Mirror services
This chapter provides information to configure mirroring.
Service mirroring
When troubleshooting complex operational problems, customer packets can be examined as they traverse the network. Nokia’s service mirroring provides the capability to mirror customer packets to allow for trouble shooting and offline analysis.
This capability also extends beyond troubleshooting services. Telephone companies have the ability to obtain itemized calling records and wire-taps where legally required by investigating authorities. The process can be very complex and costly to carry out on data networks. Service Mirroring greatly simplifies these tasks, as well as reduces costs through centralization of analysis tools and skilled technicians.
Original packets are forwarded while a copy is sent out the mirrored port to the mirroring (destination) port. Service mirroring allows an operator to see the actual traffic on a customer’s service with a sniffer sitting in a central location. In many cases, this reduces the need for a separate, costly overlay sniffer network.
7210 SAS devices configured in access-uplink mode support only local mirroring.
When using local mirroring user has an option to use NULL SAP or a dot1q SAP or a Q1.* SAP as mirror destination. Use of Dot1q SAP or a Q1.* SAP as the mirror destination allows the mirrored traffic to share the same uplink as the service traffic (when the uplinks are L2 based).
On some 7210 SAS platforms, when using Dot1q SAP or a Q1.* SAP or MPLS SDP as the mirror destination user needs to dedicate the resources of a port for use with mirror application (see below for more details).
The following figure shows an example of service mirroring.
Mirror implementation
Mirroring can be configured on ingress or egress of certain service entities (For example, SAPs, ports, filter entries) and they are referred to as mirror sources. For more information, see the Mirror source and destinations.
Nokia’s implementation of packet mirroring is based on the following assumptions:
Ingress and egress packets are mirrored as they appear on the wire. This is important for troubleshooting encapsulation and protocol issues. When mirroring at ingress, an exact copy of the original ingress packet is sent to the mirror destination while normal forwarding proceeds on the original packet.
When mirroring is at egress, the system performs normal packet handling on the egress packet, encapsulating it for the destination interface. A copy of the forwarded packet (as seen on the wire) is forwarded to the mirror destination, as follows:
On the 7210 SAS-Mxp, 7210 SAS-Sx/S 1/10GE, 7210 SAS-R6 with IMMV2, 7210 SAS-R12, the mirror copy of the packet is a copy of the forwarded copy.
On the 7210 SAS-T and 7210 SAS-Sx 10/100GE, the mirror copy of the packet is not a exact copy of the forwarded copy in case of port egress mirroring.
On the 7210 SAS, mirroring at egress takes place before the packet is processed by egress QoS. Hence, there exists a possibility that a packet is dropped by egress QoS mechanisms (because of RED mechanisms and so on) and therefore not forwarded, but it is still mirrored.
Remote destinations are reached by encapsulating the ingress or egress packet within an SDP, like the traffic for distributed VPN connectivity services. At the remote destination, the tunnel encapsulation is removed and the packet is forwarded out a local SAP.
Mirror source and destinations
Mirror sources and destinations have the following characteristics for 7210 SAS devices operating in network mode:
Mirror source and mirror destination can be on the same node (local mirroring) or on different nodes (remote mirroring).
Each mirror destination should terminate on a distinct port carrying only null encapsulation or a Dot1q SAP or a Q1.* SAP or a MPLS SDP in case of remote mirroring.
Packets ingressing a port can have a mirror destination separate from packets egressing another or the same port (the ports must be on the same node).
Multiple mirror destinations are supported (local only) on a single chassis.
Listed below are the mirror source and destination characteristics for 7210 SAS devices configured in access-uplink mode:
Mirroring source and destination needs to be on the same node (that is, only local mirroring is supported).
A mirror destination can terminate on only one port (NULL SAP or dot1q SAP or a Q1.* SAP).
Packets ingressing a port can have a mirror destination separate from packets egressing another or the same port.
The following table lists the combinations of SAPs, spoke SDPs, and remote sources allowed in a mirror service using different mirror-source-type on 7210 SAS devices configured in network mode.
| Mirror-source-type | Mirror sources allowed | Mirror destination allowed |
|---|---|---|
Local |
Port Ingress Port Egress SAP ingress ACL ingress |
NULL SAP Dot1q SAP QinQ SAP Spoke-SDP |
Remote |
remote-source |
NULL SAP Dot1q SAP QinQ SAP |
Both |
Port Ingress Port Egress SAP ingress ACL ingress remote-source |
NULL SAP Dot1q SAP QinQ SAP |
Local and remote mirroring
Local mirroring is supported on all 7210 SAS platforms as described in this document, including those operating in access-uplink mode.
Remote mirroring is supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode.
The 7210 SAS-Mxp does not support the use of segment routing tunnels for remote mirroring.
The 7210 SAS devices allows multiple concurrent mirroring sessions so traffic from more than one ingress mirror source can be mirrored to the same or different mirror destinations. For more information, see the Configuration notes.
Remote mirroring uses a service distribution path (SDP) which acts as a logical way of directing traffic from one router to another through a unidirectional (one-way) service tunnel. The SDP terminates at the far-end router which directs packets to the correct destination on that device.
The SDP configuration from the mirrored device to a far-end router requires a return path SDP from the far-end router back to the mirrored router. Each device must have an SDP defined for every remote router to which it provides mirroring services. SDPs must be created first, before services can be configured.
Mirroring performance
Replication of mirrored packets can, typically, affect performance and should be used carefully.
The following tables list the mirroring that can be performed based on the following criteria (that is, mirror sources).
| Mirroring | 7210 SAS-T |
|---|---|
Port (ingress and egress) |
✓ |
SAP (ingress only) |
✓ |
MAC filter (ingress only) |
✓ |
IP filter (ingress only) |
✓ |
| Platforms | Port (ingress and egress) | SAP (ingress only) | MAC filter (ingress only) | IP filter (ingress only) |
|---|---|---|---|---|
|
7210 SAS-T |
✓ |
✓ |
✓ |
✓ |
|
7210 SAS-Mxp |
✓ |
✓ |
✓ |
✓ |
|
7210 SAS-Sx/S 1/10GE |
✓ |
✓ |
✓ |
✓ |
|
7210 SAS-Sx 10/100GE |
✓ |
✓ |
✓ |
✓ |
|
7210 SAS-R6 |
✓ |
✓ |
✓ |
✓ |
Mirroring configuration
Configuring mirroring is similar to creating a unidirection service. Mirroring requires the configuration of:
mirror source - the traffic on specific points to mirror
mirror destination - the location to send the mirrored traffic, where the sniffer will be located
The following figure shows a local mirror service configured on ALA-A:
Port 1/1/2 is specified as the source. Mirrored traffic ingressing and egressing this port will be sent to port 1/1/3.
