Mirror services
When troubleshooting complex operational problems, customer packets can be examined as they traverse the network. Nokia’s service mirroring provides the capability to mirror customer packets to allow for trouble shooting and offline analysis. One way to accomplish this is with an overlay of network analyzers established at multiple PoPs, together with skilled technicians to operate them to decode the data provided. This method of traffic mirroring often requires setting up complex filters in multiple switches or routers. These, at best, are only able to mirror from one port to another on the same device.
Nokia’s service mirroring extends and integrates these capabilities into the network and provides significant operational benefits. Each router can mirror packets from a specific service to any destination point in the network, regardless of interface type or speed.
This capability also extends beyond troubleshooting services. Telephone companies can obtain itemized calling records and wire-taps where legally required by investigating authorities. The process can be very complex and costly to carry out on data networks. Service mirroring greatly simplifies these tasks, as well as reduces costs through centralization of analysis tools and skilled technicians.
Nokia routers support service-based mirroring. While some Layer 3 switches and routers can mirror on a per-port basis within the device, Nokia routers can mirror on an n-to-1 unidirectional service basis and re-encapsulate the mirrored data for transport through the core network to another location, using either IP or MPLS tunneling as required (Service mirroring).
Original packets are forwarded while a copy is sent out the mirrored port to the mirroring (destination) port. Service mirroring allows an operator to see the actual traffic on a customer’s service with a sniffer sitting in a central location. In many cases, this reduces the need for a separate, costly overlay sniffer network.
The mirrored frame size that is to be transmitted to the mirror destination can be explicitly configured by using slicing features. This enables mirroring only the parts needed for analysis. For example, only the headers can be copied for analysis, protecting the integrity and security of customer data, or conversely, copying the full packet, including customer data.
Mirror implementation
Mirroring can be implemented on SAPs or ingress network interfaces. The Flexible Fast Path processing complexes preserve the original packet throughout the forwarding and mirroring process, making any necessary packet changes, such as adding encapsulation, on a separate copy.
Mirroring supports multiple types of destinations including local SAPs, remote tunnels, and FTP servers in PCAP format.
Nokia’s implementation of packet mirroring is based on the following assumptions:
Ingress and egress packets are mirrored as they appear on the wire. This is important for troubleshooting encapsulation and protocol issues.
When mirroring at ingress, the Flexible Fast Path network processor array (NPA) sends an exact copy of the original ingress packet to the mirror destination while normal forwarding proceeds on the original packet.
When mirroring is at egress, the system performs normal packet handling on the egress packet, encapsulating it for the destination interface. A copy of the forwarded packet is forwarded to the mirror destination. Because the mirror copy of the packet is created before egress queuing, the mirrored packet stream may include copies of packets that are discarded in egress queues, such as during congestion or rate limiting.
Remote destinations are reached by encapsulating the ingress or egress packet within an SDP, like the traffic for distributed VPN connectivity services. At the remote destination, the tunnel encapsulation is removed and the packet is forwarded out a local SAP.
Mirror components
Mirroring a packet consists of two components:
mirror destinations
This is where to send the mirrored packet. Various mirror destinations are available and each mirror destination consists of a service ID. Mirrored packets can be sent to a single mirror destination only.
mirror sources
Specify the packets to be mirrored. A mirror source can be configured through debug or service commands.
Mirror source
Mirror sources have the following properties:
When config>mirror>mirror-source and debug>mirror-source reference the same mirror source (for example, sap 1/1/1), config always takes precedence over debug, and config removes the debug configuration.
A mirror source can only be mirrored once. It is not possible to send a mirror source to two different mirror destinations.
Ports configured as host ports for satellite and ESA applications are not supported as mirror-source.
Internal ports such as ISA and ESA do not support config>mirror>mirror-source and there is only limited support for debug>mirror.
Types and sources
The following commands are supported for debug configuration:
ingress-label
ip-filter
ipv6-filter
isa-aa-group
mac-filter
port
sap
-
subscriber
The following commands are supported for config>mirror>mirror-source:
ip-filter
ipv6-filter
mac-filter
port
sap
subscriber
Enhanced subscriber management associates subscriber hosts with queuing and filtering resources in a shared SAP environment. Mirroring used in subscriber aggregation networks for debugging is required. Subscriber mirroring capability allows the match criteria to include a subscriber ID.
Subscriber mirroring can also be based on the IP family and host type. The IP family determines if only IPv4 or IPv6 addresses should be mirrored and the host type determines if only IPoE or PPP hosts should be mirrored from the subscriber. To use the IP family and host type, the SAP anti-spoof filter must be set to ip-mac. If subscriber mirroring is performed on the L2TP LAC and the IP family is configured as IPv6, no traffic is mirrored for the PPPoE session, even if the LAC subscriber is dual stack. For L2TP LAC, it is recommended that the IP family not be configured or be configured for IPv4 only.
Subscriber mirroring creates a mirror source with subscriber information as match criteria. Specific subscriber packets can be mirrored when using ESM with a shared SAP without prior knowledge of their IP or MAC addresses and without concern that they may change. The subscriber mirroring decision is more specific than a SAP. If a SAP (or port) is placed in a mirror and a subscriber host of which a mirror was configured is mirrored on that SAP, packets matching the subscriber host are mirrored to the subscriber mirror destination.
The mirroring configuration can be limited to specific forwarding classes used by the subscriber. When a forwarding class (FC) map is placed on the mirror, only packets that match the specified FCs are mirrored. A subscriber can be referenced in maximum two different mirror-destinations: one for ingress and one for egress.
Subscriber-based criteria in a mirror source remains in the mirror source configuration even if the subscriber is deleted, removed, or logged off. When the subscriber returns (is configured, created, or logged in) the mirroring resumes. This also implies that a subscriber can be configured as a mirror source before the actual subscriber exists on the node and before the subscriber ID is active (the mirroring starts when the subscriber is created or logs in and the subscriber ID becomes active).
