Classifier-based mirroring configuration

  1. Evaluate the types of traffic in your network and identify the traffic types that you want to mirror.

  2. Create an IPv4 or IPv6 traffic class using the class command to select the packets that you want to mirror in a session on a preconfigured local or remote destination device.

    A traffic class consists of match criteria, which consist of match and ignore commands.

    • match commands define the values that header fields must contain for a packet to belong to the class and be managed by policy actions.
    • ignore commands define the values which, if contained in header fields, exclude a packet from the policy actions configured for the class.
    NOTE:

    Be sure to enter match/ignore statements in the precise order in which you want their criteria to be used to check packets.

    The following match criteria are supported in match/ignore statements for inbound IPv4/IPv6 traffic:
    1. IP source address (IPv4 and IPv6)
    2. IP destination address (IPv4 and IPv6)
    3. IP protocol (such as ICMP or SNMP)
    4. Layer 3 IP precedence bits
    5. Layer 3 DSCP codepoint
    6. Layer 4 TCP/UDP application port (including TCP flags)
    7. VLAN ID
  3. Enter one or more match or ignore commands from the class configuration context to filter traffic and determine the packets on which policy actions will be performed.

  4. Create a mirroring policy to configure the session and destination device to which specified classes of inbound traffic are sent by entering the policy mirror command from the global configuration context.
    NOTE:

    Be sure to enter each class and its associated mirroring actions in the precise order in which you want packets to be checked and processed.

  5. To configure the mirroring actions that you want to execute on packets that match the criteria in a specified class, enter one or more class action mirror commands from the policy configuration context.

    You can configure only one mirroring session (destination) for each class. However, you can configure the same mirroring session for different classes.

    A packet that matches the match criteria in a class is mirrored to the exit (local or remote) port that has been previously configured for the session, where session is a value from 1 to 4 or a text string (if you configured the session with a name when you entered the mirror command).

    Prerequisite: The local or remote exit port for a session must already be configured before you enter the mirror session parameter in a class action statement:

    • In a local mirroring session, the exit port is configured with the mirror <SESSION-NUMBER> port command.

    • In a remote mirroring session, the remote exit port is configured with the mirror endpoint ip and mirror <SESSION-NUMBER> remote ip commands.

    Restriction: In a policy, you can configure only one mirroring session per class. However, you can configure the same session for different classes.

    Mirroring is not executed on packets that match ignore criteria in a class.

    The execution of mirroring actions is performed in the order in which the classes are numerically listed in the policy.

    The complete no form of the class action mirror command or the no <SEQ-NUMBER> command removes a class and mirroring action from the policy configuration.

  6. To manage packets that do not match the match or ignore criteria in any class in the policy, and therefore have no mirroring actions performed on them, you can enter an optional default class. The default class is placed at the end of a policy configuration and specifies the mirroring actions to perform on packets that are neither matched nor ignored.

  7. (Optional) To configure a default-class in a policy, enter the default-class command at the end of a policy configuration and specify one or more actions to be executed on packets that are not matched and not ignored.

    Prerequisite: The local or remote exit port for a session must already be configured with a destination device before you enter the mirror <SESSION> parameter in a default-class action statement.

  8. Apply the mirroring policy to inbound traffic on a port (interface service-policy in command) or VLAN (vlan service-policy in command) interface.
    CAUTION:

    After you apply a mirroring policy for one or more preconfigured sessions on a port or VLAN interface, the switch immediately starts to use the traffic-selection criteria and exit port to mirror traffic to the destination device connected to each exit port.

    In a remote mirroring session that uses IPv4 encapsulation, if the remote switch is not already configured as the destination for the session, its performance may be adversely affected by the stream of mirrored traffic.

    For this reason, it is strongly recommended that you first configure the exit switch in a remote mirroring session, as described in "Configure a mirroring destination on a remote switch" and "Configure a mirroring session on the source switch", before you apply a mirroring service policy on a port or VLAN interface.

Restrictions: The following restrictions apply to a mirroring service policy:
  • Only one mirroring policy is supported on a port or VLAN interface.
  • If you apply a mirroring policy to a port or VLAN interface on which a mirroring policy is already configured, the new policy replaces the existing one.
  • A mirroring policy is supported only on inbound traffic.
Because only one mirroring policy is supported on a port or VLAN interface, ensure that the policy you want to apply contains all the required classes and actions for your configuration.
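
The ordering rules in steps 3 through 7 can be checked offline before a policy is applied. The following is an added example, not vendor code and not switch CLI: a small Python model of how an ordered policy selects a mirroring session. The class names, addresses, field keys and sample packets are constructed. It assumes the first statement that hits within a class decides, and that a packet ignored by one class is still checked against later classes.

```python
from ipaddress import ip_address, ip_network

# Constructed policy (names, addresses and field keys are illustrative).
# Classes are listed in numeric order; statements inside a class are ordered.
POLICY = [
    {"name": "AdminHosts", "session": 1, "rules": [
        ("ignore", {"src": "10.0.5.0/24", "proto": "tcp", "dport": 443}),
        ("match", {"src": "10.0.5.0/24"}),
    ]},
    {"name": "DnsTraffic", "session": 2, "rules": [
        ("match", {"proto": "udp", "dport": 53}),
    ]},
]

def hits(criteria, pkt):
    """True when every listed header field of the packet has the required value."""
    for field, want in criteria.items():
        if field in ("src", "dst"):
            if ip_address(pkt[field]) not in ip_network(want):
                return False
        elif pkt.get(field) != want:
            return False
    return True

def mirror_session(pkt, policy=POLICY, default_session=None):
    """Return the session a packet is mirrored to, or None if it is not mirrored."""
    ignored = False
    for cls in policy:                       # classes in policy order
        for verb, criteria in cls["rules"]:  # statements in entry order
            if hits(criteria, pkt):
                if verb == "match":
                    return cls["session"]    # one session per class
                ignored = True               # ignore: no action from this class
                break                        # assumption: later classes still checked
    # default-class applies only to packets neither matched nor ignored
    return None if ignored else default_session

def reorder_first_class(policy):
    """Same policy with the first class's statements entered in reverse order."""
    first = dict(policy[0], rules=list(reversed(policy[0]["rules"])))
    return [first] + policy[1:]

# Constructed sample packets
HTTPS = {"src": "10.0.5.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}
SSH = {"src": "10.0.5.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}
DNS = {"src": "10.0.9.1", "dst": "192.0.2.53", "proto": "udp", "dport": 53}
WEB = {"src": "10.0.9.1", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}
```

In this model an ignored packet is not picked up by a default-class, so an ignore statement is a deliberate gap in what the capture device sees; entering the broad match ahead of it removes the gap and mirrors the HTTPS traffic as well.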