SAP 1/1/3 is specified as the destination. The sniffer is physically connected to this port. Mirrored traffic ingressing and egressing port 1/1/2 is sent here. SAP, encapsulation requirements, and mirror classification parameters are configured.
Figure 2. Local mirroring example 
The following figure shows a remote mirror service configured as ALA B as the mirror source and ALA A as the mirror destination. Mirrored traffic ingressing and egressing port 5/2/1 (the source) on ALA B is handled the following ways:
Port 5/2/1 is specified as the mirror source port. Parameters are defined to select specific traffic ingressing and egressing this port.
Destination parameters are defined to specify where the mirrored traffic is sent. In this case, mirrored traffic sent to a SAP configured as part of the mirror service on port 3/1/3 on ALA A (the mirror destination).
ALA A decodes the service ID and sends the traffic out of port 3/1/3.
The sniffer is physically connected to this port (3/1/3). SAP, encapsulation requirements, packet slicing, and mirror classification parameters are configured in the destination parameters.
Figure 3. Remote mirroring example 
Configuration process overview
The following figure shows the process to provision basic mirroring parameters.
Configuration notes
This section describes mirroring configuration restrictions, as follows:
-
Multiple mirroring service IDs (mirror destinations) may be created within a single system.
-
A mirrored source can only have one destination.
-
On the 7210 SAS-R6, 7210 SAS-R12, 7210 SAS-T, 7210 SAS-Mxp, 7210 SAS-Sx/S 1/10GE, and 7210 SAS-Sx 10/100GE before using a Dot1q SAP or Q1.* SAP as a mirror destination, the user must configure a port for use with this feature using the command config>system>loopback-no-svc-port mirror. The user has an option to use either one of the available virtual internal port resources or a front panel port. The virtual internal port resources available can be determined using the command show system internal-loopback-ports detail. See the 7210 SAS-Mxp, R6, R12, S, Sx, T Interface Configuration Guide for more information about both commands.
-
On 7210 SAS-R6, 7210 SAS-R12, 7210 SAS-T, 7210 SAS-Mxp, 7210 SAS-Sx/S 1/10GE, and 7210 SAS-Sx 10/100GE before using a MPLS SDP as a mirror destination, the user must configure a port for use with this feature using the command config> system> loopback-no-svc-port mirror. No services can be configured on this port. The user has an option to use either one of the available virtual internal port resources or a front panel port. The virtual internal port resources available can be determined using the command show system internal-loopback-ports detail. More details of both the commands can be found in the 7210 SAS-Mxp, R6, R12, S, Sx, T Interface Configuration Guide.
-
Spoke SDP is supported only on local mirror service type. Please see the Combinations of SAPs, spoke-SDPs, and remote sources allowed in a mirror service section for more information.
-
Remote source mirror type service accepts only MPLS labeled traffic from remote sources.
-
The destination mirroring service IDs and service parameters are persistent between router (re)boots and are included in the configuration saves.
Mirror source criteria configuration (defined in debug>mirror>mirror-source) is not preserved in a configuration save (admin save). Debug mirror source configuration can be saved using admin>debug-save.
-
Physical layer problems, such as collisions, jabbers, and so on, are not mirrored. Typically, only complete packets are mirrored.
-
Starting and shutting down mirroring:
-
Mirror destinations:
-
The default state for a mirror destination service ID is shutdown. You must issue a no shutdown command to enable the feature.
-
When a mirror destination service ID is shutdown, mirrored packets associated with the service ID are not accepted from its mirror source. The associated mirror source is put into an operationally down mode. Mirrored packets are not transmitted out the SAP. Each mirrored packet is silently discarded.
-
Issuing the shutdown command causes the mirror destination service or its mirror source to be put into an administratively down state. Mirror destination service IDs must be shut down first in order to delete a service ID, or SAP association from the system.
-
-
Mirror sources:
-
The default state for a mirror source for a given mirror-dest service ID is no shutdown. Enter a shutdown command to deactivate (disable) mirroring from that mirror-source.
-
Mirror sources do not need to be shutdown to remove them from the system. When a mirror source is shutdown, mirroring is terminated for all sources defined locally for the mirror destination service ID.
-
-
Configuring service mirroring with CLI
This section provides information about service mirroring.
Mirror configuration overview
7210 SAS node mirroring can be organized in the following logical entities:
The mirror source is defined as the location from where the traffic should be mirrored. A mirror source could be ingress of service entity or egress of a service entity. The list of mirror sources supported on a specific platform is listed preceding Mirror source port requirements .
A SAP is defined in local mirror services as the mirror destination to where the mirrored packets are sent.
Defining mirrored traffic
In some scenarios, or when multiple services are configured on the same port, specifying the port does not provide sufficient resolution to separate traffic. In Nokia’s implementation of mirroring, multiple source mirroring parameters can be specified to further identify traffic.
Mirroring of packets matching specific filter entries in an IP or MAC filter can be applied to refine what traffic is mirrored to flows of traffic within a service. The IP criteria can be combinations of:
source IP address/mask
destination IP address/mask
IP Protocol value
source port value (for example, UDP or TCP port)
destination port value (for example, UDP or TCP port)
DiffServ Code Point (DSCP) value
ICMP code
ICMP type
IP fragments
TCP ACK set/reset
TCP SYN set/reset
The MAC criteria can be combinations of:
IEEE 802.1p value/mask
source MAC address/mask
destination MAC address/mask
Ethernet Type II Ethernet type value
The list of packet fields that are available to match packets in IP and MAC ACLs for different platforms is different. For more information about the lists of packet fields available on different platforms, see the 7210 SAS-Mxp, R6, R12, S, Sx, T Router Configuration Guide.
