About selecting inbound/outbound traffic using a MAC address
Use the
monitor mac mirror
command at the global configuration level to apply a source and/or destination MAC address as the selection criteria used in a local or remote mirroring session.
While classifier-based mirroring allows you to mirror traffic using a policy to specify IP addresses as selection criteria, MAC-based mirroring allows you monitor switch traffic using a source and/or destination MAC address. You can apply MAC-based mirroring in one or more mirroring sessions on the switch to monitor:
Inbound traffic
Outbound traffic
Both inbound and outbound traffic
MAC-based mirroring is useful in Switch Network Immunity security solutions that provide detection and response to malicious traffic at the network edge. After isolating a malicious MAC address, a security administrator can mirror all traffic sent to and received from the suspicious address for troubleshooting and traffic analysis.
The MAC address that you enter with the
monitor mac mirror
command is configured to select traffic for mirroring from all ports and learned VLANs on the switch. Therefore, a suspicions MAC address used in wireless applications can be continuously monitored as it re-appears in switch traffic on different ports or VLAN interfaces.
You can configure MAC-based mirroring from the CLI or an SNMP management station and use it to mirror:
All inbound and outbound traffic from a group of hosts to one destination device.
Inbound and/or outbound traffic from each host to a different destination device.
Inbound and outbound traffic from all monitored hosts separately on two destination devices: mirroring all inbound traffic to one device and all outbound traffic to another device.
Restrictions
The following restrictions apply to MAC-based mirroring:
Up to 320 different MAC addresses are supported for traffic selection in all mirroring sessions configured on the switch.
A destination MAC address is not supported as mirroring criteria for routed traffic, because in routed packets, the destination MAC address is changed to the next-hop address when the packet is forwarded. Therefore, the destination MAC address that you want to mirror will not appear in routed packet headers.
This restriction also applies to the destination MAC address of a host that is directly connected to a routing switch. (Normally, a host is connected to an edge switch, which is directly connected to the router.)
To mirror routed traffic, we recommend that you use classifier-based policies to select IPv4 or IPv6 traffic for mirroring, as described in.
On a switch, you can use a MAC address only once as a source MAC address and only once as a destination MAC address to filter mirrored traffic.
For example, after you enter the following commands:
monitor mac 111111-222222 src mirror 1
monitor mac 111111-222222 dest mirror 2
The following commands are not supported:
monitor mac 111111-222222 src mirror 3
monitor mac 111111-222222 dest mirror 4
In addition, if you enter the
monitor mac 111111-222222 both mirror 1
command, you cannot use the MAC address111111-222222
in any othermonitor mac mirror
configuration commands on the switch.To re-use a MAC address that has already been configured as a source and/or destination address for traffic selection in a mirror session, you must first remove the configuration by entering the
no
form of the command and then re-enter the MAC address in a newmonitor mac mirror
command.For example, if you have already configured MAC address
111111-222222
to filter inbound and outbound mirrored traffic, and you decide to use it to filter only inbound traffic in a mirror session, you could enter the following commands:monitor mac 111111-222222 both mirror 1
no monitor mac 111111-222222 both mirror 1
monitor mac 111111-222222 src mirror 1
A mirroring session in which you configure MAC-based mirroring is not supported on a port, trunk, mesh, or VLAN interface on which a mirroring session with a classifier-based mirroring policy is configured.