Mirror source priority
The user can configure multiple mirror source services, each asking for the same packets. For example, the user can configure two different mirror source services for a filter and SAPs from the same port. A packet is only mirrored once and in such cases the system selects the highest priority mirror. The mirror source priority for access ports, from lowest to highest priority, is the following:
-
port mirroring
-
SAP mirroring
-
subscriber mirroring
-
filter mirroring
For example, when mirroring is enabled on a port for both filter and SAP, packets that match the filter entries rule are mirrored first to the mirror destination for the filter. The rest of the packets that do not match the filter are mirrored to the mirror destination specified for the SAP.
The mirror source priority for network ports, from lowest to highest priority, is the following:
-
port mirroring
-
label mirroring
-
filter mirroring
Mirror destination
Mirror destinations have the following characteristics:
-
Mirror destinations can terminate on egress virtual ports which allows multiple mirror destinations to send to the same packet decode device, delimited by IEEE 802.1Q (referred to as Dot1q) tags. This is helpful when troubleshooting a multiport issue within the network.
When multiple mirror destinations terminate on the same egress port, the individual dot1q tags can provide a DTE/DCE separation between the mirror sources.
-
Packets ingressing a port can have a mirror destination separate from packets egressing another or the same port (the ports can be on separate nodes).
-
Multiple mirror destinations are supported (local or remote) on a single chassis.
-
The operational state of a mirror destination depends on the state of all the outputs of the mirror. The mirror destination goes operationally down if all the outputs are down (for example, all mirror-dest>sap and mirror-dest>spoke-sdp objects are down, and all gateways configured under mirror-dest>encap do not have a known route by which they can be reached). The state of a mirror destination does not depend on inputs such as SDPs configured under mirror-dest>remote-source or debug>mirror-source entries entries. Some examples of outputs include mirror-dest>sap and mirror-dest>spoke-sdp.
-
configure>mirror-source can re-use the mirror-destination service that is currently in use by a debug>mirror-source. In this scenario, the system automatically cleans up the debug>mirror-source entries before it can be re-used.
In classic CLI mode, mirror destination supports the following mirror-type values:
-
ether
-
ip-only
In mixed and MD-CLI mode, only the following mirror-type values are supported: ether and ip-only.
To switch from classic to mixed or MD-CLI mode, all mirror types other than ether and ip-only must be manually removed first.
The following mirror destinations are supported:
- sap
- mirroring to a local SAP
- spoke-sdp
- mirroring to a remote location using a SDP. The remote location uses the remote source to terminate the spoke SDP
- remote-source
- used at the remote location that is terminating the spoke SDP mirroring tunnel
- pcap
- mirroring to an FTP server as a PCAP file
- encap
- mirroring to a remote location as an IP encapsulated packet
- endpoint
- tunneling redundancy support
Mirror destination per-flow hashing support
By default, when mirroring to a SAP of type LAG or SDP with a LAG interface, the system only selects one of the port members to forward the mirrored packet.
It is possible to select per-flow hashing on the mirror destination to allow hashing of flows to all port members in a LAG.
General local and remote mirroring
Mirrored frames can be copied and sent to a specific local destination or service on the router (local mirroring) or copies can be encapsulated and sent to a different router (remote mirroring). This functionality allows network operators to centralize not only network analyzer (sniffer) resources, but also the technical staff who operate them.
The router allows multiple concurrent mirroring sessions so traffic from more than one ingress mirror source can be mirrored to the same or different egress mirror destinations.
Remote mirroring uses an SDP which acts as a logical way of directing traffic from one router to another through a unidirectional service tunnel. The SDP terminates at the far-end router which directs packets to the correct destination on that device.
The SDP configuration from the mirrored device to a far-end router requires a return path SDP from the far-end router back to the mirrored router. Each device must have an SDP defined for every remote router to which it wants to provide mirroring services. SDPs must be created first, before services can be configured.
Mirror destination type IP-only
The IP mirroring capability for the 7705 SAR Gen 2 allows a mirror to be created with a parameter that specifies that only the IP packet is mirrored without the original POS/Ethernet DLC header. This results in the mirrored IP packet becoming media-agnostic on the mirror service egress.
This option is configurable on SAP mirrors for IES, VPRN and VPLS services, and subscriber mirrors. It is not supported on VLL services such as Epipe, or on ports.
-
remote mirroring termination
With remote mirroring, the mirror destination configuration can allow IP packets to be mirrored from a source router. The packets are delivered to the destination in a spoke-terminated interface created in a VPRN service. IES interfaces are not supported. The interface can be configured with policy-based routing filters to allow sniffer selection based on incoming mirrored destination IP addresses. The interface cannot send traffic out as it is a destination-only feature. Packets arriving at the interface are routed based on the routing information within the VPRN. Policy-based routing should always be used unless only a sniffer is connected to the VPRN.
Figure 2. Remote mirroring termination 
-
local mirroring termination
Local mirroring is like remote mirroring but the source and destination of the mirror exist in the same local IP mirroring node. The configuration must include the source address and destination MAC addresses for the packets going to the sniffer. The destination SAP must be Ethernet.
Mirrored traffic transport using MPLS-TP SDPs
Bidirectional MPLS-TP spoke SDPs with a configured pw-path-id can transport a mirrored service. Mirror services are not supported on static PWs with an MPLS-TP pw-path-id bound to an SDP that uses an RSVP-TE LSP.
Mirror services using MPLS-TP spoke SDPs can be configured using CLI in the context mirror-dest>remote-source. For both the CPM and IOM, this enables reuse of spokes for mirror services and other services such as pipes.
Control channel status signaling is supported with PW redundancy on spoke SDPs in a mirror context.