Basic mirroring configuration
Destination mirroring parameters must include at least:
a mirror destination ID (same as the mirror source service ID)
a mirror destination SAP
Mirror source parameters must include at least:
a mirror service ID (same as the mirror destination service ID)
at least one source type (port, SAP, IP filter or MAC filter) specified
The following is a sample local mirrored service (ALA-A) configuration output.
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 103 create
sap 1/1/1 create
exit
no shutdown
exit
----------------------------------------------
*A:ALA-A>config>mirror#
The following is a sample mirror source configuration output.
*A:ALA-A>debug>mirror-source# show debug mirror
debug
mirror-source 103
port 1/1/24 egress ingress
no shutdown
exit
exit
*A:ALA-A>debug>mirror-source# exit
Mirror classification rules
The Nokia implementation of mirroring can be performed by configuring parameters to select network traffic according to any of the entities in this section.
Port
The port command associates a port to a mirror source. The port is identified by the port ID. The defined port can be Ethernet or a Link Aggregation Group (LAG) ID. When a LAG ID is specified as the port ID, mirroring is enabled on all ports making up the LAG.
Mirror sources can be ports in either access or network mode. Port mirroring is supported in the combinations described in the following table.
| Port type | Port mode | Port encapsulation type |
|---|---|---|
faste/gige/10gige |
access |
null, dot1q and QinQ |
faste/gige/10gige |
access uplink |
qinq |
faste/gige/10gige |
network |
null/dot1q |
faste/gige/10gige |
hybrid |
null/dot1q/qinq |
debug>mirror-source# port {port-id|lag lag-id}{[egress][ingress]}
*A:ALA-A>debug>mirror-source# port 1/1/2 ingress egress
SAP
More than one SAP can be associated within a single mirror source. Each SAP has its own ingress parameter keyword to define which packets are mirrored to the mirror-dest service ID. A SAP that is defined within a mirror destination cannot be used in a mirror source.
debug>mirror-source# sap sap-id {[ingress]}
*A:ALA-A>debug>mirror-source# sap 1/1/4:100 ingress
MAC filter
MAC filters are configured in the config>filter>mac-filter context. The mac-filter command causes all the packets matching the explicitly defined list of entry IDs to be mirrored to the mirror destination specified by the service-id of the mirror source.
debug>mirror-source# mac-filter mac-filter-id entry entry-id[entry-id …]
*A:ALA-2>debug>mirror-source# mac-filter 12 entry 15 20 25
IP filter
IP filters are configured in the config>filter>ip-filter context. The ip-filter command causes all the packets matching the explicitly defined list of entry IDs to be mirrored to the mirror destination specified by the service-id of the mirror source.
Ingress mirrored packets are mirrored to the mirror destination before any ingress packet modifications.
debug>mirror-source# ip-filter ip-filter-id entry entry-id[entry-id …]
*A:ALA-A>debug>mirror-source# ip-filter 1 entry 20
An IP filter cannot be applied to a mirror destination SAP.
Common configuration tasks
This section provides a brief overview of the tasks that must be performed to configure local mirror services and provides CLI command syntax. Note that the local mirror source and mirror destination components must be configured under the same service ID context.
Each local mirrored service (Local mirrored service tasks) (within the same router) requires the following configurations:
Specify mirror destination (SAP).
Specify mirror source (port, SAP, IP filter, MAC filter).
Figure 5. Local mirrored service tasks 
Configuring a local mirror service
To configure a local mirror service, the source and destinations must be located on the same router. Note that local mirror source and mirror destination components must be configured under the same service ID context.
The mirror-source commands are used as traffic selection criteria to identify traffic to be mirrored at the source. Each of these criteria are independent. For example, use the debug>mirror-source>port {port-id | lag lag-id} {[egress] [ingress]} command and debug>mirror-source ip-filter ip-filter-id entry entry-id [entry-id…] command to capture (mirror) traffic that matches a specific IP filter entry and traffic ingressing and egressing a specific port. A filter must be applied to the SAP or interface if only specific packets are to be mirrored.
Use the following syntax to configure one or more mirror source parameters.
The mirror-dest commands are used to specify where the mirrored traffic is to be sent. Use the following syntax to configure mirror destination parameters.
config>mirror mirror-dest service-id [type {ether}] [create]
description string
sap sap-id [create]
no shutdown
debug# mirror-source service-id
ip-filter ip-filter-id entry entry-id [entry-id …]
ipv6-filter ip-filter-id entry entry-id [entry-id …]
mac-filter mac-filter-id entry entry-id [entry-id …]
port {port-id|lag lag-id} {[egress][ingress]}
sap sap-id {[ingress]}
no shutdown
The following is a sample local mirrored service using a NULL SAP configuration output. On ALA-A, mirror service 103 is mirroring traffic matching IP filter 2, entry 1 as well as egress and ingress traffic on port 1/1/23 and sending the mirrored packets to SAP 1/1/24.
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 103 create
sap 1/1/24 create
exit
no shutdown
exit
----------------------------------------------
*A:ALA-A>config>mirror#
The following is a sample local mirrored service using a dot1q SAP configuration output. User needs to configure a front-panel port for use with the mirroring application when the mirror destination is a Dot1q SAP or a Q1.* SAP, as follows.
*A:ALA-A>config>system>
------------------------------------------------------
loopback-no-svc-port mirror 1/1/14
-------------------------------------------------------
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 103 create
sap 1/1/10:100 create
exit
no shutdown
exit
----------------------------------------------
*A:ALA-A>config>mirror#
The following is sample debug mirroring information.
*A:ALA-A>debug>mirror-source# show debug mirror
debug
mirror-source 103
no shutdown
port 1/1/23 ingress
ip-filter 2 entry 1
exit
exit
*A:ALA-A>debug>mirror-source# exit
Configuring a remote mirror service
The source and destination are configured on different routers for remote mirroring. Note that mirror source and mirror destination parameters must be configured under the same service ID context.
Remote mirroring using MPLS SDP is supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode.
The mirror-source commands are used as traffic selection criteria to identify traffic to be mirrored at the source. For example, use the port port-id [lag-id] {[egress] [ingress]} and mac-filter mac-filter-id entry entry-id [entry-id …] commands.
