Traffic Mirroring Commands

This module describes the commands used to configure and monitor traffic mirroring.

To use the commands of this module, you must be in a user group associated with a task group that includes the appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

acl

To configure ACL-based traffic mirroring, use the acl command in monitor session configuration mode. To stop ACL-based traffic mirroring, use the no form of this command.

acl

Syntax Description

This command has no keywords or arguments.

Command Default

No default behavior or values

Command Modes

Monitor session configuration

Command History

Release

Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

If you use the acl command, traffic is mirrored according to the global interface access list (ACL) defined by one of the following commands: ipv4 access-list, ipv6 access-list, ethernet-services access-list.

Even when the acl command is configured on the source mirroring port, no traffic is mirrored unless the ACL configuration command uses the capture keyword.

If the ACL configuration uses the capture keyword but the acl command is not configured on the source port, traffic is mirrored, but no access list configuration is applied.
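
Both mismatches described above can be checked offline against a saved configuration. The following Python code is an added example, not part of the Cisco documentation; the running-config layout it parses, the function names parse and audit, and the sample ACL and interface names are assumptions of this example.

```python
import re

# Constructed running-config fragment (not from the page). The indented layout
# with "!" terminators and the ipv4 ACL entry are assumptions of this example.
SAMPLE_CONFIG = """\
ethernet-services access-list tm_filter
 10 deny 0000.1234.5678 0000.abcd.abcd any capture
!
ipv4 access-list no_capture
 10 permit ipv4 any any
!
interface HundredGigabitEthernet0/2/0/0
 monitor-session tm_example direction rx-only
  acl
 !
 ethernet-services access-group tm_filter ingress
!
interface HundredGigabitEthernet0/2/0/1
 monitor-session tm_example direction rx-only
  acl
 !
 ipv4 access-group no_capture ingress
!
interface HundredGigabitEthernet0/2/0/2
 monitor-session tm_example direction rx-only
 !
 ethernet-services access-group tm_filter ingress
!
"""

ACL_DEF = re.compile(r"^(ipv4|ipv6|ethernet-services) access-list (\S+)$")
ACL_BIND = re.compile(r"^(ipv4|ipv6|ethernet-services) access-group (\S+)")

def parse(config):
    """Return ({(family, acl_name): has_capture}, {interface: attributes})."""
    acls, interfaces = {}, {}
    acl = intf = None
    in_session = False
    for raw in config.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                       # a new top-level stanza starts
            acl, intf, in_session = None, None, False
            m = ACL_DEF.match(line)
            if m:
                acl = m.groups()
                acls[acl] = False
            elif line.startswith("interface "):
                name = line.split(None, 1)[1]
                intf = interfaces[name] = {"sessions": [], "acl_cmd": False, "bound": []}
        elif acl is not None:
            if "capture" in line.split():     # an entry marked for capture
                acls[acl] = True
        elif intf is not None:
            if indent == 1:
                in_session = line.startswith("monitor-session ")
                if in_session:
                    intf["sessions"].append(line.split()[1])
                m = ACL_BIND.match(line)
                if m:
                    intf["bound"].append(m.groups())
            elif in_session and line == "acl":
                intf["acl_cmd"] = True        # acl set under the monitor session
    return acls, interfaces

def audit(config):
    """Flag the two acl/capture mismatches from the Usage Guidelines."""
    acls, interfaces = parse(config)
    findings = []
    for name, intf in interfaces.items():
        if not intf["sessions"]:
            continue                          # not a mirroring source
        captures = any(acls.get(key, False) for key in intf["bound"])
        if intf["acl_cmd"] and not captures:
            findings.append((name, "ACL_WITHOUT_CAPTURE"))   # nothing is mirrored
        elif captures and not intf["acl_cmd"]:
            findings.append((name, "CAPTURE_WITHOUT_ACL"))   # ACL not applied to mirror
    return findings
```

ACL_WITHOUT_CAPTURE marks a source port whose sensor receives nothing; CAPTURE_WITHOUT_ACL marks a source port whose mirrored traffic is not restricted by the access list.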

Examples

This example shows how to configure ACL-based traffic mirroring on the interface:


RP/0/RP0/CPU0:router(config)# monitor-session tm_example 
RP/0/RP0/CPU0:router(config)# ethernet-services access-list tm_filter 
RP/0/RP0/CPU0:router(config-es-acl)# 10 deny 0000.1234.5678 0000.abcd.abcd any capture 
RP/0/RP0/CPU0:router(config-es-acl)# exit 
RP/0/RP0/CPU0:router(config)# interface HundredGigabitEthernet0/2/0/0 
RP/0/RP0/CPU0:router(config-if)# monitor-session tm_example direction rx-only 
RP/0/RP0/CPU0:router(config-if)# acl  
RP/0/RP0/CPU0:router(config-if-l2)# exit 
RP/0/RP0/CPU0:router(config-if)# ethernet-services access-group tm_filter ingress 
RP/0/RP0/CPU0:router(config-if)# end 

acl mpls

To mirror the MPLS traffic based on the global interface access list (ACL) defined in the mpls access-list configuration, use the acl mpls command in monitor session configuration mode.

acl mpls acl_name

Syntax Description

acl_name

Specifies the ACL name specified in the mpls access-list definition.

Command Default

None

Command Modes

Monitor session configuration mode

Command History

Release Modification
Release 24.4.1

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID Operation

ethernet-services

read, write

Examples

This example provides the monitor session to be used on the configured interface. Use the direction keyword to specify that only ingress MPLS traffic is mirrored.

Router(config)# interface tenGigE 0/0/0/14
Router(config-if)#monitor-session S1 ethernet direction rx-only port-level
Router(config-if-mon)#acl mpls mp

clear monitor-session counters

To clear the traffic mirroring session statistics, use the clear monitor-session counters command in XR EXEC mode.

clear monitor-session counters [interface type interface-path-id]

Syntax Description

interface

Identifies the interface for which the counters are to be cleared.

type

Interface type. For more information, use the question mark (?) online help function.

interface-path-id

Physical interface or virtual interface.

Note

Use the show interfaces command to see a list of all interfaces currently configured on the router.

For more information about the syntax for the router, use the question mark (?) online help function.

session-name

Name of the monitor session to clear.

Command Default

All stored statistics for all interfaces are cleared.

Command Modes

XR EXEC mode

Command History

Release

Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID

Operations

interface

read

Examples

This example shows how to clear the traffic mirroring statistic counters:


RP/0/RP0/CPU0:router# clear monitor-session mon1 ipv6 counters

destination file

To associate a destination file with a traffic mirroring session, use the destination file command in monitor-session configuration mode.

destination file [ size kbytes ] [ buffer-type linear ] [ format pcapng ] [always-on] [ periodic-write interval ] [ capacity capacity { KB | MB | GB } ]

Syntax Description

file

Configures a file destination for the current monitor-session.

size

Configures a non-default value for the size of buffer. If not configured, a platform-specific default value is used.

kbytes

Specifies the size of buffer in kilobytes.

buffer-type

Configures a non-default value for the type of buffer. If not configured, circular is used as the default buffer type.

linear

Configures the type of buffer as linear.

format

Configures a non-default value for the format of the file written. If not configured, pcap is used as the default output file format.

pcapng

Configures the format of the file written as pcapng.

always-on

If the file destination is configured to be always-on, the packet collection begins immediately and does not stop when the contents of the packet buffer are written. When the always-on config is removed, packet collection starts and stops based on packet-collection action commands.

periodic-write

Configures periodic write of the packet buffer to a file.

interval

Configures the interval in seconds at which the packet buffer is written to a file.

The value can range from 1 to 2147483647.

capacity

If this optional keyword is configured, the user-defined capacity is used as the maximum amount of disk memory to maintain periodic capture files for this session.

capacity

Specifies the storage capacity allocated to maintain periodic capture files for this session.

The value can range from 1 to 4294967295.

The capacity is converted into bytes when the units are specified and must be lower than the local-capture-capacity (the maximum capacity available for writing periodic capture files of all monitor sessions) in bytes. The default value is zero, which means the periodic files are written up to the local-capture-capacity limit.

KB | MB | GB

Specifies the unit in which the value configured for capacity is considered.

Command Default

See the syntax description table for the default values of each keyword.

Command Modes

monitor-session configuration submode

Command History

Release

Modification

Release 7.1.2

This command was introduced.

Release 24.4.1

The keywords always-on, periodic-write, and capacity were introduced.

Usage Guidelines

  • This class of destination is not supported on sessions with separate Rx and Tx destinations.

  • Storage Capacity Management: The capacity management is performed on the default directory and files with default file names. If manual changes are done on the location or file names where the files are written, they do not contribute towards the session limit.

Task ID

Task ID

Operations

ethernet-services

read, write

Examples

This example demonstrates how to link a destination file to a traffic mirroring session with always-on SPAN-to-File packet capture. The buffer is written every 300 seconds, and the maximum storage capacity for the captured files is set to 500 MB.

Router(config)#monitor-session test 
Router(config-mon)#destination file always-on periodic-write 300 capacity 500 MB 
Router(config-mon)#commit
   

destination interface

To associate a destination interface with a traffic mirroring session, use the destination interface command in monitor session configuration mode. To remove the designated destination, use the no form of this command.

destination interface type interface-path-id

Syntax Description

type

Interface type. For more information, use the question mark (?) online help function.

interface-path-id

Physical interface or virtual interface.

Note

Use the show interfaces command to see a list of all interfaces currently configured on the router.

For more information about the syntax for the router, use the question mark (?) online help function.

Command Default

No default behavior or values

Command Modes

Monitor sessions configuration

Command History

Release

Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

Use the destination interface command to assign a traffic monitoring session to a specific destination interface. This is the port to which a network analyzer is connected. This is generally called the monitoring port.

A destination port has these characteristics:

  • A destination port must reside on the same switch as the source port.
  • A destination port can be any Ethernet physical port, nV Satellite ICL port or EFP, but not a bundle interface. Also, the ICL must not be a bundle interface.
  • At any one time a destination port can participate in only one traffic mirroring session. A destination port in one traffic mirroring session cannot be a destination port for a second traffic mirroring session. In other words, no two monitor sessions can have the same destination port.
  • A destination port cannot also be a source port.

Examples

This example shows how to configure a monitoring port for a traffic mirroring session:


RP/0/RP0/CPU0:router(config)# monitor-session mon1 
RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15 
   

destination pseudowire

To direct mirrored traffic to a pseudowire, use the destination pseudowire command in monitor session configuration mode. To remove the pseudowire designation, use the no form of this command.

destination pseudowire

Syntax Description

This command has no keywords or arguments.

Command Default

No default behavior or values

Command Modes

Monitor session configuration

Command History

Release Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

Use the destination pseudowire command to direct the mirrored traffic to a pseudowire. A network analyzer in a central location can then be used to monitor the traffic. Use the monitor session command to define the exact pseudowire to which the monitored traffic should be replicated.

Examples

This example shows how to configure a monitoring port for a traffic mirroring session:


RP/0/RP0/CPU0:router(config)# monitor-session mon1 
RP/0/RSP0/CPU0:router(config-mon)# destination pseudowire 
   

drops

To mirror Traffic Management (TM) buffer drop packets or forward-drop packets at the ingress of a router to a configured destination, use the drops command in XR Config mode.

drops { traffic-management { rx | tx } | packet-processing { rx | tx } }

Syntax Description

traffic-management rx

Mirror TM buffer drop packets in the Rx direction only.

traffic-management tx

Mirror TM buffer drop packets in the Tx direction only.

packet-processing rx

Mirror forward-drop packets in the Rx direction only.

packet-processing tx

Mirror forward-drop packets in the Tx direction only.

Command Default

Mirroring TM buffer drop packets and forward-drop packets is disabled.

Command Modes

XR Config mode

Command History

Release Modification
Release 24.2.11

This command was introduced.

Usage Guidelines

The command is not available on management interface.

Task ID

Task ID Operation
ethernet-services

read, write

Examples

This example shows how to configure a global traffic mirroring session for TM buffer drop packets.

For ERSPAN destination

Router(config)# interface tunnel-ip2
Router(config-if)# tunnel mode gre ipv4
Router(config-if)# tunnel source 10.10.10.10
Router(config-if)# tunnel destination 192.0.2.1 
Router(config-if)# exit
Router(config)# monitor-session mon2 ethernet 
Router(config-mon)# destination interface tunnel-ip2
Router(config-mon)# drops traffic-management rx
Router(config)# commit

For SPAN To File destination

Router(config)# monitor-session mon1 ethernet
Router(config-mon)# destination file
Router(config-mon)# drops traffic-management rx
Router(config-mon)# commit

This example shows how to configure a global traffic mirroring session for forward-drop packets.

Router(config)# interface tunnel-ip2
Router(config-if)# tunnel mode gre ipv4
Router(config-if)# tunnel source 10.10.10.10
Router(config-if)# tunnel destination 192.0.2.1 
Router(config-if)# exit
Router(config)# monitor-session mon2 ethernet 
Router(config-mon)# destination interface tunnel-ip2 
Router(config-mon)# drops packet-processing rx
Router(config-mon)# commit

forward-drop rx

To mirror forward-drop packets at the ingress of a router to a configured destination, use the forward-drop rx command in XR Config mode.

forward-drop rx

Syntax Description

This command has no keywords or arguments.

Command Default

Mirroring forward-drop packets is disabled.

Command Modes

XR Config mode

Command History

Release Modification
Release 7.5.4

This command was introduced.

Release 24.2.11

This command was deprecated. Use the drops command to achieve the same functionality.

Usage Guidelines

The forward-drop rx command is not available on management interface.

Task ID

Task ID Operation
ethernet-services

read, write

Examples

This example shows how to configure a global traffic mirroring session for forward-drop packets.

Router(config)# interface tunnel-ip 2
Router(config-if)# tunnel mode gre ipv4
Router(config-if)# tunnel source 20.20.20.20
Router(config-if)# tunnel destination 192.1.1.3 
Router(config-if)# exit
Router(config)# monitor-session mon2 ethernet 
Router(config-mon)#destination interface tunnel-ip2 
Router(config-mon)#forward-drop rx
Router(config-mon)#commit

mirror enable

To copy files or directories automatically from the /harddisk:/mirror location on the active RP to the /harddisk:/mirror location on the standby RP or RSP without user intervention or EEM scripts, use the mirror enable command. The mirror enable checksum command enables an MD5 checksum from the active to the standby RP to check the integrity of the files. This command is optional. A slight delay is observed in the show mirror command output when the mirror checksum configuration is enabled.

mirror enable

Command Default

The /harddisk:/mirror directory is created by default, but the file mirroring functionality is enabled only by executing the mirror enable command from the configuration terminal.

Command Modes

Monitor configuration

Command History

Release Modification

Release 7.2.1

Release 7.0.14

This command was introduced.

Examples

File mirroring has to be enabled explicitly on the router. It is not enabled by default.

RP/0/RSP0/CPU0:router#show run mirror
Thu Jun 25 10:12:17.303 UTC
mirror enable
mirror checksum

mirror first

To configure partial traffic mirroring, use the mirror first command in monitor session configuration mode. To stop mirroring a portion of the packet, use the no form of this command.

mirror first bytes

Syntax Description

bytes

Number of bytes mirrored. The mirrored packet length value can range from 65 to 128.

Command Default

The entire packet is mirrored.

Command Modes

Monitor session configuration

Command History

Release

Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

Use the mirror first command to mirror the first 64 to 128 bytes of the packet. The actual mirrored packet is the configured partial packet monitoring size plus the 4-byte trailing CRC.

Examples

This example shows how to mirror the first 100 bytes of the packet:


RP/0/RP0/CPU0:router(config)# interface hundredgigabitethernet0/0/0/11 
RP/0/RP0/CPU0:router(config-if)# monitor-session mon1 
RP/0/RP0/CPU0:router(config-if-mon)# mirror first 100 
  

monitor-session

To define a traffic mirroring session and enter monitor session configuration mode, use the monitor-session command in global configuration mode. To remove the traffic mirroring session, use the no form of this command.

monitor-session session-name

Syntax Description

session-name

Name of the monitor session to configure.

Command Default

No default behavior or values

Command Modes

Global configuration

Command History

Release

Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

Before you can assign a monitor session to a specific interface, you must configure it using the monitor-session command. The session-name should not be the same as any interface name.

In monitor session configuration mode, you should define the destination interface to be used in the traffic mirroring session using the destination command.

For more information about monitoring a session, see the Configuring Traffic Monitoring chapter in the Cisco 8000 Series Router Interface and Hardware Component Configuration Guide.

Examples

This example shows how to enter monitor session configuration mode:


RP/0/RP0/CPU0:router(config)# monitor-session mon1
RP/0/RP0/CPU0:router(config-mon)#
   

monitor-session (interface)

To associate a traffic mirroring session with a specific interface, use the monitor-session command in interface configuration mode or dynamic-template configuration mode. To remove the association between a traffic mirroring session and an interface, use the no form of this command.

monitor-session session-name [direction {rx-only | tx-only}] [port-level]

Syntax Description

session-name

Name of the monitor session to configure.

direction

Specifies that traffic replication is in only one direction.

rx-only

Specifies that only ingress traffic is replicated.

tx-only

Specifies that only egress traffic is replicated.

ethernet

Specifies ethernet interface as destination.

ipv4

Indicates that IPv4 traffic needs to be monitored.

ipv6

Indicates that IPv6 traffic needs to be monitored.

port-level

Specifies the configuration at port level.

Note

 
  • port-level mirroring is only supported in the ingress direction.

  • port-level mirroring is only supported in sampling mode with a minimal sampling rate of 1:512.

Command Default

Replicates both ingress and egress traffic.

Command Modes

Interface configuration

Dynamic template configuration (for BNG)

Command History

Release

Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

Before you can associate a traffic mirroring session to a specific interface, you must define it using the monitor-session global configuration command. After the traffic mirroring session is defined, use the monitor-session interface configuration command or dynamic template configuration command to associate this session with a specific source interface. For BNG sessions, the subscriber is attached to the monitor session, only when the dynamic template is applied to the subscriber. When the session is associated, all specified traffic on the interface is then replicated to the destination location defined in the monitor session configuration.

The monitor-session interface configuration command also enters monitor session configuration mode for you to configure additional features of the mirroring session.

If a physical interface is configured for Layer 3, then the traffic mirroring session can be associated on physical interfaces. Example:

interface TenGigE0/1/0/0
ipv4 address 10.0.0.1 255.255.255.0

If a physical interface has sub-interfaces configured for Layer 3, then the traffic mirroring session must be associated on each sub-interface. Example:

interface TenGigE0/1/0/1.601
ipv4 address 10.0.1.1 255.255.255.0
encapsulation dot1q 601

For more information about monitoring a session, see the Configuring Traffic Monitoring chapter in the Cisco ASR 8000 Series Router Interface and Hardware Component Configuration Guide.

Task ID

Task ID

Operations

interface

read, write

config-services

read, write

Examples

This example shows how to enter monitor session configuration mode:


RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# interface hundredgigabitethernet0/0/0/11
RP/0/RP0/CPU0:router(config-if)# monitor-session mon1
RP/0/RP0/CPU0:router(config-if-mon)#
   

This example shows how to configure the monitor-session command in the dynamic-template configuration mode for BNG:


RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# dynamic-template type ppp ppp_template
RP/0/RP0/CPU0:router(config-dynamic-template-type)# monitor-session mon1 direction rx-only 
RP/0/RP0/CPU0:router(config-dynamic-template-type)# acl
RP/0/RP0/CPU0:router(config-dynamic-template-type)# mirror first 100

monitor-session default-capture-disable

To disable the default SPAN-to-File session, use the monitor-session default-capture-disable command in global configuration mode. A SPAN-to-File session for packet forwarding and buffer drops is enabled automatically by default.

monitor-session default-capture-disable

Syntax Description

default-capture-disable

Disables the default SPAN-to-File session.

Command Default

Default SPAN-to-File session for packet forwarding and buffer drops is enabled.

Command Modes

Global configuration

Command History

Release

Modification

Release 24.4.1

This command was introduced.

Usage Guidelines

If the default session has already been configured, configuring this command deletes the default session.

Task ID

Task ID

Operations

ethernet-services

read, write

Examples

This example shows how to disable the default SPAN-to-File session.

Router#configure
Router(config)#monitor-session default-capture-disable
Router(config)#commit

monitor-session local-capture-capacity

To set the storage capacity limit for all monitor sessions, use the monitor-session local-capture-capacity command in global configuration mode.

monitor-session local-capture-capacity capacity { kB | MB | GB }

Syntax Description

local-capture-capacity

Configures the maximum amount of memory on disk used to maintain periodic capture files for all sessions.

capacity

Specifies the maximum capacity available for writing periodic capture files of all monitor sessions.

The value can range from 1 to 4294967295.

KB | MB | GB

Specifies the unit in which the value configured for capacity is considered.

Command Default

If the global storage capacity for all monitor sessions is not configured, a platform-specific default value is used for capacity management.

Command Modes

Global configuration

Command History

Release

Modification

Release 24.4.1

This command was introduced.

Usage Guidelines

Configure the global storage capacity larger than the capacity value in bytes for each session.
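
The rule above, together with the capacity description under destination file (a session capacity must be lower, in bytes, than local-capture-capacity), can be checked before a commit. The following Python code is an added example, not part of the Cisco documentation; the function names, the finding codes, the running-config layout and the 1024-based unit conversion are assumptions, since the page does not define the unit multipliers.

```python
import re

# Assumption of this example: binary multiples. The page does not define the units.
UNIT_BYTES = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
MAX_CAPACITY = 4294967295  # upper bound of the capacity argument, per the page

GLOBAL_RE = re.compile(
    r"^monitor-session local-capture-capacity (\d+) (KB|MB|GB)$", re.I)
CAP_RE = re.compile(r"\bcapacity (\d+) (KB|MB|GB)\b", re.I)

# Constructed running-config fragment. Session "test" and the global limit reuse
# the values typed in the page's two command examples; the other sessions are made up.
SAMPLE_CONFIG = """\
monitor-session local-capture-capacity 300 MB
monitor-session test
 destination file always-on periodic-write 300 capacity 500 MB
!
monitor-session small
 destination file always-on periodic-write 60 capacity 100 MB
!
monitor-session nolimit
 destination file always-on periodic-write 600
!
"""

def to_bytes(value, unit):
    """Convert a capacity value and its unit keyword to bytes."""
    return int(value) * UNIT_BYTES[unit.upper()]

def audit_capture_storage(config):
    """Return (global_bytes, findings); findings are (session, code) tuples."""
    global_bytes, session, limits, findings = None, None, {}, []
    for raw in config.splitlines():
        if raw.startswith("monitor-session "):       # top-level stanza only
            m = GLOBAL_RE.match(raw.strip())
            if m:
                global_bytes = to_bytes(m.group(1), m.group(2))
                session = None
            else:
                name = raw.split()[1]
                session = None if name == "default-capture-disable" else name
        elif not raw.startswith(" "):                 # "!" or another stanza
            session = None
        elif session and raw.strip().startswith("destination file"):
            m = CAP_RE.search(raw)
            limits[session] = (int(m.group(1)), m.group(2)) if m else None
    for name, cap in limits.items():
        if cap is None:
            continue      # default 0: files are written up to the global limit
        value, unit = cap
        if not 1 <= value <= MAX_CAPACITY:
            findings.append((name, "CAPACITY_OUT_OF_RANGE"))
        elif global_bytes is not None and to_bytes(value, unit) >= global_bytes:
            findings.append((name, "CAPACITY_NOT_BELOW_GLOBAL"))
    return global_bytes, findings
```

When no local-capture-capacity line is present the platform-specific default applies, so the comparison is skipped and global_bytes is returned as None.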

Task ID

Task ID

Operations

ethernet-services

read, write

Examples

This example shows how to configure 300 GB as the global storage capacity limit for all SPAN-to-File monitor-sessions.

Router#configure
Router(config)#monitor-session local-capture-capacity 300 MB
Router(config)#commit

show monitor-session status

To display status information about configured traffic mirroring sessions, use the show monitor-session status command in XR EXEC mode.

show monitor-session [session-name] status [detail] [errors]

Syntax Description

session-name

Name of the monitor session to configure.

detail

Displays the full error string for any errors.

errors

Displays all sessions, but only source interfaces with errors are displayed (if no source interfaces have errors, then 'No errors' is displayed).

Command Default

No default behavior or values

Command Modes

XR EXEC

Command History

Release

Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

The show monitor-session status command displays the following information:

  • Destination information for the session (including the name of the interface).
  • Destination status (interface state).
  • List of source interfaces.
  • Any other status information that may be pertinent, such as a software or hardware error that would stop sessions operating correctly. If an error is returned from interactions with another component, then the full error string is only displayed in detail output; standard tabular output reports that there has been an error but refers the user to the detailed output.

Examples

This example shows sample output from the show monitor-session status command:


RP/0/RP0/CPU0:router# show monitor-session status  

Monitor-session foo
Destination interface HundredGigabitEthernet 0/0/0/0
================================================================================
Source Interface      Dir   Status
--------------------- ----  ----------------------------------------------------
Gi0/1/0/0.10          Both  Operational
Gi0/1/0/0.11          Rx    Operational
Gi0/1/0/0.12          Tx    Operational
   

show monitor-session status internal

To display information about monitoring session statistics, use the show monitor-session status internal command in XR EXEC mode.

show monitor-session status internal

Command Default

No default behavior or values

Command Modes

XR EXEC

Command History

Release Modification

7.2.12

This command was introduced.

Examples

This example shows sample output from the show monitor-session status internal command:

RP/0/RP0/CPU0:router#show monitor-session status internal
Thu Aug 13 20:05:23.478 UTC
Information from SPAN Manager and MA on all nodes:
Monitor-session mon1 (ID 0x00000001) (Ethernet)
SPAN Mgr: Destination interface HundredGigE0/1/0/0 (0x00800190)
Last error: Success
0/1/CPU0: Destination interface HundredGigE0/1/0/0 (0x00800190)
0/RP0/CPU0: Destination interface HundredGigE0/1/0/0 (0x00800190)
Information from SPAN EA on all nodes:
Monitor-session 0x00000001 (Ethernet)
0/1/CPU0: Name 'mon1', destination interface HundredGigE0/1/0/0 (0x00800190)
Platform, 0/1/CPU0:
Monitor Session ID: 1
Monitor Session Packets: 32
Monitor Session Bytes: 4024
0/2/CPU0: Name 'mon1', destination interface HundredGigE0/1/0/0 (0x00800190)
Platform, 0/2/CPU0:
Monitor Session ID: 1
Monitor Session Packets: 0
Monitor Session Bytes: 0

show monitor-session counters

To display statistics regarding traffic mirroring sessions, use the show monitor-session counters command in XR EXEC mode.

show monitor-session [session-name] counters

Syntax Description

session-name

Name of the monitor session to configure.

Command Default

No default behavior or values

Command Modes

XR EXEC

Command History

Release

Modification

Release 7.0.12

This command was introduced.

Usage Guidelines

The show monitor-session counters command displays a list of all source interfaces, and the replicated packet statistics for each interface. The full set of statistics displayed for each interface is:

  • Ingress replicated packets and octets
  • Egress replicated packets and octets
  • Non-replicated packets and octets

Examples

This example shows sample output from the show monitor-session counters command:


RP/0/RP0/CPU0:router# show monitor-session 2 counters

Monitor session 2
  HundredGigabitEthernet 0/3/0/0.100:
    Rx Replicated: 100 Packets 8000 Bytes
    Tx Replicated: 2 Packets 3000 Bytes
    Non Replicated: 0 Packets 0 Bytes
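
When the mirrored traffic feeds a sensor or packet recorder, these counters show whether each source is actually being copied. The following Python code is an added example, not part of the Cisco documentation: it parses output in the layout shown above and lists sources with non-replicated packets or with nothing replicated. The function names and finding codes are assumptions, and the second interface in the sample is constructed.

```python
import re

# The first interface block is the sample output shown above; the second
# interface block is constructed for this example.
SAMPLE_OUTPUT = """\
Monitor session 2
  HundredGigabitEthernet 0/3/0/0.100:
    Rx Replicated: 100 Packets 8000 Bytes
    Tx Replicated: 2 Packets 3000 Bytes
    Non Replicated: 0 Packets 0 Bytes
  HundredGigabitEthernet 0/3/0/0.200:
    Rx Replicated: 0 Packets 0 Bytes
    Tx Replicated: 0 Packets 0 Bytes
    Non Replicated: 57 Packets 4560 Bytes
"""

SESSION_RE = re.compile(r"^Monitor session (\S+)$")
COUNTER_RE = re.compile(
    r"^(Rx Replicated|Tx Replicated|Non Replicated): (\d+) Packets (\d+) Bytes$")

def parse_counters(output):
    """Return {session: {interface: {counter: (packets, bytes)}}}."""
    sessions, session, intf = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            session = sessions.setdefault(m.group(1), {})
            intf = None
            continue
        m = COUNTER_RE.match(line)
        if m and intf is not None:
            intf[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif line.endswith(":") and session is not None:
            intf = session.setdefault(line[:-1], {})   # source interface header
    return sessions

def visibility_gaps(sessions):
    """List (session, interface, code, packets) for sources that need attention."""
    gaps = []
    for sname, intfs in sessions.items():
        for iname, c in intfs.items():
            replicated = (c.get("Rx Replicated", (0, 0))[0]
                          + c.get("Tx Replicated", (0, 0))[0])
            missed = c.get("Non Replicated", (0, 0))[0]
            if missed > 0:
                gaps.append((sname, iname, "NON_REPLICATED", missed))
            if replicated == 0:
                gaps.append((sname, iname, "NOTHING_MIRRORED", 0))
    return gaps
```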