Traffic Mirroring Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Multiple SPAN ACL sessions for MPLS

Overview

This section explains the feature that allows monitoring and mirroring of ingress MPLS traffic by configuring multiple SPAN ACL sessions.

Multiple SPAN ACL sessions for MPLS is a feature that

  • monitors the MPLS traffic by configuring multiple SPAN ACL sessions for MPLS, and

  • mirrors ingress MPLS traffic through the monitor-session session-name ethernet direction rx-only port-level command.

Table 1. Feature History Table

Feature Name: Multiple SPAN ACL sessions for MPLS
Release Information: Release 25.1.1
Description: Introduced in this release on: Fixed Systems (8010 [ASIC: A100]) (select variants only*)

*This feature is supported on Cisco 8011-4G24Y4H-I routers.

Feature Name: Multiple SPAN ACL sessions for MPLS
Release Information: Release 24.4.1
Description: Introduced in this release on: Fixed Systems (8200, 8700) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*).

This feature lets you verify overall network performance simultaneously from various network locations, and provides better network visibility, network resource efficiency, and flexibility.

This feature allows you to configure multiple SPAN ACL sessions for MPLS on Layer 3 interfaces configured on the Label-Switched Paths (LSPs), so that you can monitor MPLS traffic based on the labels and the EXP bit.

This MPLS SPAN ACL configuration is supported only in the ingress direction.

*This feature is now supported on:

  • 8212-48FH-M

  • 8711-32FH-M

  • 8712-MOD-M

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 88-LC1-36EH

This feature introduces these changes:

CLI:

YANG Data Model: Cisco-IOS-XR-um-mpls-acl-cfg.yang (see GitHub, YANG Data Models Navigator).

Starting from Cisco IOS XR Release 24.4.1, you can monitor MPLS traffic by configuring multiple SPAN ACL sessions for MPLS. With this feature, ingress MPLS traffic is mirrored by using the monitor-session session-name ethernet direction rx-only port-level configuration.

This feature is supported on both physical and bundle main interfaces and subinterfaces.


Benefits of using multiple MPLS SPAN ACL sessions

We recommend using multiple SPAN ACL sessions for MPLS because this approach:

  • Improves flexibility of the associated user interface.

  • Avoids redundancy.

  • Provides backward compatibility.

  • Minimises configuration size on the disk.

  • Reduces process memory in both the shared plane and local plane for scale configurations.


Configuration guidelines for multiple MPLS SPAN ACL sessions

Follow these guidelines when configuring multiple SPAN ACL sessions for MPLS:

  • Configure multiple ACL sessions for MPLS exclusively in the ingress (Rx) direction.

  • Configure up to four SPAN sessions.

  • Do not use the Deny action as it is not supported.

  • Use only GRE tunnel interfaces as the destination interfaces.

  • Specify the monitor sessions for the configured interfaces.

  • Use the SPAN session ID to distinguish between multiple SPAN sessions under the same source interface.


Configure multiple SPAN ACL sessions for MPLS

Use these steps to configure multiple SPAN ACL sessions for MPLS:

Procedure

1. Define multiple SPAN ACLs for the incoming (Rx) traffic or the MPLS packets captured. In this example, multiple SPAN ACLs, mp1 and mp2, are defined for mirroring MPLS traffic.

Example:

Router(config)# mpls access-list mp1
Router(config-mpls-acl)# 10 permit label1 2000 label2 3000 label3 4000 exp1 5 exp2 5 exp3 7
Router(config-mpls-acl)# exit
Router(config)# mpls access-list mp2
Router(config-mpls-acl)# 10 permit label3 9000 exp3 5
Router(config-mpls-acl)# exit
Router(config)# commit

2. Configure a monitor session on the specified destination interface for the incoming (Rx) traffic.

Example:

Router#config
Router(config)#interface tunnel-ip41
Router(config-if)#tunnel source 11.11.11.11
Router(config-if)#tunnel destination 22.22.22.22
Router(config-if)#ipv4 address 41.41.41.2 255.255.255.0
Router(config-if)#tunnel mode gre ipv4
Router(config-if)#commit
Router(config-if)#exit
!
Router(config)#monitor-session S1 ethernet destination interface tunnel-ip41
Router(config-if)#commit
!

3. Attach the monitor session to the source interface. This configuration attaches the MPLS SPAN ACL sessions to the specified source interface. Use the direction rx-only keyword so that only the ingress traffic is mirrored.

Example:

Router(config)# interface tenGigE 0/0/0/14
Router(config-if)# monitor-session S1 ethernet direction rx-only port-level
Router(config-if-mon)# acl mpls mp1
!!

4. Execute this command to view the running configuration.

Example:

Router# show running-config interface tenGigE 0/0/0/14 
Mon Apr  1 13:16:47.430 UTC
interface TenGigE0/0/0/14
 ipv4 address 1.1.1.1 255.255.255.0
 ipv6 address 1111::1:1/96
 monitor-session S1 ethernet direction rx-only port-level
  acl mpls mp1
 !
Router#

5. Verify the monitor session and details of the session.

Example:

Router# show monitor-session status
Mon Apr 1 13:16:40.408 UTC
Monitor-session S1
Destination interface tunnel-ip41
================================================================================
Source Interface      Dir  Status
--------------------- ---- ----------------------------------------------------
Te0/0/0/14 (port)     Rx   Operational

Router# show monitor-session status detail
Mon Apr 1 13:19:11.124 UTC
Monitor-session S1
Destination interface tunnel-ip41
Source Interfaces
-----------------
TenGigE0/0/0/14
Direction: Rx-only
Port level: True
ACL match: Disabled
IPv4 ACL: Disabled
IPv6 ACL: Disabled
MPLS ACL: Enabled (mp1)
Portion: Full packet
Interval: Mirror all packets
Mirror drops: Disabled
Status: Operational
RP/0/RP0/CPU0:ios#
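
The configuration guidelines and the procedure above can be checked mechanically before a change is committed. The following Python audit is an added example, not part of the Cisco guide: it checks three of the guidelines (rx-only direction, no deny entries, GRE tunnel destination) for every SPAN attachment that uses an MPLS ACL. It assumes the global monitor-session is written in the one-line form shown in step 2; the function name audit and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample (not from the page): S1 follows the guidelines, S2 breaks three.
SAMPLE = """\
mpls access-list mp1
 10 permit label1 2000 exp1 5
mpls access-list mp2
 10 deny label3 9000 exp3 5
interface tunnel-ip41
 tunnel mode gre ipv4
monitor-session S1 ethernet destination interface tunnel-ip41
monitor-session S2 ethernet destination interface TenGigE0/0/0/20
interface TenGigE0/0/0/14
 monitor-session S1 ethernet direction rx-only port-level
  acl mpls mp1
 monitor-session S2 ethernet port-level
  acl mpls mp2
"""

def audit(config):
    """Return guideline violations for SPAN attachments that use an MPLS ACL."""
    deny_acls, gre, dest, attach = set(), set(), {}, []
    top = ("", "")  # current column-0 stanza as (kind, name)
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # a column-0 line ends the previous stanza
            top = ("", "")
            if m := re.match(r"mpls access-list (\S+)", line):
                top = ("acl", m[1])
            elif m := re.match(r"interface (\S+)", line):
                top = ("if", m[1])
            elif m := re.match(r"monitor-session (\S+) ethernet destination interface (\S+)", line):
                dest[m[1]] = m[2]
        elif top[0] == "acl" and re.match(r"\d+ deny\b", line):
            deny_acls.add(top[1])
        elif top[0] == "if" and line == "tunnel mode gre ipv4":
            gre.add(top[1])
        elif top[0] == "if" and (m := re.match(r"monitor-session (\S+) ethernet(.*)", line)):
            attach.append([top[1], m[1], "direction rx-only" in m[2], None])
        elif (m := re.match(r"acl mpls (\S+)", line)) and attach and attach[-1][0] == top[1]:
            attach[-1][3] = m[1]
    findings = []
    for ifname, sess, rx_only, acl in (a for a in attach if a[3]):
        checks = [(rx_only, "direction is not rx-only"),
                  (acl not in deny_acls, f"MPLS ACL {acl} has a deny entry"),
                  (dest.get(sess) in gre, f"destination {dest.get(sess)} is not a GRE tunnel")]
        findings += [f"{ifname} {sess}: {msg}" for ok, msg in checks if not ok]
    return findings
```

Calling audit(SAMPLE) reports the three S2 violations and nothing for S1, whose attachment matches the configuration built in the procedure.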