Configuring Traffic Mirroring on the Cisco ASR 9000 Series Router
This module describes the configuration of traffic mirroring on the Cisco ASR 9000 Series Router. Traffic mirroring is sometimes called port mirroring, or switched port analyzer (SPAN).
Feature History for Configuring Traffic Mirroring on the Cisco ASR 9000 Series Router
Release       | Modification
Release 3.9.1 | This feature was introduced on the Cisco ASR 9000 Series Router.
Release 4.0.1 | The following traffic mirroring features were added:
              | • Traffic mirroring over a pseudowire
              | • Flow or ACL-based traffic mirroring
              | • Layer 3 interface support
              | • Partial packet mirroring
Contents
• Restrictions for Traffic Mirroring
• Information about Traffic Mirroring
• Configuring Traffic Mirroring
• Traffic Mirroring Configuration Examples
• Where to Go Next
• Additional References
Restrictions for Traffic Mirroring
A maximum of eight monitoring sessions and 800 source ports are supported.
You can configure 800 source ports on a single monitoring session, or configure an aggregate total of 800 source ports across a maximum of eight monitoring sessions.
The following forms of traffic mirroring are not supported:
• Mirroring traffic to a GRE tunnel (also known as Encapsulated Remote Switched Port Analyzer [ER-SPAN] in Cisco IOS Software).
• Mirroring traffic from a full bridge domain (also known as VLAN-based SPAN in Cisco IOS Software).
Performance Impact with Traffic Mirroring
It is recommended that you do not mirror more than 15% of your total transit traffic. On the Cisco ASR 9000 Ethernet Line Card that uses Ten Gigabit Ethernet interfaces or bundle interfaces, there is a limit of 1.5G of data that can be mirrored in each of the ingress and egress directions. This limitation is not applicable on the Cisco ASR 9000 Enhanced Ethernet Line Card.
Information about Traffic Mirroring
The following sections provide information about traffic mirroring:
• Introduction to Traffic Mirroring
• Traffic Mirroring Terminology
• Supported Traffic Mirroring Types
Introduction to Traffic Mirroring
Traffic mirroring, which is sometimes called port mirroring or Switched Port Analyzer (SPAN), is a Cisco proprietary feature that enables you to monitor Layer 2 or Layer 3 network traffic passing in or out of a set of Ethernet interfaces. You can then pass this traffic to a network analyzer for analysis.
Traffic mirroring copies traffic from one or more Layer 3 interfaces or Layer 2 interfaces or sub-interfaces, including Layer 2 link bundle interfaces or sub-interfaces, and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring device. Traffic mirroring does not affect the switching of traffic on the source interfaces or sub-interfaces, and allows the mirrored traffic to be sent to a destination interface or sub-interface.
Traffic mirroring was introduced on switches because of a fundamental difference between switches and hubs. When a hub receives a packet on one port, the hub sends out a copy of that packet from all ports except from the one to which the hub received the packet. In the case of switches, after a switch boots, it starts to build up a Layer 2 forwarding table on the basis of the source MAC address of the different packets that the switch receives. After this forwarding table is built, the switch forwards traffic that is destined for a MAC address directly to the corresponding port.
For example, if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a traffic analyzer to this hub. All other ports see the traffic between hosts A and B (see Figure 17).
Figure 17 Traffic Mirroring Operation on a Hub
On a switch or router, after the host B MAC address is learned, unicast traffic from A to B is only forwarded to the B port. Therefore, the traffic analyzer does not see this traffic (see Figure 18).
Figure 18 Network Analysis Does Not Work on a Router Without Traffic Mirroring
In this configuration, the traffic analyzer only captures traffic that is flooded to all ports, such as:
• Broadcast traffic
• Multicast traffic with CGMP or Internet Group Management Protocol (IGMP) snooping disabled
• Unknown unicast traffic on a switch
An extra feature is necessary that artificially copies unicast packets that host A sends. This extra feature is traffic mirroring. When traffic mirroring is enabled, the traffic analyzer is attached to a port that is configured to receive a copy of every packet that host A sends. This port is called a traffic mirroring port. The other sections of this document describe how you can fine tune this feature.
Implementing Traffic Mirroring on the Cisco ASR 9000 Series Router
Traffic Mirroring Terminology
• Ingress traffic—Traffic that enters the switch.
• Egress traffic—Traffic that leaves the switch.
• Source port—A port that is monitored with the use of traffic mirroring. It is also called a monitored port.
• Destination port—A port that monitors source ports, usually where a network analyzer is connected. It is also called a monitoring port.
• Monitor session—A designation for a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces.
Characteristics of the Source Port
A source port, also called a monitored port, is a switched or routed port that you monitor for network traffic analysis. In a single local or remote traffic mirroring session, you can monitor source port traffic, such as received (Rx) for ingress traffic, transmitted (Tx) for egress traffic, or bidirectional (for both ingress and egress traffic). Your router supports any number of source ports (up to the maximum number of 800).
A source port has these characteristics:
• It can be any port type, such as Bundle Interface, Gigabit Ethernet, 10-Gigabit Ethernet, or EFPs.
  Note: Bridge group virtual interfaces (BVIs) are not supported.
• Each source port can be monitored in one traffic mirroring session.
• It cannot be a destination port.
• Each source port can be configured with a direction (ingress, egress, or both) to monitor. For bundles, the monitored direction applies to all physical ports in the group.
Figure 19 Network Analysis on a Cisco ASR 9000 Router With Traffic Mirroring
In Figure 19, the network analyzer is attached to a port that is configured to receive a copy of every packet that host A sends. This port is called a traffic mirroring port.
Characteristics of the Monitor Session
A monitor session is a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces. For any given monitor session, the traffic from the source interfaces (called source ports) is sent to the monitoring port (called the destination port). Some optional operations such as VLAN tag imposition and ACL filtering can be performed on the mirrored traffic streams. If there is more than one source port in a monitoring session, the traffic from the several mirrored traffic streams is combined at the destination port. The result is that the traffic that comes out of the destination port is a combination of the traffic from one or more source ports, and the traffic from each source port may or may not have VLAN push operations or ACLs applied to it.
Monitor sessions have the following characteristics:
• A single Cisco ASR 9000 Router can have a maximum of eight monitor sessions.
• A single monitor session can have only one destination port.
• A single destination port can belong to only one monitor session.
• A single Cisco ASR 9000 Router can have a maximum of 800 source ports.
• A monitor session can have a maximum of 800 source ports, as long as the maximum number of source ports from all monitoring sessions does not exceed 800.
Characteristics of the Destination Port
Each local session or remote destination session must have a destination port (also called a monitoring port) that receives a copy of the traffic from the source ports.
A destination port has these characteristics:
• A destination port must reside on the same router as the source port.
• A destination port can be any Ethernet physical port, EFP, or pseudowire, but not a bundle interface.
• A destination port can only be a Layer 2 transport interface. A Layer 3 interface as a SPAN destination is not supported on the Cisco ASR 9000 Series Router.
• A destination port can be a trunk (main) interface or a subinterface.
• At any one time, a destination port can participate in only one traffic mirroring session. A destination port in one traffic mirroring session cannot be a destination port for a second traffic mirroring session. In other words, no two monitor sessions can have the same destination port.
• A destination port cannot also be a source port.
Figure 20 Network Analysis on a Cisco ASR 9000 Router With Traffic Mirroring
1 | Source traffic mirroring ports (can be ingress or egress traffic ports)
2 | Destination traffic mirroring port
Supported Traffic Mirroring Types
The following traffic mirroring types are supported:
• Local traffic mirroring. This is the most basic form of traffic mirroring. The network analyzer or sniffer is directly attached to the destination interface. In other words, all monitored ports are located on the same switch as the destination port.
• Remote traffic mirroring (known as R-SPAN). In this case, the network analyzer is not attached directly to the destination interface, but is on a VLAN accessible to the switch. For example, the destination interface is a sub-interface with a VLAN encapsulation.
  A restricted form of remote traffic mirroring can be implemented by sending traffic to a single destination port that pushes a VLAN tag, instead of switching via a bridge domain.
  – Allows decoupling the network analyzer and destination, but there is no on-the-box redundancy.
  – Allows multiple remote network analyzers as long as they can attach to the traffic mirroring VLAN.
  This is supported on Cisco IOS XR software, because the destination port is an EFP that can push a VLAN tag.
• Pseudowire traffic mirroring (known as PW-SPAN in Cisco IOS Software). Instead of using a standard destination interface, traffic is mirrored to a remote site via an MPLS pseudowire.
• ACL-based traffic mirroring. Traffic is mirrored based on the configuration of the global interface ACL.
• Partial Packet Mirroring. The first 64 to 256 bytes of the packet can be mirrored.
• Layer 2 or Layer 3 traffic mirroring is supported. Both Layer 2 and Layer 3 source ports can be mirrored.
Pseudowire Traffic Mirroring
The traffic mirroring destination port can be configured to be a pseudowire rather than a physical port. In this case, the designated traffic on the source port is mirrored over the pseudowire to a central location. This allows the centralization of expensive network traffic analysis tools.
Because the pseudowire is carrying only the mirrored traffic, this traffic is generally unidirectional. There should not be any traffic coming from the remote provider edge.
To protect the pseudowire traffic mirroring path against network failures, it is possible to configure a traffic engineering tunnel as the preferred path and enable fast reroute protection for the pseudowire.
Figure 21 Pseudowire Traffic Mirroring
ACL-Based Traffic Mirroring
You can mirror traffic based on the definition of a global interface access list (ACL). If you are mirroring Layer 2 traffic, the ACL is configured using the ethernet-services access-list command with the capture keyword. If you are mirroring Layer 3 traffic, the ACL is configured using the ipv4 access-list or ipv6 access-list command with the capture keyword. The permit and deny commands determine the behavior of regular traffic. The capture keyword designates that the packet is to be mirrored to the destination port.
Configuring Traffic Mirroring
The following tasks describe how to configure traffic mirroring:
• How to Configure Local Traffic Mirroring
• How to Configure Remote Traffic Mirroring
• How to Configure Traffic Mirroring over Pseudowire
• How to Configure ACL-Based Traffic Mirroring
• How to Configure Partial Packet Mirroring
How to Configure Local Traffic Mirroring
SUMMARY STEPS
1. configure
2. monitor-session session-name
3. destination interface dest-interface
4. exit
5. interface source-interface
6. l2transport
7. monitor-session session-name [direction {rx-only | tx-only}]
8. end or commit
9. show monitor-session [session-name] status [detail] [error]
DETAILED STEPS
Step 1: configure
  Example:
    RP/0/RSP0/CPU0:router# configure
  Purpose: Enters global configuration mode.
Step 2: monitor-session session-name
  Example:
    RP/0/RSP0/CPU0:router(config)# monitor-session mon1
    RP/0/RSP0/CPU0:router(config-mon)#
  Purpose: Defines a monitor session, and enters monitor session configuration mode.
Step 3: destination interface dest-interface
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15
  Purpose: Specifies the destination interface to which traffic should be replicated. This interface must be a Layer 2 transport interface.
Step 4: exit
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# exit
    RP/0/RSP0/CPU0:router(config)#
  Purpose: Exits monitor session configuration mode, and returns to global configuration mode.
Step 5: interface source-interface
  Example:
    RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11
  Purpose: Enters interface configuration mode for the specified interface. The interface number is entered in rack/slot/module/port notation. For more information about the syntax for the router, use the question mark (?) online help function.
Step 6: l2transport
  Example:
    RP/0/RSP0/CPU0:router(config-if)# l2transport
  Purpose: (Optional) Enables Layer 2 transport mode on the interface and enters Layer 2 transport configuration mode.
  Note: Use the l2transport command to mirror all traffic types.
Step 7: monitor-session session-name [direction {rx-only | tx-only}]
  Example:
    RP/0/RSP0/CPU0:router(config-if-l2)# monitor-session mon1
  Purpose: Specifies the monitor session to be used on this interface. Use the direction keyword to specify that only ingress or only egress traffic is mirrored.
Step 8: end or commit
  Example:
    RP/0/RSP0/CPU0:router(config-if-l2)# end
    or
    RP/0/RSP0/CPU0:router(config-if-l2)# commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:
    – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 9: show monitor-session [session-name] status [detail] [error]
  Example:
    RP/0/RSP0/CPU0:router# show monitor-session
  Purpose: Displays information about the monitor session.
How to Configure Remote Traffic Mirroring
SUMMARY STEPS
1. configure
2. monitor-session session-name
3. destination interface dest-subinterface
4. exit
5. interface dest-subinterface l2transport
6. encapsulation dot1q vlan
7. rewrite ingress tag pop tag-to-remove
8. interface source-interface [l2transport]
9. monitor-session session-name [direction {rx-only | tx-only}]
10. end or commit
11. show monitor-session [session-name] status [detail] [error]
DETAILED STEPS
Step 1: configure
  Example:
    RP/0/RSP0/CPU0:router# configure
  Purpose: Enters global configuration mode.
Step 2: monitor-session session-name
  Example:
    RP/0/RSP0/CPU0:router(config)# monitor-session mon1
    RP/0/RSP0/CPU0:router(config-mon)#
  Purpose: Defines a monitor session, and enters monitor session configuration mode.
Step 3: destination interface dest-subinterface
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15
  Purpose: Specifies the destination subinterface to which traffic should be replicated. This interface must be a Layer 2 transport interface.
Step 4: exit
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# exit
    RP/0/RSP0/CPU0:router(config)#
  Purpose: Exits monitor session configuration mode, and returns to global configuration mode.
Step 5: interface dest-subinterface l2transport
  Example:
    RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11.10 l2transport
  Purpose: Enters interface configuration mode for the specified sub-interface. The interface number is entered in rack/slot/module/port notation. For more information about the syntax for the router, use the question mark (?) online help function.
  The l2transport keyword is used to enable Layer 2 transport mode on the destination subinterface.
Step 6: encapsulation dot1q vlan
  Example:
    RP/0/RSP0/CPU0:router(config-if)# encapsulation dot1q 1
  Purpose: Specifies 802.1Q encapsulation and the VLAN number that is used.
Step 7: rewrite ingress tag pop tag-to-remove
  Example:
    RP/0/RSP0/CPU0:router(config-if)# rewrite ingress tag pop 1
  Purpose: Specifies to remove the outer tag only for the EFP.
Step 8: interface source-subinterface [l2transport]
  Example:
    RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11.10 l2transport
  Purpose: Enters interface configuration mode for the specified subinterface. The interface number is entered in rack/slot/module/port notation. For more information about the syntax for the router, use the question mark (?) online help function.
  To configure a Layer 2 subinterface to be the source interface, use the l2transport keyword to enable Layer 2 transport mode on the subinterface.
Step 9: monitor-session session-name [direction {rx-only | tx-only}]
  Example:
    RP/0/RSP0/CPU0:router(config-if-l2)# monitor-session mon1
  Purpose: Specifies the monitor session to be used on this interface. Use the direction keyword to specify that only ingress or only egress traffic is mirrored.
Step 10: end or commit
  Example:
    RP/0/RSP0/CPU0:router(config-if)# end
    or
    RP/0/RSP0/CPU0:router(config-if)# commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:
    – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 11: show monitor-session [session-name] status [detail] [error]
  Example:
    RP/0/RSP0/CPU0:router# show monitor-session
  Purpose: Displays information about the traffic mirroring session.
How to Configure Traffic Mirroring over Pseudowire
SUMMARY STEPS
1. configure
2. monitor-session session-name
3. destination pseudowire
4. exit
5. interface source-interface
6. l2transport
7. monitor-session session-name
8. exit
9. exit
10. exit
11. l2vpn
12. pw-class class-name
13. encapsulation mpls
14. exit
15. exit
16. xconnect group group-name
17. p2p xconnect-name
18. monitor-session session-name
19. neighbor peer-ip pw-id pseudowire-id
20. pw-class class-name
21. end or commit
22. show monitor-session [session-name] status [detail] [error]
DETAILED STEPS
Step 1: configure
  Example:
    RP/0/RSP0/CPU0:router# configure
  Purpose: Enters global configuration mode.
Step 2: monitor-session session-name
  Example:
    RP/0/RSP0/CPU0:router(config)# monitor-session mon1
    RP/0/RSP0/CPU0:router(config-mon)#
  Purpose: Defines a monitor session, and enters monitor session configuration mode.
Step 3: destination pseudowire
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# destination pseudowire
  Purpose: Specifies that the traffic should be replicated to a pseudowire.
Step 4: exit
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# exit
    RP/0/RSP0/CPU0:router(config)#
  Purpose: Exits monitor session configuration mode and returns to global configuration mode.
Step 5: interface source-interface
  Example:
    RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11.10
  Purpose: Enters interface configuration mode for the specified interface. The interface number is entered in rack/slot/module/port notation. For more information about the syntax for the router, use the question mark (?) online help function.
Step 6: l2transport
  Example:
    RP/0/RSP0/CPU0:router(config-if)# l2transport
  Purpose: (Optional) Enables Layer 2 transport mode on the subinterface and enters Layer 2 transport configuration mode.
  Note: Use the l2transport command to mirror all traffic types.
Step 7: monitor-session session-name [direction {rx-only | tx-only}]
  Example:
    RP/0/RSP0/CPU0:router(config-if-l2)# monitor-session mon1
  Purpose: Specifies the monitor session to be used on this interface. Use the direction keyword to specify that only ingress or only egress traffic is mirrored.
Step 8: exit
  Example:
    RP/0/RSP0/CPU0:router(config-if-mon)# exit
    RP/0/RSP0/CPU0:router(config-if-l2)#
  Purpose: Exits monitor session configuration mode and returns to l2transport configuration mode.
Step 9: exit
  Example:
    RP/0/RSP0/CPU0:router(config-if-l2)# exit
    RP/0/RSP0/CPU0:router(config-if)#
  Purpose: Exits l2transport configuration mode and returns to interface configuration mode.
Step 10: exit
  Example:
    RP/0/RSP0/CPU0:router(config-if)# exit
    RP/0/RSP0/CPU0:router(config)#
  Purpose: Exits interface configuration mode and returns to global configuration mode.
Step 11: l2vpn
  Example:
    RP/0/RSP0/CPU0:router(config)# l2vpn
    RP/0/RSP0/CPU0:router(config-l2vpn)#
  Purpose: Enters Layer 2 VPN configuration mode.
Step 12: pw-class class-name
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn)# pw-class pw1
  Purpose: Configures a pseudowire class template and enters pseudowire class template configuration mode.
Step 13: encapsulation mpls
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-pwc)# encapsulation mpls
  Purpose: Configures the pseudowire encapsulation to MPLS.
Step 14: exit
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-pwc-mpls)# exit
    RP/0/RSP0/CPU0:router(config-l2vpn-pwc)#
  Purpose: Exits pseudowire encapsulation configuration mode.
Step 15: exit
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-pwc)# exit
    RP/0/RSP0/CPU0:router(config-l2vpn)#
  Purpose: Exits pseudowire class template configuration mode.
Step 16: xconnect group group-name
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect group g1
  Purpose: Configures a group cross connect.
Step 17: p2p xconnect-name
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p xc1
  Purpose: Configures a point-to-point cross connect.
Step 18: monitor-session session-name
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# monitor-session mon1
  Purpose: Attaches a traffic mirroring session to the point-to-point cross connect.
Step 19: neighbor peer-ip pw-id pseudowire-id
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# neighbor 192.168.2.2 pw-id 3
  Purpose: Configures the point-to-point cross connect.
Step 20: pw-class class-name
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# pw-class pw1
  Purpose: Specifies the pseudowire class template to use for this cross connect.
Step 21: end or commit
  Example:
    RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# end
    or
    RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:
    – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 22: show monitor-session [session-name] status [detail] [error]
  Example:
    RP/0/RSP0/CPU0:router# show monitor-session
  Purpose: Displays information about the traffic mirroring session.
How to Configure ACL-Based Traffic Mirroring
Prerequisites
The global interface ACL should be configured using one of the following commands with the capture keyword:
• ipv4 access-list
• ipv6 access-list
• ethernet-services access-list
For more information, refer to the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference or the ASR 9000 Series Aggregation Services Router L2 VPN and Ethernet Services Command Reference.
SUMMARY STEPS
1. configure
2. monitor-session session-name
3. destination interface dest-interface
4. exit
5. interface source-interface
6. l2transport
7. exit
8. ethernet-services access-group access-list-name ingress
9. acl
10. monitor-session session-name
11. end or commit
12. show monitor-session [session-name] status [detail] [error]
DETAILED STEPS
Step 1: configure
  Example:
    RP/0/RSP0/CPU0:router# configure
  Purpose: Enters global configuration mode.
Step 2: monitor-session session-name
  Example:
    RP/0/RSP0/CPU0:router(config)# monitor-session mon1
    RP/0/RSP0/CPU0:router(config-mon)#
  Purpose: Defines a monitor session and enters monitor session configuration mode.
Step 3: destination interface dest-interface
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15
  Purpose: Specifies the destination interface to which traffic should be replicated. This interface must be a Layer 2 transport interface.
Step 4: exit
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# exit
    RP/0/RSP0/CPU0:router(config)#
  Purpose: Exits monitor session configuration mode and returns to global configuration mode.
Step 5: interface source-interface
  Example:
    RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11
  Purpose: Enters interface configuration mode for the specified interface. The interface number is entered in rack/slot/module/port notation. For more information about the syntax for the router, use the question mark (?) online help function.
Step 6: l2transport
  Example:
    RP/0/RSP0/CPU0:router(config-if)# l2transport
  Purpose: (Optional) Enables Layer 2 transport mode on the subinterface and enters Layer 2 transport configuration mode.
  Note: Use the l2transport command to mirror all traffic types.
Step 7: exit
  Example:
    RP/0/RSP0/CPU0:router(config-if-l2)# exit
    RP/0/RSP0/CPU0:router(config-if)#
  Purpose: Exits Layer 2 transport configuration mode and returns to interface configuration mode.
Step 8: ethernet-services access-group access-list-name [ingress | egress]
  Example:
    RP/0/RSP0/CPU0:router(config-if)# ethernet-services access-group acl1 ingress
  Purpose: Associates the access list definition with the interface being mirrored.
Step 9: acl
  Example:
    RP/0/RSP0/CPU0:router(config-if-mon)# acl
  Purpose: Specifies that the traffic mirrored is according to the defined global interface ACL.
Step 10: monitor-session session-name
  Example:
    RP/0/RSP0/CPU0:router(config-if)# monitor-session mon1
  Purpose: Specifies the monitor session to be used on this interface.
Step 11: end or commit
  Example:
    RP/0/RSP0/CPU0:router(config-if)# end
    or
    RP/0/RSP0/CPU0:router(config-if)# commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:
    – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 12: show monitor-session [session-name] status [detail] [error]
  Example:
    RP/0/RSP0/CPU0:router# show monitor-session
  Purpose: Displays information about the monitor session.
Troubleshooting ACL-Based Traffic Mirroring
Note the following configuration issues:
• Even when the acl command is configured on the source mirroring port, if the ACL configuration command does not use the capture keyword, no traffic gets mirrored.
• If the ACL configuration uses the capture keyword, but the acl command is not configured on the source port, although traffic is mirrored, no access list configuration is applied.
• All ingress traffic is mirrored, regardless of the ACL definition; only egress traffic permitted in the ACL definition is mirrored.
The following example correctly shows both the capture keyword in the ACL definition and the acl command configured under the monitor session on the interface:
monitor-session tm_example
ethernet-services access-list tm_filter
 10 deny 0000.1234.5678 0000.abcd.abcd any capture
interface GigabitEthernet0/2/0/0
 monitor-session tm_example direction rx-only
  acl
 ethernet-services access-group tm_filter ingress
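The two ACL mistakes listed above (acl without capture, capture without acl) and the monitor-session and destination-port restrictions stated earlier in this module (at most eight sessions, at most 800 source ports in total, a destination port in only one session, no bundle destination, a port that is not both source and destination, a source port in only one session) are all checkable offline from the saved configuration. The following Python script is an added example and is not code from the Cisco page or from Cisco; its indentation-based stanza parsing, the assumed stanza names and the two constructed configuration snippets are assumptions of this example, not the router's own output.

```python
# Added example (not from the Cisco page): audit an IOS XR-style traffic mirroring
# snippet against the restrictions this document states. The indented stanza layout
# and stanza names are assumptions of this example.

SESSION_LIMIT = 8        # max monitor sessions per router, per the document
SOURCE_PORT_LIMIT = 800  # max source ports across all sessions, per the document

def parse_config(text):
    """Return (sessions, interfaces, acls) parsed from an indented snippet."""
    sessions, interfaces, acls = {}, {}, {}
    stack = []  # open stanzas as (indent, kind, name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:  # close stanzas at or above this level
            stack.pop()
        words = line.split()
        kind, owner = (stack[-1][1], stack[-1][2]) if stack else (None, None)
        if kind is None and words[0] == "monitor-session":
            sessions.setdefault(words[1], {"destination": None, "sources": []})
            stack.append((indent, "session", words[1]))
        elif kind is None and words[0] == "interface":
            interfaces[words[1]] = {"sessions": [], "acl": False, "acl_names": []}
            stack.append((indent, "interface", words[1]))
        elif kind is None and words[:2] == ["ethernet-services", "access-list"]:
            acls[words[2]] = []
            stack.append((indent, "acl", words[2]))
        elif kind == "session" and words[0] == "destination":
            sessions[owner]["destination"] = " ".join(words[1:]).lower()
        elif kind == "interface" and words[0] == "monitor-session":
            interfaces[owner]["sessions"].append(words[1])
            sessions.setdefault(words[1], {"destination": None, "sources": []})
            sessions[words[1]]["sources"].append(owner.lower())
        elif kind == "interface" and line == "acl":  # acl under the interface's monitor-session
            interfaces[owner]["acl"] = True
        elif kind == "interface" and words[:2] == ["ethernet-services", "access-group"]:
            interfaces[owner]["acl_names"].append(words[2])
        elif kind == "acl":
            acls[owner].append(line)
    return sessions, interfaces, acls

def audit(text):
    """Return a list of findings; an empty list means the snippet passes."""
    sessions, interfaces, acls = parse_config(text)
    findings = []
    if len(sessions) > SESSION_LIMIT:
        findings.append(f"{len(sessions)} monitor sessions; maximum is {SESSION_LIMIT}")
    total = sum(len(s["sources"]) for s in sessions.values())
    if total > SOURCE_PORT_LIMIT:
        findings.append(f"{total} source ports in total; maximum is {SOURCE_PORT_LIMIT}")
    all_sources = {src for s in sessions.values() for src in s["sources"]}
    seen = {}
    for name, sess in sessions.items():
        dest = sess["destination"]
        if dest is None:
            continue
        if dest in seen:  # a destination port belongs to only one session
            findings.append(f"destination {dest} shared by sessions {seen[dest]} and {name}")
        seen[dest] = name
        if dest.startswith("interface bundle-"):
            findings.append(f"session {name}: a bundle interface is not a valid destination")
        elif dest.startswith("interface ") and dest.split(" ", 1)[1] in all_sources:
            findings.append(f"session {name}: destination {dest} is also a source port")
    for ifname, info in interfaces.items():
        if len(info["sessions"]) > 1:  # each source port is monitored in one session only
            findings.append(f"{ifname}: source port in more than one session {info['sessions']}")
        entries = [e for n in info["acl_names"] for e in acls.get(n, [])]
        has_capture = any("capture" in e.split() for e in entries)
        if info["sessions"] and info["acl"] and not has_capture:
            findings.append(f"{ifname}: acl is set but no ACL entry uses capture; nothing is mirrored")
        if info["sessions"] and has_capture and not info["acl"]:
            findings.append(f"{ifname}: ACL uses capture but acl is not set; mirrored without ACL filtering")
    return findings

# Constructed snippets: the first follows the document's ACL example, the second
# breaks several of the stated restrictions on purpose.
GOOD_CONFIG = """
monitor-session tm_example
 destination interface GigabitEthernet0/0/0/15
ethernet-services access-list tm_filter
 10 deny 0000.1234.5678 0000.abcd.abcd any capture
interface GigabitEthernet0/2/0/0
 monitor-session tm_example direction rx-only
  acl
 ethernet-services access-group tm_filter ingress
"""
BAD_CONFIG = """
monitor-session mon1
 destination interface Bundle-Ether10
monitor-session mon2
 destination interface GigabitEthernet0/0/0/15
monitor-session mon3
 destination interface GigabitEthernet0/0/0/15
ethernet-services access-list no_capture
 10 permit any any
interface GigabitEthernet0/0/0/15
 monitor-session mon1
 monitor-session mon2
  acl
 ethernet-services access-group no_capture ingress
"""

if __name__ == "__main__":
    print("good:", audit(GOOD_CONFIG) or ["no findings"])
    print("bad:", audit(BAD_CONFIG))
```

Run against a `show running-config` excerpt, the audit returns nothing for the document's own ACL example and six findings for the deliberately broken snippet. The check is deliberately conservative: it only knows the stanzas this module introduces, so interfaces or ACL types it does not recognise are ignored rather than reported.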
How to Configure Partial Packet Mirroring
SUMMARY STEPS
1. configure
2. monitor-session session-name
3. destination interface dest-interface
4. exit
5. interface source-interface
6. monitor-session session-name
7. mirror first bytes
8. end or commit
9. show monitor-session [session-name] status
DETAILED STEPS
Step 1: configure
  Example:
    RP/0/RSP0/CPU0:router# configure
  Purpose: Enters global configuration mode.
Step 2: monitor-session session-name
  Example:
    RP/0/RSP0/CPU0:router(config)# monitor-session mon1
    RP/0/RSP0/CPU0:router(config-mon)#
  Purpose: Defines a monitor session, and enters monitor session configuration mode.
Step 3: destination interface dest-interface
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15
  Purpose: Specifies the destination interface to which traffic should be replicated. This interface must be a Layer 2 transport interface.
Step 4: exit
  Example:
    RP/0/RSP0/CPU0:router(config-mon)# exit
    RP/0/RSP0/CPU0:router(config)#
  Purpose: Exits monitor session configuration mode and returns to global configuration mode.
Step 5: interface source-interface
  Example:
    RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11.10
  Purpose: Enters interface configuration mode for the specified interface. The interface number is entered in rack/slot/module/port notation. For more information about the syntax for the router, use the question mark (?) online help function.
Step 6: monitor-session session-name [direction {rx-only | tx-only}]
  Example:
    RP/0/RSP0/CPU0:router(config-if-l2)# monitor-session mon1
  Purpose: Specifies the monitor session to be used on this interface. Use the direction keyword to specify that only ingress or only egress traffic is mirrored.
Step 7: mirror first bytes
  Example:
    RP/0/RSP0/CPU0:router(config-if-mon)# mirror first bytes
  Purpose: Specifies the number of bytes of the packet to mirror. Values can range from 64 to 256 bytes.
Step 8: end or commit
  Example:
    RP/0/RSP0/CPU0:router(config-if)# end
    or
    RP/0/RSP0/CPU0:router(config-if)# commit
  Purpose: Saves configuration changes.
  • When you issue the end command, the system prompts you to commit changes:
    Uncommitted changes found, commit them before exiting (yes/no/cancel)? [cancel]:
    – Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
    – Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
    – Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
  Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.
Step 9: show monitor-session [session-name] status
  Example:
    RP/0/RSP0/CPU0:router# show monitor-session
  Purpose: Displays information about the traffic mirroring session.
Traffic Mirroring Configuration Examples
This section contains examples of how to configure traffic mirroring:
• Traffic Mirroring with Physical Interfaces (Local): Example
• Traffic Mirroring with EFPs (Remote): Example
• Viewing Monitor Session Status: Example
• Monitor Session Statistics: Example
• Traffic Mirroring over Pseudowire: Example
• Layer 3 ACL-Based Traffic Mirroring: Example
• Layer 2 ACL-Based Traffic Mirroring: Example
• Partial Packet Mirroring: Example
Traffic Mirroring with Physical Interfaces (Local): Example
The following example shows a basic configuration for traffic mirroring with physical interfaces. When traffic flows over the point-to-point cross connect between gig0/2/0/19 and gig0/2/0/11, packets received and transmitted on gig0/2/0/19 are also mirrored to gig0/2/0/15.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# monitor-session ms1
RP/0/RSP0/CPU0:router(config-mon)# destination interface gig0/2/0/15
RP/0/RSP0/CPU0:router(config-mon)# commit
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/11
RP/0/RSP0/CPU0:router(config-if)# l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# commit
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/15
RP/0/RSP0/CPU0:router(config-if)# l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# commit
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/19
RP/0/RSP0/CPU0:router(config-if)# l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# monitor-session ms1
RP/0/RSP0/CPU0:router(config-if-mon)# commit
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect group xg1
RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p xg1_p1
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# interface gig0/2/0/11
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# interface gig0/2/0/19
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# commit
Traffic Mirroring with EFPs (Remote): Example
The following example shows a basic configuration for remote traffic mirroring with EFP interfaces. When traffic flows over the point-to-point cross connect between gig0/2/0/19.10 and gig0/2/0/11.10, packets received and transmitted on gig0/2/0/19.10 are also mirrored to gig0/2/0/10.1.
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# monitor-session ms1
RP/0/RSP0/CPU0:router(config-mon)# destination interface gig0/2/0/10.1
RP/0/RSP0/CPU0:router(config-mon)# exit
RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/10.1 l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# encapsulation dot1q 1
RP/0/RSP0/CPU0:router(config-if-l2)# rewrite ingress tag pop 1
RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/11.10 l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# encapsulation dot1q 10
RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/19.10 l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# encapsulation dot1q 10
RP/0/RSP0/CPU0:router(config-if-l2)# monitor-session ms1
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect group xg1
RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p xg1_p1
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# interface gig0/2/0/11.10
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# interface gig0/2/0/19.10
Viewing Monitor Session Status: Example
The following examples show sample output of the show monitor-session command with the status keyword:
RP/0/RSP0/CPU0:router# show monitor-session status
Fri Feb 20 14:56:04.233 UTC
Monitor-session cisco-rtp1
Destination interface GigabitEthernet0/5/0/38
================================================================================
Source Interface Dir Status
--------------------- ---- ----------------------------------------------------
Gi0/5/0/4 Both Operational
Gi0/5/0/17 Both Operational
RP/0/RSP0/CPU0:router# show monitor-session status detail
Destination interface is not configured
Status: Not operational (destination interface not known).
Status: Error: 'Viking SPAN PD' detected the 'warning' condition 'PRM connection
creation failure'.
RP/0/RSP0/CPU0:router# show monitor-session status error
Thu Jul 1 17:56:24.190 DST
Destination interface GigabitEthernet0/2/0/15 is not configured
================================================================================
Source Interface Dir Status
--------------------- ---- ----------------------------------------------------
Destination interface is not configured
================================================================================
Source Interface Dir Status
--------------------- ---- ----------------------------------------------------
Monitor Session Statistics: Example
Use the show monitor-session command with the counters keyword to show the statistics/counters (received/transmitted/dropped) of different source ports. For each monitor session, this command displays a list of all source interfaces and the replicated packet statistics for that interface.
The full set of statistics displayed for each interface is:
• RX replicated packets and octets
• TX replicated packets and octets
• Non-replicated packets and octets
RP/0/RSP0/CPU0:router# show monitor-session counters
GigabitEthernet0/2/0/19.10
Rx replicated: 1000 packets, 68000 octets
Tx replicated: 1000 packets, 68000 octets
Non-replicated: 0 packets, 0 octets
Use the clear monitor-session counters command to clear any collected statistics. By default this command clears all stored statistics; however, an optional interface filter can be supplied.
RP/0/RSP0/CPU0:router# clear monitor-session counters
Traffic Mirroring over Pseudowire: Example
The following example shows how to configure traffic mirroring over a pseudowire:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/11/0/1
RP/0/RSP0/CPU0:router(config-if)# l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# monitor-session pw-span-test
RP/0/RSP0/CPU0:router(config)# monitor-session pw-span-test
RP/0/RSP0/CPU0:router(config-mon)# destination pseudowire
RP/0/RSP0/CPU0:router(config)# l2vpn
RP/0/RSP0/CPU0:router(config-l2vpn)# pw-class class1
RP/0/RSP0/CPU0:router(config-l2vpn-pwc)# encapsulation mpls
RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect group g1
RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p x1
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# monitor-session pw-span-test
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# neighbor 2.2.2.2 pw-id 1
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# pw-class class1
RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# commit
Layer 3 ACL-Based Traffic Mirroring: Example
The following example shows how to configure Layer 3 ACL-based traffic mirroring:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# monitor-session ms1
RP/0/RSP0/CPU0:router(config-mon)# destination interface gig0/2/0/15
RP/0/RSP0/CPU0:router(config-mon)# commit
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/11
RP/0/RSP0/CPU0:router(config-if)# ipv4 access-group span ingress
RP/0/RSP0/CPU0:router(config-if)# monitor-session ms1
RP/0/RSP0/CPU0:router(config-if-mon)# acl
RP/0/RSP0/CPU0:router(config-if-mon)# commit
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# ipv4 access-list span
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 5 permit ipv4 any any dscp 5 capture
RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit ipv4 any any
RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit
Layer 2 ACL-Based Traffic Mirroring: Example
The following example shows how to configure Layer 2 ACL-based traffic mirroring:
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# monitor-session ms1
RP/0/RSP0/CPU0:router(config-mon)# destination interface gig0/2/0/15
RP/0/RSP0/CPU0:router(config-mon)# commit
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/11
RP/0/RSP0/CPU0:router(config-if)# l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# exit
RP/0/RSP0/CPU0:router(config-if)# ethernet-services access-group acl_mirror ingress
RP/0/RSP0/CPU0:router(config-if)# monitor-session ms1
RP/0/RSP0/CPU0:router(config-if-mon)# acl
RP/0/RSP0/CPU0:router(config-if-mon)# commit
RP/0/RSP0/CPU0:router# configure
RP/0/RSP0/CPU0:router(config)# ethernet-services access-list acl_mirror
RP/0/RSP0/CPU0:router(config-es-acl)# 5 permit any any capture
RP/0/RSP0/CPU0:router(config-es-acl)# 10 permit any any
RP/0/RSP0/CPU0:router(config-es-acl)# commit
Partial Packet Mirroring: Example
The following example shows how to configure mirroring of the first 100 bytes of the packet:
RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11
RP/0/RSP0/CPU0:router(config-if)# l2transport
RP/0/RSP0/CPU0:router(config-if-l2)# monitor-session mon1
RP/0/RSP0/CPU0:router(config-if-mon)# mirror first 100
Troubleshooting Traffic Mirroring
When you have issues with your traffic mirroring, begin your troubleshooting by checking the output of the show monitor-session status command. This command displays the recorded state of all sessions and source interfaces:
Monitor-session <session-name>
<Session status>
================================================================================
Source Interface Dir Status
--------------------- ---- ----------------------------------------------------
Gi0/0/0/0 Both <Source interface status>
Gi0/0/0/2 Both <Source interface status>
In the preceding example, the line marked as <Session status> can indicate one of the following configuration errors:
Session Status | Explanation
Session is not configured globally | The session does not exist in global configuration. Check show run command output to ensure that a session with the right name has been configured.
Destination interface <intf> is not configured | The interface that has been configured as the destination does not exist. For example, the destination interface may be configured to be a VLAN subinterface, but the VLAN subinterface may not have been created yet.
Destination interface <intf> (<down-state>) | The destination interface is not in Up state in the Interface Manager. You can verify the state using the show interfaces command. Check the configuration to see what might be keeping the interface from coming up (for example, a sub-interface needs to have an appropriate encapsulation configured).
Destination pseudowire is not configured | The L2VPN configuration that is to set up the pseudowire is missing. Configure the traffic mirroring session name as one segment of the xconnect p2p.
Destination pseudowire <name> (down) | The pseudowire is configured, but is down. Check the L2VPN configuration to identify why the pseudowire is not coming up.
The <Source interface status> can report the following messages:
Source Interface Status | Explanation
Operational | Everything appears to be working correctly in traffic mirroring PI. Please follow up with the platform teams in the first instance, if mirroring is not operating as expected.
Not operational (Session is not configured globally) | The session does not exist in global configuration. Check the show run command output to ensure that a session with the right name has been configured.
Not operational (destination interface not known) | The session exists, but it either does not have a destination interface specified, or the destination interface named for the session does not exist (for example, if the destination is a sub-interface that has not been created).
Not operational (source same as destination) | The session exists, but the destination and source are the same interface, so traffic mirroring does not work.
Not operational (destination not active) | The destination interface or pseudowire is not in the Up state. See the corresponding Session status error messages for suggested resolution.
Not operational (source state <down-state>) | The source interface is not in the Up state. You can verify the state using the show interfaces command. Check the configuration to see what might be keeping the interface from coming up (for example, a sub-interface needs to have an appropriate encapsulation configured).
Error: see detailed output for explanation | Traffic mirroring has encountered an error. Run the show monitor-session status detail command to display more information.
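As an added example, not part of Cisco's documentation or software, the following Python helper parses show monitor-session status output and maps each session status line and source-interface status to the explanations in the two tables above, so that output collected from several routers can be triaged in one pass. The sample output is constructed in the format shown earlier on this page.

```python
import re
SESSION_RULES = [  # (regex, explanation) from the session-status table; None = healthy
    (r"Session is not configured globally", "session missing; check 'show run'"),
    (r"Destination interface \S+ is not configured", "destination interface does not exist"),
    (r"Destination interface \S+ \(.+\)", "destination not Up; check 'show interfaces'"),
    (r"Destination pseudowire is not configured", "xconnect p2p segment for session missing"),
    (r"Destination pseudowire \S+ \(down\)", "pseudowire down; check L2VPN config"),
    (r"Destination (interface|pseudowire) \S+", None),
]
SOURCE_RULES = [  # same for the source-interface Status column
    (r"Operational", None),
    (r"Not operational \(Session is not configured globally\)", "session missing; check 'show run'"),
    (r"Not operational \(destination interface not known\)", "destination unset or does not exist"),
    (r"Not operational \(source same as destination\)", "source and destination are the same port"),
    (r"Not operational \(destination not active\)", "destination not Up; see session status"),
    (r"Not operational \(source state .+\)", "source not Up; check 'show interfaces'"),
    (r"Error: see detailed output for explanation", "run 'show monitor-session status detail'"),
]
def explain(rules, text):  # explanation for one status string, None when healthy
    for pattern, msg in rules:
        if re.fullmatch(pattern, text):
            return msg
    return "unrecognised status: " + text

def parse_status(output):  # -> [{'name', 'status', 'sources': [(iface, dir, status)]}]
    sessions, pending = [], False
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("Monitor-session "):
            sessions.append({"name": line.split(None, 1)[1], "status": "", "sources": []})
            pending = True                      # the next line is the session status
        elif pending:
            sessions[-1]["status"], pending = line, False
        elif sessions and line and line[0] not in "=-" and not line.startswith("Source Interface"):
            parts = line.split(None, 2)         # interface, direction, status text
            if len(parts) == 3:
                sessions[-1]["sources"].append(tuple(parts))
    return sessions

def triage(output):  # -> (session, where, explanation) for every line that is not healthy
    problems = []
    for s in parse_status(output):
        checks = [("session", explain(SESSION_RULES, s["status"]))]
        checks += [(iface, explain(SOURCE_RULES, st)) for iface, _d, st in s["sources"]]
        problems += [(s["name"], where, msg) for where, msg in checks if msg]
    return problems

# Constructed sample in the format shown above (not captured from a real router).
SAMPLE_OUTPUT = """\
Monitor-session ms1
Destination interface GigabitEthernet0/5/0/17
================================================================================
Source Interface      Dir   Status
---------------------  ----  ----------------------------------------------------
Gi0/5/0/4              Both  Operational
Gi0/5/0/17             Both  Not operational (source same as destination)
Monitor-session ms2
Destination interface GigabitEthernet0/2/0/15 is not configured
Gi0/2/0/11             Rx    Not operational (destination interface not known)
Gi0/2/0/12             Both  Error: see detailed output for explanation
"""
```

triage(SAMPLE_OUTPUT) returns four findings: the source-equals-destination port in ms1, the missing destination in ms2, and the two affected ms2 source ports.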
The show monitor-session status detail command displays full details of the configuration parameters, and of any errors encountered. For example:
RP/0/RSP0/CPU0:router#show monitor-session status detail
Destination interface is not configured
Status: Not operational (destination interface not known).
Status: Error: 'Viking SPAN PD' detected the 'warning' condition 'PRM connection
creation failure'.
This detailed output may give you a clear indication of what the problem is.
Here are additional trace and debug commands:
RP/0/RSP0/CPU0:router# show monitor-session platform trace ?
all Turn on all the trace
events Display interesting events
RP/0/RSP0/CPU0:router# show monitor-session trace ?
process Filter debug by process
RP/0/RSP0/CPU0:router# debug monitor-session platform ?
all Turn on all the debugs
errors VKG SPAN EA errors
RP/0/RSP0/CPU0:router# debug monitor-session platform all
RP/0/RSP0/CPU0:router# debug monitor-session platform event
RP/0/RSP0/CPU0:router# debug monitor-session platform info
RP/0/RSP0/CPU0:router# show monitor-session status ?
detail Display detailed output
errors Display only attachments which have errors
internal Display internal monitor-session information
RP/0/RSP0/CPU0:router# show monitor-session status
RP/0/RSP0/CPU0:router# show monitor-session status errors
RP/0/RSP0/CPU0:router# show monitor-session status internal
Where to Go Next
When you have configured an Ethernet interface, you can configure individual VLAN subinterfaces on that Ethernet interface.
For information about modifying Ethernet management interfaces for the shelf controller (SC), route processor (RP), and distributed RP, see the Advanced Configuration and Modification of the Management Ethernet Interface on the Cisco ASR 9000 Series Router module later in this document.
For information about IPv6, see the Implementing Access Lists and Prefix Lists on Cisco IOS XR Software module in the Cisco IOS XR IP Addresses and Services Configuration Guide.
Additional References
The following sections provide references related to implementing Gigabit and 10-Gigabit Ethernet interfaces.
Related Documents
Related Topic | Document Title
Ethernet L2VPN | Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Configuration Guide; Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference
Cisco IOS XR master command reference | Cisco ASR 9000 Series Aggregation Services Router Master Commands List
Cisco IOS XR interface configuration commands | Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference
Information about user groups and task IDs | Cisco IOS XR Interface and Hardware Component Command Reference
Standards
Standards | Title
IEEE 802.1ag | —
ITU-T Y.1731 | —
MIBs
MIBs | MIBs Link
IEEE CFM MIB | To locate and download MIBs for selected platforms using Cisco IOS XR Software, use the Cisco MIB Locator found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/support