Classifier-based mirroring configuration
Evaluate the types of traffic in your network and identify the traffic types that you want to mirror.
Create an IPv4 or IPv6 traffic class using the class command to select the packets that you want to mirror in a session on a preconfigured local or remote destination device.
A traffic class consists of match criteria, which consist of match and ignore commands.
match commands define the values that header fields must contain for a packet to belong to the class and be managed by policy actions.
ignore commands define the values which, if contained in header fields, exclude a packet from the policy actions configured for the class.
NOTE: Be sure to enter match/ignore statements in the precise order in which you want their criteria to be used to check packets.
The following match criteria are supported in match/ignore statements for inbound IPv4/IPv6 traffic:
IP source address (IPv4 and IPv6)
IP destination address (IPv4 and IPv6)
IP protocol (such as ICMP or SNMP)
Layer 3 IP precedence bits
Layer 3 DSCP codepoint
Layer 4 TCP/UDP application port (including TCP flags)
VLAN ID
Enter one or more match or ignore commands from the class configuration context to filter traffic and determine the packets on which policy actions will be performed.
Create a mirroring policy to configure the session and destination device to which specified classes of inbound traffic are sent by entering the policy mirror command from the global configuration context.
NOTE: Be sure to enter each class and its associated mirroring actions in the precise order in which you want packets to be checked and processed.
To configure the mirroring actions that you want to execute on packets that match the criteria in a specified class, enter one or more class action mirror commands from the policy configuration context.
You can configure only one mirroring session (destination) for each class. However, you can configure the same mirroring session for different classes.
A packet that matches the match criteria in a class is mirrored to the exit (local or remote) port that has been previously configured for the session, where session value is 1 or a text string (if you configured the session with a name when you entered the mirror command).
Prerequisite: The local or remote exit port for a session must be already configured before you enter the mirror session parameter in a class action statement:
In a local mirroring session, the exit port is configured with the mirror <session-number> port command.
In a remote mirroring session, the remote exit port is configured with the mirror endpoint ip and mirror <session-number> remote ip commands.
Restriction: In a policy, you can configure only one mirroring session per class. However, you can configure the same session for different classes.
Mirroring is not executed on packets that match ignore criteria in a class.
The execution of mirroring actions is performed in the order in which the classes are numerically listed in the policy.
The complete no form of the class action mirror command or the no <seq-number> command removes a class and mirroring action from the policy configuration.
To manage packets that do not match the match or ignore criteria in any class in the policy, and therefore have no mirroring actions performed on them, you can enter an optional default class. The default class is placed at the end of a policy configuration and specifies the mirroring actions to perform on packets that are neither matched nor ignored.
(Optional) To configure a default-class in a policy, enter the default-class command at the end of a policy configuration and specify one or more actions to be executed on packets that are not matched and not ignored.
Prerequisite: The local or remote exit port for a session must be already configured with a destination device before you enter the mirror <session> parameter in a default-class action statement.
Apply the mirroring policy to inbound traffic on a port (interface service-policy in command) or VLAN (vlan service-policy in command) interface.
CAUTION: After you apply a mirroring policy for one or more preconfigured sessions on a port or VLAN interface, the switch immediately starts to use the traffic-selection criteria and exit port to mirror traffic to the destination device connected to each exit port.
In a remote mirroring session that uses IPv4 encapsulation, if the remote switch is not already configured as the destination for the session, its performance may be adversely affected by the stream of mirrored traffic.
For this reason, Hewlett Packard Enterprise strongly recommends that you first configure the exit switch in a remote mirroring session before you apply a mirroring service policy on a port or VLAN interface.
Restrictions: The following restrictions apply to a mirroring service policy:
Only one mirroring policy is supported on a port or VLAN interface.
If you apply a mirroring policy to a port or VLAN interface on which a mirroring policy is already configured, the new policy replaces the existing one.
A mirroring policy is supported only on inbound traffic.
Because only one mirroring policy is supported on a port or VLAN interface, ensure that the policy you want to apply contains all the required classes and actions for your configuration.
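The procedure above, assembled as one configuration sketch for feeding a monitoring sensor from a local session (an added example, not taken from the original page or from vendor documentation). The session number, port IDs, class and policy names, and addresses are constructed placeholders; the argument forms after match and ignore are assumed to follow the switch's ACL-style syntax and should be checked against the CLI reference for your software release. Lines beginning with ; are annotations, not commands.

```text
; Constructed example: session 1, ports a1/a24, names and addresses are
; placeholders, not values from the original page.

; 1. The exit port for the session must exist before any class action
;    refers to it (prerequisite stated in the procedure).
mirror 1 port a24

; 2. Class: TCP traffic to the server subnet, except from the backup host.
;    The ignore statement is entered first so that it is checked before
;    the broader match; reversing the order would mirror the backup flow.
class ipv4 ServerTcp
   10 ignore tcp 10.1.20.5/32 10.1.30.0/24
   20 match tcp any 10.1.30.0/24
   exit

; 3. Second class: DNS queries from any source.
class ipv4 Dns
   10 match udp any any eq 53
   exit

; 4. Policy: one mirroring session per class; both classes may share
;    session 1. Classes are processed in numerical order.
policy mirror SensorFeed
   10 class ipv4 ServerTcp action mirror 1
   20 class ipv4 Dns action mirror 1
   exit

; 5. Apply inbound on the port. Mirroring starts as soon as this is
;    entered, and it replaces any mirroring policy already on the port.
interface a1 service-policy SensorFeed in
```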