enable mirror to port
enable mirror to [port
port | port_list
port_list
loopback-port
port] {remote-tag
tag}
Description
Dedicates a port on the switch to be the mirror output port, or the monitor port.
Syntax Description
port
|
Specifies the mirror output
port. |
port_list
|
Specifies the list of ports
where traffic is to be mirrored. |
loopback-port
|
Specifies an otherwise unused
port required when mirroring to a port_list. The
loopback-port is not available for switching user data
traffic. |
port
|
Specifies a single loopback
port that is used internally to provide this feature. |
remote-tag
|
Specifies the value of the
VLAN ID used by the mirrored packets when egressing the monitor
port. |
Usage Guidelines
Port mirroring configures the switch to copy all traffic
associated with one or more ports, VLANS or virtual ports. A virtual port is a
combination of a VLAN and a port. The monitor port(s) can be connected to a network
analyzer or RMON probe for packet analysis. The switch uses a traffic filter that
copies a group of traffic to the monitor port.
Up to 16 mirroring filters and one monitor port can be configured
on the switch. After a port has been specified as a monitor port, it cannot be used
for any other function. Frames that contain errors are not mirrored.
You cannot run ELSM and mirroring on the same port. If you
attempt to enable mirroring on a port that is already enabled for ELSM, the switch
returns a message similar to the following:
Error: Port mirroring cannot be enabled on an ELSM enabled port.
Summit family switches and SummitStack
only
The traffic filter can be defined based on one of the following
criteria:
- Physical port—All data
that traverses the port, regardless of VLAN configuration, is copied to the
monitor port(s). You can specify which traffic the port mirrors:
- Ingress—Mirrors traffic received at the port.
- Egress—Mirrors traffic sent from the port.
-
Ingress and egress—Mirrors traffic either received
at the port or sent from the port.
(If you omit the optional parameters, all traffic
is forwarded; the default for port-based mirroring is ingress and
egress).
- VLAN—All data to a particular VLAN, regardless of the
physical port configuration, is copied to the monitor port.
- Virtual port—All data
specific to a VLAN on a specific port is copied to the monitor port.
- Summit family switches support a maximum of 128 mirroring
filters with the restriction that a maximum of 16 VLAN and/or virtual port (port
+ VLAN) filters may be configured.
- ExtremeXOS supports up to 16 monitor ports for one-to-many
mirroring.
- Only traffic ingressing a VLAN can be monitored; you cannot
specify ingressing or egressing traffic when mirroring VLAN traffic.
- Ingress traffic is mirrored as it is received (on the
wire).
- Packets which match both an ingress filter and an egress
filter will result in two packets egressing the monitor port or ports.
- In normal mirroring, a monitor port cannot be added to a
load share group. In one-to-many mirroring, a monitor port list can be added to
a load share group, but a loopback port cannot be used in a load share group.
- You can run mirroring and sFlow on the same device when you
are running Summit family switches.
- With a monitor port or ports on Summit family switches, all
traffic ingressing the monitor port or ports is tagged only if the ingress
packet is tagged. If the packet arrived at the ingress port as untagged, the
packet egress the monitor port or ports as untagged.
- Two packets are mirrored when a packet encounters both an
ingress and egress mirroring filter.
-
The configuration of remote-tag does not require the
creation of a VLAN with the same tag; on these platforms the existence of a
VLAN with the same tag as a configured remote-tag is prevented. This
combination is allowed so that an intermediate remote mirroring switch can
configure remote mirroring using the same remote mirroring tag as other
source switches in the network. Make sure that VLANs meant to carry normal
user traffic are not configured with a tag used for remote mirroring.
When a VLAN is created with remote-tag, that tag is locked
and a normal VLAN cannot have that tag. The tag is unique across the switch.
Similarly if you try to create a remote-tag VLAN where remote-tag already
exists in a normal VLAN as a VLAN tag, you cannot use that tag and the VLAN
creation fails.
