Configuring Port Mirroring

Use port mirroring to aid in diagnostic and security operations.

About this task

Use port mirroring to make a copy of a traffic flow and send that copy to a device for analysis, for example, for diagnostic sniffing. Use the mirror to see the packets in the flow without breaking into the physical connection to place a packet onto the sniffer inline. You can also use port mirroring for security. You can send flows to inspection engines for post processing.

Connect the sniffer (or other traffic analyzer) to the output port you specify in this procedure.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create a port mirroring instance:

    mirror-by-port <1-479> in-port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} {monitor-mlt <1-512>| out-port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

  3. Create an I-SID mirroring instance:

    mirror-by-port <1–479> [in-port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} monitor-isid-offset <1-1000> [mode <rx|tx|both>][qos <qos-level>]]

  4. Configure the mode:

    mirror-by-port <1-479> mode <both|rx|tx>

    Note

    Note

    • When you configure tx mode port mirroring on T-UNI and SPBM NNI ports, unknown unicast, broadcast and multicast traffic packets that ingress these ports and the system displays it on the mirror destination port, although they do not egress the mirror source port. This is because tx mode port mirroring happens on the mirror source port before the source port squelching logic drops the packets at the egress port.

    • The available four mirroring resources are shared between Fabric RSPAN and regular port mirroring, and are allocated based on the mode configured, Ingress (rx) or Egress (tx). Each configured mode occupies one mirroring resource, but when you configure the mode as both, it occupies two mirroring resources (one for Rx and one for Tx).

    • Do not configure the source of mirrored traffic (mirroring to an I-SID) and the analyzer (monitoring an I-SID) on the same local device with the same I-SID offset. If you require mirroring and monitoring on the same local device, use standard port-based mirroring instead of Fabric RSPAN. Fabric RSPAN mirrors traffic into an I-SID of the SPB Fabric network and monitors traffic on the remote device; the network analyzer resides on the remote monitoring device and not on the same local device.

  5. Enable the mirroring instance:

    mirror-by-port <1-479> enable

  6. Modify existing mirroring entries as required:

    mirror-by-port mirror-port <1-479> {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

    OR

    mirror-by-port monitor-mlt <1-479> <1-512>

    OR

    mirror-by-port monitor-port <1-479> {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

    Note

    Note

    Before you can modify an existing entry, you must disable the entry: no mirror-by-port <1-479> enable .

  7. Modify QoS value for Fabric RSPAN mirroring session:

    mirror-by-port <1-479> qos <0-5>

  8. Verify the configuration:

    show mirror-by-port

Example

Port mirroring configuration:

Switch:1> enable

Switch:1# configure terminal

Create the port mirroring instance:

Switch:1(config)# mirror-by-port 8 in-port 1/15 out-port 1/1

The analyzer connects to port 1/1.

Disable the entry:

Switch:1(config)# no mirror-by-port 8 enable

Mirror both ingress and egress traffic passing through port 1/16:

Switch:1(config)# mirror-by-port 8 mode both

Enable mirroring for the instance:

Switch:1(config)# mirror-by-port 8 enable

Fabric RSPAN configuration:

Switch:1> enable

Switch:1# configure terminal

Create the Fabric RSPAN mirroring instance:

Switch:1(config)#mirror-by-port 3 in-port 1/3 monitor-isid-offset 3 mode both qos 3

Disable the entry:

Switch:1(config)# no mirror-by-port 3 enable

Mirror the egress traffic passing through port 1/3:

Switch:1(config)# mirror-by-port 3 mode tx

Enable Fabric RSPAN for the instance:

Switch:1(config)# mirror-by-port 3 enable

The sample command output in the following example does not necessarily reflect the preceding examples.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#show mirror-by-port

=============================================================================
                              Diag Mirror-By-Port

=============================================================================
ID   MIRRORED_PORT   MIRRORING_DEST  ENABLE   MODE  REMOTE-MIRROR   DSCP TTL
                                                      VLAN-ID
------------------------------------------------------------------------------
1     1/1              2/1           true      both    0   0             64
2     1/2              2/2           true      rx      0   0             64 
3     1/3              2/3           true      tx      0   0             64
4     1/4              2/4           true      both    0   0             64 

Variable Definitions

The following table defines parameters for the mirror-by-port command.

Variable

Value

<1-479>

Specifies the entry ID.

enable

Enables or disables a mirroring instance already created in the mirror-by-port table.

in-port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}{|monitor-mlt <1-512> |out-port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

Creates a new mirror-by-port table entry.

  • in-port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} specifies the mirrored port.

  • monitor-mlt <1-512> specifies the mirroring MLT ID from 1–512.

  • out-port {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]} specifies the mirroring port.

mirror-port <1-479> {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

Modifies the mirrored port.

Before you can modify an existing entry, you must disable the entry: no mirror-by-port <1-479> enable.

monitor-ip <1-479> {A.B.C.D} [dscp <0-63>] [ttl <2-255>]

Creates a mirroring instance for Layer 3 mirroring. The destination must be an IP address {A.B.C.D}. The default DSCP is 0 and the default TTL is 255.

monitor-mlt <1-479> <1-512>

Modifies the monitoring MLT.<1-512> specifies the mirroring MLT ID.

Before you can modify an existing entry, you must disable the entry: no mirror-by-port <1-479> enable.

monitor-port <1-479> {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}

Modifies the monitoring ports.

Before you can modify an existing entry, you must disable the entry: no mirror-by-port <1-479> enable.

monitor-vlan <1-479> <1-4059>

Modifies the monitoring VLAN.

Before you can modify an existing entry, you must disable the entry: no mirror-by-port <1-479> enable.

Specifies the VLAN ID in the range of 1 to 4059. By default, VLAN IDs 1 to 4059 are configurable and the system reserves VLAN IDs 4060 to 4094 for internal use. On switches that support the vrf-scaling and spbm-config-mode boot configuration flags, if you enable these flags, the system also reserves VLAN IDs 3500 to 3998. VLAN ID 1 is the default VLAN and you cannot create or delete VLAN ID 1.

mode <both|rx|tx>

Configures the mirroring mode. The default is rx.

  • both mirrors both egress and ingress packets.

  • rx mirrors ingress packets.

  • tx mirrors egress packets.

monitor-isid-offset <1-1000>

Specifies the offset ID that is mapped to the actual monitor I-SID where packets are mirrored.

Monitor I-SID = base monitor I-SID + offset ID.

The base monitor I-SID is 16776000.

qos <0-5>

Specifies the Quality of Service (QoS) profiles for the system. Monitoring I-SID supports six different QoS levels, each QoS level can be configured individually. Default value is 1.