The following is an example of PW redundancy for a mirror service. In this case, MPLS-TP spoke SDPs are used.
Note that mirroring traffic is usually unidirectional, flowing from ‟source” nodes (B or C) to ‟destination” nodes (D or E). However, in case of MPLS-TP, the control channel status packets may flow in the reverse direction.
The following is an example of a mirror service configuration using MPLS-TP spoke SDPs:
Source node B
#--------------------------------------------------
echo "Mirror Configuration"
#--------------------------------------------------
mirror
mirror-dest 300 create
endpoint "X" create
revert-time 100
exit
endpoint "Y" create
revert-time 100
exit
remote-source
spoke-sdp 230:1300 endpoint "Y" icb create
ingress
vc-label 13301
exit
egress
vc-label 13301
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.2:13301
taii-type2 1:10.20.1.3:13301
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
exit
spoke-sdp 240:300 endpoint "X" create
ingress
vc-label 2401
exit
egress
vc-label 2401
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.2:2401
taii-type2 1:10.20.1.4:2401
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
spoke-sdp 250:300 endpoint "X" create
ingress
vc-label 6501
exit
egress
vc-label 6501
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.2:6501
taii-type2 1:10.20.1.5:6501
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
spoke-sdp 230:300 endpoint "X" icb create
ingress
vc-label 12301
exit
egress
vc-label 12301
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.2:12301
taii-type2 1:10.20.1.3:12301
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
no shutdown
exit
exit
exit all
Destination node C
#--------------------------------------------------
echo "Mirror Configuration"
#--------------------------------------------------
mirror
mirror-dest 300 create
endpoint "X" create
revert-time 100
exit
endpoint "Y" create
revert-time 100
exit
remote-source
spoke-sdp 230:1300 endpoint "Y" icb create
ingress
vc-label 13301
exit
egress
vc-label 13301
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.3:13301
taii-type2 1:10.20.1.2:13301
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
exit
spoke-sdp 340:300 endpoint "X" create
ingress
vc-label 6501
exit
egress
vc-label 6501
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.3:6501
taii-type2 1:10.20.1.4:6501
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
spoke-sdp 350:300 endpoint "X" create
ingress
vc-label 2401
exit
egress
vc-label 2401
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.3:2401
taii-type2 1:10.20.1.5:2401
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
spoke-sdp 230:300 endpoint "X" icb create
ingress
vc-label 12301
exit
egress
vc-label 12301
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.3:12301
taii-type2 1:10.20.1.2:12301
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
no shutdown
exit
exit
Source node D
#--------------------------------------------------
echo "Mirror Configuration”
#--------------------------------------------------
mirror
mirror-dest 300 create
endpoint "X" create
revert-time 100
exit
endpoint "Y" create
revert-time 100
exit
remote-source
spoke-sdp 240:300 endpoint "Y" create
ingress
vc-label 2401
exit
egress
vc-label 2401
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.4:2401
taii-type2 1:10.20.1.2:2401
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
spoke-sdp 340:300 endpoint "Y" create
ingress
vc-label 6501
exit
egress
vc-label 6501
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.4:6501
taii-type2 1:10.20.1.3:6501
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
spoke-sdp 450:1300 endpoint "Y" icb create
ingress
vc-label 13301
exit
egress
vc-label 13301
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.4:13301
taii-type2 1:10.20.1.5:13301
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
exit
sap lag-10:300.1 endpoint "X" create
exit
spoke-sdp 450:300 endpoint "X" icb create
ingress
vc-label 12301
exit
egress
vc-label 12301
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.4:12301
taii-type2 1:10.20.1.5:12301
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
no shutdown
exit
exit
Destination node E
#--------------------------------------------------
echo "Mirror Configuration"
#--------------------------------------------------
mirror
mirror-dest 300 create
endpoint "X" create
revert-time 100
exit
endpoint "Y" create
revert-time 100
exit
remote-source
spoke-sdp 250:300 endpoint "Y" create
ingress
vc-label 6501
exit
egress
vc-label 6501
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.5:6501
taii-type2 1:10.20.1.2:6501
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
spoke-sdp 350:300 endpoint "Y" create
ingress
vc-label 2401
exit
egress
vc-label 2401
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.5:2401
taii-type2 1:10.20.1.3:2401
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
spoke-sdp 450:1300 endpoint "Y" icb create
ingress
vc-label 13301
exit
egress
vc-label 13301
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.5:13301
taii-type2 1:10.20.1.4:13301
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
exit
sap lag-10:300.1 endpoint "X" create
exit
spoke-sdp 450:300 endpoint "X" icb create
ingress
vc-label 12301
exit
egress
vc-label 12301
exit
control-word
pw-path-id
agi 1:1
saii-type2 1:10.20.1.5:12301
taii-type2 1:10.20.1.4:12301
exit
control-channel-status
refresh-timer 10
no shutdown
exit
no shutdown
exit
no shutdown
exit
exit
Slicing and sampling
Slicing and sampling are available to all mirror destinations:
-
slicing
Slicing copies a specified packet size of each frame. This is useful to monitor network usage without having to copy the actual data. Slicing enables mirroring larger frames than the destination packet decode equipment can handle. It also conserves mirroring resources by limiting the size of the stream of packet through the router and core network.
When a mirror slice size is defined, a threshold that truncates a mirrored frame to a specific size is created. For example, if a value of 256 bytes is defined, up to the first 256 bytes of the frame are transmitted to the mirror destination. The original frame is not affected by the truncation. Mirrored frames, most likely, become larger as encapsulations are added when packets are transmitted through the network core or out the mirror destination SAP to the packet or protocol decode equipment.
The transmission of a sliced or non-sliced frame is also dependent on the mirror destination SDP path MTU and the mirror destination SAP physical MTU. Packets that require a larger MTU than the mirroring destination supports are discarded if the defined slice size does not truncate the packet to an acceptable size.
