Traffic mirroring overview

Starting in software release K.12.xx, traffic mirroring (Intelligent Mirroring) allows you to mirror (send a copy of) network traffic received or transmitted on a switch interface to a local or remote destination, such as a traffic analyzer or IDS.

Traffic mirroring provides the following benefits:

  • Allows you to monitor the traffic flow on specific source interfaces.

  • Helps in analyzing and debugging problems in network operation resulting from a misbehaving network or an individual client. The mirroring of selected traffic to an external device makes it easier to diagnose a network problem from a centralized location in a topology spread across a campus.

  • Supports remote mirroring to simultaneously mirror switch traffic on one or more interfaces to multiple remote destinations. (In remote mirroring, you must first configure the remote mirroring endpoint—remote switch and exit port—before you specify a mirroring source for a session.)

Mirroring overview

Local and remote sessions showing mirroring terms shows an example of the terms used to describe the configuration of a sample local and remote mirroring session:

  • In the local session, inbound traffic entering Switch A is monitored on port A2 and mirrored to a destination (host), traffic analyzer 1, through exit port A15 on the switch.

    A local mirroring session means that the monitored interface (A2) and exit port (A15) are on the same switch.

  • In the remote session, inbound traffic entering Switch A is monitored on port A1. A mirrored copy of monitored traffic is routed through the network to a remote mirroring endpoint: exit port B7 on Switch B. A destination device, traffic analyzer 2, is connected to the remote exit port.

    A remote mirroring session means that:

    • The monitored interface (A1) and exit port (B7) are on different switches.

    • Mirrored traffic can be bridged or routed from a source switch to a remote switch.

    Local and remote sessions showing mirroring terms

Mirroring destinations

Traffic mirroring supports destination devices that are connected to the local switch or to a remote switch:

  • Traffic can be copied to a destination (host) device connected to the same switch as the mirroring source in a local mirroring session. You can configure up to four exit ports to which destination devices are connected.

  • Traffic can be bridged or routed to a destination device connected to a different switch in a remote mirroring session. You can configure up to 32 remote mirroring endpoints (IP address and exit port) to which destination devices are connected.

Mirroring sources and sessions

Traffic mirroring supports the configuration of port and VLAN interfaces as mirroring sources in up to four mirroring sessions on a switch. Each session can have one or more sources (ports and/or static trunks, a mesh, or a VLAN interface) that monitor traffic entering and/or leaving the switch.


NOTE: Using the CLI, you can make full use of the switch's local and remote mirroring capabilities. Using the Menu interface, you can configure only local mirroring for either a single VLAN or a group of ports, static trunks, or both.

In remote mirroring, a 54-byte remote mirroring tunnel header is added to the front of each mirrored frame for transport from the source switch to the destination switch. This may cause some frames that were close to the MTU size to exceed the MTU size. Mirrored frames exceeding the allowed MTU size are dropped, unless the optional [truncation] parameter is set in the mirror command.


Mirroring sessions

A mirroring session consists of a mirroring source and a destination (endpoint). Although a mirroring source can be one of several interfaces, as mentioned above, for any session the destination must be a single (exit) port. The exit port cannot be a trunk, VLAN, or mesh interface.

You can map multiple mirroring sessions to the same exit port, which provides flexibility in distributing hosts, such as traffic analyzers or an IDS. In a remote mirroring endpoint, the IP address of the exit port and the remote destination switch can belong to different VLANs.

Mirroring sessions can have the same or a different destination. You can configure an exit port on the local (source) switch and/or on a remote switch as the destination in a mirroring session. When configuring a mirroring destination, consider the following options:

  • Mirrored traffic belonging to different sessions can be directed to the same destination or to different destinations.

  • You can reduce the risk of oversubscribing a single exit port by:

    • Directing traffic from different session sources to multiple exit ports.

    • Configuring an exit port with a higher bandwidth than the monitored source port.

  • You can segregate traffic by type, direction, or source.

Mirroring session limits

A switch running software release K.12.xx or greater supports the following:

  • A maximum of four mirroring (local and remote) sessions.

  • A maximum of 32 remote mirroring endpoints (exit ports connected to a destination device that receive mirrored traffic originating from monitored interfaces on a different switch).

Selecting mirrored traffic

You can use any of the following options to select the traffic to be mirrored on a port, trunk, mesh, or VLAN interface in a local or remote session:

  • All traffic

    Monitors all traffic entering or leaving the switch on one or more interfaces (inbound and outbound).

  • Direction-based traffic selection

    Monitors traffic that is either entering or leaving the switch (inbound or outbound). Monitoring traffic in only one direction improves operation by reducing the amount of traffic sent to a mirroring destination.

  • MAC-based traffic selection

    Monitors only traffic with a matching source and/or destination MAC address in packet headers entering and/or leaving the switch on one or more interfaces (inbound and/or outbound).

  • Classifier-based service policy

    Provides a finer granularity of match criteria to zoom in on a subset of the traffic on a monitored port or VLAN (IPv4 or IPv6) and select it for local or remote mirroring (inbound only).

Deprecation of ACL-based traffic selection

In software release K.14.01 or greater, the use of ACLs for selecting traffic in a mirroring session has been deprecated and is replaced by the use of advanced classifier-based service policies.

As with ACL criteria, classifier-based match/ignore criteria allow you to limit a mirroring session to selected inbound packets on a given port or VLAN interface (instead of mirroring all inbound traffic on the interface).

The following commands have been deprecated:

  • interface port/trunk/mesh monitor ip access-group acl-name in mirror [ 1 - 4 | name-str ]

  • vlan vid-# monitor ip access-group acl-name in mirror [ 1 - 4 | name-str ]

After you install and boot release K.14.01 or greater, ACL-based local and remote mirroring sessions configured on a port or VLAN interface are automatically converted to classifier-based mirroring policies.

If you are running software release K.13.XX or earlier, ACL permit/deny criteria are supported to select IP traffic entering a switch to mirror in a local or remote session, using specified source and/or destination criteria.
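The conversion above happens automatically at boot, but an administrator will usually want to know beforehand which interfaces still carry the deprecated commands. The following script is an added illustration (not switch software): it scans a saved running configuration for the two deprecated forms listed above, assuming the config uses "interface <id>" and "vlan <vid>" context lines followed by indented commands, as in the constructed sample embedded in the block.

```python
"""Pre-upgrade audit for the deprecated ACL-based mirroring commands:
    interface <port/trunk/mesh> ... monitor ip access-group <acl> in mirror <1-4|name>
    vlan <vid> ... monitor ip access-group <acl> in mirror <1-4|name>
Added illustration, not switch code. Assumes 'interface <id>' / 'vlan <vid>'
context lines followed by indented commands (see the constructed sample)."""
import re

CONTEXT_RE = re.compile(r"^(interface|vlan)\s+(\S+)\s*$")
DEPRECATED_RE = re.compile(
    r"^\s+monitor\s+ip\s+access-group\s+(\S+)\s+in\s+mirror\s+(\S+)\s*$")


def find_deprecated_mirroring(config_text):
    """Return (context_type, context_id, acl_name, session) for every deprecated
    monitor command, so each can be replaced by a classifier-based mirroring
    policy before booting release K.14.01 or greater."""
    findings = []
    context = None
    for line in config_text.splitlines():
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = (ctx.group(1), ctx.group(2))
            continue
        if not line.startswith(" "):
            context = None  # any other top-level command ends the context
            continue
        hit = DEPRECATED_RE.match(line)
        if hit and context:
            findings.append((*context, hit.group(1), hit.group(2)))
    return findings


# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
hostname switch-a
vlan 10
   name "users"
   monitor ip access-group web-only in mirror 1
   exit
interface A1
   monitor ip access-group db-traffic in mirror 2
   exit
interface A2
   name "uplink"
   exit
"""

if __name__ == "__main__":
    for finding in find_deprecated_mirroring(SAMPLE_CONFIG):
        print("deprecated ACL-based mirroring:", finding)
```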

Mirrored traffic destinations

Local destinations

A local mirroring traffic destination is a port on the same switch as the source of the traffic being mirrored.

Remote destinations

A remote mirroring traffic destination is a switch configured to operate as the exit switch for mirrored traffic sessions originating on other switches. As of June, 2007, switches capable of this operation include the following switches:

  • 3500yl

  • 5400zl


CAUTION: After you configure a mirroring session with traffic-selection criteria and a destination, the switch immediately starts to mirror traffic to each destination device connected to an exit port. In a remote mirroring session that uses IPv4 encapsulation, if the intended exit switch is not already configured as the destination for the session, its performance may be adversely affected by the stream of mirrored traffic. For this reason, it is strongly recommended that you configure the exit switch for a remote mirroring session before configuring the source switch for the same session.


Monitored traffic sources

You can configure mirroring for traffic entering or leaving the switch on:

  • Ports and static trunks

    Provides the flexibility for mirroring on individual ports, groups of ports, static port trunks, or any combination of these.

  • Meshed ports

    Enables traffic mirroring on all ports configured for meshing on the switch.

  • Static VLANs

    Supports traffic mirroring on static VLANs configured on the switch. This option enables easy mirroring of traffic from all ports on a VLAN. It automatically adjusts mirroring to include traffic from newly added ports and to exclude traffic from ports removed from the VLAN.

Criteria for selecting mirrored traffic

On the monitored sources listed above, you can configure the following criteria to select the traffic you want to mirror:

  • Direction of traffic movement (entering or leaving the switch, or both).

  • Type of IPv4 or IPv6 traffic entering the switch, as defined by a classifier-based service policy.

    In software release K.14.01 or greater, classifier-based service policies replace ACL-based traffic selection in mirroring sessions.

  • Source and/or destination MAC addresses in packet headers.

Mirroring configuration

Mirroring configuration options shows the different types of mirroring that you can configure using the CLI, Menu, and SNMP interfaces.

Mirroring configuration options

Monitoring interface and configuration level | Traffic selection criteria | Traffic direction: CLI config | Traffic direction: Menu and web i/f config [a] | Traffic direction: SNMP config
VLAN | All traffic | Inbound only, outbound only, or both directions | All traffic (inbound and outbound combined) | Inbound only, outbound only, or both directions
VLAN | ACL (IP traffic) [b] | See About selecting inbound traffic using advanced classifier-based mirroring (entry covers all three configuration interfaces).
VLAN | Classifier-based policy (IPv4 or IPv6 traffic) | Inbound only | Not available | Not available
Port(s), trunk(s), mesh | All traffic | Inbound only, outbound only, or both directions | All traffic (inbound and outbound combined) | Inbound only, outbound only, or both directions
Port(s), trunk(s), mesh | ACL (IP traffic) [c] | See About selecting inbound traffic using advanced classifier-based mirroring (entry covers all three configuration interfaces).
Port(s), trunk(s), mesh | Classifier-based policy (IPv4 or IPv6 traffic) | Inbound only | Not available | Not available
Switch (global) | MAC source/destination address | Inbound only, outbound only, or both directions | Not available | Inbound only, outbound only, or both directions

[a] Configures only session 1, and only for local mirroring.

[b] In release K.14.01 and greater, the use of ACLs to select inbound traffic in a mirroring session (using the [ interface | vlan ] monitor ip access-group in mirror command) has been deprecated and is replaced with classifier-based mirroring policies.

[c] In release K.14.01 and greater, the use of ACLs to select inbound traffic in a mirroring session (using the [ interface | vlan ] monitor ip access-group in mirror command) has been deprecated and is replaced with classifier-based mirroring policies.

Configuration notes

Using the CLI, you can configure all mirroring options on a switch.

Using the Menu, you can configure only session 1, and only local mirroring in session 1 for traffic in both directions on specified interfaces. (If session 1 has already been configured in the CLI for local mirroring of inbound-only or outbound-only traffic, and you use the Menu to modify the session 1 configuration, session 1 is automatically reconfigured to monitor both inbound and outbound traffic on the assigned interfaces. If session 1 has been configured in the CLI with a classifier-based mirroring policy or as a remote mirroring session, an error message is displayed if you try to use the Menu to configure the session.)

You can use the CLI to configure sessions 1 to 4 for local or remote mirroring in any combination, and to override a Menu configuration of session 1.

You can also use SNMP to configure sessions 1 to 4 for local or remote mirroring in any combination and to override a Menu configuration of session 1, except that SNMP cannot be used to configure a classifier-based mirroring policy.

Remote mirroring endpoint and intermediate devices

The remote mirroring endpoint that is used in a remote mirroring session must be a switch that supports the mirroring functions described in this chapter. (A remote mirroring endpoint consists of the remote switch and the exit port connected to a destination device.) Because remote mirroring on a switch uses IPv4 to encapsulate mirrored traffic sent to a remote endpoint switch, the intermediate switches and routers in a layer 2/3 domain can be from any vendor, provided they support IPv4.

The following restrictions apply to remote endpoint switches and intermediate devices in a network configured for traffic mirroring:

  • The exit port for a mirroring destination must be an individual port and not a trunk, mesh, or VLAN interface.

  • A switch mirrors traffic on static trunks, but not on dynamic LACP trunks.

  • A switch mirrors traffic at line rate. When mirroring multiple interfaces in networks with high traffic levels, it is possible to copy more traffic to a mirroring destination than the link supports; in that case, some mirrored traffic does not reach the destination. If you are mirroring a high traffic volume, you can reduce the risk of oversubscribing a single exit port by:

    • Directing traffic from different session sources to multiple exit ports.

    • Configuring an exit port with a higher bandwidth than the monitored source port.

Migration to release K.12.xx

On a switch that is running a software release earlier than K.12.xx with one or more mirroring sessions configured, when you download and boot release K.12.xx, the existing mirroring configurations are managed as follows:

  • A legacy mirroring configuration on a port or VLAN interface maps to session 1.

  • The traffic-selection criterion for session 1 is set to both: inbound and outbound traffic (traffic entering and leaving the switch) on the configured interface is selected for mirroring.

  • In a legacy mirroring configuration, a local exit port is applied to session 1.

Booting from software versions earlier than K.12.xx

If it is necessary to boot the switch from a legacy (pre-K.12.xx) software version after using version K.12.xx or greater to configure mirroring, remove mirroring from the configuration before booting with the earlier software.

Maximum supported frame size

The IPv4 encapsulation of mirrored traffic adds a 54-byte header to each mirrored frame. If a resulting frame exceeds the MTU allowed in the path from the mirroring source to the mirroring destination, the frame is dropped, unless the optional [truncation] parameter is set in the mirror command.

Frame truncation

Mirroring does not truncate frames unless the truncation parameter in the mirror command is set. If that parameter is not set, oversized mirroring frames are dropped. Also, remote mirroring does not allow downstream devices in a mirroring path to fragment mirrored frames.
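The three statements above (the 54-byte tunnel header, the drop-unless-truncation rule, and the ban on downstream fragmentation) can be checked against a capture plan before a session is enabled. The following model is an added illustration, not switch code: it assumes the path MTU is the smallest per-hop MTU (since no hop may fragment) and that truncation cuts a frame so its encapsulated copy exactly fits that MTU; the frame sizes are constructed.

```python
"""Model of the remote-mirroring MTU rule on this page (added illustration,
not switch code): a 54-byte tunnel header is prepended to every mirrored
frame and an oversized copy is dropped unless truncation is enabled."""
from dataclasses import dataclass

TUNNEL_HEADER_BYTES = 54  # header size stated by the page for remote mirroring


@dataclass
class MirrorResult:
    delivered: list  # sizes of frames that reach the analyzer (after any truncation)
    dropped: list    # original sizes of frames discarded as oversized
    truncated: int   # number of delivered frames that lost bytes to truncation


def path_mtu(hop_mtus):
    """Assumption: no hop may fragment, so the path MTU is the smallest hop MTU."""
    if not hop_mtus:
        raise ValueError("a path needs at least one hop")
    return min(hop_mtus)


def largest_safe_frame(hop_mtus):
    """Largest original frame that is mirrored intact without truncation."""
    return path_mtu(hop_mtus) - TUNNEL_HEADER_BYTES


def mirror_stream(frame_sizes, hop_mtus, truncation=False):
    """Apply the page's rule to each frame; returns what the analyzer receives."""
    mtu = path_mtu(hop_mtus)
    result = MirrorResult(delivered=[], dropped=[], truncated=0)
    for size in frame_sizes:
        encapsulated = size + TUNNEL_HEADER_BYTES
        if encapsulated <= mtu:
            result.delivered.append(size)
        elif truncation:
            # Assumed truncation behaviour: cut so the encapsulated copy fits the MTU.
            result.delivered.append(mtu - TUNNEL_HEADER_BYTES)
            result.truncated += 1
        else:
            result.dropped.append(size)
    return result


if __name__ == "__main__":
    # Constructed sample: small frames plus full-size frames on a path whose hops
    # all have a 1500-byte MTU. Anything above 1446 bytes cannot pass intact.
    sample, hops = [64, 128, 1400, 1446, 1447, 1500, 1500], [1500, 1500, 1500]
    print("largest intact frame:", largest_safe_frame(hops))
    print("no truncation:", mirror_stream(sample, hops))
    print("with truncation:", mirror_stream(sample, hops, truncation=True))
```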

Migration to release K.14.01 or greater


NOTE: If a switch is running software release K.12.xx, you must first upgrade to release K.13.xx before migrating the switch to release K.14.01 or greater.


When you download and boot software release K.14.01 or greater on a switch that is running release K.13.xx and has one or more mirroring sessions configured, an ACL-based mirroring configuration on a port or VLAN interface is mapped to a class and policy configuration based on the ACL.

The new mirroring policy is automatically configured on the same port or VLAN interface on which the mirroring ACL was assigned. The behavior of the new class and mirroring-policy configuration exactly matches the traffic-selection criteria and mirroring destination used in the ACL-based session.

Mirroring configuration in show run output in release K.13.xx and Mirroring configuration in show run output in release K.14.01 or greater show how ACL-based selection criteria in a mirroring session are converted to a classifier-based policy and class configuration when you install release K.14.01 or greater on a switch.

Mirroring configuration in show run output in release K.13.xx

Mirroring configuration in show run output in release K.14.01 or greater