Introduction to Traffic Mirroring
Traffic mirroring, also referred to as Port mirroring or Switched Port Analyzer (SPAN), is a Cisco proprietary feature that enables you to monitor network traffic passing in or out of a set of ports on a router. You can then mirror this traffic to a remote destination or a destination port on the same router.
Traffic mirroring copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring devices. Traffic mirroring does not affect the flow of traffic on the source interfaces or sub-interfaces. It allows the mirrored traffic to be sent to a destination interface or sub-interface.
For example, you can attach a traffic or network analyzer to the router and capture the ethernet traffic that is sent by host A to host B.
Traffic Mirroring Terminology
-
Ingress Traffic — Traffic that comes into the router.
-
Egress Traffic — Traffic that goes out of the router.
-
Source port—A port that is monitored with the use of traffic mirroring. It is also called a monitored port.
-
Destination port—A port that monitors source ports, usually where a network analyzer is connected. It is also called a monitoring port.
-
Monitor session—A designation for a collection of SPAN configurations consisting of a single destination and, potentially, one or many source ports.
Traffic Mirroring Types
These are the supported traffic mirroring types.
Characteristics of Source Port
A source port, also called a monitored port, is a routed port that you monitor for network traffic analysis. In a single traffic mirroring session, you can monitor source port traffic. The Cisco NCS 5500 Series routers support a maximum of up to 800 source ports.
A source port has these characteristics:
-
It can be any data port type, such as Bundle Interface, 100 Gigabit Ethernet physical port, or 10 Gigabit Ethernet physical port.
-
Each source port can be monitored in only one traffic mirroring session.
-
When a port is used as a source port, the same port cannot be used as a destination port.
-
Each source port can be configured with a direction (ingress, egress, or both) to monitor local traffic mirroring. Remote traffic mirroring is supported both in the ingress and egress directions. For bundles, the monitored direction applies to all physical ports in the group.
Characteristics of Destination Port
Each session must have a destination port or file that receives a copy of the traffic from the source ports.
A destination port has these characteristics:
-
A destination port cannot be a source port.
-
For local traffic mirroring, a destination port must reside on the same router as the source port.
-
For remote mirroring, the destination is always a GRE tunnel.
From Release 7.4.1, the destination can be an L2 sub-interface on Cisco NCS 5700 Series line cards and routers.
-
A destination port for local mirroring can be any Ethernet physical port, EFP, GRE tunnel interface, or bundle interface. It can be a Layer 2 or Layer 3 transport interface.
-
At any time, a destination port can participate in only one traffic mirroring session. A destination port in one traffic mirroring session cannot be a destination port for a second traffic mirroring session. In other words, no two monitor sessions can have the same destination port.
Characteristics of Monitor Session
A monitor session is a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces. For any given monitor session, the traffic from the source interfaces (called source ports) is sent to the monitoring port or destination port. If there are more than one source port in a monitoring session, the traffic from the several mirrored traffic streams is combined at the destination port. The result is that the traffic that comes out of the destination port is a combination of the traffic from one or more source ports.
Monitor sessions have these characteristics:
-
A single monitor session can have only one destination port.
-
A single destination port can belong to only one monitor session.
-
A monitor session can have a maximum of 800 source ports. This maximum limit is applicable only when the maximum number of source ports from all monitoring sessions does not exceed 800.
Supported Scale
-
From Cisco IOS XR Software Release 7.2.1 to 7.3.1, Cisco NC57 line cards support only four Rx and three Tx monitor sessions in native mode. From 7.4.1 release, 24 sessions in total are supported in native mode. Sessions can be configured as Rx-only, Tx-only, or Rx/Tx.
-
Cisco NC57 line cards support a maximum of 23 SPAN to file sessions in native mode.
-
You can configure 23 SPAN-to-File sessions. The combined scale is listed in the table:
Combination Example
Scale
10 ERSPAN + 14 SPAN-to-File
24 sessions
13 RX ERSPAN + 11 SPAN-to-File
24 sessions
23 SPAN-to-File + 1 ERSPAN
24 sessions
Restrictions
Generic Restrictions
The following are the generic restrictions related to traffic mirroring:
-
Partial mirroring and sampled mirroring are not supported.
