Traffic Mirroring Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

ACL-based traffic mirroring

Overview

This section explains how ACL-based traffic mirroring allows for selective monitoring of specific traffic flows based on characteristics like IP addresses and protocols.

ACL-based traffic mirroring is a feature that allows you to:

  • mirror traffic based on the configuration of the global interface ACL, and

  • monitor particular types of traffic that match certain characteristics, such as source or destination IP addresses, protocols, or port numbers.

Benefits of ACL-based traffic mirroring

  • Selective monitoring: Allows you to focus on specific traffic flows that are of interest, thereby reducing the amount of data that needs to be processed and analyzed.

  • Improved security: Enables the monitoring of suspicious or critical traffic patterns, helping to detect and respond to potential security threats more effectively.

  • Efficient resource usage: Mirrors only selected traffic and uses network resources such as bandwidth and processing power more efficiently, avoiding the overhead of capturing all traffic.


Configuration guidelines for ACL-based traffic mirroring

These configuration guidelines apply to ACL-based traffic mirroring:

Traffic mirroring on source interface

  • Configure an ACL on the source interface; without one, all traffic on that interface is mirrored by default.

  • If a bundle interface is the source interface, configure the ACL on the bundle interface itself, not on its member links.


Restrictions for ACL-based traffic mirroring

These restrictions apply to ACL-based traffic mirroring:

  • You must remove and re-apply monitor-sessions on all interfaces after modifying the access control list (ACL).

  • SPAN ACLs do not support User Defined Fields (UDF).

  • The deny action in a SPAN ACL is ignored: a SPAN ACL never drops packets. Deny ACEs are internally converted to permit ACEs, so packets matching a deny ACE are mirrored as well.

  • There is no implicit deny-all entry in a SPAN ACL.

  • An IPv6 ACL is required to mirror IPv6 packets, and an IPv4 ACL is required to mirror IPv4 packets. This follows the same structure as security ACLs, with separate IPv4 and IPv6 mirror options.
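The guidelines and restrictions above, as an added configuration example that is not taken from this guide. It assumes a Cisco 8000 router running IOS XR; the session name mon1, the ACL names span-v4 and span-v6, the interface names and all addresses are chosen for illustration, and the command sequence follows the standard IOS XR monitor-session and access-list syntax as understood here, so check it against the command reference for your release before use.

```cisco
! Added example, not from the guide. Names, addresses and interfaces are illustrative.
!
! 1. Mirroring session: where the copied packets are sent.
monitor-session mon1 ethernet
 destination interface HundredGigE0/0/0/2
!
! 2. SPAN ACLs. Only permit ACEs are meaningful: a deny ACE is converted to
!    permit and its packets are mirrored too, and there is no implicit deny-all,
!    so list only the flows that should be copied. UDF matches are not supported.
ipv4 access-list span-v4
 10 permit tcp any host 192.0.2.10 eq 443
 20 permit udp 198.51.100.0/24 any eq 53
!
! IPv6 traffic needs its own ACL; an IPv4 ACL never matches IPv6 packets.
ipv6 access-list span-v6
 10 permit tcp any host 2001:db8::10 eq 443
!
! 3. Source interface. For a bundle, everything is attached to the Bundle-Ether
!    interface, never to its member links. The "acl" keyword under the session
!    makes mirroring follow the ingress ACLs instead of copying all traffic.
interface Bundle-Ether10
 ipv4 access-group span-v4 ingress
 ipv6 access-group span-v6 ingress
 monitor-session mon1 ethernet direction rx-only
  acl
 !
!
commit
!
! 4. After editing span-v4 or span-v6, the session must be removed and re-applied
!    on every source interface for the change to take effect.
interface Bundle-Ether10
 no monitor-session mon1 ethernet
!
commit
interface Bundle-Ether10
 monitor-session mon1 ethernet direction rx-only
  acl
 !
!
commit
```

Because a deny ACE mirrors rather than excludes, the only way to keep a flow out of the mirror is to leave it unmatched by every permit ACE; a practitioner reviewing a SPAN ACL should therefore treat any deny line as a sign the author expected security-ACL semantics that do not apply here.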