Use the following syntax to configure one or more mirror source parameters.
debug> mirror-source service-id
ip-filter ip-filter-id entry entry-id [entry-id …]
ipv6-filter ip-filter-id entry entry-id [entry-id …]
mac-filter mac-filter-id entry entry-id [entry-id …]
port {port-id|lag lag-id} {[egress][ingress]}
sap sap-id {[ingress]}
no shutdown
The mirror-dest commands are used to specify where the mirrored traffic is to be sent, the forwarding class, and the size of the packet. Use the following syntax to configure mirror destination parameters.
config>mirror#
mirror-dest service-id
[create] [type <mirror-type>][mirror-source-type <mirror-source-type>]
description string
fc fc-name [profile <profile>]
remote-source
far-end ip-address [vc-id vc-id] [ing-svc-label ingress-vc-label|tldp]
sap sap-id create
no shutdown
The following figure shows the mirror destination, which is on ALA-A, configuration for mirror service 1216. This configuration specifies that the mirrored traffic coming from the mirror source (10.10.0.91) is to be directed to SAP /1/58 and states that the service only accepts traffic from far end 10.10.0.92 (ALA-B) with an ingress service label of 5678. When a forwarding class is specified, then all mirrored packets transmitted to the destination SAP or SDP override the default (be) forwarding class.
The following example displays the CLI output showing the configuration of remote mirrored service 1216. The traffic ingressing and egressing port 1/1/60 on 10.10.0.92 (ALA-B) will be mirrored to the destination SAP 1/1/58:0 on ALA-A.
The following is a sample remote mirror destination configuring the front panel port with mirroring application.
*A:7210SAS>config>mirror# info
----------------------------------------------
mirror-dest 23 mirror-source-type remote create
description "Added by createMirrorDestination 23"
fc be
remote-source
far-end 2.2.2.2 ing-svc-label 14000
exit
sap 1/1/4 create
exit
no shutdown
exit
mirror-dest 1000 create
fc be
spoke-sdp 200:1000 create
egress
vc-label 15000
exit
no shutdown
exit
no shutdown
exit
----------------------------------------------
*A:7210SAS>config>mirror# /show system internal-loopback-ports
===============================================================================
Internal Loopback Port Status
===============================================================================
Port Loopback Application Service
Id Type Enabled
-------------------------------------------------------------------------------
1/1/9 Physical Dot1q-Mirror No
===============================================================================
The following is a sample mirror destination configuration output for mirror service 1216 on ALA-A.
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 1000 type ether mirror-source-type remote create
description "Receiving mirror traffic from .91"
remote-source
far-end 2.2.2.2 tldp
exit
sap 1/1/21:21 create
egress
qos 1
exit
exit
no shutdown
exit
----------------------------------------------
*A:ALA-A>config>mirror#
The following is a sample remote mirror destination output configured on ALA-B.
*A:ALA-B>config>mirror# info
----------------------------------------------
mirror-dest 2000 type ether mirror-source-type local create
no description
no service-name
fc be
no remote-source
spoke-sdp 200:2000 create
egress
no vc-label
exit
no shutdown
exit
no shutdown
exit
----------------------------------------------
*A:ALA-B>config>mirror#
The following is a sample mirror source configuration output for ALA-B.
*A:ALA-B# show debug mirror
debug
mirror-source 1000
no shutdown
exit
mirror-source 2000
no shutdown
exit
exit
*A:ALA-B#
The following is a sample SDP configuration output from ALA-A to ALA-B (SDP 2) and the SDP configuration output from ALA-B to ALA-A (SDP 4).
*A:ALA-A>config>service>sdp# info
---------------------------------------------
description "MPLS-10.10.0.91"
far-end 10.10.0.01
signalling tldp
no shutdown
---------------------------------------------
*A:ALA-A>config>service>sdp#
*A:ALA-B>config>service>sdp# info
----------------------------------------------
description "MPLS-10.10.20.92"
far-end 10.10.10.103
signalling tldp
no shutdown
----------------------------------------------
*A:ALA-B>config>service>sdp#
Service management tasks
This section describes the service management tasks.
The following shows the command usage to modify an existing mirrored service.
config>mirror#
mirror-dest service-id [type {ether}]
description description-string
no description
sap sap-id
no sap
[no] shutdown
debug
[no] mirror-source service-id
ip-filter ip-filter-id entry entry-id [entry-id...]
no ip-filter ip-filter-id
no ip-filter entry entry-id [entry-id...]
ipv6-filter ip-filter-id entry entry-id [entry-id...]
no ipv6-filter ip-filter-id
no ipv6-filter entry entry-id [entry-id...]
mac-filter mac-filter-id entry entry-id [entry-id...]
no mac-filter mac-filter-id
no mac-filter mac-filter-id entry entry-id [entry-id...]
[no] port {port-id|lag lag-id} {[egress][ingress]}
[no] sap sap-id {[ingress]}
[no] shutdown
Modifying a local mirrored service
Existing mirroring parameters can be modified in the CLI. The changes are applied immediately. The service must be shut down if changes to the SAP are made.
The following shows the command usage to modify parameters for a basic local mirroring service.
config>mirror# mirror-dest 103
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# no sap
config>mirror>mirror-dest# sap 1/1/5 create
config>mirror>mirror-dest>sap$ exit
config>mirror>mirror-dest# no shutdown
debug# mirror-source 103
debug>mirror-source# no port 1/1/23
debug>mirror-source# port 1/1/7 ingress egress
The following is a sample of the local mirrored service modifications.
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 103 create
no shutdown
sap 1/1/5 create
exit
*A:ALA-A>debug>mirror-source# show debug mirror
debug
mirror-source 103
no shutdown
port 1/1/7 egress ingress
exit
*A:ALA-A>debug>mirror-source#
Deleting a local mirrored service
Existing mirroring parameters can be deleted in the CLI. A shutdown must be issued on a service level to delete the service. It is not necessary to shut down or remove SAP or port references to delete a local mirrored service.
The following shows the command usage to delete a local mirrored service.
ALA-A>config>mirror# mirror-dest 103
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# exit
config>mirror# no mirror-dest 103
config>mirror# exit
Modifying a remote mirrored service
Existing mirroring parameters can be modified in the CLI. The changes are applied immediately. The service must be shut down if changes to the SAP are made.
