Configure ACLs for Mirroring

Configure the access control list (ACL) to mirror packets for an access control entry (ACE) that matches a particular packet.

Before you begin

The ACL exists.

About this task

To modify an ACL parameter, double-click the parameter you wish to change. Change the value, and then click Apply. You cannot change a parameter that the system displays it dimmed; in this case, delete the ACL, and then configure a new one.

Procedure

In the navigation pane, expand Configuration > Security > Data Path.
Click Advanced Filters (ACE/ACLs).
Click the ACL tab.
Double-click the parameterMirrorMltId to configure mirroring to a destination MLT group.
Double-click the parameter MirrorDstPortList to configure mirroring to a destination port or ports.

ACL field descriptions

Use the data in the following table to use the ACL tab.


Name	Description
AclId	Specifies a unique identifier for the ACL.
Type	Specifies the ACL type. Valid options are inVlan inPort outPort inVsn Important: The inVlan ACLs drop packets if you add a VLAN after ACE creation. Important: You can insert an inVsn ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN.
Name	Specifies a descriptive user-defined name for the ACL.
VlanList	For inVlan ACL types, specifies all VLANs to associate with the ACL.
PortList	For inPort and outPort ACL types, specifies the ports to associate with the ACL.
DefaultAction	Specifies the action taken when no ACEs in the ACL match. Valid options are deny and permit, with permit as the default. Deny means the system drops the packets; permit means the system forwards packets.
ControlPktAction	Specifies the action taken for control packets. Valid options are deny and permit.
State	Enables or disables all of the ACEs in the ACL. The default value is enable.
PktType	Indicates the packet type to which this ACL applies.
MirrorMltId	Configures mirroring to a destination MLT.
MirrorDstPortList	Configures mirroring to a destination port or ports.
MatchType	For inVsn ACL types, specifies the match type to associate with the ACL. Valid options are: both for traffic ingressing on both UNI ports and NNI ports terminating on this node terminatingNNIOnly for traffic ingressing on NNI ports only and terminating on this node uniOnly for traffic ingressing on UNI ports only The default value is both
Isid	For inVsn ACL types, specifies the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN). This I-SID should already be configured on the fabric node. The InVSN Filter supports IP Shortcut traffic if the inVsn ACL match type is both. In this case, the I-SID is zero (0). Important: You can specify a Switched UNI I-SID if the I-SID is associated with a platform VLAN.
Origin	Indicates the origin of the ACL: config - ACL created by the user. eap - ACL created by Extensible Authentication Protocol (EAP) through Remote Authentication Dial-In User Service (RADIUS) response.
DefaultSvcRate Note: Exception: Only supported on VSP 4900 Series, VSP 7400 Series.	Specifies the service rate limit in kbps {8-4000000000}.The granularity is 8 kbps.
DefaultPeakRate Note: Exception: Only supported on VSP 4900 Series, VSP 7400 Series.	Specifies the value when exceeded causes packets to drop on ingress. Peak rate limit in kbps {8-4000000000}.The granularity is 8 kbps.