Introduction to Traffic Mirroring
Traffic mirroring, sometimes called port mirroring or Switched Port Analyzer (SPAN), is a Cisco proprietary feature that lets you monitor Layer 3 network traffic passing into or out of a set of Ethernet interfaces. The monitored traffic can then be passed to a network analyzer for analysis.
Traffic mirroring copies traffic from one or more Layer 3 interfaces or sub-interfaces and sends the copies to one or more destinations for analysis by a network analyzer or other monitoring device. Traffic mirroring does not affect the switching of traffic on the source interfaces or sub-interfaces, and allows the mirrored traffic to be sent to a destination next-hop address.
Traffic mirroring was introduced on switches because of a fundamental difference between switches and hubs. When a hub receives a packet on one port, the hub sends out a copy of that packet from all ports except from the one at which the hub received the packet. In the case of switches, after a switch boots, it starts to build up a Layer 2 forwarding table on the basis of the source MAC address of the different packets that the switch receives. After this forwarding table is built, the switch forwards traffic that is destined for a MAC address directly to the corresponding port.
Layer 2 SPAN is not supported on the Cisco CRS Router.
The difference from Layer 2 SPAN is that the destination for mirrored packets is specified as a next-hop IP address rather than an explicit interface, and only Layer 3 packets are mirrored. In Cisco IOS XR Software Release 4.3.0, the next-hop IP address is looked up in the default VRF routing table.
Implementing Traffic Mirroring on the Cisco CRS Router
Traffic Mirroring Terminology
- Ingress Traffic — Traffic that comes into the router.
- Egress Traffic — Traffic that goes out of the router.
- Source (SPAN) interface — An ingress interface that is monitored using the SPAN feature.
- Destination (SPAN) Nexthop — An egress next-hop address where a network analyzer is connected.
- Monitor Session — A designation for a collection of SPAN configurations consisting of many source interfaces and a set of destinations. In Cisco IOS XR Software Release 4.3.0, only one destination is supported per monitor session.
Characteristics of the Source Port
A source port, also called a monitored port, is a routed port that you monitor for network traffic analysis. A single traffic mirroring session can monitor the traffic of one or more source ports. The router supports up to 800 source ports in total.
A source port has these characteristics:
- It can be any port type, such as a Bundle interface, Gigabit Ethernet, 10-Gigabit Ethernet, or an EFP.
  Note: Bridge group virtual interfaces (BVIs) are not supported.
- Each source port can be monitored in only one traffic mirroring session.
- Interfaces over which mirrored traffic may be routed must not be configured as a source port.
- ACL-based traffic mirroring: traffic is mirrored based on the configuration of the global interface ACL. This is optional on the Cisco CRS Router.
In the figure above, the network analyzer is attached to a port that is configured to receive a copy of every packet that host A sends. This port is called a traffic mirroring port.
Characteristics of the Monitor Session
A monitor session is a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces. For any given monitor session, the traffic from the source interfaces (called source ports) is sent to the destination. Some optional operations such as ACL filtering can be performed on the mirrored traffic streams. If there is more than one source port in a monitoring session, the traffic from the several mirrored traffic streams is combined at the destination. The result is that the traffic that comes out of the destination is a combination of the traffic from one or more source ports, and the traffic from each source port may or may not have ACLs applied to it.
Monitor sessions have these characteristics:
- A single Cisco CRS Router can have a maximum of eight monitor sessions.
- A single monitor session can have only one destination.
- A single destination can belong to only one monitor session.
- A single Cisco CRS Router can have a maximum of 800 source ports.
- A monitor session can have a maximum of 800 source ports, as long as the total number of source ports across all monitor sessions does not exceed 800.
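The constraints in the source-port and monitor-session lists above are easy to violate when sessions are added one at a time, and the routed next-hop destination adds a failure mode that Layer 2 SPAN does not have: if the mirrored copies egress through an interface that is itself a source port, they are mirrored again. The following Python checker is an added example, not code from the Cisco documentation or from IOS XR; it validates a planned set of monitor sessions offline against the limits stated on this page (eight sessions, 800 source ports per session and per router, one destination per session, each destination and each source port in only one session, no BVI source ports) and resolves each next-hop through a routing table assumed to be the default VRF. The interface names, session names, addresses and routes are constructed sample data, and the BVI name-prefix check and the `MonitorSession` structure are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Limits stated on the page for the Cisco CRS Router (IOS XR 4.3.0).
MAX_SESSIONS = 8
MAX_SOURCE_PORTS = 800   # per session and per router, shared across all sessions

# Routing table entry: (prefix, egress interface). Assumed to model the default VRF,
# which is where the next-hop address is looked up in this release.
Route = Tuple[str, str]


@dataclass
class MonitorSession:
    """A planned monitor session (assumed structure): one next-hop, many source ports."""
    name: str
    destination_next_hop: Optional[str]
    source_ports: List[str] = field(default_factory=list)


def egress_interface_for(next_hop: str, routing_table: Sequence[Route]) -> Optional[str]:
    """Return the egress interface for next_hop by longest-prefix match, or None if unrouted."""
    addr = ipaddress.ip_address(next_hop)
    best: Optional[Tuple[int, str]] = None
    for prefix, interface in routing_table:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, interface)
    return best[1] if best else None


def validate_sessions(sessions: Sequence[MonitorSession],
                      routing_table: Sequence[Route]) -> List[str]:
    """Check the sessions against the page's constraints; return the list of violations."""
    errors: List[str] = []
    if len(sessions) > MAX_SESSIONS:
        errors.append(f"{len(sessions)} sessions configured, maximum is {MAX_SESSIONS}")

    owner_of_source: Dict[str, str] = {}       # source port -> session that already uses it
    owner_of_destination: Dict[str, str] = {}  # next-hop -> session that already uses it
    total_sources = 0

    for s in sessions:
        # One destination per session, and each destination in only one session.
        if not s.destination_next_hop:
            errors.append(f"{s.name}: no destination next-hop configured")
        elif s.destination_next_hop in owner_of_destination:
            errors.append(f"{s.name}: destination {s.destination_next_hop} already belongs "
                          f"to session {owner_of_destination[s.destination_next_hop]}")
        else:
            owner_of_destination[s.destination_next_hop] = s.name

        if len(s.source_ports) > MAX_SOURCE_PORTS:
            errors.append(f"{s.name}: {len(s.source_ports)} source ports, maximum is {MAX_SOURCE_PORTS}")
        total_sources += len(s.source_ports)

        for port in s.source_ports:
            # BVIs are not supported as source ports (name-prefix check is an assumption).
            if port.upper().startswith("BVI"):
                errors.append(f"{s.name}: {port} is a BVI, which cannot be a source port")
            # Each source port may be monitored by only one session.
            if port in owner_of_source:
                errors.append(f"{s.name}: {port} is already monitored by session {owner_of_source[port]}")
            else:
                owner_of_source[port] = s.name

    if total_sources > MAX_SOURCE_PORTS:
        errors.append(f"{total_sources} source ports across all sessions, maximum is {MAX_SOURCE_PORTS}")

    # Mirrored copies are routed toward the next-hop. If they leave through an interface
    # that is itself a source port, the copies are mirrored again, so that is a violation.
    for s in sessions:
        if not s.destination_next_hop:
            continue
        egress = egress_interface_for(s.destination_next_hop, routing_table)
        if egress is None:
            errors.append(f"{s.name}: no default-VRF route to {s.destination_next_hop}")
        elif egress in owner_of_source:
            errors.append(f"{s.name}: mirrored traffic to {s.destination_next_hop} egresses via "
                          f"{egress}, which is a source port of session {owner_of_source[egress]}")
    return errors


# Constructed sample data for the example, not taken from any real device.
SAMPLE_ROUTES: List[Route] = [
    ("192.0.2.0/24", "GigabitEthernet0/0/0/5"),   # subnet where the analyzer sits
    ("0.0.0.0/0", "GigabitEthernet0/0/0/7"),      # default route
]
GOOD_PLAN = [MonitorSession("mon1", "192.0.2.10",
                            ["GigabitEthernet0/0/0/0", "TenGigE0/1/0/0"])]
BAD_PLAN = [
    MonitorSession("mon1", "192.0.2.10", ["GigabitEthernet0/0/0/0", "BVI10"]),
    MonitorSession("mon2", "192.0.2.10", ["GigabitEthernet0/0/0/0"]),      # reused dest and port
    MonitorSession("mon3", "198.51.100.9", ["GigabitEthernet0/0/0/7"]),   # egress is a source
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(f"{label}: {validate_sessions(plan, SAMPLE_ROUTES) or 'no violations'}")
```

Run against the constructed plans, the good plan reports no violations and the bad plan reports four: the BVI source, the reused destination, the reused source port, and the session whose mirrored copies would egress through its own source port. Feeding the checker the real routing table of the default VRF before committing a session is the practical point, since a later route change can silently turn a valid destination into a mirroring loop.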
Characteristics of the Destination
Each session must have a destination that receives a copy of the traffic from the source ports.
A destination has these characteristics:
Figure legend:
1 — Source traffic mirroring ports (can be ingress or egress traffic ports)
2 — Destination traffic mirroring port