In the following example, the mirror destination is changed from 10.10.10.2 (ALA-B) to 10.10.10.3 (SR3). Note that the mirror-dest service ID on ALA-B must be shut down first before it can be deleted.
The following shows the command usage to modify parameters for a remote mirrored service.
*A:ALA-A>config>mirror# mirror-dest 104
config>mirror>mirror-dest# remote-source
config>mirror>mirror-dest>remote-source# no far-end 10.10.10.2
remote-source# far-end 10.10.10.3 ing-svc-label 3500
*A:ALA-B>config>mirror# mirror-dest 104
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# exit
config>mirror# no mirror-dest 104
SR3>config>mirror# mirror-dest 104 create
config>mirror>mirror-dest# sdp 4 egr-svc-label 3500
config>mirror>mirror-dest# no shutdown
config>mirror>mirror-dest# exit all
SR3># debug
debug# mirror-source 104
debug>mirror-source# port 551/1/2 ingress egress
debug>mirror-source# no shutdown
*A:ALA-A>config>mirror# info
----------------------------------------------
mirror-dest 104 create
remote-source
far-end 2.2.2.2 tldp
exit
sap 1/1/21:21 create
egress
qos 1
exit
exit
no shutdown
exit
A:SR3>config>mirror# info
----------------------------------------------
mirror-dest 104 create
spoke-sdp 200:2000 create
no shutdown
exit
----------------------------------------------
A:SR3>config>mirror#
A:SR3# show debug mirror
debug
mirror-source 104
no shutdown
Deleting a remote mirrored service
Existing mirroring parameters can be deleted in the CLI. A shut down must be issued on a service level to delete the service. It is not necessary to shut down or remove SAP, or far-end references to delete a remote mirrored service.
To delete a mirror service, the spoke-SDP service has to be deleted from the service. Mirror destinations must be shut down first before they are deleted.
*A:ALA-A>config>mirror# mirror-dest 105
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# exit
config>mirror# no mirror-dest 105
config>mirror# exit
*A:ALA-B>config>mirror# mirror-dest 105
config>mirror>mirror-dest# shutdown
config>mirror>mirror-dest# exit
config>mirror# no mirror-dest 105
config>mirror# exit
The mirror destination service ID 105 was removed from the configuration on ALA-A and ALA-B, therefore, does not appear in the info command output.
*A:ALA-A>config>mirror# info
----------------------------------------------
----------------------------------------------
*A:ALA-A>config>mirror# exit
*A:ALA-B>config>mirror# info
----------------------------------------------
----------------------------------------------
*A:ALA-B>config>mirror# exit
Because the mirror destination was removed from the configuration on ALA-B, the port information was automatically removed from the debug mirror-source configuration.
*A:ALA-B# show debug mirror
debug
exit
*A:ALA-B#
Mirror service command reference
Command hierarchies
Mirror configuration commands for 7210 SAS devices configured in access-uplink mode
config
- mirror
- mirror-dest service-id [type mirror-type] [create]
- no mirror-dest service-id
- description description-string
- no description
- [no] fc [fc-name] profile {profile}
- sap sap-id [create]
- no sap
- service-name service-name
- [no]service-name
- [no] shutdown
Mirror configuration commands for 7210 SAS-T, 7210 SAS-Sx/S 1/10GE, 7210 SAS-Sx 10/100GE, 7210 SAS-Mxp, 7210 SAS-R6, and 7210 SAS-R12 in network and standalone mode
config
- mirror
- mirror-dest service-id [type encap-type] [mirror-source-type mirror-source-type] [create]
- no mirror-dest service-id
- description description-string
- no description
- [no] fc [fc-name] profile profile
- no remote-source
- remote-source
- far-end ip-address [vc-id vc-id] [ing-svc-label ingress-vc-label| tldp]
- no far-end ip-address
- spoke-sdp sdp-id:vc-id [create]
- no spoke-sdp sdp-id:vc-id
- sap sap-id [create]
- no sap
- [no] egress
- [no] qos policy-id
- service-name service-name
- [no]service-name
- [no] shutdown
- no spoke-sdp sdp-id:vc-id
- spoke-sdp sdp-id:vc-id [create]
- egress
- no vc-label [egress-vc-label]
- vc-label egress-vc-label
- no shutdown
- shutdown
Show commands
show
- debug [application]
- mirror mirror-dest [service-id]
- service
- service-using mirror
Debug commands
debug
- [no] mirror-source service-id
- [no] ip-filter ip-filter-id [entry entry-id]
- [no] ipv6-filter ipv6-filter-id [entry entry-id]
- [no] mac-filter mac-filter-id [entry entry-id...]
- [no] port {port-id | lag lag-id} [egress] [ingress]
- [no] sap sap-id {[ingress] [egress]}
- [no] shutdown
Command descriptions
Configuration commands
Generic commands
description
Syntax
description description-string
no description
Context
config>mirror>mirror-dest
Platforms
Supported on all 7210 SAS platforms as described in this document, including platforms configured in the access-uplink operating mode
Description
This command creates a text description stored in the configuration file for a configuration context to help the administrator identify the content of the file.
The no form of this command removes the description string.
Parameters
- description-string
Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
shutdown
Syntax
[no] shutdown
Context
config>mirror>mirror-dest
config>mirror>mirror-dest>spoke-sdp>egress (not supported in the access-uplink operating mode)
debug>mirror-source
Platforms
Supported on all 7210 SAS platforms as described in this document, including platforms configured in the access-uplink operating mode
Description
This command administratively disables an entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command.
Unlike other commands and parameters where the default state is not indicated in the configuration file, shutdown and no shutdown are always indicated in system generated configuration files.
The no form of this command puts an entity into the administratively enabled state.
Default
See the following Special Cases.
Special Cases
- Mirror Destination
When a mirror destination service ID is shutdown, mirrored packets associated with the service ID are not accepted from the mirror source device. The associated mirror source is put into an operationally down mode. Mirrored packets are not transmitted out of the SAP. Each mirrored packet is silently discarded. If the mirror destination is a SAP, the SAP’s discard counters are increased.