-
sampling
Mirror sampling rate defines a packet sampling rate for a mirror service. The sampling rate is applicable to all endpoints in the mirror source ingress and egress and supported on FP4 and FP5-based cards.
This capability can be useful for analytics purposes, such as DDoS telemetry, to provide a subset of traffic while still maintaining statistical accuracy using packet sampling.
Packet sampling can be configured concurrently with mirror slicing to further limit the amount of traffic sent to the collector.
For endpoints in the mirror source on FP2- and FP3-based cards, all the packets are mirrored without sampling.
Mirror sampling rate
SR OS supports the following sampling rates:
-
High-rate sampling
High-rate sampling allows the sampling of 1 packet out of every 2 to 255 packets. Use the following command to configure high-rate sampling.
configure mirror global-sampling-rateOptionally, each mirror destination service can adopt the global sampling rate, allowing one single high-rate sampling rate for the entire system, by using the following command.
configure mirror mirror-dest use-global-sampling-rate -
Low-rate sampling
Low-rate sampling allows the sampling of 1 packet out of every 256 to 10,000 packets. Unlike high-rate sampling, each mirror destination can use a different low-sampling rate. Use the following command to configure low-rate sampling for each destination.
configure mirror mirror-dest sampling-rate -
No sampling
When neither the use-global-sampling-rate or sampling-rate commands under the mirror destination, the system mirrors all packets to the destination.
When both the low-rate and high-rate are configured under the same mirror destination, the low rate takes precedence. The system automatically samples using the low rate specified and ignores the global high rate.
Mirror destination per-flow hashing support
By default, when the system mirrors to a SAP of type LAG or SDP with a LAG interface, the system only forwards the mirror packet to one port member.
A user can select per-flow hashing on the mirror destination to allow hashing of flows to all port members in a LAG.
Mirroring performance
Replication of mirrored packets can, typically, affect performance and should be used carefully. Nokia routers minimize the impact of mirroring on performance by taking advantage of its distributed Flexible Fast Path technology. Flexible Fast Path forwarding allows efficient mirror service scaling and, at the same time, allows a large amount of data to be mirrored with minimal performance impact. When a mirror destination is configured, the packet slice option can truncate mirrored packets to the destination, which minimizes replication and tunneling overhead.
Pseudowire redundant mirror services
This section describes the implementation and configuration of redundant Mirror services using redundant pseudowires.
Regardless of the protection mechanism (MC-LAG, STP, or APS) the source switch only transmits on the active link and not simultaneously on the standby link. As a result, when configuring a redundant mirror service or a mirror service where the customer has a redundant service but the mirror service is not redundant the mirror source must be configured on both (A and B) PE nodes. In either case, the PE with a mirror source establishes a pseudowire to each eligible PE where the mirror service terminates.
It is important to note that to provide protection if the active SDP between node A and D fails and the need to limit the number of lost data, the ICB between node A and B must be supported. As a result, when the SDP connecting nodes A and D fails the data on its way from the source switch to node A and the data in node A must be directed by the ICB to node B and from there to node D.
This functionality is already supported in when providing pseudo wire redundancy for VLLs and must be extended to mirror service redundancy.
The notable difference with scenarios standard pseudo wire redundancy scenarios is that provided the customer service is redundant on nodes A and B (State engine for redundant service to a redundant mirror service and State engine for redundant service to a non-redundant mirror service) both aggregation node A and Aggregation node B maintain an active Pseudo wire to Node D who in turn has an active link to the destination switch. If in State engine for redundant service to a redundant mirror service, the link between D and the destination switch is disconnected, then both aggregation A and B must switch to use pseudowire connection to Node C.
In the case where a non-redundant service is being mirrored to a redundant mirror service (State engine for a non-redundant service to a redundant mirror service ) the source aggregation node (A) can only maintain a pseudo wire to the active destination aggregation node (D). Should the link between aggregation node D and the destination switch fail then the pseudo wire must switch to the new active aggregation node (C).
Redundant mirror source notes
A redundant remote mirror service destination is not supported for IP mirrors (a set of remote IP mirror destinations). The remote destination of an IP mirror is a VPRN instance, and an ‟endpoint” cannot be configured in a VPRN service.
A redundant mirror source is supported for IP mirrors, but the remote destination must be a single node (a set of mirror source nodes, each with a mirror destination that points to the same destination node). In this case the destination node would have a VPRN instance with multiple ip-mirror-interfaces.
Multi Chassis APS (MC-APS) groups cannot be used as the SAP for a redundant remote mirror destination service. APS cannot be used to connect the remote mirror destination SR nodes to a destination switch.
Multi Chassis APS (MC-APS) groups can be used as the SAP for a redundant mirror service source. APS can be used to redundantly connect the source of the mirrored traffic to the SR nodes that are behaving as the mirror-sources.
Configuration process overview
Mirroring can be performed based on the following criteria:
Configuring mirroring is like creating a unidirection service. Mirroring requires the configuration of:
- mirror source
- the traffic on specific points to mirror
- mirror destination
- the location to send the mirrored traffic, where the sniffer is to be located
Local mirroring example shows a local mirror service configured on ALA-A.
-
Port 2/1/2 is specified as the source. Mirrored traffic ingressing and egressing this port is sent to port 2/1/3.
-
SAP 2/1/3 is specified as the destination. The sniffer is physically connected to this port. Mirrored traffic ingressing and egressing port 2/1/2 is sent here. SAP, encapsulation requirements, packet slicing, and mirror classification parameters are configured. SDPs are not used in local mirroring.
Figure 7. Local mirroring example 
Remote mirroring example shows a remote mirror service configured as ALA B as the mirror source and ALA A as the mirror destination. Mirrored traffic ingressing and egressing port 5/2/1 (the source) on ALA B is handled the following ways:
-
Port 5/2/1 is specified as the mirror source port. Parameters are defined to select specific traffic ingressing and egressing this port.