BlackDiamond 8800 series switches and SummitStack only
The traffic filter
can be defined based on one of the following criteria:
- Physical port—All data
that traverses the port, regardless of VLAN configuration, is copied to the
monitor port(s). You can specify which traffic the port mirrors:
- Ingress—Mirrors traffic received at the port.
- Egress—Mirrors traffic sent from the port.
-
Ingress and egress—Mirrors traffic either received
at the port or sent from the port.
(If you omit the optional parameters, all traffic
is forwarded; the default for port-based mirroring is ingress and
egress).
- VLAN—All data to a
particular VLAN, regardless of the physical port configuration, is copied to the
monitor port.
- Virtual port—All data
specific to a VLAN on a specific port is copied to the monitor port.
- BlackDiamond 8800 series switches and SummitStack support a
maximum of 128 mirroring filters with the restriction that a maximum of 16 VLAN
and/or virtual port (port + VLAN) filters may be configured.
- ExtremeXOS supports up to 16 monitor ports for one-to-many
mirroring.
- Only traffic ingressing a VLAN can be monitored; you cannot
specify ingressing or egressing traffic when mirroring VLAN traffic.
- Ingress traffic is mirrored as it is received (on the
wire).
- Two packets are mirrored when a packet encounters both an
ingress and egress mirroring filter.
- When traffic is modified by hardware on egress, egress
mirrored packets may not be transmitted out of the monitor port as they egressed
the port containing the egress mirroring filter. For example, an egress mirrored
packet that undergoes VLAN translation is mirrored with the untranslated VLAN
ID. In addition, IP multicast packets which are egress mirrored contain the
source MAC address and VLAN ID of the unmodified packet.
- You cannot include the monitor port for a BlackDiamond 8800
series switch or SummitStack in a load-sharing group.
- You can run mirroring and sFlow on the same device when you
are running BlackDiamond 8000 c-, e-, and xl-series modules in a BlackDiamond
8800 chassis or a SummitStack.
- With a monitor port or ports on a BlackDiamond 8000 c-, e-,
or xl-series module or a Summit X460, X480, and X670 series switch in a
SummitStack, the mirrored packet is tagged only if the ingress packet is tagged
(regardless of what module the ingressing port is on). If the packet arrived at
the ingress port as untagged, the packet egress the monitor port(s) as untagged.
- With the BlackDiamond 8000 c-, e-, xl-, and xm-series
modules or Summit X460, X480, and X670 series switches in a SummitStack, you may
see a packet mirrored twice. This occurs only if both the ingress mirrored port
and the monitor port or ports are on the same one-half of the module and the
egress mirrored port is either on the other one-half of that module or on
another module.
- On BlackDiamond 8800 series, Summit family series, or
SummitStack switches, when traffic is modified by hardware on egress, egress
mirrored packets may not be transmitted out of the monitor port as they egressed
the port containing the egress mirroring filter. For example, an egress mirrored
packet that undergoes VLAN translation is mirrored with the untranslated VLAN
ID. In addition, IP multicast packets which are egress mirrored contain the
source MAC address and VLAN ID of the unmodified packet.
- The configuration of remote-tag does not require the
creation of a VLAN with the same tag; on these platforms the existence of a VLAN
with the same tag as a configured remote-tag is prevented. This combination is
allowed so that an intermediate remote mirroring switch can configure remote
mirroring using the same remote mirroring tag as other source switches in the
network. Make sure that VLANs meant to carry normal user traffic are not
configured with a tag used for remote mirroring.
- When a VLAN is created with remote-tag, that tag is locked
and a normal VLAN cannot have that tag. The tag is unique across the switch.
Similarly if you try to create a remote-tag VLAN where remote-tag already exists
in a normal VLAN as a VLAN tag, you cannot use that tag and the VLAN creation
fails.
Example
The following example
selects slot 3, port 4 as the mirror, or monitor, port on the BlackDiamond 8810
switch:
enable mirror to port 3:4
History
This command was added in ExtremeXOS 15.3.
Platform Availability
This
command is available on all platforms.