Port Mirroring

Table 1. Port Mirroring product support

Feature

Product

Release introduced

For configuration details, see VOSS User Guide.

Ingress mirroring (port and flow-based)

5520 Series

VOSS 8.2.5

VSP 4450 Series

VSP 4000 4.0

VSP 4900 Series

VOSS 8.1

VSP 7200 Series

VOSS 4.2.1

VSP 7400 Series

VOSS 8.0

VSP 8200 Series

VSP 8200 4.0

VSP 8400 Series

VOSS 4.2

VSP 8600 Series

VSP 8600 4.5

XA1400 Series

VOSS 8.0.50

Egress mirroring (port-based)

5520 Series

VOSS 8.2.5

VSP 4450 Series

VSP 4000 4.0

VSP 4900 Series

VOSS 8.1

VSP 7200 Series

VOSS 4.2.1

VSP 7400 Series

VOSS 8.0

VSP 8200 Series

VSP 8200 4.0

VSP 8400 Series

VOSS 4.2

VSP 8600 Series

VSP 8600 4.5

XA1400 Series

VOSS 8.0.50

True egress port-based mirroring that produces an identical copy of an outgoing packet is supported only on the VSP 4450 Series. On all other platforms, the mirrored copy does not reflect changes that occur in the switch to the outgoing packet (for example, packet fields that are updated during IP routing). As a result, the mirrored copy is not identical to the outgoing packet.

Use the port mirroring feature to monitor and analyze network traffic. Port mirroring supports both ingress (incoming traffic) and egress (outgoing traffic) port mirroring. When you enable port mirroring, the system forwards ingress or egress packets normally from the mirrored (source) port, and sends a copy of the packet to the mirroring (destination) port.

Overview

Port mirroring causes the switch to make a copy of a traffic flow and send the copy to a device for analysis. Use port mirroring in diagnostic sniffing—use the mirror to view the packets in the flow without breaking the physical connection to place a packet sniffer inline. You can also use mirroring for security reasons.

You can use egress mirroring to monitor packets as they leave specified ports. Egress mirroring on the switch is done at the end of the ingress pipeline. Since packet modifications occur in the egress pipeline, some of the changes will not be reflected in the mirrored version of the packet. Changes that occur in the egress pipleline may be reflected in the mirrored packed due to the metadata that is carried with the packet. Metadata notifies the egress pipeline what to change.

Use a network analyzer to observe and analyze packet traffic at the mirroring port. Unlike other methods that analyze packet traffic, the packet traffic is uninterrupted and packets flow normally through the mirrored port.

You can mirror to a port or list of ports or a MultiLink Trunking (MLT) group. The switch supports one-to-many, many-to-one, and many-to-many mirroring configurations.

Ingress and Egress Mirrored Ports

You can use all ports in the system to function as an ingress port for mirroring (mirrored port), an egress port for mirroring (mirrored port), or as a mirroring port (where all the mirrored traffic is redirected. The number of mirroring ports (also called destination ports) that you can configure is limited by the hardware. The hardware limitation is 4 ports simultaneously (where each mirroring direction counts as one). For example, if two mirroring ports are designated to mirror both ingress and egress traffic then all 4 mirroring ports are consumed.

The following table describes ingress mirroring functionality. Only one type of mirroring destination is supported at a time. You cannot mirror the same port to multiple classes of destinations, for example, MLT. However, you can mirror to multiple physical destinations.

Important

Important

  • Flow or ACL-based based mirroring is not supported for ingress and egress on VSP 8600 Series.

  • Mirroring packets from one NNI port to another NNI port is not supported. Mirror to access ports, not NNI ports.

Table 2. Ingress mirroring functionality

Function

Support information

Ingress port mirroring and ingress flow mirroring

Supported. Maximum of 4 mirror-to-ports per box.

One port to one port

Supported

One to MLT group [for threat protection system (TPS applications)]

Supported

One to many (multicast group ID/VLAN)

Not supported

One to one (remote mirrored destination)

Not supported

Many to one (multiple mirrored ports to one mirroring port)

Supported

Many to MLT group

Supported

Many to many (VLAN/multicast group ID) (multiple ports with several different destinations)

Not supported

Many to one (relation between Remote Mirror Source [RMS] and Remote Mirror Termination [RMT])

Not supported

VLAN and port combination as a mirroring destination

Not supported

Ingress flow mirroring

Supported

Allow filters to specify a separate destination for each access control entry

Supported

The following table describes egress mirroring functionality.

Table 3. Egress mirroring functionality

Function

Support information

Egress port mirroring

Supported

One port to one port

Supported

One to MLT groups (for TPS applications)

Supported

One to many (multicast group ID/VLAN)

Not supported

Many to one (multiple mirrored ports to one mirroring port)

Supported

Many to MLT group

Supported

Many to many (multicast group ID) (multiple ports with several different destinations)

Supported

Many to one (relation between Remote Mirror Source [RMS] and Remote Mirror Termination [RMT])

Not supported

VLAN and port combination as mirroring destination

Not supported

Egress flow mirroring

Supported

Allow filter to specify a separate destination for each access control entry

Supported

Port Configuration

You can specify a destination multilink trunking (MLT) group, a destination port or set of ports.

There are two port mirroring modes: rx (ingress, that is, inPort) and tx (egress, that is, outPort). Configure the mirroring action globally in an access control list (ACL), or for a specific access control entry (ACE) by using the ACE mirror actions. Configure the mirroring destination by using an ACE.

In rx modes, when you configure the ACE mirror or ACL global options to mirror, use the ACE to configure the mirroring destination port.

Note

Note

Not all hardware platforms support ACL global action to mirror.

To modify a port mirroring instance, first disable the instance. Also, to change a port or MLT entry, first remove whichever parameter is attached to the entry, and then add the required entry.

ACLs, ACEs, and Port Mirroring

You can configure an ACL or an ACE to perform the mirroring operation. To do so, you can configure the ACL global action to mirror, or you can configure the ACE action to mirror. If you use the global action, mirroring applies to all ACEs that match in an ACL.

To decouple flow-based mirrors from port-based mirrors, ACEs use a parameter called mirror, which you can configure to specific mirror to MLT ID, VLAN, port, or port list.

You can use filters to reduce the amount of mirrored traffic. To use filters with port mirroring, you must use an ACL-based filter. Apply an ACL to the mirrored port in the egress and ingress directions. Traffic patterns that match the ACL or ACE with an action of permit are forwarded to the destination and also to the mirroring port. Traffic patterns that match an ACE with an action of drop (deny) are not forwarded to the destination, but still reach the mirroring port For example, for an ACL or ACE with a match action of permit and debug mirroring enabled, packets are mirrored to the specified mirroring destination on the ACE. If you enable a port or VLAN filter, that filter is the mirroring filter.

You can specify more than one mirroring destination by using multiple ACEs. Use each ACE to specify a different destination.

You can configure a port-based and a flow-based mirroring filter on the same port. If such a case occurs, then the flow-based mirror takes precedence.

For more information about how to configure ACLs and ACEs, see Traffic Filtering.