Although you can configure the switch to monitor both ingress and egress traffic, some restrictions apply:
VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8000 Series, VSP 8600 Series, and XA1400 Series do not support true egress mirroring because packets are mirrored prior to the completion of packet processing, so egress mirrored packets can differ from the packets egressing the port.
For the VOSS platforms, only VSP 4450 Series supports true egress mirroring.
Note
To mirror the egress traffic for VSP 4900 Series, VSP 7200 Series, VSP 7400 Series, VSP 8000 Series, and VSP 8600 Series platforms, you can use the NEXT-hop device ingress mirroring to capture the egress packets of the switch.
Mirrored traffic shares ingress queue and fabric bandwidth with normal traffic and therefore can impact normal traffic. Therefore, use these features with this potential consequence in mind and enable them only for troubleshooting, debugging, or for security purposes such as packet sniffing, intrusion detection, or intrusion prevention.
You can configure as many ingress mirroring flows as you have filters.
To avoid VLAN members from seeing mirrored traffic, you must remove mirroring (destination) ports from all VLANs.
The MAC drops an errored packet, for example, packets that are too short or too long. Control packets consumed by the MAC (802.3x flow control) are also not mirrored.
Certain control packets generated by the CP cannot be egress mirrored, such as those in the following list:
BPDU
EAPoL
IP Directed Broadcast
LACP
LLDP
Multicast routed packets
NAAP
NLB
Nodal CFM
TDP
VLACP
Ingress multicast packets appear in egress mirroring.
On the VSP 7400 Series, if incoming traffic from the same source port is simultaneously ingress mirrored on an incoming port into one I-SID and egress mirrored on another outgoing port into a different I-SID, the mirrored packet carries an I-SID associated with ingress mirroring.
On the VSP 7400 Series and 5520 Series, any incoming traffic that does not contain a VLAN tag is not mirrored into an I-SID if the offset ID is in the range 2 to 1000. It is mirrored to an I-SID only if the offset ID is 1.
On the 5520 Series, the original CVLAN tag on the mirrored packet is preserved for only one mirrored I-SID if the offset ID is 1. The original CVLAN tag is not preserved in a mirrored packet for all other remaining mirrored I-SIDs if the offset ID is in the range 2 to 1000.
To use an Extreme Integrated Application Hosting port with a connect type as OVS or SR-IOV for Port Mirroring, associate VLAN 4091 to the virtual machine (VM) vport to send the mirrored packets to the VM.
Port mirroring resources are limited to four ports simultaneously (where each mirroring direction counts as one). For example, if two mirroring ports are designated to mirror both ingress and egress traffic then all four mirroring ports are consumed.
Important
To enable any one of the above applications, you must have at least one free mirroring resource. If all four port mirroring resources are already in use, the switch displays a Resource not available error message when you try to enable the application.
The VSP 8600 uses the four reserved resources for port mirroring and ACLs that have a mirroring action. For the other applications, this restriction does not apply because the VSP 8600 uses mirroring resources that do not come out of the four reserved port mirroring resources.
If you receive a Resource not available error message, you can use the show mirror-resources command to view information about mirror resource usage. For more information, see Displaying Mirror Resource Usage.
The show mirror-resources command is not available on all platforms. Use CLI command completion Help to determine if the command is available on your switch.