-
From Release 7.6.1, sub-interface configured as source interface is supported on SPAN.
-
The destination bundle interfaces flap when:
-
both the mirror source and destination are bundle interfaces in the Link Aggregation Control Protocol (LACP) mode.
-
mirror packets next-hop is a router or a switch instead of a traffic analyzer.
This behavior is observed due to a mismatch of LACP packets on the next-hop bundle interface due to the mirroring of LACP packets on the source bundle interface.
-
-
Bridge group virtual interfaces (BVIs) are not supported as source ports or destination ports.
-
Bundle members cannot be used as source ports in NC57 line cards.
-
Bundle members cannot be used as destination ports.
-
Fragmentation of mirror copies is not handled by SPAN when SPAN destination MTU is less than the packet size. Existing behaviour if the MTU of destination interface is less than the packet size is as below:
Platforms
Rx SPAN
Tx SPAN
NCS 5500
Mirror copies are not fragmented. Receives whole packets as mirror copies.
Mirror copies are fragmented.
NCS 5700
Mirror copies are not fragmented. Do not receive mirror copies.
Mirror copies are fragmented.
You can configure the SPAN destination with an MTU which is greater than the packet size.
-
SPAN only supports port-level source interfaces.
Restrictions on ACL-based SPAN
The following restrictions apply to SPAN-ACL:
Platforms |
Rx Direction |
Tx Direction |
---|---|---|
NCS 5500 |
Supported at the port level, that is, in the ingress direction for IPv4 or IPv6 ACLs. |
Not supported. |
NCS 5700 |
Supported on both the main interfaces and sub-interfaces from Cisco IOS XR Release 7.4.1. |
-
Multi-SPAN ACL is supported in the Rx direction in Cisco IOS XR Release 7.5.4 .
-
Multi-SPAN ACL sessions can be used only with 7-Tuples SPAN ACL.
-
MPLS traffic cannot be captured with SPAN-ACL.
-
ACL for any MPLS traffic is not supported.
-
-
Traffic mirroring counters are not supported.
-
ACL-based traffic mirroring is not supported with Layer 2 (ethernet-services) ACLs.
-
Main interface as span source interface and ACL with the capture keyword on same main interface's sub-interface are not supported.
-
If a SPAN session with the acl keyword is applied on an interface with no ACL rule attached to that interface, SPAN happens without any filtering.
-
Configure one or more ACLs on the source interface or any interface on the same network processing unit as the source interface, to avoid default mirroring of traffic. If a Bundle interface is a source interface, configure the ACL on any interface on the same network processing unit as all active bundle-members. Bundle members can be on multiple NPUs. Also, ensure that the ACLs configured are of the same protocol type and direction as the SPAN configuration. For example, if you configure SPAN with ACL for IPv4 or IPv6, configure an ingress IPv4 or IPv6 ACL on that network processing unit respectively.
Restrictions on ACL-based SPAN for Outgoing Traffic (Tx)
The following restrictions apply to traffic mirroring using ACLs for outgoing (Tx) traffic on Cisco NCS 5700 Series line cards and routers:
-
SPAN configuration with port mode on the main interface and Tx SPAN ACL configuration on the sub-interface of the same port isn't supported.
-
BVI interface as a SPAN source interface is not supported.
-
Hybrid ACLs with only compress level 3 are supported.
-
24 SPAN sessions are supported for both Rx and Tx destinations.
-
ACL-based traffic mirroring for the outgoing (Tx) traffic is supported on the following routers and line cards for L3 interfaces:
-
NCS-57B1-5DSE
-
NCS-57C3-MODS-SYS
-
NC57-18DD-SE
-
NC57-36H-SE
-
Restrictions on ERSPAN
This section provides the restrictions that apply to ERSPAN and multiple ERSPAN sessions.
The following restrictions apply to ERSPAN:
-
ERSPAN next-hop must have ARP resolved.
