19.1.2 Policy-Based Mirroring Behavior Specifications
(1) Basic Specifications
For traffic monitoring and analysis, configure the port to which the analyzer is connected as the mirror port. The mirror port is a port dedicated to mirroring.
A combination of monitor ports and mirror ports is called a monitor session. You can configure multiple monitor sessions on the Switch. In addition, frames received on a monitor port can be sent to different mirror ports.
Monitor and mirror ports can be used in any of the following combinations:
- 1 monitor port to 1 mirror port
- Multiple monitor ports to one mirror port
You can configure ports of different speeds as the monitor and mirror ports. Because mirrored frames are sent within the line bandwidth of the mirror port, frames that exceed the line bandwidth are discarded.
(2) Monitor port
Monitor ports for policy-based mirroring are configured with access lists that identify the flows that you want to target. When configuring a monitor port, set the receiving-side flow detection mode to a mode that supports policy-based mirroring (layer-2-1-mirror or layer2-2-mirror).
Apply an access list whose action specifies the destination interface list for policy-based mirroring to an interface; the interface to which the access list is applied is used as the monitor port. The following table describes the configuration command parameter that is specified when an access list is applied to an interface.
Mirroring direction | Parameter |
---|---|
Receiving side | in-mirror |
For details about the target interface, flow detection conditions, precautions, and other information, see "1 Filter".
(3) Mirror port
Mirror ports for policy-based mirroring are configured in the destination interface list.
One of the following interfaces can be specified in the destination interface list:
- Physical port interface
- Port channel interface
The following describes the functions of the mirror port.
- The VLAN function cannot be used. For this reason, functions that depend on the VLAN function cannot be used either.
- When the function to send control frames to the mirror port is set, control frames for the configured functions are sent to the mirror port in addition to mirrored frames.
- If you configure a sending-side filter on a mirror port, mirrored frames are also filtered. Therefore, if the filter is configured to discard, mirrored frames are discarded at the mirror port.
- Mirrored frames are also sent if the port is used as an uplink port for uplink redundancy and a mirror port is configured on a port in the standby port state.
(4) Mirroring received frames
- Of the frames received on the monitor port, frames that match flow detection in the access list for which policy-based mirroring is specified are subject to mirroring. However, frames discarded for the following reasons are not mirrored.
  - Discarded as an error frame on the receiving Ethernet interface
  - Discarded as unauthenticated when IEEE802.1X or Web authorization is used
  - Discarded by the authentication-only IPv4 access list
  - Discarded by the DHCP snooping terminal filter
- Frames that are discarded by the receiving-side filter configured on the monitor port or by storm control are not forwarded, but they are mirrored.