-
Destination parameters are defined to specify where the mirrored traffic is to be sent. In this case, mirrored traffic is sent to a SAP configured as part of the mirror service on port 3/1/3 on ALA A (the mirror destination).
-
ALA A decodes the service ID and sends the traffic out of port 3/1/3.
-
The sniffer is physically connected to this port (3/1/3). SAP, encapsulation requirements, packet slicing, and mirror classification parameters are configured in the destination parameters.
Figure 8. Remote mirroring example 
Mirror configuration and implementation flow shows the process to provision basic mirroring parameters.
Configuration notes
This section describes mirroring configuration restrictions:
-
Multiple mirroring service IDs (mirror destinations) may be created within a single system.
-
A mirrored source can only have one destination.
-
Both destination mirroring service IDs (including service parameters) and config mirror source (defined in config>mirror>mirror-source) are persistent between router (re)boots and are included in the configuration saves.
Debug mirror source (defined debug>mirror>mirror-source) criteria configurations are not preserved in a configuration save (admin save). Debug mirror source configuration can be saved using admin>debug-save.
-
Physical layer problems such as collisions, jabbers, and so on, are not mirrored. Typically, only complete packets are mirrored.
-
Starting and shutting down mirroring:
mirror destinations
-
The default state for a mirror destination service ID is shutdown. Execute a no shutdown command to enable the feature.
-
When a mirror destination service ID is shutdown, mirrored packets associated with the service ID are not accepted from its mirror source or remote source. The associated mirror source is put into an operationally down mode. Mirrored packets are not transmitted out the SAP or SDP. Each mirrored packet is silently discarded. If the mirror destination is a SAP, the SAP’s discard counters are incremented.
-
Issuing the shutdown command causes the mirror destination service or its mirror source to be put into an administratively down state. Mirror destination service IDs must be shut down first to delete a service ID, or SAP, or SDP association from the system.
mirror sources
-
The default state for a mirror source for a mirror-dest service ID is no shutdown. Enter a shutdown command to deactivate (disable) mirroring from that mirror-source.
-
Mirror sources do not need to be shutdown to remove them from the system. When a mirror source is shutdown, mirroring is terminated for all sources defined locally for the mirror destination service ID.
-
Configuring service mirroring with CLI
This section provides information about service mirroring.
Mirror configuration overview
SR OS mirroring can be organized in the following logical entities:
The mirror source is defined as the location where ingress or egress traffic specific to a port, SAP, MAC, or IP filter, ingress label or a subscriber is to be mirrored (copied). The original frames are not altered or affected in any way.
An SDP is used to define the mirror destination on the source router to point to a remote destination (another router).
A SAP is defined in local and remote mirror services as the mirror destination to where the mirrored packets are sent.
The subscriber contains hosts which are added to a mirroring service.
Defining mirrored traffic
In some scenarios, like using VPN services or when multiple services are configured on the same port, specifying the port does not provide a sufficient resolution to separate traffic. In Nokia’s implementation of mirroring, multiple source mirroring parameters can be specified to further identify traffic.
Mirroring of packets matching specific filter entries in an IP or MAC filter can be applied to refine what traffic is mirrored to flows of traffic within a service. The IP criteria can be combinations of:
source IP address and mask
destination IP address and mask
IP protocol value
source port value and range (for example, UDP, or TCP port)
destination port value and range (for example, UDP, or TCP port)
DiffServ Code Point (DSCP) value
ICMP code
ICMP type
IP fragments
IP option value and mask
single or multiple IP option fields present
IP option fields present
TCP ACK set/reset
TCP SYN set/reset
SAP ingress/egress labels
The MAC criteria can be combinations of:
IEEE 802.1p value and mask
source MAC address and mask
destination MAC address and mask
Ethernet Type II Ethernet type value
Ethernet 802.2 LLC DSAP value and mask
Ethernet 802.2 LLC SSAP value and mask
IEEE 802.3 LLC SNAP Ethernet frame OUI zero or non-zero value
IEEE 802.3 LLC SNAP Ethernet frame PID value
SAP ingress/egress labels
Basic mirroring configuration
Mirror destination parameters must include:
a mirror destination ID (same as the mirror source service ID)
-
a mirror destination SAP or SDP
Mirror source parameters must include:
a mirror service ID (same as the mirror destination service ID)
-
one source type (port, SAP, ingress label, IP filter, or MAC filter) specified
The following example shows a configuration of a local mirrored service where the source and destination are on the same device.
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 103 create
sap 2/1/25:0 create
egress
qos 1
exit
exit
no shutdown
exit
----------------------------------------------The following examples shows a mirror source configuration.
*A:ALA-A>debug>mirror-source# show debug mirror
----------------------------------------------
debug
mirror-source 103
port 1/1/24 egress ingress
no shutdown
exit
exit
----------------------------------------------The following example shows a configuration of a remote mirrored service where the source is a port on ALA-A and the destination is a SAP is on ALA-B.
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 1000 create
spoke-sdp 2:1 egr-svc-label 7000
no shutdown
exit
----------------------------------------------
*A:ALA-A>config>mirror# exit all
*A:ALA-A# show debug
debug
mirror-source 1000
port 2/1/2 egress ingress
no shutdown
exit
exit
*A:ALA-A#
*A:ALA-B>config>mirror# info
----------------------------------------------
mirror-dest 1000 create
remote-source
far-end 10.10.10.104 ing-svc-label 7000
exit
sap 3/1/2:0 create
egress
qos 1
exit
exit
no shutdown
exit
----------------------------------------------
*A:ALA-B>config>mirror#
Mirror classification rules
Nokia’s implementation of mirroring can be performed by configuring parameters to select network traffic according to any of the following entities.
Port
The port command associates a port to a mirror source. The port is identified by the port ID.
The following shows the port-id syntax for the port command:
| port-id: | slot/mda/port[.channel] | ||
|---|---|---|---|
|
eth-sat-id |
esat-id/slot/port |
||
|
esat |
keyword |
||
|
id |
1 to 20 |
||
|
pxc-id |
pxc-id.sub-port |
||
|
pxc |
keyword |
||
|
id |
1 to 64 |
||
|
sub-port |
a, b |
||
|
ccag-id - ccag-id.path-id[cc-type]:cc-id |
|||
|
ccag |
keyword |
||
|
id |
1 o 8 |
||
|
path-id |
a,b |
||
|
cc-type |
.sap-net, .net-sap |
||
|
cc-id |
0 to 4094 |
||
|
lag-id |
1 to 800 |
||
|
egress |
keyword |
||
|
ingress |
keyword |
||
The defined port can be an Ethernet port, a SONET/SDH path, a TDM channel, a Cross Connect Aggregation Group (CCAG), or a Link Aggregation Group (LAG) ID. If the port is a SONET/SDH or TDM channel, the channel ID must be specified to identify which channel is being mirrored. When a LAG ID is specified as the port ID, mirroring is enabled on all ports making up the LAG. Ports that are circuit-emulation (CEM) cannot be used in a mirror source.
Mirror sources can be ports in either access or network mode. Port mirroring is supported in the following combinations:
| Port type | Port mode | Port encapsulation type |
|---|---|---|
|
faste/gige/xgige Ethernet |
access |
dot1q, null, qinq |
|
faste/gige/xgige Ethernet |
network |
dot1q, null |
debug>mirror-source# port {port-id | lag lag-id}
{[egress][ingress]} *A:ALA-A>debug>mirror-source# port 2/2/2 ingress egressSAP
More than one SAP can be associated within a single mirror-source. Each SAP has its own ingress and egress parameter keywords to define which packets are mirrored to the mirror-dest service ID. A SAP that is defined within a mirror destination cannot be used in a mirror source.
debug>mirror-source# sap sap-id {[egress] [ingress]}*A:ALA-A>debug>mirror-source# sap 2/1/4:100 ingress
egressor debug>mirror-source# port 2/2/1.sts12 ingressIP filter
IP filters are configured in the config>filter>ip-filter or config>filter>ipv6-filter context. The ip-filter command causes all the packets matching the explicitly defined list of entry IDs to be mirrored to the mirror destination specified by the service-id of the mirror source.
Ingress mirrored packets are mirrored to the mirror destination before any ingress packet modifications. Egress mirrored packets are mirrored to the mirror destination after all egress packet modifications.
debug>mirror-source# ip-filter ip-filter-id entry entry-
id [entry-id …]
debug>mirror-source# ipv6-filter ipv6-filter-id entry
entry-id [entry-id...]*A:ALA-A>debug>mirror-source# ip-filter 1 entry 20 Ingress label
The ingress-label command is used to mirror ingressing MPLS frames with the specified MPLS labels. The supported MPLS labels are LDP, RSVP, and LDP over RSVP. The ingress label must be at the top of the label stack and can only be mirrored to a single mirror destination. If the same label is defined with multiple mirror destinations, an error is generated and the original mirror destination does not change. The ingress-label allows packets matching the ingress label to be duplicated (mirrored) and forwarded to the mirror destination. The ingress label must be active before it can be used as mirror source criteria. If the ingress label is not used in the router, the mirror source removes the ingress label automatically.
debug>mirror-source# ingress-label label [label...]*A:ALA-A>debug>mirror-source# ingress-label 103000 1048575Common configuration tasks
This section provides a brief overview of the tasks that must be performed to configure both local and remote mirror services and provides the CLI command syntax. Note that local and remote mirror source and mirror destination components must be configured under the same service ID context.
Configuring a local mirror service
To configure a local mirror service, the source and destinations must be located on the same router. Note that local mirror source and mirror destination components must be configured under the same service ID context.
The mirror-source commands are used as traffic selection criteria to identify traffic to be mirrored at the source. Each of these criteria are independent. For example, in the same mirror-source an entire port X could be mirrored at the same time as packets matching a filter entry applied to SAP Y could be mirrored. A filter must be applied to the SAP or interface if only specific packets are to be mirrored. Note that slice-size is not supported by CEM encap-types or IP-mirroring.
Use the CLI syntax to configure one or more mirror source parameters:
The mirror-dest commands are used to specify where the mirrored traffic is to be sent, the forwarding class, and the size of the packet.
The following output shows an example of a local mirrored service. On ALA-A, mirror service 103 is mirroring traffic matching IP filter 2, entry 1 as well as egress and ingress traffic on port 2/1/24 and sending the mirrored packets to SAP 2/1/25:
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 103 create
sap 2/1/25:0 create
egress
qos 1
exit
exit
no shutdown
exit
----------------------------------------------
*A:ALA-A>config>mirror#
The following output shows debug mirroring information:
*A:ALA-A>debug>mirror-source# show debug mirror
debug
mirror-source 103
no shutdown
port 2/1/24 egress ingress
ip-filter 2 entry 1
exit
exit
*A:ALA-A>debug>mirror-source# exit
The following output shows using config mirror source as an alternative:
*A:ALA-A>config>mirror# info
mirror-source 103
no shutdown
port 2/1/24 egress ingress
ip-filter 2 entry 1
exit
The IP filter and entry referenced by the mirror source must exist and must be applied to an object for traffic to be mirrored:
*A:ALA-A>config>service>vprn>if# info
----------------------------------------------
sap 1/1/3:63 create
ingress
filter ip 2
exit
exit
----------------------------------------------
Configuring SDPs for mirrors
This section provides a brief overview of the tasks that must be performed to configure SDPs and provides the CLI commands. For more information about service configuration, see the 7705 SAR Gen 2 Services Overview Guide.
Consider the following SDP characteristics:
Configure GRE, MPLS, MPLS-TP, or L2TPv3 SDPs.
Each distributed service must have an SDP defined for every remote SR to provide Epipe, VPLS, or mirrored services.
A distributed service must be bound to an SDP. By default, no SDP is associated with a service. After an SDP is created, services can be associated with that SDP.
An SDP is not specific to any one service or any type of service. An SDP can have more than one service bound to it.
When using L2TPv3, MPLS-TP, or LDP IPv6 LSP SDPs in a remote mirroring solution, configure the destination node with remote-src>spoke-sdp entries. For all other types of SDPs use remote-src>far-end entries.
To configure an MPLS SDP, LSPs must be configured first and then the LSP-to-SDP association must be explicitly created.
Configuring basic SDPs
To configure a basic SDP, perform the following steps:
- Select an originating node.
- Create an SDP ID.
- Select an encapsulation type.
- Select the far-end node.
Configuring return path SDPs
To configure the return path SDP, perform the same steps on the far-end router:
- Select an originating node.
- Create an SDP ID.
- Select an encapsulation type.
- Select the far-end node.
config>service# sdp sdp-id [gre | mpls | l2tpv3 | gre-eth-bridged] create
description description-string
far-end ip-address|ipv6-address
lsp lsp-name [lsp-name]
path-mtu octets
no shutdown
keep-alive
hello-time seconds
hold-down-time seconds
max-drop-count count
message-length octets
no shutdown
timeout timeoutOn the mirror source router, configure an SDP pointing toward the mirror destination router (or use an existing SDP).
On the mirror destination router, configure an SDP pointing toward the mirror source router (or use an existing SDP).
The following example shows SDP configurations on both the mirror source and mirror destination routers.
*A:ALA-A>config>service# info
-------------------------------------------
sdp 1 create
description "to-10.10.10.104"
far-end 10.10.10.104
no shutdown
exit
-------------------------------------------
*A:ALA-A>config>service#
*A:ALA-B>config>service# info
----------------------------------------------
sdp 4 create
description "to-10.10.10.103"
far-end 10.10.10.103
no shutdown
exit
-------------------------------------------
*A:ALA-B>config>service#
Configuring a remote mirror service
For remote mirroring, the source and destination are configured on the different routers. Note that mirror source and mirror destination parameters must be configured under the same service ID context.
When using L2TPv3, MPLS-TP or LDP IPv6 LSP spoke SDPs in a remote mirroring solution, configure the destination node with remote-src>spoke-sdp entries. For all other types of SDPs use remote-src>far-end entries.
Remote mirrored service tasks shows the mirror destination, which is on ALA-A, configuration for mirror service 1216. This configuration specifies that the mirrored traffic coming from the mirror source (10.10.0.91) is to be directed to SAP 4/1/58 and states that the service only accepts traffic from far end 10.10.0.92 (ALA-B) with an ingress service label of 5678. When a forwarding class is specified, then all mirrored packets transmitted to the destination SAP or SDP override the default (be) forwarding class. The slice size limits the size of the stream of packet through the router and the core network.
The following example shows the CLI output showing the configuration of remote mirrored service 1216. The traffic ingressing and egressing port 1/1/60 on 10.10.0.92 (ALA-B) is mirrored to the destination SAP 1/1/58:0 on ALA-A.
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 1216 create
description "Receiving mirror traffic from .91"
remote-source
far-end 10.10.0.91 ing-svc-label 5678
exit
sap 1/1/58:0 create
egress
qos 1
exit
exit
no shutdown
exit
----------------------------------------------
*A:ALA-A>config>mirror#
The following example shows the remote mirror destination configured on ALA-B:
*A:ALA-B>config>mirror># info
----------------------------------------------
mirror-dest 1216 create
description "Sending mirrored traffic to .92"
fc h1
spoke-sdp 4:60 create
egress
vc-label 5678
exit
no shutdown
exit
slice-size 128
no shutdown
exit
----------------------------------------------
*A:ALA-B>config>mirror#
The following example shows the mirror source configuration for ALA-B:
*A:ALA-B# show debug mirror
debug
mirror-source 1216
port 1/1/60 egress ingress
no shutdown
exit
exit
*A:ALA-B#
The following example is an alternative for mirror source configuration:
*A:ALA-B# config>mirror#info
mirror-source 1216
port 1/1/60 egress ingress
no shutdown
exit
*A:ALA-B#
The following example shows the SDP configuration from ALA-A to ALA-B (SDP 2) and the SDP configuration from ALA-B to ALA-A (SDP 4):
*A:ALA-A>config>service>sdp# info
---------------------------------------------
description "GRE-10.10.0.91"
far-end 10.10.0.01
no shutdown
---------------------------------------------
*A:ALA-A>config>service>sdp#
*A:ALA-B>config>service>sdp# info
----------------------------------------------
description "GRE-10.10.20.92"
far-end 10.10.10.103
no shutdown
----------------------------------------------
*A:ALA-B>config>service>sdp#
Pseudowire redundancy for mirror services configuration example
A configuration based on State engine for redundant service to a redundant mirror service is described in this section.
The mirror traffic needs to be forwarded from configured debug mirror-source together with mirror-dest/remote-source (ICB or non-ICB) to either SAP endpoint or SDP endpoint.
A SAP endpoint is an endpoint with a SAP and with or without an additional ICB spoke. An SDP endpoint is an endpoint with regular and ICB spokes.
Only one tx-active can be chosen for either SAP endpoint or SDP endpoint. Traffic ingressing into a remote-source ICB has only ingressing traffic while an ICB spoke has only egressing traffic.
The ingressing traffic to a remote-source ICB cannot be forwarded out of another ICB spoke.
