyze packet traffic, the packet traffic is uninterrupted and packets flow normally through the mirrored port.
You can mirror to a port or list of ports or a MultiLink Trunking (MLT) group. The switch supports one-to-many, many-to-one, and many-to-many mirroring configurations.
You can use all ports in the system to function as an ingress port for mirroring (mirrored port), an egress port for mirroring (mirrored port), or as a mirroring port (where all the mirrored traffic is redirected. The number of mirroring ports (also called destination ports) that you can configure is limited by the hardware. The hardware limitation is four ports simultaneously (where each mirroring direction counts as one). For example, if two mirroring ports are designated to mirror both ingress and egress traffic then all four mirroring ports are consumed.
The following table describes ingress mirroring functionality. Only one type of mirroring destination is supported at a time. You cannot mirror the same port to multiple classes of destinations, for example, MLT. However, you can mirror to multiple physical destinations.
Important
Mirroring packets from one NNI port to another NNI port is not supported. Mirror to access ports, not NNI ports.
Function |
Support information |
---|---|
Ingress port mirroring and ingress flow mirroring |
Supported. Maximum of four mirror-to-ports per box. |
One port to one port |
Supported |
One to MLT group [for threat protection system (TPS applications)] |
Supported |
One to many (multicast group ID/VLAN) |
Not supported |
One to one (remote mirrored destination) |
Not supported |
Many to one (multiple mirrored ports to one mirroring port) |
Supported |
Many to MLT group |
Supported |
Many to many (VLAN/multicast group ID) (multiple ports with several different destinations) |
Not supported |
Many to one (relation between Remote Mirror Source [RMS] and Remote Mirror Termination [RMT]) |
Not supported |
VLAN and port combination as a mirroring destination |
Not supported |
Ingress flow mirroring |
Supported |
Allow filters to specify a separate destination for each access control entry |
Supported |
The following table describes egress mirroring functionality.
Function |
Support information |
---|---|
Egress port mirroring |
Supported |
One port to one port |
Supported |
One to MLT groups (for TPS applications) |
Supported |
One to many (multicast group ID/VLAN) |
Not supported |
Many to one (multiple mirrored ports to one mirroring port) |
Supported |
Many to MLT group |
Supported |
Many to many (multicast group ID) (multiple ports with several different destinations) |
Supported |
Many to one (relation between Remote Mirror Source [RMS] and Remote Mirror Termination [RMT]) |
Not supported |
VLAN and port combination as mirroring destination |
Not supported |
Egress flow mirroring |
Supported |
Allow filter to specify a separate destination for each access control entry |
Supported |
You can specify a destination multilink trunking (MLT) group, a destination port or set of ports.
There are two port mirroring modes: rx (ingress, that is, inPort) and tx (egress, that is, outPort). In rx mode, when you configure the ACE mirror or ACL global options to mirror packets, use the ACE to configure the mirroring destination port.
To modify a port mirroring instance, first disable the instance. Also, to change a port or MLT entry, first remove whichever parameter is attached to the entry, and then add the required entry.
You can use filters to reduce the amount of mirrored traffic. You can configure the mirroring action globally in an access control list (ACL), or for a specific access control entry (ACE) by using the ACE mirror actions. If you use the global action, mirroring applies to all ACEs that match in an ACL.
To use filters with port mirroring, apply an ACL to the mirrored port in the egress and ingress directions. Traffic patterns that match the ACL or ACE with an action of permit are forwarded to the destination and also to the mirroring port. Traffic patterns that match an ACE with an action of drop (deny) are not forwarded to the destination, but still reach the mirroring port. For example, for an ACL or ACE with a match action of permit, packets are mirrored to the specified mirroring destination on the ACE. If you enable a port or VLAN filter, then that filter is the mirroring filter.
You can specify more than one mirroring destination by using multiple ACEs. Use each ACE to specify a different destination.
You can configure a port-based and a flow-based mirroring filter on the same port. If such a case occurs, then the flow-based mirror takes precedence.
For information about how to configure ACLs and ACEs for port mirroring using CLI, see the following sections:
For information about how to configure ACLs and ACEs for port mirroring using EDM, see the following sections: