Traffic Mirroring Commands


Note


All commands applicable for the Cisco NCS 5500 Series Router are also supported on the Cisco NCS 540 Series Router that is introduced from Cisco IOS XR Release 6.3.2. References to earlier releases in Command History tables apply to only the Cisco NCS 5500 Series Router.



Note


  • Starting with Cisco IOS XR Release 6.6.25, all commands applicable for the Cisco NCS 5500 Series Router are also supported on the Cisco NCS 560 Series Routers.

  • Starting with Cisco IOS XR Release 6.3.2, all commands applicable for the Cisco NCS 5500 Series Router are also supported on the Cisco NCS 540 Series Router.

  • References to releases before Cisco IOS XR Release 6.3.2 apply to only the Cisco NCS 5500 Series Router.

  • Cisco IOS XR Software Release 7.0.1 specific updates are not applicable for the following variants of Cisco NCS 540 Series Routers:

    • N540-28Z4C-SYS-A

    • N540-28Z4C-SYS-D

    • N540X-16Z4G8Q2C-A

    • N540X-16Z4G8Q2C-D

    • N540X-16Z8Q2C-D

    • N540-12Z20G-SYS-A

    • N540-12Z20G-SYS-D

    • N540X-12Z16G-SYS-A

    • N540X-12Z16G-SYS-D


This module describes the command line interface (CLI) commands for traffic mirroring.

For detailed information about traffic mirroring concepts, configuration tasks, and examples, refer to the Interface and Hardware Component Configuration Guide for Cisco NCS 5500 Series Routers, the Interface and Hardware Component Configuration Guide for Cisco NCS 540 Series Routers, and the Interface and Hardware Component Configuration Guide for Cisco NCS 560 Series Routers.

acl

To configure ACL-based traffic mirroring, use the acl command in the monitor session configuration mode. To stop ACL-based traffic mirroring, use the no form of this command.

acl

Command Default

No default behavior or values

Command Modes

Monitor session configuration

Command History

Release

Modification

Release 6.1.3

This command was introduced.

Usage Guidelines

If you use the acl command, traffic is mirrored according to the definition of the global interface access list (ACL) defined in one of the following commands: ipv4 access-list , ipv6 access-list .

Even when the acl command is configured on the source mirroring port, if the ACL configuration command does not use the capture keyword, no traffic gets mirrored.

If the ACL configuration uses the capture keyword, but the acl command is not configured on the source port, although traffic is mirrored, no access list configuration is applied.

Examples

This example shows how to configure ACL-based traffic mirroring on the interface:


Router(config)# monitor-session tm_example 
Router(config-es-acl)# 10 deny 0000.1234.5678 0000.abcd.abcd any capture 
Router(config-es-acl)# exit 
Router(config)# interface GigabitEthernet0/2/0/0 
Router(config-if)# monitor-session tm_example direction rx-only 
Router(config-if)# acl 
Router(config-if)# l2transport 
Router(config-if-l2)# exit 
Router(config-if)# end 

acl mpls

To mirror the MPLS traffic based on the global interface access list (ACL) defined in the mpls access-list configuration, use the acl mpls command in monitor session configuration mode.

acl mpls acl_name

Syntax Description

acl_name

Specifies the ACL name specified in the mpls access-list definition.

Command Default

None

Command Modes

Monitor session configuration mode

Command History

Release Modification
Release 24.4.1

This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID Operation

ethernet-services

read, write

Examples

This example provides the monitor session to be used on the configured interface. Use the direction keyword to specify that only ingress MPLS traffic is mirrored.

Router(config)# interface tenGigE 0/0/0/14
Router(config-if)# monitor-session S1 ethernet direction rx-only port-level
Router(config-if-mon)# acl mpls mp

clear monitor-session counters

To clear the traffic mirroring session statistics, use the clear monitor-session counters command in EXEC mode.

clear monitor-session counters [session-name] [interface type interface-path-id]

Syntax Description

interface

Identifies the interface for which the counters are to be cleared.

type

Interface type. For more information, use the question mark (?) online help function.

interface-path-id

Physical interface or virtual interface.

Note

 

Use the show interfaces command to see a list of all interfaces currently configured on the router.

For more information about the syntax for the router, use the question mark (?) online help function.

session-name

Name of the monitor session to clear.

Command Default

All stored statistics for all interfaces are cleared.

Command Modes

EXEC

Command History

Release

Modification

Release 6.1.1 This command was introduced.

Task ID

Task ID

Operations

interface

read

Examples

This example shows how to clear the traffic mirroring statistic counters:

clear monitor-session mon1 counters
   

destination interface

To associate a destination interface with a traffic mirroring session, use the destination interface command in monitor session configuration mode. To remove the designated destination, use the no form of this command.

destination interface type interface-path-id

no destination interface type interface-path-id

Syntax Description

type

Interface type. For more information, use the question mark (?) online help function.

interface-path-id

Physical interface or virtual interface.

Note

 

Use the show interfaces command to see a list of all interfaces currently configured on the router.

For more information about the syntax for the router, use the question mark (?) online help function.

Command Default

No default behavior or values

Command Modes

Monitor session configuration

Command History

Release

Modification

Release 6.1.1

This command was introduced.

Release 6.1.3

The ability to specify a GRE tunnel interface as a destination was added.

Usage Guidelines

Use the destination interface command to assign a traffic monitoring session to a specific destination interface. This is the port to which a network analyzer is connected. This is generally called the monitoring port.

A destination port has these characteristics:

  • A destination port must reside on the same switch as the source port.
  • A destination port can be any Ethernet physical port, nV Satellite ICL port, or EFP, but not a bundle interface. Also, the ICL must not be a bundle interface.
  • A destination port can be any Ethernet physical port, nV Satellite ICL port, EFP, or a GRE tunnel interface, but not a bundle interface. Also, the ICL must not be a bundle interface.
  • At any one time a destination port can participate in only one traffic mirroring session. A destination port in one traffic mirroring session cannot be a destination port for a second traffic mirroring session. In other words, no two monitor sessions can have the same destination port.
  • A destination port cannot also be a source port.
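
A pre-deployment check for the destination-port rules listed above and for the acl/capture dependency described under the acl command, as an added example that is not Cisco's code. It assumes running-config style text; the sample configuration, its names, and the use of ipv4/ipv6 access-group to attach the ACL are constructed for illustration, and the source/destination overlap is checked across all sessions.

```python
from collections import defaultdict

# Constructed running-config (not from the Cisco page); all names are made up.
SAMPLE_CONFIG = """\
ipv4 access-list NO-CAP
 10 permit ipv4 any any
!
monitor-session mon1 ethernet
 destination interface TenGigE0/0/0/15
!
monitor-session mon2 ethernet
 destination interface TenGigE0/0/0/15
!
monitor-session mon3 ethernet
 destination interface Bundle-Ether7
!
monitor-session mon4 ethernet
!
interface TenGigE0/0/0/1
 monitor-session mon1 ethernet direction rx-only
  acl
 !
 ipv4 access-group NO-CAP ingress
!
interface TenGigE0/0/0/15
 monitor-session mon3 ethernet
!
"""

def parse_blocks(text):
    """Group config text into (top-level header, [stripped child lines])."""
    blocks = []
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def audit(text):
    """Return findings for the destination-port and acl/capture rules."""
    dest, capture_acls, sources, acl_srcs = {}, set(), defaultdict(list), {}
    for header, body in parse_blocks(text):
        w = header.split()
        if w[0] == "monitor-session" and len(w) > 1:
            d = [l.split()[-1] for l in body if l.startswith("destination interface ")]
            dest[w[1]] = d[0] if d else None
        elif w[1:2] == ["access-list"] and len(w) > 2:
            if any("capture" in l.split() for l in body):
                capture_acls.add(w[2])
        elif w[0] == "interface" and len(w) > 1:
            groups = [l.split()[2] for l in body
                      if l.startswith(("ipv4 access-group ", "ipv6 access-group "))]
            for i, l in enumerate(body):
                if l.startswith("monitor-session "):
                    sources[w[1]].append(l.split()[1])
                    # 'acl' as a keyword on the line or as the next sub-mode line
                    if "acl" in l.split()[2:] or body[i + 1:i + 2] == ["acl"]:
                        acl_srcs[w[1]] = groups
    findings, by_dest = [], defaultdict(list)
    for session, d in dest.items():
        if d is None:
            findings.append(f"{session}: no destination configured, session is non-operable")
        else:
            by_dest[d].append(session)
    for d, sessions in by_dest.items():
        if len(sessions) > 1:
            findings.append(f"{d}: destination shared by {', '.join(sessions)}")
        if d.lower().startswith("bundle-ether"):
            findings.append(f"{d}: bundle interface cannot be a destination")
        if d in sources:
            findings.append(f"{d}: destination port is also a source port")
    for intf, groups in acl_srcs.items():
        if not capture_acls.intersection(groups):
            findings.append(f"{intf}: acl set but no attached ACL uses capture, nothing is mirrored")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns five findings; the last one is the silent case, where the session looks configured but the analyzer receives no packets.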

Examples

This example shows how to configure a monitoring port for a traffic mirroring session:


RP/0/RP0/CPU0:router(config)# monitor-session mon1 
RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15 
   

forward-drop rx

To mirror forward-drop packets at the ingress of a router to a configured destination, use the forward-drop rx command in XR Config mode.

forward-drop rx

Syntax Description

This command has no keywords or arguments.

Command Default

Mirroring forward-drop packets is disabled.

Command Modes

XR Config mode

Command History

Release Modification
Release 7.5.4

This command was introduced.

Usage Guidelines

The forward-drop rx command is not available on the management interface.

Task ID

Task ID Operation
ethernet-services

read, write

Examples

This example shows how to configure a global traffic mirroring session for forward-drop packets.

Router(config)# interface tunnel-ip 2
Router(config-if)# tunnel mode gre ipv4
Router(config-if)# tunnel source 20.20.20.20
Router(config-if)# tunnel destination 192.1.1.3
Router(config-if)# !
Router(config)# monitor-session mon2 ethernet
Router(config-mon)# destination interface tunnel-ip2
Router(config-mon)# forward-drop rx
Router(config-mon)# !

hw-module profile span-filter l2-rx-enable

To enable SPAN filtering on Layer 2 incoming (rx) traffic, use the hw-module profile span-filter l2-rx-enable command in monitor session configuration mode. To remove the filtering, use the no form of this command.

hw-module profile span-filter l2-rx-enable

Syntax Description

span-filter

Specifies SPAN filtering.

l2-rx-enable

Enables intra-bridge layer 2 incoming (rx) traffic for filtering.

Command Default

No default behavior or values

Command Modes

Monitor session configuration

Command History

Release

Modification

Release 7.7.1

This command was introduced.

Usage Guidelines

To activate the filtering, you must reload the chassis or all the line cards.

Examples

This example shows how to enable SPAN filtering for incoming Layer 2 interface traffic:


Router(config)# hw-module profile npu native-mode-enable
Router(config)# hw-module profile span-filter l2-rx-enable


interface Bundle-Ether1
 monitor-session mon1 ethernet direction rx-only port-level
!
interface Bundle-Ether1.1 l2transport
 encapsulation dot1q 1
 rewrite ingress tag pop 1 symmetric
!
interface Bundle-Ether1.2 l2transport
 encapsulation dot1q 2
 rewrite ingress tag pop 1 symmetric
!
l2vpn
 bridge group bg1
  bridge-domain bg1
   interface Bundle-Ether1.1
   !
   interface Bundle-Ether1.2
   !
   interface HundredGigE0/0/0/17
   !
   routed interface BVI100
   !
  !
 !
  

hw-module profile span-filter l2-l3-tx-enable

To enable SPAN filtering on Layer 2 outgoing (Tx) traffic, use the hw-module profile span-filter l2-l3-tx-enable command in monitor session configuration mode. To remove the filtering, use the no form of this command.

hw-module profile span-filter l2-l3-tx-enable

Syntax Description

span-filter

Specifies SPAN filtering.

l2-l3-tx-enable

Enables intra-bridge layer 2 outgoing (Tx) traffic for filtering.

Command Default

No default behavior or values

Command Modes

Monitor session configuration

Command History

Release

Modification

Release 7.8.1

This command was introduced.

Usage Guidelines

To activate the filtering, you must reload the chassis or all the line cards.

Examples

This example shows how to enable SPAN filtering for outgoing Layer 2 interface traffic:


Router(config)# hw-module profile npu native-mode-enable
Router(config)# hw-module profile span-filter l2-l3-tx-enable


interface Bundle-Ether1
 monitor-session mon1 ethernet direction tx-only port-level
!
interface Bundle-Ether1.1 l2transport
 encapsulation dot1q 1
 rewrite ingress tag pop 1 symmetric
!
interface Bundle-Ether1.2 l2transport
 encapsulation dot1q 2
 rewrite ingress tag pop 1 symmetric
!
l2vpn
 bridge group bg1
  bridge-domain bg1
   interface Bundle-Ether1.1
   !
   interface Bundle-Ether1.2
   !
   interface HundredGigE0/0/0/17
   !
   routed interface BVI100
   !
  !
 !
  

hw-module profile tcam format

To add UDF field definitions to the ACL key definition that is sent to the hardware, use the hw-module profile tcam format command in monitor session configuration mode. To remove the UDF field definitions, use the no form of this command.

hw-module profile tcam format access-list {ipv4 | ipv6} [ acl-qualifiers] [ udf1 udf-name1 ... udf8 udf-name8]

no hw-module profile tcam format access-list {ipv4 | ipv6} [ acl-qualifiers] [ udf1 udf-name1 ... udf8 udf-name8]

Syntax Description

access-list

Specifies the access-list format.

ipv4

Specifies the IPv4 access list.

ipv6

Specifies the IPv6 access list.

acl-qualifiers

Specifies the ACL qualifiers.

udf1 udf-name1 ... udf8 udf-name8

Specifies the UDF-defined filter.

Note

 

The range is from 1 to 8.

Command Default

No default behavior or values

Command Modes

Monitor session configuration

Command History

Release

Modification

Release 6.1.3

This command was introduced.

Usage Guidelines

To activate the new IPv4 profile, you must manually reload the chassis or all the line cards.

Examples

This example shows how to add UDF to the ACL key definitions:


Router(config)# hw-module profile tcam format access-list ipv4 src-addr dst-addr packet-length precedence proto udf1 udf-test

mirror first

To configure partial traffic mirroring, use the mirror first command in monitor session configuration mode and global configuration mode. To stop mirroring a portion of the packet, use the no form of this command.

mirror { first bytes }

Syntax Description

bytes

Number of bytes mirrored. The mirrored packet length value can range from 65 to 128.

Note

 

In global configuration mode, the mirrored packet length ranges from 1 to 10000.

Command Default

The entire packet is mirrored.

Command Modes

Monitor session configuration
Global configuration

Command History

Release

Modification

Release 6.1.1

This command was introduced.

Release 7.5.2

The mirror first option is introduced in the global configuration mode.

Usage Guidelines

To mirror the first 64 to 128 bytes of the packet, use the mirror first command. The actual mirrored packet is the configured partial packet monitoring size plus the 4-byte trailing CRC.

Examples

This example shows how to mirror the first 100 bytes of a packet:


Router(config)# interface gigabitethernet0/0/0/11 
Router(config-if)# monitor-session mon1 
Router(config-if-mon)# mirror first 100 
  

mirror enable

To copy files or directories automatically from the /harddisk:/mirror location on the active RP to the /harddisk:/mirror location on the standby RP or RSP without user intervention or EEM scripts, use the mirror enable command. The mirror enable checksum command enables an MD5 checksum across the active and standby RPs to check the integrity of the files. This command is optional. A slight delay is observed in the show mirror command output when the mirror checksum configuration is enabled.

mirror enable

Command Default

The /harddisk:/mirror directory is created by default, but file mirroring functionality is only enabled by executing the mirror enable command from configuration terminal.

Command Modes

Monitor configuration

Command History

Release Modification

Release 7.2.1

This command was introduced.

Examples

File mirroring has to be enabled explicitly on the router. It is not enabled by default.

RP/0/RSP0/CPU0:router#show run mirror
Thu Jun 25 10:12:17.303 UTC
mirror enable
mirror checksum

monitor-session

To define a traffic mirroring session and enter monitor session configuration mode, use the monitor-session command in global configuration mode. To remove the traffic mirroring session, use the no form of this command.

monitor-session session-name { router-id id }

[ destination { rx | tx } ] [ discard class { 0-7 } ] [ traffic class { 0-7 } ] [ mirror { first | bytes } ] [ inject-interface { bvi | bundle-ether | EightHundredGigE | FastEthernet | FiftyGigE | FortyGigE | FourHundredGigE | GigabitEthernet | HundredGigE | TenGigE | TwentyFiveGigE | TwoHundredGigE } ]

Syntax Description

session-name

Name of the monitor session to configure.

router-id

Allows you to configure router id with a value that can range from 1 to 255.

destination

Allows you to configure the destination for the current monitor-session.

destination rx

Allows you to specify the incoming destination.

destination tx

Allows you to specify the outgoing destination.

discard-class

Allows you to specify the discard class value to be set on all traffic that is mirrored to the destination.

traffic-class

Allows you to specify the traffic class value to be set on all traffic that is mirrored to the destination.

mirror {first}

Specifies that only the first x bytes of a packet are mirrored to the destination.

Command Default

No default behavior or values

Command Modes

Global configuration mode

Command History

Release

Modification

Release 6.1.1

This command was introduced.

Release 7.4.1

destination rx and destination tx keywords were added.

Usage Guidelines

Before you can assign a monitor session to a specific interface, you must configure it using the monitor-session command. The session-name should not be the same as any interface name.

In monitor session configuration mode, you should define the destination interface to be used in the traffic mirroring session using the destination command.

This command enters the monitor-session submode and creates the session. The session is non-operable until a destination is configured for it. The destination can be either IPv4 or IPv6.

Examples

This example shows how to enter monitor session configuration mode:


Router(config)# monitor-session mon1
Router(config-mon)#
   

monitor-session (interface)

To associate a traffic mirroring session with a specific interface, use the monitor-session command in interface configuration mode or dynamic-template configuration mode. To remove the association between a traffic mirroring session and an interface, use the no form of this command.

monitor-session session-name

acl port-level [ destination { rx | tx } ] [ discard class { 0-7 } ] [ traffic class { 0-7 } ] [ mirror { first | bytes } ] [ inject-interface { bvi | bundle-ether | EightHundredGigE | FastEthernet | FiftyGigE | FortyGigE | FourHundredGigE | GigabitEthernet | HundredGigE | TenGigE | TwentyFiveGigE | TwoHundredGigE } ] [ direction { rx-only | tx-only | bytes } ] [ mirror-interval ]

[ { rx | interface | | tx | interface } ]

Syntax Description

session-name

Name of the monitor session to configure.

acl

Allows you to enable acl-based mirroring.

direction

Allows you to specify the direction of traffic to replicate.

ethernet

Allows you to replicate Ethernet traffic.

port-level

Specifies port-level mirroring.

mirror {first}

Specifies that only the first x bytes of a packet are mirrored to the destination.

rx-only

Specifies that only ingress traffic is replicated.

tx-only

Specifies that only egress traffic is replicated.

rxinterface

Specifies the ingress traffic and its destination.

txinterface

Specifies the egress traffic and its destination.

mirror-interval

Specifies that sampling of traffic is performed on all sessions. Only the sampled packets are mirrored. Valid sampling intervals are generated one in every 2, 4, 8, 16, 32, 64, 128, 256, 512, 1k, 2k, 4k, 8k or 16k packets.

Command Default

Replicates both ingress and egress traffic.

Command Modes

Interface configuration

Command History

Release

Modification

Release 6.1.1

This command was introduced.

Release 7.4.1

The rxinterface and txinterface keywords were added.

Usage Guidelines

Before you can associate a traffic mirroring session to a specific interface, you must define it using the monitor-session global configuration command. After the traffic mirroring session is defined, use the monitor-session interface configuration command to associate this session with a specific source interface. When the session is associated, all specified traffic on the interface is then replicated to the destination location defined in the monitor session configuration.

The monitor-session interface configuration command also enters monitor session configuration mode for you to configure additional features of the mirroring session.

Task ID

Task ID

Operations

interface

read, write

config-services

read, write

Examples

This example shows a sample configuration of the monitor-session command in the interface configuration mode:


Router# configure 
Router(config)# interface gigabitethernet0/0/0/11
Router(config-if)# monitor-session mon1 port-level direction rx-only
Router(config-if-mon)# mirror first 101
   

Examples

This example shows how to configure separate destination interfaces for incoming (rx) and outgoing (tx) traffic:

Router# configure
Router(config)# monitor-session mon1 ethernet
Router(config-mon)# monitor-session foo ethernet destination rx interface tenGigE 0/0/0/0
Router(config-mon)# monitor-session foo ethernet destination tx interface tenGigE 0/0/0/1
Router(config-if)# end
Router(config)#

monitor session ERSPAN ACL

This command defines a monitor session, and enters monitor session configuration mode.

monitor-session ERSPAN ethernet direction {rx-only | port-level | acl}

Syntax Description

ERSPAN

Name of the session.

ethernet

Replicates Ethernet traffic.

direction

Use the direction keyword to specify that only ingress or egress traffic is mirrored.

monitor-session session-name [direction { rx-only | tx-only }]

rx-only

Specifies that only ingress traffic is mirrored.

port-level

Use this port level command to mirror all traffic types.

acl

The ACL that is attached in the ingress interface.
  • Even when the acl command is configured on the source mirroring port, if the ACL configuration command does not use the capture keyword, no traffic gets mirrored.

  • If the ACL configuration uses the capture keyword, but the acl command is not configured on the source port, although traffic is mirrored, no access list configuration is applied.

  • All ingress traffic is mirrored.

Command Default

No default behavior or values

Command Modes

Route-policy configuration

Command History

Release

Modification

Release 6.6.1

This command was introduced.

Task ID

Task ID

Operations

route-policy

read, write

Examples

RP/0/RP0/CPU0:pyke-008#sh run monitor-session ERSPAN
monitor-session ERSPAN ethernet
destination interface tunnel-ip1
!
 
RP/0/RP0/CPU0:pyke-008#sh run int tunnel-ip 1
interface tunnel-ip1
ipv4 address 4.4.4.1 255.255.255.0
tunnel mode gre ipv4
tunnel source 20.1.1.1
tunnel destination 20.1.1.2
!

show monitor-session status

To display status information about configured traffic mirroring sessions, use the show monitor-session status command in XR EXEC mode.

show monitor-session [session-name] status [detail] [errors]

Syntax Description

session-name

Name of the monitor session to configure.

detail

Displays the full error string for any errors.

errors

Displays all sessions, but only source interfaces with errors are displayed (if no source interfaces have errors, then 'No errors' is displayed).

Command Default

No default behavior or values

Command Modes

XR EXEC mode

Command History

Release

Modification

Release 6.1.1

This command was introduced.

Usage Guidelines

The show monitor-session status command displays the following information:

  • Destination information for the session (including the name of the interface).
  • Destination status (interface state).
  • List of source interfaces.
  • Any other status information that may be pertinent, such as a software or hardware error that would stop sessions operating correctly. If an error is returned from interactions with another component, then the full error string is only displayed in detail output; standard tabular output reports that there has been an error but refers the user to the detailed output.

Examples

This example shows sample output from the show monitor-session status command:


Router# show monitor-session status  

Monitor-session foo
Destination interface GigabitEthernet 0/0/0/0
================================================================================
Source Interface      Dir   Status
--------------------- ----  ----------------------------------------------------
Gi0/1/0/0.10          Both  Operational
Gi0/1/0/0.11          Rx    Operational
Gi0/1/0/0.12          Tx    Operational
   

This example shows the sample output for the show monitor-session status detail command:


Router# show monitor-session status detail

Monitor-session foo
  Destination interface GigabitEthernet 0/0/0/0
  Source Interfaces
  -----------------
  GigabitEthernet 0/1/0/0.100:
    Direction: Both
    Status:    Operating
  GigabitEthernet 0/2/0/0.200:
    Direction: Rx
    Status:    Error: <blah>

Monitor session bar
  No destination configured
  Source Interfaces
  -----------------
  GigabitEthernet 0/3/0/0.100:
    Direction: Rx
    Status:    Not operational(no destination interface)
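
A parser for the detail output shown above that lists every source interface whose mirroring is not confirmed working, as an added example that is not Cisco's code. The sample text is the page's own example output; treating "Operating" and "Operational" as the only healthy states is an assumption drawn from the two sample outputs on this page.

```python
import re

# Sample text copied from the page's "show monitor-session status detail" example.
SAMPLE = """\
Monitor-session foo
  Destination interface GigabitEthernet 0/0/0/0
  Source Interfaces
  -----------------
  GigabitEthernet 0/1/0/0.100:
    Direction: Both
    Status:    Operating
  GigabitEthernet 0/2/0/0.200:
    Direction: Rx
    Status:    Error: <blah>

Monitor session bar
  No destination configured
  Source Interfaces
  -----------------
  GigabitEthernet 0/3/0/0.100:
    Direction: Rx
    Status:    Not operational(no destination interface)
"""

HEALTHY = {"operating", "operational"}  # assumption: states seen in the page's samples

def parse_status_detail(text):
    """Return one dict per source interface found in the detail output."""
    rows, session, dest, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        # The page's sample uses both "Monitor-session" and "Monitor session".
        m = re.match(r"Monitor[- ]session (\S+)", line)
        if m:
            session, dest, cur = m.group(1), None, None
        elif line.startswith("Destination interface "):
            dest = line[len("Destination interface "):]
        elif session and line.endswith(":"):
            cur = {"session": session, "destination": dest, "source": line[:-1]}
            rows.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            if key in ("Direction", "Status"):
                cur[key.lower()] = value.strip()
    return rows

def capture_gaps(rows):
    """Sources whose status is anything other than a known healthy state."""
    return [(r["session"], r["source"], r.get("status", "unknown"))
            for r in rows if r.get("status", "").lower() not in HEALTHY]
```

Run against collected output on a schedule, a non-empty capture_gaps() result means an analyzer or IDS fed by that session is missing traffic.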

Examples

This example shows a sample output for the show monitor-session status command for mirror-first option:
Monitor-session foo mirror-first 101
Destination interface GigabitEthernet 0/0/0/0
================================================================================
Source Interface      Dir   Status
--------------------- ----  ----------------------------------------------------

udf

To configure user-defined fields (UDFs), use the udf command in monitor session configuration mode. To remove the UDF field definitions, use the no form of this command.

udf udf-name header {inner | outer} {l2 | l3 | l4} offset offset-in-bytes length length-in-bytes

no udf udf-name header {inner | outer} {l2 | l3 | l4} offset offset-in-bytes length length-in-bytes

Syntax Description

udf-name

Name of the UDF.

header

Specifies the header.

inner

Specifies the offset base from inner header.

outer

Specifies the offset base from outer header.

l2

Specifies the offset base from Layer 2 header.

l3

Specifies the offset base from Layer 3 header.

l4

Specifies the offset base from Layer 4 header.

offset offset-in-bytes

Specifies the offset from the offset base, in bytes.

Note

 

The maximum offset is 63 bytes from the start of any header.

length length-in-bytes

Specifies the length from the offset, in bytes. Range: 1 to 4 bytes.

Command Default

No default behavior or values

Command Modes

Monitor session configuration

Command History

Release

Modification

Release 6.1.3

This command was introduced.

Usage Guidelines

UDFs for the Layer 2 inner header are not supported.

Examples

This example shows how to configure UDFs:


Router(config)# udf udf-test header outer l3 offset 4 length 4
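
To see which packet bytes a UDF definition selects, the following added example (not Cisco's code) range-checks a udf command against the limits stated above and extracts the field from a frame. The frame is constructed, the decoder handles only outer headers of an untagged Ethernet II/IPv4 frame, and counting the offset from the first byte of the chosen header is an assumption.

```python
import re

UDF_RE = re.compile(
    r"udf (?P<name>\S+) header (?P<scope>inner|outer) (?P<layer>l2|l3|l4) "
    r"offset (?P<offset>\d+) length (?P<length>\d+)$")

# Constructed frame (not from the page): untagged Ethernet II, 20-byte IPv4
# header, then a TCP header with destination port 443.
FRAME = bytes.fromhex(
    "0000abcdabcd" "000012345678" "0800"                       # Ethernet
    "45000028" "1c464000" "40060000" "c0000201" "c0000202"     # IPv4
    "c00001bb" "00000001" "00000000" "50022000" "00000000")    # TCP

def parse_udf(command):
    """Parse a udf command and enforce the limits given in this section."""
    m = UDF_RE.match(command.strip())
    if not m:
        raise ValueError("not a udf command")
    udf = m.groupdict()
    udf["offset"], udf["length"] = int(udf["offset"]), int(udf["length"])
    if udf["offset"] > 63:
        raise ValueError("offset exceeds 63 bytes from the start of the header")
    if not 1 <= udf["length"] <= 4:
        raise ValueError("length must be 1 to 4 bytes")
    if (udf["scope"], udf["layer"]) == ("inner", "l2"):
        raise ValueError("UDFs for the Layer 2 inner header are not supported")
    return udf

def header_starts(frame):
    """Start offsets of the outer L2/L3/L4 headers in an untagged IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("sample decoder handles untagged IPv4 frames only")
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    return {"l2": 0, "l3": 14, "l4": 14 + ihl}

def udf_bytes(udf, frame):
    """Return the bytes the UDF selects (assumes offset 0 is the header's first byte)."""
    if udf["scope"] != "outer":
        raise ValueError("sample decoder handles outer headers only")
    start = header_starts(frame)[udf["layer"]] + udf["offset"]
    data = frame[start:start + udf["length"]]
    if len(data) != udf["length"]:
        raise ValueError("field runs past the end of the frame")
    return data

if __name__ == "__main__":
    # The page's example: 4 bytes at offset 4 of the outer L3 header, which in
    # IPv4 are the Identification, Flags and Fragment Offset fields.
    page_udf = parse_udf("udf udf-test header outer l3 offset 4 length 4")
    print(udf_bytes(page_udf, FRAME).hex())
```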