The shutdown command places the mirror destination service or mirror source into an administratively down state. The mirror-dest service ID must be shut down to delete the service ID, SAP association from the system.
The default state for a mirror destination service ID is shutdown. A no shutdown command is required to enable the service.
- Mirror Source
Mirror sources do not need to be shutdown to remove them from the system.
When a mirror source is shutdown, mirroring is terminated for all sources defined locally for the mirror-dest service ID.
The default state for a mirror source for a specific mirror-dest service ID is no shutdown. A shutdown command is required to disable mirroring from that mirror-source.
Mirror destination configuration commands
mirror-dest
Syntax
mirror-dest service-id [type encap-type] [mirror-source-type mirror-source-type] [create]
no mirror-dest
Context
config>mirror
Platforms
Supported on all 7210 SAS platforms as described in this document, including platforms configured in the access-uplink operating mode
Description
This command sets up a service that is intended for packet mirroring. It is configured as a service to allow mirrored packets to be directed locally (within the same device), over the core of the network and have a far end device decode the mirror encapsulation.
The mirror-dest service comprises destination parameters that define where the mirrored packets are to be sent. It also specifies whether the defined service-id receives mirrored packets from far end devices over the network core.
The mirror-dest service IDs are persistent between boots of the router and are included in the configuration backups. The local sources of mirrored packets for the service ID are defined within the debug mirror mirror-source command that references the same service-id.
The mirror-dest command is used to create or edit a service ID for mirroring purposes. If the service-id does not exist within the context of all defined services, the mirror-dest service is created and the context of the CLI is changed to that service ID. If the service-id exists within the context of defined mirror-dest services, the CLI context is changed for editing parameters on that service ID. If the service-id exists within the context of another service type, an error message is returned and CLI context is not changed from the current context.
The no form of this command removes a mirror destination from the system. The mirror-source associations with the mirror-dest service-id do not need to be removed or shutdown first. The mirror-dest service-id must be shutdown before the service ID can be removed. When the service ID is removed, all mirror-source commands that have the service ID defined are also removed from the system.
Parameters
- service-id
Specifies the service ID that identifies the service in the service domain. This ID is unique to this service and cannot be used by any other service, regardless of service type. The same service ID must be configured on every device that this particular service is defined on.
If a particular service ID already exists for a service, the same value cannot be used to create a mirror destination service ID with the same value.
For example:
If an Epipe service-ID 11 exists, a mirror destination service-ID 11 cannot be created. If a VPLS service-ID 12 exists, a mirror destination service-ID 12 cannot be created.
If an IES service-ID 13 exists, a mirror destination service-ID 13 cannot be created.
- type encap-type
Specifies the type describes the encapsulation supported by the mirror service.
- mirror-source-type
Allows scaling of mirror services that can be used only with remote mirror sources, while limiting the mirror services that can be used by local mirror sources or by both local and remote mirror sources. For more information, see Combinations of SAPs, spoke-SDPs, and remote sources allowed in a mirror service. This parameter is not supported in the access-uplink operating mode.
- local
Indicates that the mirror service can only be used by local mirror sources.
- remote
Indicates that the mirror service can only be used by remote mirror sources.
- both
Indicates that the mirror service can be used by both local and remote mirror sources.
fc
Syntax
fc fc-name
no fc
Context
config>mirror>mirror-dest
Platforms
7210 SAS-T (network and access-uplink), 7210 SAS-Sx/S 1/10GE (standalone and standalone-VC), and 7210 SAS-Sx 10/100GE
Description
This command specifies a forwarding class for all mirrored copies of the packets transmitted to the destination SAP overriding the default (be) forwarding class. All packets are sent with the same class of service to minimize out-of-sequence issues. The mirrored copy of the packet does not inherit the forwarding class of the original packet.
When the destination is on a SAP, it pulls buffers from the queue associated with the FC name and the shaping and scheduling treatment given to the packet is as per the user configuration for that queue.
The FC can be assigned only when the mirror source is local. When the mirror source is remote, the network QoS ingress policies that are applied to all the traffic received on the network port and network IP interface are also applied to mirror traffic.
On the 7210 SAS-T, 7210 SAS-Sx/S 1/10GE (standalone and standalone-VC), and 7210 SAS-Sx 10/100GE, all SAPs configured on a port use the port-based egress queues. If the mirror destination SAP (that is, dot1q SAP or a Q1.* SAP) is configured to share an uplink with service traffic, the mirrored copy of the traffic sent out of the Dot1q or Q1.* SAP shares the port-based egress queues with the other service traffic. The user is provided an option to assign the profile mirrored copy to the packet, so that during congestion, the mirrored copy of the packets marked as out-of-profile is dropped before in-profile service traffic (and possibly in-profile mirrored traffic, if the user has configured mirrored traffic to be in-profile). The profile is used to determine the slope policy to use for the packet and determines the packet drop precedence. Additionally, if marking is enabled, it determines the marking value to be used in the packet header.
On the 7210 SAS-Mxp, 7210 SAS-R6 and 7210 SAS-R12, SAP-based egress queue QoS policy is used when the port-based egress queuing is disabled on the mirrored destination SAP, allowing users to control the amount of bandwidth allocated for mirrored traffic. If port-based queuing is enabled, all SAPs configured on a port use the port-based egress queues.
The no form of this command returns the mirror-dest service ID forwarding class to the default forwarding class.
Default
The best effort (be) forwarding class is associated with the mirror-dest service ID and profile is out.
Parameters
- fc-name
Specifies the name of the forwarding class with which to associate mirrored service traffic. The forwarding class name must already be defined within the system. If the FC name does not exist, an error is returned and the fc command has no effect. If the FC name does exist, the forwarding class associated with fc-name overrides the default forwarding class.
- profile
Specifies the profile to assign to the mirrored copy of the service traffic. The profile is used to determine the slope policy to use for the packet and determines the packet's drop precedence. Additionally, if marking is enabled, it determines the marking value to be used in the packet header. A value of in marks the traffic as in-profile traffic and results in the use of high slope parameters. A value of out marks the traffic as out-of-profile and results in the use of low slope parameters.
far-end
Syntax
far-end ip-address [vc-id vc-id] [ing-svc-label ing-vc-label | tldp]
no far-end ip-addr
Context
config>mirror>mirror-dest>remote-source
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command defines the remote device and configures parameters for mirror destination services on other devices that are allowed to mirror to the mirror destination service ID.
The far-end command is used within the context of the remote-source node. It allows the definition of accepted remote sources for mirrored packets to this mirror destination service ID. If a far-end router is not specified, packets sent to the router are discarded.
The far-end command is used to define a remote source that may send mirrored packets to this 7210 SAS for handling by this mirror-dest service-id.
When using LDP IPv6 LSP SDPs in the remote mirroring solution, the user must configure the destination node with config>mirror>mirror-dest>remote-source>spoke-sdp entries. For all other types of SDPs, config>mirror>mirror-dest>remote-source>far-end entries are used.
The ing-svc-label keyword must be entered to manually define the expected ingress service label. This ingress label must also be manually defined on the far-end address through the mirror-dest SDP binding keyword egr-svc-label.
The no form of this command deletes a far-end address from the allowed remote senders to this mirror-dest service. All far-end addresses are removed when no remote-source is executed. All signaled ingress service labels are withdrawn from the far-end address affected. All manually defined ing-svc-label configurations are removed.
Parameters
- ip-address
Specifies the service IP address (system IP address) of the remote device sending mirrored traffic to this mirror destination service. If 0.0.0.0 is specified, any remote is allowed to send to this service.
- vc-id vc-id
Specifies the virtual circuit identifier.
- ing-svc-label ing-vc-label
Specifies the ingress service label for mirrored service traffic on the far-end device for manually configured mirror service labels.
The defined ing-svc-label is entered into the ingress service label table which causes ingress packet with that service label to be handled by this mirror-dest service.
The specified ing-svc-label must not have been used for any other service ID and must match the far end expected specific egr-svc-label for this 7210 SAS. It must be within the range specified for manually configured service labels defined on this 7210 SAS. It may be reused for other far end addresses on this mirror-dest-service-id.
- tldp
Specifies that the label is obtained through signaling via the LDP.
remote-source
Syntax
[no] remote-source
Context
config>mirror>mirror-dest
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures remote devices to mirror traffic to this device for mirror service egress. Optionally, this command deletes all previously defined remote mirror ingress devices.
The remote-source context allows the creation of a ‛sniffer farm’ to consolidate expensive packet capture and diagnostic tools to a central location. Remote areas of the access network can be monitored via normal service provisioning techniques.
Specific far-end routers can be specified with the far-end command allowing them to use this router as the destination for the same mirror-dest-service-id.
The remote-source node allows the source of mirrored packets to be on remote 7210 SAS devices. The local 7210 SAS configures its network ports to forward packets associated with the service-id to the destination SAP. When remote-source far-end addresses are configured, an SDP is not allowed as a destination.
By default, the remote-source context contains no far-end addresses. When no far-end addresses have been specified, network remote devices are not allowed to mirror packets to the local 7210 SAS as a mirror destination. Packets received from unspecified far-end addresses are discarded at network ingress.
The no form of this command restores the service-id to the default condition to not allow a remote 7210 SAS access to the mirror destination. The far-end addresses are removed without warning.
sap
Syntax
sap sap-id [create]
no sap
Context
config>mirror>mirror-dest
Platforms
Supported on all 7210 SAS platforms as described in this document, including platforms configured in the access-uplink operating mode
Description
This command creates a service access point (SAP) within a mirror destination service. The SAP is owned by the mirror destination service ID.
The SAP is defined with port and encapsulation parameters to uniquely identify the (mirror) SAP on the interface and within the box. The specified SAP must define an Ethernet port with a null SAP or a Dot1q SAP or a Q1.* SAP.
Only one SAP can be created within a mirror-dest service ID. If the defined SAP has not been created on any service within the system, the SAP is created and the context of the CLI changes to the newly created SAP. In addition, the port cannot be a member of a multi-link bundle, LAG, APS group or IMA bundle.
If the defined SAP exists in the context of another service ID, mirror-dest or any other type, an error is generated.
Mirror destination SAPs can be created on Ethernet interfaces that have been defined as an access port or access-uplink port. If the interface is defined as network, the SAP creation returns an error.
When using a dot1q SAP or a Q1.* SAP as a mirror destination, users must allocated resources of another port for use by this features. Refer the mirror configuration notes preceding Configuration notes.
The no form of this command used on a SAP created by a mirror destination service ID, deletes the SAP with the specified port and encapsulation parameters.
Parameters
- sap-id
Specifies the physical port identifier portion of the SAP definition. See Common CLI command descriptions for command syntax.
service-name
Syntax
service-name service-name
no service-name
Context
config>mirror>mirror-dest
Platforms
Supported on all 7210 SAS platforms as described in this document, including platforms configured in the access-uplink operating mode
Description
This command configures an optional service name, up to 64 characters, which adds a name identifier to a specific service to use that service name in configuration references as well as display and use service names in show commands throughout the system. This helps the service provider/administrator to identify and manage services within the 7210 SAS platforms.
All services are required to assign a service ID to initially create a service. However, either the service ID or the service name can be used to identify and reference a specific service when it is initially created.
Parameters
- service-name
Specifies a unique service name to identify the service. Service names may not begin with an integer (0-9).
spoke-sdp
Syntax
spoke-sdp sdp-id:vc-id [create] [no-endpoint]
spoke-sdp sdp-id:vc-id [create] endpoint name
spoke-sdp sdp-id:vc-id [create]
no sdp sdp-id:vc-id
Context
config>mirror>mirror-dest
config>mirror>mirror-dest>remote-source (only supported on the 7210 SAS-Mxp (standalone mode))
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command binds an existing (mirror) service distribution path (SDP) to the mirror destination service ID.
The operational state of the SDP dictates the operational state of the SDP binding to the mirror destination. If the SDP is shutdown or operationally down, SDP binding is down. When the binding is defined and the service and SDP are operational, the far-end router defined in the config service sdp sdp-id far-end parameter is considered part of the service ID.
Only one SDP can be associated with a mirror destination service ID. If a second sdp command is executed after a successful SDP binding, an error occurs and the command has no effect on the existing configuration. A no sdp command must be issued before a new SDP binding can be attempted.
