Introduction to Traffic Mirroring
Traffic mirroring, also referred to as Port mirroring or Switched Port Analyzer (SPAN), is a Cisco proprietary feature that enables you to monitor network traffic passing in or out of a set of ports on a router. You can then mirror this traffic to a remote destination or a destination port on the same router.
Traffic mirroring copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring devices. Traffic mirroring does not affect the flow of traffic on the source interfaces or sub-interfaces. It allows the mirrored traffic to be sent to a destination interface or sub-interface.
For example, you can attach a traffic or network analyzer to the router and capture the ethernet traffic that is sent by host A to host B.
![](/c/dam/en/us/td/i/200001-300000/280001-290000/281001-282000/281709.eps/_jcr_content/renditions/281709.jpg)
Traffic Mirroring Terminology
- Ingress Traffic — Traffic that comes into the router.
- Egress Traffic — Traffic that goes out of the router.
- Source port — A port that is monitored with the use of traffic mirroring. It is also called a monitored port.
- Destination port — A port that monitors source ports, usually where a network analyzer is connected. It is also called a monitoring port.
- Monitor session — A designation for a collection of SPAN configurations consisting of a single destination and, potentially, one or many source ports.
Traffic Mirroring Types
The following types of traffic mirroring are supported:
Characteristics of Source Port
A source port, also called a monitored port, is a routed port that you monitor for network traffic analysis. In a single traffic mirroring session, you can monitor source port traffic. The Cisco NCS 5500 Series routers support a maximum of 800 source ports.
A source port has these characteristics:
- It can be any data port type, such as a Bundle interface, a 100 Gigabit Ethernet physical port, or a 10 Gigabit Ethernet physical port.
- Each source port can be monitored in only one traffic mirroring session.
- When a port is used as a source port, the same port cannot be used as a destination port.
- Each source port can be configured with a direction (ingress, egress, or both) to monitor local traffic mirroring. Remote traffic mirroring is supported in both the ingress and egress directions. For bundles, the monitored direction applies to all physical ports in the group.
Characteristics of Destination Port
Each session must have a destination port or file that receives a copy of the traffic from the source ports.
A destination port has these characteristics:
- A destination port cannot be a source port.
- A destination port must reside on the same router as the source port for local traffic mirroring. For remote mirroring, the destination is always a GRE tunnel.
- For remote mirroring, the destination is a GRE tunnel. From Release 7.4.1, the destination can be an L2 sub-interface on NC57 line cards.
- A destination port for local mirroring can be any Ethernet physical port, EFP, GRE tunnel interface, or bundle interface. It can be a Layer 2 or Layer 3 transport interface.
- At any time, a destination port can participate in only one traffic mirroring session. A destination port in one traffic mirroring session cannot be a destination port for a second traffic mirroring session. In other words, no two monitor sessions can have the same destination port.
Characteristics of Monitor Session
A monitor session is a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces. For any given monitor session, the traffic from the source interfaces (called source ports) is sent to the monitoring port or destination port. If there is more than one source port in a monitor session, the several mirrored traffic streams are combined at the destination port. The result is that the traffic that comes out of the destination port is a combination of the traffic from one or more source ports.
Monitor sessions have these characteristics:
- A single monitor session can have only one destination port.
- A single destination port can belong to only one monitor session.
- A monitor session can have a maximum of 800 source ports. This limit applies across all monitor sessions: the total number of source ports from all monitor sessions must not exceed 800.
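A pre-change check for the source, destination and session rules stated above, written as an added example (not Cisco's code or CLI). Session names, interface names and the default session limit of 3 (the figure given later for NCS 5500 from Release 7.8.1, without CFM) are assumptions; the 800-source limit is from the text.

```python
from dataclasses import dataclass, field

MAX_SOURCE_PORTS = 800  # system-wide source port limit stated for NCS 5500


@dataclass
class MonitorSession:
    """One planned monitor session: a single destination and its source ports."""
    name: str
    destination: str
    sources: list = field(default_factory=list)


def validate_sessions(sessions, max_sessions=3):
    """Return a list of rule violations; an empty list means the plan is valid.

    Rules checked (all from the document):
      - every session has exactly one destination port
      - a destination port belongs to only one session
      - a source port is monitored in only one session
      - a port is never both a source and a destination
      - total source ports across all sessions does not exceed 800
      - number of sessions does not exceed max_sessions (platform/release dependent)
    """
    errors = []
    seen_dest = {}   # destination port -> session that already uses it
    seen_src = {}    # source port -> session that already monitors it
    all_sources = {src for s in sessions for src in s.sources}
    total_sources = 0
    for s in sessions:
        if not s.destination:
            errors.append(f"{s.name}: no destination port")
        elif s.destination in seen_dest:
            errors.append(f"{s.name}: destination {s.destination} already used by {seen_dest[s.destination]}")
        else:
            seen_dest[s.destination] = s.name
        if s.destination in all_sources:
            errors.append(f"{s.name}: destination {s.destination} is also a source port")
        for src in dict.fromkeys(s.sources):   # de-duplicate within one session
            total_sources += 1
            if src in seen_src:
                errors.append(f"{s.name}: source {src} already monitored by {seen_src[src]}")
            else:
                seen_src[src] = s.name
    if total_sources > MAX_SOURCE_PORTS:
        errors.append(f"{total_sources} source ports exceed the system limit of {MAX_SOURCE_PORTS}")
    if len(sessions) > max_sessions:
        errors.append(f"{len(sessions)} sessions exceed the limit of {max_sessions}")
    return errors


if __name__ == "__main__":
    # Constructed plan: the same destination reused and one source monitored twice.
    plan = [
        MonitorSession("SPAN-1", "HundredGigE0/0/0/0", ["TenGigE0/0/0/1", "Bundle-Ether10"]),
        MonitorSession("SPAN-2", "HundredGigE0/0/0/0", ["TenGigE0/0/0/1"]),
    ]
    for problem in validate_sessions(plan):
        print(problem)
```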
Supported Scale
This list provides the scale supported on the NCS 5500 routers and NC57 line cards for traffic mirroring.
- For NCS 5500 line cards in NCS 5500 modular routers, a sub-interface with only one VLAN is supported as a source for traffic mirroring. A maximum of four source sub-interfaces at the system level are supported on NCS 5500.
- Prior to Cisco IOS XR Software Release 7.8.1, a single router could support up to four monitor sessions. However, configuring SPAN and CFM on the router reduced the maximum number of monitor sessions to two, as both shared the mirror profiles.
- Starting with Cisco IOS XR Software Release 7.8.1, up to three monitor sessions are supported on the NCS 5500 router. However, if you configure SPAN and CFM on the router, the maximum number of monitor sessions decreases to one, because both functions use the same mirror profiles.
- From Cisco IOS XR Software Release 7.2.1 to 7.3.1, Cisco NC57 line cards support only four Rx and three Tx monitor sessions in native mode. From Release 7.4.1, 24 sessions in total are supported in native mode. Sessions can be configured as Rx-only, Tx-only, or Rx/Tx.
Restrictions
Generic Restrictions
The following are the generic restrictions related to traffic mirroring:
- Partial mirroring and sampled mirroring are not supported.
- From Release 7.4.2, the Cisco NC57 line cards:
  - allow you to configure a sub-interface as a destination.
  - allow you to set destination sub-interfaces for remote SPAN only as L2 interfaces and not as L3 interfaces. To impose the required VLAN tag, you must add the rewrite ingress tag pop symmetric configuration on the egress sub-interface destination.
- The destination bundle interfaces flap when:
  - both the mirror source and destination are bundle interfaces in Link Aggregation Control Protocol (LACP) mode.
  - the next hop of the mirrored packets is a router or a switch instead of a traffic analyzer.
  This behavior is caused by a mismatch of LACP packets on the next-hop bundle interface, because the LACP packets of the source bundle interface are mirrored along with the rest of its traffic.
- A sub-interface with only one VLAN is supported as a source for traffic mirroring.
- Bridge group virtual interfaces (BVIs) are not supported as source ports or destination ports.
- Bundle members cannot be used as source ports on NC57 line cards.
- Bundle members cannot be used as destination ports.
- Fragmentation of mirror copies is not handled by SPAN when the SPAN destination MTU is less than the packet size. The existing behaviour when the MTU of the destination interface is less than the packet size is as follows:

| Platform | Rx SPAN | Tx SPAN |
| --- | --- | --- |
| NCS 5500 | Mirror copies are not fragmented. The destination receives whole packets as mirror copies. | Mirror copies are fragmented. |
| NCS 5700 | Mirror copies are not fragmented. The destination does not receive mirror copies. | Mirror copies are fragmented. |

  To avoid this, configure the SPAN destination with an MTU that is greater than the packet size.
- Until Cisco IOS XR Software Release 7.6.1, SPAN supports only port-level source interfaces.
VLAN Sub-interface as Source Restrictions
Generic Restrictions
The following restrictions apply to a VLAN sub-interface as a source for traffic mirroring on NC57 line cards from Cisco IOS XR Release 7.6.1:
- A maximum of 24 reception and transmission sessions together are supported for mirroring. This restriction applies to both sub-interfaces and ports as sources.
- When the port is in Ethernet Truncate Mode (ETM), outbound (transmission) mirroring is possible only on the sub-interface for which outbound traffic mirroring is configured.
- Transmission mirroring is applicable in ETM mode only. Reception mirroring is applicable in both ETM and non-ETM modes.
SPAN Filtering on VLAN Interfaces Restrictions
These restrictions apply to SPAN filtering on Layer 2 and Layer 3 interfaces:
- For routers that have NC57 line cards operating in native mode, you can't choose to mirror only packets ingressing at a specific interface that's part of a bundle. Enable mirroring at the bundle level to mirror packets that ingress at a specific bundle interface. Packets that ingress other bundle members are also mirrored.
- On a main interface, if span-acl isn't configured and only span is configured, then the router performs only L2-L2 SPAN port filtering if the hw-module profile span-filter l2-rx-enable command is enabled.
- Other Layer 2 point-to-point services such as Xconnect, VPWS, EVPN, and VPLS (PW) aren't supported.
- You can't apply SPAN filtering for incoming (Rx) and outgoing (Tx) traffic on the same interface.
- SPAN filtering for outgoing (Tx) traffic isn't supported for L3 traffic that is routed via a BVI.
ACL-based SPAN Restrictions
Generic ACL-based SPAN Restrictions
The following restrictions apply to SPAN-ACL:
- Table 1. SPAN-ACL Support Platforms

| Platform | Rx Direction | Tx Direction |
| --- | --- | --- |
| NCS 5500 | Supported at the port level, that is, in the ingress direction for IPv4 or IPv6 ACLs. | Not supported. |
| NCS 5700 | Supported on both the main interfaces and sub-interfaces from Cisco IOS XR Release 7.4.1. | Supported in ETM mode on both the main interfaces and sub-interfaces from Cisco IOS XR Release 7.10.1. |

- Multi-SPAN-ACL is supported in the Rx direction in Cisco IOS XR Release 7.5.4 and from Cisco IOS XR Release 7.10.1.
- MPLS traffic cannot be captured with SPAN-ACL.
  - ACL for any MPLS traffic is not supported.
- Traffic mirroring counters are not supported.
- ACL-based traffic mirroring is not supported with Layer 2 (ethernet-services) ACLs.
- A main interface as the SPAN source interface together with an ACL carrying the capture keyword on a sub-interface of that same main interface is not supported.
- If a SPAN session with the acl keyword is applied on an interface with no ACL rule attached to that interface, SPAN happens without any filtering.
- To avoid this default mirroring of all traffic, configure one or more ACLs on the source interface or on any interface on the same network processing unit (NPU) as the source interface. If a bundle interface is the source interface, configure the ACL on an interface on the same NPU as each active bundle member; bundle members can be spread across multiple NPUs. Also ensure that the configured ACLs are of the same protocol type and direction as the SPAN configuration. For example, if you configure SPAN with an ACL for IPv4 or IPv6, configure an ingress IPv4 or IPv6 ACL on that NPU respectively.
- Starting from Cisco IOS XR Release 7.11.2, SPAN for MPLS traffic is supported using IPv4 and IPv6 ACLs on the following routers and line cards:
  - NCS-57B1-6D24-SYS
  - NCS-57B1-5DSE-SYS
  - NCS-57C3-MOD-S
  - NCS-57C3-MOD-SE-S
  - NC57-24DD
  - NC57-18DD-SE
  - NC57-36H-SE
  - NC57-36H6D
  - NC57-MOD-S
ACL-based SPAN for Outgoing Traffic (Tx) Restrictions
The following restrictions apply to traffic mirroring using ACLs for outgoing (Tx) traffic on Cisco NCS 5700 Series line cards and routers:
- SPAN configuration in port mode on the main interface together with a Tx SPAN ACL configuration on a sub-interface of the same port isn't supported.
- A BVI interface as a SPAN source interface is not supported.
- Hybrid ACLs with only compress level 3 are supported.
- 24 SPAN sessions are supported for both Rx and Tx destinations.
- ACL-based traffic mirroring for outgoing (Tx) traffic is supported on the following routers and line cards for L3 interfaces:
  - NCS-57B1-5DSE
  - NCS-57C3-MODS-SYS
  - NC57-18DD-SE
  - NC57-36H-SE
ERSPAN Restrictions
This section provides the restrictions that apply to ERSPAN, multiple ERSPAN sessions, and FlexiCLI for ERSPAN.
Generic ERSPAN Restrictions
The following restrictions apply to ERSPAN:
- The value of the ERSPAN session ID is always zero. No IOS XR command is available to configure the ERSPAN session ID.
- The ERSPAN next hop must have ARP resolved. Any other traffic or protocol will trigger ARP.
- ERSPAN doesn't work with MPLS.
  - Additional routers may encapsulate in MPLS.
- ERSPAN sessions can be created only on physical interfaces. The sessions cannot be created on sub-interfaces.
- ERSPAN supports a maximum of three sessions.
- ERSPAN decapsulation is not supported.
- ERSPAN does not work if the GRE next hop is reachable over a sub-interface. For ERSPAN to work, the next hop must be reachable over the main interface.
- When you use the same ACEs defined in both the IPv4 and IPv6 ACLs, the router doesn't perform ERSPAN mirroring for the ACLs that have the priority set as 2 ms.
- ERSPAN decapsulation is not supported, so the tunnel destination should be the network analyzer itself.
Multiple ERSPAN Restrictions
- All sessions under the source port should have a SPAN access control list (ACL) enabled.
- A mix of sessions with SPAN ACLs and sessions without SPAN ACLs on the same source interface is not supported.
- No two sessions should have the same ACL on the same source interface. Each session should have a different ACL.
- Multiple sessions without an ACL on the same interface are not supported.
- One SPAN session with the keyword ACL (use security acl as the keyword) and other SPAN sessions with the keyword SPAN ACL are not supported together.
- At a time, you can make only one mirror copy of a packet.
- The capture keyword is not required.
- Multiple sessions under the same interface cannot have a combination of directions. Only Rx is supported.
FlexiCLI for ERSPAN Restrictions
Note the following restrictions when using flexible configuration groups:
- Flexible CLI configuration groups are not supported in administration configurations, and the corresponding apply-groups are not supported in administration configurations.
- Use of preconfigured interfaces in configuration groups is not supported.
- Downgrading from an image that supports configuration groups to an image that does not support them is not supported.
- Access lists, quality of service, and route policy configurations do not support the use of configuration groups. Configurations such as these are not valid:

```text
group g-not-supported
 ipv4 access-list ...
 !
 ipv6 access-list ...
 !
 ethernet-service access-list ...
 !
 class-map ...
 !
 policy-map ...
 !
 route-policy ...
 !
end-group
```

  You can, however, reference such configurations, as shown in this example:

```text
group g-reference-ok
 router bgp 6500
  neighbor 7::7
   remote-as 65000
   bfd fast-detect
   update-source Loopback300
   graceful-restart disable
   address-family ipv6 unicast
    route-policy test1 in
    route-policy test2 out
    soft-reconfiguration inbound always
   !
  !
 !
 interface Bundle-Ether1005
  bandwidth 10000000
  mtu 9188
  service-policy output input_1
  load-interval 30
 !
end-group
```

- Some regular expressions are not supported within groups. For example, '?', '|' and '$' are not supported within groups. Also, some character classes such as \d and \w are not supported.
- The choice operator "|" to express multiple match expressions within a regular expression is not supported. For example, these expressions are not supported:
  - `Gig.*|Gig.*\..*` — to match on either Gigabit Ethernet main interfaces or Gigabit Ethernet sub-interfaces.
  - `Gig.*0/0/0/[1-5]|Gig.*0/0/0/[10-20]` — to match on either Gig.*0/0/0/[1-5] or Gig.*0/0/0/[10-20].
  - `TenGigE.*|HundredGigE.*` — to match on either TenGigE.* or HundredGigE.*.
- Commands that require a node identifier for the location keyword are not supported. For example, this configuration is not supported:

```text
lpts pifib hardware police location 0/RP0/CPU0
```

- Overlapping regular expressions within a configuration group for the same configuration are not supported. For example:

```text
group G-INTERFACE
 interface 'gig.*a.*'
  mtu 1500
 !
 interface 'gig.*e.*'
  mtu 2000
 !
end-group
interface gigabitethernet0/0/0/*    ---- where * is 0 to 31
 apply-group G-INTERFACE
```

  This configuration is not permitted because it cannot be determined whether the interface GigabitEthernet0/0/0/* configuration inherits mtu 1500 or mtu 2000. Both expressions in the configuration group match GigabitEthernet0/0/0/*.
- Up to eight configuration groups are permitted on one apply-group command.
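A way to catch the overlapping-pattern problem from the G-INTERFACE example before the configuration is applied, as an added example (not Cisco's tooling). It assumes group patterns are compared against the whole interface name, case-insensitively, and the interface names are constructed for the example.

```python
import re


def find_overlapping_patterns(patterns, interface_names):
    """Map each interface name that matches more than one pattern to the
    list of patterns matching it.  An empty result means no ambiguity.

    Assumption: a group pattern is matched against the full interface name,
    ignoring case, which is how the document's example is interpreted here.
    """
    overlaps = {}
    for name in interface_names:
        hits = [p for p in patterns if re.fullmatch(p, name, re.IGNORECASE)]
        if len(hits) > 1:
            overlaps[name] = hits
    return overlaps


# The two interface patterns from the page's G-INTERFACE group.  The trailing
# space in 'gig.*e.* ' is dropped, as it would never match an interface name.
G_INTERFACE_PATTERNS = ["gig.*a.*", "gig.*e.*"]


def expand_range(prefix, start, stop):
    """Expand 'gigabitethernet0/0/0/*' with * from start to stop inclusive."""
    return [f"{prefix}{i}" for i in range(start, stop + 1)]


if __name__ == "__main__":
    names = expand_range("GigabitEthernet0/0/0/", 0, 31)
    ambiguous = find_overlapping_patterns(G_INTERFACE_PATTERNS, names)
    # Every one of the 32 interfaces matches both patterns, so neither
    # 'mtu 1500' nor 'mtu 2000' can be chosen for any of them.
    print(f"{len(ambiguous)} interfaces match more than one pattern")
```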
SPAN over Pseudowire Restrictions
SPAN over Pseudowire (PW-SPAN) does not support the listed functionalities:
- Monitor session statistics
- RSPAN
- Partial packet SPAN
- Sampled SPAN
- ERSPAN tunnel statistics
- A destination port cannot be a source port.
SPAN-to-File Restrictions
SPAN to File has the following restrictions:
- A maximum of 1000 source ports are supported across the system. Individual platforms may support lower numbers. The SPAN session may be any of these currently supported classes: Ethernet, IPv4, IPv6, MPLS-IPv4, and MPLS-IPv6.
- Provides a buffer range of 1000-1000000 KB. The default buffer size is set to 1000 KB.
- Provides support for SPAN source.
  - Each source port can be monitored in only one traffic mirroring session.
  - Each source port can be configured with a direction (ingress, egress, or both) to monitor local traffic mirroring.
- Only supported on the Cisco NCS550x and Cisco NCS55Ax line cards.
- Only port-level is supported.
- A VLAN interface as a source port is not supported.
- Bundle members as source interfaces are not supported.
- Filtering based on an egress ACL is not supported.
- Source port statistics are not supported.
- Not supported on Cisco NC57 line cards.
- SPAN-to-file mirror packets are punted from the NPU to the CPU at a maximum shaper rate of 40 Mbps.
File Mirroring Restrictions
The following restrictions apply to file mirroring:
- Supported only on dual RP systems.
- Supports syncing only from the active to the standby RP. If files are copied into the standby /harddisk:/mirror location, they won't be synced to the active RP.
- A slight delay is observed in the show mirror command output when the mirror checksum configuration is enabled.
- Not supported on multichassis systems.
Forward-Drop Packets Mirroring Restrictions
These are some restrictions for forward-drop packets mirroring:
- Only one global forward-drop session can be configured on a router.
- When traffic-class is configured under monitor-session for forward-drop, the type of service (ToS) byte of the outgoing ERSPAN packet is overwritten with the configured traffic-class value.
- In-band traffic destined to the router management interface cannot be captured using this functionality.
Traffic Mirroring with DSCP
The Differentiated Services Code Point (DSCP) value in the Differentiated Services (DS) field of an IP packet is used to classify traffic in the network. The DS field was formerly known as the Type of Service (ToS) field. You can set the DSCP value in the six most significant bits of the DS field of the IP header, giving 2^6 = 64 different values (0 to 63). These six bits select the Per Hop Behavior (PHB) and hence determine how a packet is forwarded. The default DSCP value is zero (0). DSCP is defined in RFC 2474.
Following the principle of traffic classification, DSCP places a particular packet into one of a limited number of traffic classes. The router is likewise informed of the DSCP values and can prioritize the packet in the traffic flow accordingly.
Refer to the table below for the service class names defined in RFC 2474.

| DSCP Value (Decimal) | DS Binary | DS Hex | DSCP Name | DS/ToS Value | Service Class |
| --- | --- | --- | --- | --- | --- |
| 0 | 000000 | 0x00 | DF/CS0 | 0 | Standard |
| - | - | - | none | 2 | |
| 1 | 000001 | 0x01 | None | 4 | |
| 1 | 000001 | 0x01 | LE | 4 | Lower-effort |
| 2 | 000010 | 0x02 | None | 8 | |
| 4 | 000100 | 0x04 | None | 16 | |
| 8 | 001000 | 0x08 | CS1 | 32 | Low-priority data |
| 10 | 001010 | 0x0a | AF11 | 40 | High-throughput data |
| 12 | 001100 | 0x0c | AF12 | 48 | High-throughput data |
| 14 | 001110 | 0x0e | AF13 | 56 | High-throughput data |
| 16 | 010000 | 0x10 | CS2 | 64 | OAM |
| 18 | 010010 | 0x12 | AF21 | 72 | Low-latency data |
| 20 | 010100 | 0x14 | AF22 | 80 | Low-latency data |
| 22 | 010110 | 0x16 | AF23 | 88 | Low-latency data |
| 24 | 011000 | 0x18 | CS3 | 96 | Broadcast video |
| 26 | 011010 | 0x1a | AF31 | 104 | Multimedia streaming |
| 28 | 011100 | 0x1c | AF32 | 112 | Multimedia streaming |
| 30 | 011110 | 0x1e | AF33 | 120 | Multimedia streaming |
| 32 | 100000 | 0x20 | CS4 | 128 | Real-time interactive |
| 34 | 100010 | 0x22 | AF41 | 136 | Multimedia conferencing |
| 36 | 100100 | 0x24 | AF42 | 144 | Multimedia conferencing |
| 38 | 100110 | 0x26 | AF43 | 152 | Multimedia conferencing |
| 40 | 101000 | 0x28 | CS5 | 160 | Signaling (IP telephony, etc.) |
| 44 | 101100 | 0x2c | Voice-admit | 176 | |
| 46 | 101110 | 0x2e | EF | 184 | Telephony |
| 48 | 110000 | 0x30 | CS6 | 192 | Network routing control |
| 56 | 111000 | 0x38 | CS7 | 224 | Reserved |