Classifier-based mirroring configuration
Evaluate the types of traffic in your network and identify the traffic types that you want to mirror.
Create an IPv4 or IPv6 traffic class using the class command to select the packets that you want to mirror in a session on a preconfigured local or remote destination device. (See Configuring classifier-based mirroring.) A traffic class consists of match criteria, which consist of match and ignore commands.
match commands define the values that header fields must contain for a packet to belong to the class and be managed by policy actions.
ignore commands define the values which, if contained in header fields, exclude a packet from the policy actions configured for the class.
NOTE: Be sure to enter match/ignore statements in the precise order in which you want their criteria to be used to check packets.
The following match criteria are supported in match/ignore statements for inbound IPv4/IPv6 traffic:
IP source address (IPv4 and IPv6)
IP destination address (IPv4 and IPv6)
IP protocol (such as ICMP or SNMP)
Layer 3 IP precedence bits
Layer 3 DSCP codepoint
Layer 4 TCP/UDP application port (including TCP flags)
VLAN ID
Enter one or more match or ignore commands from the class configuration context to filter traffic and determine the packets on which policy actions will be performed. (See “Syntax”.)
Create a mirroring policy to configure the session and destination device to which specified classes of inbound traffic are sent by entering the policy mirror command from the global configuration context.
NOTE: Be sure to enter each class and its associated mirroring actions in the precise order in which you want packets to be checked and processed.
To configure the mirroring actions that you want to execute on packets that match the criteria in a specified class, enter one or more class action mirror commands from the policy configuration context. (See “Syntax”.)
You can configure only one mirroring session (destination) for each class. However, you can configure the same mirroring session for different classes.
A packet that matches the match criteria in a class is mirrored to the exit (local or remote) port that has been previously configured for the session, where session is a value from 1 to 4 or a text string (if you configured the session with a name when you entered the mirror command).
Prerequisite: The local or remote exit port for a session must be already configured before you enter the mirror <SESSION> parameter in a class action statement:
In a local mirroring session, the exit port is configured with the mirror <SESSION-NUMBER> port command.
In a remote mirroring session, the remote exit port is configured with the mirror endpoint ip and mirror <SESSION-NUMBER> remote ip commands.
Restriction: In a policy, you can configure only one mirroring session per class. However, you can configure the same session for different classes.
Mirroring is not executed on packets that match ignore criteria in a class.
The execution of mirroring actions is performed in the order in which the classes are numerically listed in the policy.
The complete no form of the class action mirror command or the no <SEQ-NUMBER> command removes a class and mirroring action from the policy configuration.
To manage packets that do not match the match or ignore criteria in any class in the policy, and therefore have no mirroring actions performed on them, you can enter an optional default class. The default class is placed at the end of a policy configuration and specifies the mirroring actions to perform on packets that are neither matched nor ignored.
(Optional) To configure a default-class in a policy, enter the default-class command at the end of a policy configuration and specify one or more actions to be executed on packets that are not matched and not ignored. (See “Syntax”.)
Prerequisite: The local or remote exit port for a session must be already configured with a destination device before you enter the mirror <SESSION> parameter in a default-class action statement.
Apply the mirroring policy to inbound traffic on a port (interface service-policy in command) or VLAN (vlan service-policy in command) interface.
CAUTION: After you apply a mirroring policy for one or more preconfigured sessions on a port or VLAN interface, the switch immediately starts to use the traffic-selection criteria and exit port to mirror traffic to the destination device connected to each exit port.
In a remote mirroring session that uses IPv4 encapsulation, if the remote switch is not already configured as the destination for the session, its performance may be adversely affected by the stream of mirrored traffic.
For this reason, Switch strongly recommends that you first configure the exit switch in a remote mirroring session, as described in Configure a mirroring destination on a remote switch and Configure a mirroring session on the source switch, before you apply a mirroring service policy on a port or VLAN interface.
Restrictions: The following restrictions apply to a mirroring service policy:
Only one mirroring policy is supported on a port or VLAN interface.
If you apply a mirroring policy to a port or VLAN interface on which a mirroring policy is already configured, the new policy replaces the existing one.
A mirroring policy is supported only on inbound traffic.
Because only one mirroring policy is supported on a port or VLAN interface, ensure that the policy you want to apply contains all the required classes and actions for your configuration.
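A constructed local configuration that walks the procedure above end to end (an added example, not the page's own text). Port, host and class names are assumptions, and the match/ignore and action syntax is written the way the vendor's classifier CLI is generally documented, so confirm it against the “Syntax” section. It shows an ignore statement placed ahead of the match statements it must override, two classes sharing one session, and a default-class on a second session.

```text
; Constructed example; lines beginning with ";" are annotations, not CLI input.
; Assumed values: analyzer exit ports c24 (session 1) and c23 (session 2),
;   monitored port a5, management host 10.1.1.10, DNS resolver 10.1.1.53.

; Prerequisite: the exit port of every session a class action refers to exists first.
switch(config)# mirror 1 port c24
switch(config)# mirror 2 port c23

; Class "web": statements are checked in sequence order. The ignore line is first so
; that packets from the management host are excluded even though the match lines
; that follow would otherwise select them.
switch(config)# class ipv4 web
switch(config-class)# 10 ignore tcp host 10.1.1.10 any
switch(config-class)# 20 match tcp any any eq 80
switch(config-class)# 30 match tcp any any eq 443
switch(config-class)# exit

; Class "dns": UDP queries to the internal resolver.
switch(config)# class ipv4 dns
switch(config-class)# 10 match udp any host 10.1.1.53 eq 53
switch(config-class)# exit

; Policy: classes are evaluated in sequence-number order. Each class gets exactly
; one session, but different classes may share one (both use session 1 here).
; The default-class handles packets that no class matched or ignored.
switch(config)# policy mirror inbound-analysis
switch(config-policy)# 10 class ipv4 web action mirror 1
switch(config-policy)# 20 class ipv4 dns action mirror 1
switch(config-policy)# default-class action mirror 2
switch(config-policy)# exit

; Apply to inbound traffic on the port; a second policy applied to a5 would replace it.
switch(config)# interface a5 service-policy inbound-analysis in
```

Mirroring starts the moment the last command is entered, so the analyzer on c24 and c23 should already be attached and ready to receive.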
Classifier-based mirroring restrictions
The following restrictions apply to mirroring policies configured with the classifier-based model:
A mirroring policy is supported only on inbound IPv4 or IPv6 traffic.
A mirroring policy is not supported on a meshed port interface. (Classifier-based policies are supported only on a port, VLAN, or trunk interface.)
Only one classifier-based mirroring policy is supported on a port or VLAN interface. You can, however, apply a classifier-based policy of a different type, such as QoS.
You can enter multiple class action mirror statements in a policy.
You can configure only one mirroring session (destination) for each class.
You can configure the same mirroring session for different classes.
If a mirroring session is configured with a classifier-based mirroring policy on a port or VLAN interface, no other traffic-selection criteria (MAC-based or all inbound and/or outbound traffic) can be added to the session.
If a mirroring session is already configured with one or more traffic-selection criteria (MAC-based or all inbound and/or outbound traffic), the session does not support the addition of a classifier-based policy.
About applying multiple mirroring sessions to an interface
You can apply a mirroring policy to an interface that is already configured with another traffic-selection method (MAC-based or all inbound and/or outbound traffic) for a different mirroring session.
The classifier-based policy provides a finer level of granularity that allows you to zoom in on a subset of port or VLAN traffic and select it for local or remote mirroring.
In the following example, traffic on Port b1 is used as the mirroring source for two different, local mirroring sessions:
Mirroring configuration examples
Local mirroring using traffic-direction criteria
An administrator wants to mirror the inbound traffic from workstation "X" on port A5 and workstation "Y" on port B17 to a traffic analyzer connected to port C24 (see Local mirroring topology.) In this case, the administrator chooses "1" as the session number. (Any unused session number from 1 to 4 is valid.) Because the switch provides both the source and destination for the traffic to monitor, local mirroring can be used. In this case, the command sequence is:
Configure the local mirroring session, including the exit port.
Configure the monitored source interfaces for the session.
Remote mirroring using a classifier-based policy
In the network shown in Sample topology in a remote mirroring session, an administrator has connected a traffic analyzer to port A15 (in VLAN 30) on switch C to monitor the TCP traffic to the server at 10.10.30.153 from workstations connected to switches A and B. Remote mirroring sessions are configured on switches A and B, and a remote mirroring endpoint on switch C. TCP traffic from VLANs 10 and 20 is routed through the network to the server on VLAN 30.
To configure this remote mirroring session using a classifier-based policy to select inbound TCP traffic on two VLAN interfaces, take the following steps:
On remote switch C, configure a remote mirroring endpoint using port A15 as the exit port (as described in Configure a mirroring destination on a remote switch.)
On source switch A, configure an association between the remote mirroring endpoint on switch C and a mirroring session on switch A (as described in Configure a mirroring session on the source switch.)
On switch A, configure a classifier-based mirroring policy to select inbound TCP traffic destined to the server at 10.10.30.153, and apply the policy to the interfaces of VLAN 10 (as described in About selecting inbound traffic using advanced classifier-based mirroring.)
On source switch B, repeat steps 2 and 3:
Configure an association between the remote mirroring endpoint on switch C and a mirroring session on switch B.
Configure a classifier-based mirroring policy to select inbound TCP traffic destined to the server at 10.10.30.153, and apply the policy to a VLAN interface for VLAN 20.
Because the remote session has mirroring sources on different switches, you can use the same session number (1) for both sessions.
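The four steps above as a constructed console session (an added example, not from the original page). Switch A's address 10.10.10.119 and the server 10.10.30.153 come from the page; switch B's address 10.10.20.119, the endpoint address 10.10.30.1 on VLAN 30, UDP port 9300 and the mirror endpoint ip argument order (source IP, UDP port, destination IP, exit port) are assumptions, as is the repetition of the endpoint once per source switch on the assumption that each entry is keyed by its source address.

```text
; Constructed example; lines beginning with ";" are annotations, not CLI input.
; Assumed: switch B = 10.10.20.119, endpoint on switch C = 10.10.30.1, UDP port 9300,
;   endpoint syntax: mirror endpoint ip <src-ip> <udp-port> <dst-ip> port <exit-port>.

; Step 1: destination switch C, traffic analyzer on port A15 (VLAN 30).
; Configure the destination first so mirrored traffic never reaches an unprepared switch.
switchC(config)# mirror endpoint ip 10.10.10.119 9300 10.10.30.1 port a15
switchC(config)# mirror endpoint ip 10.10.20.119 9300 10.10.30.1 port a15

; Step 2: source switch A, session 1 bound to the endpoint on switch C.
switchA(config)# mirror 1 remote ip 10.10.10.119 9300 10.10.30.1

; Step 3: class selecting inbound TCP destined to the server, policy, apply on VLAN 10.
switchA(config)# class ipv4 tcp-to-server
switchA(config-class)# 10 match tcp any host 10.10.30.153
switchA(config-class)# exit
switchA(config)# policy mirror mirror-server-tcp
switchA(config-policy)# 10 class ipv4 tcp-to-server action mirror 1
switchA(config-policy)# exit
switchA(config)# vlan 10 service-policy mirror-server-tcp in

; Step 4: source switch B repeats steps 2 and 3 for VLAN 20, reusing session number 1
; because the two sessions live on different switches.
switchB(config)# mirror 1 remote ip 10.10.20.119 9300 10.10.30.1
switchB(config)# class ipv4 tcp-to-server
switchB(config-class)# 10 match tcp any host 10.10.30.153
switchB(config-class)# exit
switchB(config)# policy mirror mirror-server-tcp
switchB(config-policy)# 10 class ipv4 tcp-to-server action mirror 1
switchB(config-policy)# exit
switchB(config)# vlan 20 service-policy mirror-server-tcp in
```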
Remote mirroring using traffic-direction criteria
In the network shown in Sample topology for remote mirroring from a port interface, the administrator connects another traffic analyzer to port B10 (in VLAN 40) on switch C to monitor all traffic entering switch A on port C12. For this mirroring configuration, the administrator configures a mirroring destination (with a remote exit port of B10) on switch C, and a remote mirroring session on switch A.
If the mirroring configuration in the preceding example is enabled, it is necessary to use a different session number (2) and UDP port number (9400). (The IP address of the remote exit port [10.10.40.7] connected to traffic analyzer 2 [exit port B10] can belong to a different VLAN than the destination IP address of the VLAN used to reach remote switch C [10.20.40.1].)
To configure this remote mirroring session using a directional-based traffic selection on a port interface, the operator must take the following steps:
On remote switch C, configure the remote mirroring endpoint using port B10 as the exit port for a traffic analyzer (as described in Configure a mirroring destination on a remote switch):
On source switch A, configure session 2 to use UDP port 9400 to reach the remote mirroring endpoint on switch C (10.10.40.1):
mirror 2 remote ip 10.10.10.119 9400 10.10.40.1
On source switch A, configure the local port C12 to select all inbound traffic to send to the preconfigured mirroring destination for session 2:
interface c12 monitor all in mirror 2