-
ERSPAN packets with outgoing interface having MPLS encapsulation are not supported. The next-hop router or any router in the path can encapsulate in MPLS.
-
Additional routers may encapsulate in MPLS.
-
-
ERSPAN sessions can be created only on physical interfaces. The sessions cannot be created on sub-interfaces.
-
ERSPAN decapsulation is not supported.
-
ERSPAN does not work if the GRE next hop is reachable over sub-interface. For ERSPAN to work, the next hop must be reachable over the main interface.
-
When you use the same ACEs defined in both the IPv4 and IPv6 ACLs, the router doesn’t perform ERSPAN mirroring for the ACLs that have the priority set as 2 ms.
-
ERSPAN decapsulation is not supported. Tunnel destination should be network analyzer.
Restricitons on Multiple ERSPAN ACL on a Single Interface
-
All sessions under the source port should have SPAN access control list (ACL) enabled.
-
A few sessions with SPAN ACL and a few without SPAN ACLs in the same source interface are not supported.
-
No two sessions should have the same ACL in the same source interface. Each session should have a different ACL.
-
Multiple sessions without ACL in the same interface are not supported.
-
Multi-SPAN ACL does not support the Deny action.
-
One SPAN session with the keyword ACL (use security acl as the keyword) and other SPAN sessions with the keyword SPAN ACL are not supported.
-
At a time, you can make only one mirror copy of a packet.
-
Capturing keywords is not required.
-
Multiple sessions under the same interface cannot have a combination of directions. Only RX is supported.
Restrictions on SPAN over Pseudowire
SPAN over Psedowire (PW-SPAN) has the following restrictions:
-
PW-SPAN does not support the listed functionalities:
-
Monitor session statistics
-
Partial packet SPAN
-
Sampled SPAN
-
Restrictions on SPAN-to-File
SPAN to File has the following restrictions:
-
A maximum of 1000 source ports are supported across the system. Individual platforms may support lower numbers. The SPAN session may be any of these currently supported classes: Ethernet, IPv4, IPv6, MPLS-IPv4, and MPLS-IPv6.
-
Provides a buffer range of 1000-1000000 KB. The default buffer size is set to 1000 KB.
-
Provides support for SPAN source.
-
Each source port can be monitored in only one traffic mirroring session.
-
Each source port can be configured with a direction (ingress, egress, or both) to monitor local traffic mirroring.
-
-
Only supported on the Cisco NCS550x and Cisco NCS55Ax line cards.
-
Only port-level is supported.
-
VLAN interface as source port is not supported.
-
Bundle members as source interfaces are not supported.
-
Filtering based on Egress ACL is not supported.
-
Source port statistics is not supported.
-
Span to file mirror packets are punted from NPU to CPU at a maximum shaper rate of 40 mbps.
-
From Cisco IOS XR Software Release 24.3.1, Cisco NC57 line cards support Span-to-File feature.
-
You cannot use egress SPAN-to-File on a sub-interface of NC57 line cards when the interface is not in ETM mode.
-
When you configure egress SPAN-to-File on a sub-interface or an egress ACL-based SPAN-to-File in ETM mode on NC57 line cards, the interface name is not available in pcapng.
Restrictions on File Mirroring
The following restrictions apply to file mirroring:
-
Supported only on Dual RP systems.
-
Supports syncing only from active to standby RP. If files are copied into standby
/harddisk:/mirror
location, it won’t be synced to active RP. -
A slight delay is observed in
show mirror
command output when mirror checksum configuration is enabled. -
Not supported on multichassis systems.
Restrictions on Forward-Drop Packets Mirroring
These are some restrictions for Forward-Drop packets mirroring:
-
Only one global forward-drop session can be configured on a router.
-
When traffic-class is configured under monitor-session for forward-drop, the type of service (ToS) byte of the outgoing ERSPAN packet is overwritten with the configured traffic-class value.
-
In-band traffic destined to router management interface cannot be captured using this functionality.
-
Forward-drop packets mirroring does not support access control lists (ACL) drops.