Traffic Mirroring Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release


Local SPAN with ACLs

Updated: February 5, 2026

Overview

This section explains how local SPAN uses Access Control Lists (ACLs) to filter and mirror ingress traffic based on specific capture criteria. It details the benefits of selective mirroring for both permitted and denied packets to enhance network monitoring and security.

Local SPAN with an Access Control List (ACL) is a traffic mirroring feature that:

  • filters and mirrors ingress traffic

  • considers only Access Control Entries (ACEs) with the capture keyword for traffic mirroring

  • captures both permit and deny packets if the ACE contains the capture keyword, and

  • allows one IPv4 ingress ACL and one IPv6 ingress ACL per interface.

Benefits of local SPAN with ACL

These are the benefits of local SPAN with ACL:

  • Traffic Filtering: Local SPAN with ACL allows precise filtering of ingress traffic, ensuring that only relevant data is mirrored based on specific criteria.

  • Selective Mirroring: By using the capture keyword in ACEs, you can selectively mirror both permitted and denied packets, providing flexibility in monitoring.

  • Efficient Monitoring: Specifying one IPv4 and one IPv6 ingress ACL per interface streamlines monitoring processes and reduces unnecessary data capture.

  • Enhanced Network Security: Filtering and mirroring ingress traffic can help identify and analyze potential security threats or anomalies in network traffic.


Configure local SPAN with IPv4 ACLs

Use these steps to configure local SPAN using IPv4 ACLs.

Procedure

1. Configure IPv4 ACLs for traffic mirroring.

Example:

Router(config)# ipv4 access-list acl1
Router(config-ipv4-acl)# 10 permit ipv4 25.0.0.0 0.0.0.255 any capture
Router(config-ipv4-acl)# 20 permit ipv4 20.0.0.0 0.0.0.255 any
Router(config-ipv4-acl)# 30 permit ipv4 131.1.1.0 0.0.0.255 any capture
Router(config-ipv4-acl)# 40 permit ipv4 191.1.1.0 0.0.0.255 any capture

2. Apply the traffic monitoring to an interface.

Example:

Router(config)# interface HundredGigE0/1/0/2
Router(config-if)# ipv4 address 131.1.1.2 255.255.255.0
Router(config-if)# monitor-session mon1 ethernet direction rx-only port-level
Router(config-if-mon)# acl
Router(config-if-mon)# ipv4 access-group acl1 ingress

3. Verify the configuration.

Example:

Router#show running-config ipv4 access-list acl1
Thu Aug 13 20:22:54.388 UTC
ipv4 access-list acl1
10 permit ipv4 22.0.0.0 0.0.0.255 any capture
20 permit ipv4 20.0.0.0 0.0.0.255 any
30 permit ipv4 131.1.1.0 0.0.0.255 any capture
40 deny ipv4 181.1.1.0 0.0.0.255 any capture
!
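
The capture rules from the overview, applied to the ACL in the verification output above, as an added example (not Cisco's code): a small Python model that parses ACEs of the form shown on this page and reports, for a given source address, whether the packet is permitted and whether it is mirrored. It assumes standard first-match ACL evaluation with an implicit deny at the end; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: ACL text in the form printed by
# "show running-config ipv4 access-list acl1" on this page.
SAMPLE_ACL = """\
ipv4 access-list acl1
 10 permit ipv4 22.0.0.0 0.0.0.255 any capture
 20 permit ipv4 20.0.0.0 0.0.0.255 any
 30 permit ipv4 131.1.1.0 0.0.0.255 any capture
 40 deny ipv4 181.1.1.0 0.0.0.255 any capture
!
"""

# Only the "<seq> <action> ipv4 <src> <wildcard> any [capture]" form is modelled.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+ipv4\s+(\S+)\s+(\S+)\s+any(\s+capture)?\s*$")

def parse_acl(text):
    """Return ACEs as (seq, action, network, wildcard, capture), sorted by seq."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, net, wild, cap = m.groups()
            aces.append((int(seq), action,
                         int(ipaddress.IPv4Address(net)),
                         int(ipaddress.IPv4Address(wild)), bool(cap)))
        elif re.match(r"^\s*\d+\s", line):
            raise ValueError(f"unsupported ACE form: {line.strip()}")
    return sorted(aces)

def evaluate(aces, src):
    """First-match lookup on the source address: (action, mirrored, seq)."""
    addr = int(ipaddress.IPv4Address(src))
    for seq, action, net, wild, cap in aces:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if addr & care == net & care:
            return action, cap, seq
    return "deny", False, None  # assumed implicit deny; no ACE, so no capture

def uncaptured(aces):
    """Sequence numbers of ACEs whose matching traffic is never mirrored."""
    return [seq for seq, *_rest, cap in aces if not cap]
```

Running `uncaptured()` over an ACL before attaching it to a monitor session shows which matched flows will be absent from the SPAN destination, which matters when the mirror feeds an IDS or packet recorder.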

Configure local SPAN with IPv6 ACLs

Use these steps to configure local SPAN using IPv6 ACLs.

Procedure

1. Configure IPv6 ACLs for traffic mirroring.

Example:

Router(config)# ipv6 access-list acl2
Router(config-ipv6-acl)# 10 permit ipv6 10:1:1::2/64 any capture
Router(config-ipv6-acl)# 20 permit ipv6 10:1:1::3/64 any
Router(config-ipv6-acl)# 30 permit ipv6 10:1:1::4/64 any capture

2. Apply the traffic monitoring to an interface.

Example:

Router(config)# interface HundredGigE0/1/0/3
Router(config-if)# ipv6 address 10:1:1::5/64
Router(config-if)# monitor-session mon2 ethernet direction rx-only port-level
Router(config-if-mon)# acl
Router(config-if-mon)# ipv6 access-group acl2 ingress

3. Verify the configuration.

Example:

Router#show running-config ipv6 access-list acl2
Thu Aug 14 20:22:54.388 UTC
ipv6 access-list acl2
10 permit ipv6 10:1:1::2/64 any capture
20 permit ipv6 10:1:1::3/64 any
30 permit ipv6 10:1:1::4/64 any capture
!