The following example shows a high-level summary of a configuration; it is not intended to be syntactically correct:
Node A:
config mirror mirror-dest 100
endpoint X
sdp to-C endpoint X
sdp to-D endpoint X
sdp to-B endpoint X icb // connects to B’s remote-source IP-A, traffic A->B only
remote-source IP-B icb // connects to B’s sdp to-A, traffic B->A only
Node B:
config mirror mirror-dest 100
endpoint X
sdp to-C endpoint X
sdp to-D endpoint X
sdp to-A endpoint X icb // connects to A’s remote-source IP-B, traffic B->A only
remote-source IP-A icb // connects to Node A’s sdp to-B, traffic A->B only
Node C:
config mirror mirror-dest 100
endpoint X
sap lag-1:0 endpoint X
sdp to-D endpoint X icb // connects to D’s remote-source IP-C, traffic C->D only
remote-source IP-A
remote-source IP-B
remote-source IP-D icb // connects to D’s sdp to-C, traffic D->C only
Node D:
config mirror mirror-dest 100
endpoint X
sap lag-1:0 endpoint X
sdp to-C endpoint X icb // connects to C’s remote-source IP-D, traffic D->C only
remote-source IP-A
remote-source IP-B
remote-source IP-C icb // connects to C’s sdp to-D, traffic C->D only
Service management tasks
This section describes service management tasks related to service mirroring.
Modifying a local mirrored service
Existing mirroring parameters can be modified in the CLI. The changes are applied immediately. The service must be shut down if changes to the SAP are made.
The following example shows the commands to modify parameters for a basic local mirroring service:
config>mirror# mirror-dest 103
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# no sap
config>mirror>mirror-dest# sap 3/1/5:0 create
config>mirror>mirror-dest>sap$ exit
config>mirror>mirror-dest# fc be
config>mirror>mirror-dest# slice-size 128
config>mirror>mirror-dest# no shutdowndebug# mirror-dest 103
debug>mirror-source# no port 2/1/24 ingress egress
debug>mirror-source# port 3/1/7 ingress egressThe following output shows the local mirrored service modifications:
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 103 create
no shutdown
fc be
remote-source
exit
sap 3/1/5:0 create
egress
qos 1
exit
exit
slice-size 128
exit
*A:ALA-A>debug>mirror-source# show debug mirror
debug
mirror-source 103
no shutdown
port 3/1/7 egress ingress
exit
*A:ALA-A>debug>mirror-source#
Deleting a local mirrored service
Existing mirroring parameters can be deleted in the CLI. A shutdown command must be issued at the service level to delete the service. It is not necessary to shut down or remove SAP or port references to delete a local mirrored service.
Command usage to delete a local mirrored service
- ALA-A>config>mirror# mirror-dest 103
- config>mirror>mirror-dest# shutdown
- config>mirror>mirror-dest# exit
- config>mirror# no mirror-dest 103
- config>mirror# exitModifying a remote mirrored service
Existing mirroring parameters can be modified in the CLI. The changes are applied immediately. The service must be shut down if changes to the SAP are made.
In the following example, the mirror destination is changed from 10.10.10.2 (ALA-B) to 10.10.10.3 (SR3). Note that the mirror-dest service ID on ALA-B must be shut down first before it can be deleted.
The following example shows the commands to modify parameters for a remote mirrored service:
*A:ALA-A>config>mirror# mirror-dest 104
config>mirror>mirror-dest# remote-source
config>mirror>mirror-dest>remote-source# no far-end
10.10.10.2
remote-source# far-end 10.10.10.3 ing-svc-label 3500
*A:ALA-B>config>mirror# mirror-dest 104
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# exit
config>mirror# no mirror-dest 104
SR3>config>mirror# mirror-dest 104 create
config>mirror>mirror-dest# spoke-sdp 4:60 egress vc-
label 3500
config>mirror>mirror-dest# no shutdown
config>mirror>mirror-dest# exit all
SR3># debug
debug# mirror-source 104
debug>mirror-source# port 551/1/2 ingress egress
debug>mirror-source# no shutdown*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 104 create
remote-source
far-end 10.10.10.3 ing-svc-label 3500
exit
sap 2/1/15:0 create
egress
qos 1
exit
exit
no shutdown
exit
A:SR3>config>mirror# info
----------------------------------------------
mirror-dest 104 create
spoke-sdp 4:60 egress vc-label 3500
no shutdown
exit
----------------------------------------------
A:SR3>config>mirror#
A:SR3# show debug mirror
debug
mirror-source 104
no shutdown
port 5/1/2 egress ingress
exit
exit
A:SR3#
Deleting a remote mirrored service
Existing mirroring parameters can be deleted by using the CLI. A shut down must be issued on a service level to delete the service. It is necessary to shut down and remove SAP or SDP references to delete a remote mirrored service.
Mirror destinations must be shut down before they can be deleted.
Deleting a remote mirrored service
*A:ALA-A>config>mirror# mirror-dest 105
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# exit
config>mirror# no mirror-dest 105
config>mirror# exit
*A:ALA-B>config>mirror# mirror-dest 105
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# exit
config>mirror# no mirror-dest 105
config>mirror# exitIn the preceding example, the mirror destination service ID 105 was removed from the configuration on ALA-A and ALA-B; therefore, it does not appear in the following info command output.
Mirror info command output
*A:ALA-A>config>mirror# info
----------------------------------------------
----------------------------------------------
*A:ALA-A>config>mirror# exit
*A:ALA-B>config>mirror# info
----------------------------------------------
----------------------------------------------
*A:ALA-B>config>mirror# exit
Debug mirror output
In the following example, because the mirror destination was removed from the configuration on ALA-B, the port information was automatically removed from the debug mirror source configuration.
*A:ALA-B# show debug mirror
debug
exit