Traffic Mirroring Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Configure ACLs for traffic mirroring

Updated: March 2, 2026

Want to summarize with AI?

Overview

Use this procedure to create and apply IPv4 or IPv6 access control lists for traffic mirroring. This task explains how to define permit actions for specific traffic patterns and attach the monitoring configuration to a SPAN source interface for ingress traffic.

Use this procedure to configure IPv4 or IPv6 ACLs for traffic mirroring.

Procedure

	1.	Create SPAN IPv4 ACL for traffic mirroring. Example: `Router(config)# ipv4 access-list v4-monitor-acl Router(config-ipv4-acl)# 10 permit udp 20.1.1.0 0.0.0.255 eq 10 any Router(config-ipv4-acl)# 20 permit udp 30.1.1.0 0.0.0.255 eq 20 any Router(config-ipv4-acl)# exit Router(config)# commit` The router creates an ACL named `v4-monitor-acl` and applies the `permit` action for the traffic. Note If you specify `deny` action, the router drops the traffic for that interface. Mirroring happens only if you add the `icmp-off` keyword to the ACE as shown. You can use the `icmp-off` keyword only for security or hybrid ACLs. `ipv4 access-list acl1 10 deny ipv4 any 2.1.0.0/16 capture icmp-off 20 permit ipv4 any any !`
	2.	Create SPAN IPv6 ACL for traffic mirroring. Example: `Router(config)# ipv6 access-list v6-monitor-acl Router(config-ipv6-acl)# 10 permit ipv6 host 120:1:1::1 host 130:1:1::1 Router(config-ipv6-acl)# exit` The router creates an ACL named `v6-monitor-acl` and applies the `permit` action for the traffic.
	3.	Apply the traffic monitoring to SPAN source interface. Example: `Router(config)# interface HundredGigE0/0/0/12 Router(config-if)# monitor-session mon1 ethernet direction rx-only Router(config-if)# acl ipv4 v4-monitor-acl Router(config-if)# acl ipv4 v6-monitor-acl! !` For `v4-monitor-acl` and `v6-monitor-acl` ACLs, the router applies traffic mirroring for `HundredGigE0/0/0/12` interface. Note To enable traffic mirroring, include the `capture` keyword for security or hybrid ACLs.
	4.	Verify the ACL configuration on your router. Example: `Router# show access-lists ipv4 v4span1 hardware ingress span interface HundredGigE0/0/0/12 location 0/3/cpu0 ipv4 access-list v4-monitor-acl 10 permit ipv4 host 51.0.0.0 host 101.0.0.0 20 permit ipv4 host 51.0.0.1 host 101.0.0.1 30 permit ipv4 host 51.0.0.2 any 40 permit ipv4 any host 101.0.0.3 50 permit ipv4 51.0.1.0 0.0.0.255 101.0.1.0 0.0.0.255 60 permit ipv4 51.0.2.0 0.0.0.255 101.0.2.0 0.0.0.255 precedence critical`

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Configure ACLs for traffic mirroring

Overview

Procedure

Example:

Example:

Example:

Example:

Need help?