Configure ACLs for Mirroring

Configure the access control list (ACL) to mirror packets for an access control entry (ACE) that matches a particular packet.

Before you begin

  • The ACL exists.

About this task

To modify an ACL parameter, double-click the parameter you want to change, change the value, and then click Apply. You cannot change a parameter that the system displays dimmed; in this case, delete the ACL, and then configure a new one.

Procedure

  1. In the navigation pane, expand Configuration > Security > Data Path.
  2. Click Advanced Filters (ACE/ACLs).
  3. Click the ACL tab.
  4. Double-click the parameter MirrorMltId to configure mirroring to a destination MLT group.
  5. Double-click the parameter MirrorDstPortList to configure mirroring to a destination port or ports.

ACL field descriptions

Use the data in the following table to configure the fields on the ACL tab.

Name

Description

AclId

Specifies a unique identifier for the ACL.

Type

Specifies the ACL type. Valid options are:

  • inVlan

  • inPort

  • outPort

  • inVsn

Important:

The inVlan ACLs drop packets if you add a VLAN after ACE creation.

Important:

You can insert an inVsn ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN.

Name

Specifies a descriptive user-defined name for the ACL.

VlanList

For inVlan ACL types, specifies all VLANs to associate with the ACL.

PortList

For inPort and outPort ACL types, specifies the ports to associate with the ACL.

DefaultAction

Specifies the action taken when no ACEs in the ACL match. Valid options are deny and permit, with permit as the default. Deny means the system drops the packets; permit means the system forwards packets.

ControlPktAction

Specifies the action taken for control packets. Valid options are deny and permit.

State

Enables or disables all of the ACEs in the ACL. The default value is enable.

PktType

Indicates the packet type to which this ACL applies.

MirrorMltId

Configures mirroring to a destination MLT.

MirrorDstPortList

Configures mirroring to a destination port or ports.

MatchType

For inVsn ACL types, specifies the match type to associate with the ACL. Valid options are:
  • both for traffic ingressing on both UNI ports and NNI ports terminating on this node

  • terminatingNNIOnly for traffic ingressing on NNI ports only and terminating on this node

  • uniOnly for traffic ingressing on UNI ports only

The default value is both.

Isid

For inVsn ACL types, specifies the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN). This I-SID should already be configured on the fabric node.

The InVSN Filter supports IP Shortcut traffic if the inVsn ACL match type is both. In this case, the I-SID is zero (0).

Important:

You can specify a Switched UNI I-SID if the I-SID is associated with a platform VLAN.

Origin

Indicates the origin of the ACL:
  • config - ACL created by the user.
  • eap - ACL created by Extensible Authentication Protocol (EAP) through a Remote Authentication Dial-In User Service (RADIUS) response.

DefaultSvcRate

Specifies the service rate limit in kbps {8-4000000000}. The granularity is 8 kbps.

DefaultPeakRate

Specifies the peak rate limit in kbps {8-4000000000}. Packets that exceed this value are dropped on ingress. The granularity is 8 kbps.
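
An offline review check built from the field rules in the table above, as an added example (not vendor code and not a device export format). The dictionary layout, the approved mirror port list, and reading "granularity" as "a multiple of 8" are assumptions.

```python
# Added example. Row layout and APPROVED_MIRROR_PORTS are assumptions, not a device export.
TYPES = {"inVlan", "inPort", "outPort", "inVsn"}
ACTIONS = {"deny", "permit"}
MATCH_TYPES = {"both", "terminatingNNIOnly", "uniOnly"}
RATE_MIN, RATE_MAX, RATE_STEP = 8, 4_000_000_000, 8
APPROVED_MIRROR_PORTS = {"1/48"}  # constructed: port cabled to the capture appliance

def audit_acl(acl):
    """Return a list of findings for one ACL row (an empty list means clean)."""
    f = []
    t = acl.get("Type")
    if t not in TYPES:
        f.append(f"Type {t!r} is not a valid ACL type")
    if t == "inVlan" and not acl.get("VlanList"):
        f.append("inVlan ACL has no VlanList")
    if t in ("inPort", "outPort") and not acl.get("PortList"):
        f.append(f"{t} ACL has no PortList")
    if t == "inVsn":
        match = acl.get("MatchType", "both")  # the table gives both as the default
        if match not in MATCH_TYPES:
            f.append(f"MatchType {match!r} is not valid")
        if acl.get("Isid") is None:
            f.append("inVsn ACL has no Isid")
        elif acl["Isid"] == 0 and match != "both":
            f.append("Isid 0 (IP Shortcut) requires MatchType both")
    for key in ("DefaultAction", "ControlPktAction"):
        if key in acl and acl[key] not in ACTIONS:
            f.append(f"{key} {acl[key]!r} must be deny or permit")
    for key in ("DefaultSvcRate", "DefaultPeakRate"):
        rate = acl.get(key)
        if rate is not None and not RATE_MIN <= rate <= RATE_MAX:
            f.append(f"{key} {rate} outside {RATE_MIN}-{RATE_MAX} kbps")
        elif rate is not None and rate % RATE_STEP:  # assumption: multiple of 8
            f.append(f"{key} {rate} is not a multiple of {RATE_STEP} kbps")
    if acl.get("MirrorMltId") is not None:
        f.append(f"mirrors to MLT {acl['MirrorMltId']}: confirm it is a capture destination")
    for port in acl.get("MirrorDstPortList", []):
        if port not in APPROVED_MIRROR_PORTS:
            f.append(f"mirrors to unapproved port {port}")
    return f

# Constructed sample rows, keyed by the field names on the ACL tab
SAMPLE = [
    {"AclId": 1, "Type": "inPort", "PortList": ["1/1"], "DefaultAction": "permit",
     "MirrorDstPortList": ["1/48"]},
    {"AclId": 2, "Type": "inVsn", "MatchType": "uniOnly", "Isid": 0,
     "DefaultPeakRate": 1001, "MirrorDstPortList": ["1/12"]},
]
```

Running `audit_acl` over each row before and after a change window gives a quick list of ACLs whose mirror destinations or type-specific fields need a second look.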