An SDP is a logical mechanism that ties a far end router to a specific service without having to define the far-end SAP. Each SDP represents a method to reach a router.
The other method is Multi-Protocol Label Switching (MPLS) encapsulation. Routers support both signaled and non-signaled LSPs (Label Switched Path) though the network. Non-signaled paths are defined at each hop through the network. Signaled paths are protocol communicated from end to end using RSVP. Paths may be manually defined or a constraint based routing protocol (OSPF-TE or CSPF) can be used to determine the best path with specific constraints.
SDPs are created and then bound to services. Many services can be bound to a single SDP. The operational and administrative state of the SDP controls the state of the SDP binding to the service.
An egress service label (Martini VC-Label), used by the SDP to differentiate each service bound to the SDP to the far-end router, must be obtained manually or though signaling with the far end. If manually configured, it must match the ing-svc-label defined for the local router.
No default SDP ID is bound to a mirror destination service ID. If no SDP is bound to the service, the mirror destination is local and cannot be to another router over the core network.
When using remote mirroring with spoke-SDP configured as a mirror destination, users must allocated resources of another port for use by this features. Refer the mirror configuration notes preceding Configuration notes.
The no form of this command removes the SDP binding from the mirror destination service. When removed, no packets are forwarded to the far-end (destination) router from that mirror destination service ID.
Parameters
- sdp-id[:vc-id]
Specifies a locally unique SDP identification (ID) number. The SDP ID must exist. If the SDP ID does not exist, an error occurs and the command does not execute.
For mirror services, the vc-id defaults to the service-id. However, there are scenarios where the vc-id is being used by another service. In this case, the SDP binding cannot be created. So, to avoid this, the mirror service SDP bindings now accepts vc-ids.
- vc-id
Specifies the virtual circuit identifier.
- endpoint name
Specifies the name of the endpoint associated with the SAP.
- no endpoint
Removes the association of a SAP or a SDP with an explicit endpoint name.
egress
Syntax
egress
Context
config>mirror>mirror-dest>spoke-sdp
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure spoke SDP egress parameters.
vc-label
Syntax
vc-label egress-vc-label
no vc-label [egress-vc-label]
Context
config>mirror>mirror-dest>spoke-sdp>egress
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the spoke-SDP egress VC label.
Parameters
- egress-vc-label
Specifies a VC egress value that indicates a specific connection.
egress
Syntax
egress
Context
config>mirror>sap
Platforms
7210 SAS-Mxp, 7210 SAS-R6, and 7210 SAS-R12
Description
Commands in this context configure QoS egress policies for this SAP.
qos
Syntax
[no] qos policy-id
Context
config>mirror>sap>egress
Platforms
7210 SAS-Mxp, 7210 SAS-R6, and 7210 SAS-R12
Description
This command configures the QoS policy for the mirror destination SAP egress. The SAP egress QoS policy to use is specified using the policy ID and must have been configured before associating this policy with the SAP. The SAP egress policy can be configured using the commands under the context config>qos>sap-egress.
When a SAP egress policy is associated with the SAP configured as a mirror destination, the queue associated with FC specified with the CLI command config>mirror>mirror-dest>fc is used for traffic sent out of the mirror destination SAP. The policy allows the user to specify the amount of buffers, the WRED policy, the shaping rate and the marking values to use for the mirrored copy.
On the 7210 SAS-Mxp, 7210 SAS-R6, and 7210 SAS-R12, this command is available only when SAP-based egress queuing is configured. The command is not available when port-based egress queuing is configured.
The no form of this command associates the default SAP egress QoS policy with the SAP.
Default
no qos
Parameters
- policy-id
Specifies the QoS policy to be associated with SAP egress. The QoS policy referred to by the policy-id is configured using the commands under config>qos>sap-egress.
Mirror source configuration commands
mirror-source
Syntax
[no] mirror-source service-id
Context
debug
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures mirror source parameters for a mirrored service.
The mirror-source command is used to enable mirroring of packets specified by the association of the mirror-source to sources of packets defined within the context of the mirror-dest-service-id. The mirror destination service must already exist within the system.
A mirrored packet cannot be mirrored to multiple destinations. If a mirrored packet is correctly referenced by multiple mirror sources (for example, a SAP on one mirror-source and a port on another mirror-source), the packet is mirrored to a single mirror-dest-service-id based on the following hierarchy:
Filter entry
Service access port (SAP)
Physical port
The hierarchy is structured so the most specific match criteria has precedence over a less specific match. For example, if a mirror-source defines a port and a SAP on that port, the SAP mirror-source is accepted and the mirror-source for the port is ignored because of the hierarchical order of precedence.
The mirror-source configuration is not saved when a configuration is saved. A mirror-source manually configured within an ASCII configuration file is not preserved if that file is overwritten by a save command. Define the mirror-source within a file associated with a config exec command to make a mirror-source persistent between system reboots.
By default, all mirror-dest service IDs have a mirror-source associated with them. The mirror-source is not technically created with this command. Instead the service ID provides a contextual node for storing the current mirroring sources for the associated mirror-dest service ID. The mirror-source is created for the mirror service when the operator enters the debug>mirror-source svcId for the first time. The mirror-source is also automatically removed when the mirror-dest service ID is deleted from the system.
The no form of this command deletes all related source commands within the context of the mirror-source service-id. The command does not remove the service ID from the system.
Parameters
- service-id
Specifies the mirror destination service ID for which match criteria is defined. The service-id must already exist within the system.
ip-filter
Syntax
ip-filter ip-filter-id entry entry-id [entry-id …]
no ip-filter ip-filter-id entry entry-id
Context
debug>mirror-source
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables mirroring of packets that match specific entries in an existing IP filter.
The ip-filter command directs packets which match the defined list of entry IDs to be mirrored to the mirror destination referenced by the mirror-dest-service-id of the mirror-source.
The IP filter must already exist in order for the command to execute. Filters are configured in the config>filter context. If the IP filter does not exist, an error occurs. If the filter exists but has not been associated with a SAP or IP interface, an error is not generated but mirroring is not enabled (there are no packets to mirror). When the IP filter is defined to a SAP or IP interface, mirroring is enabled.
If the IP filter is defined as ingress, only ingress packets are mirrored. Ingress mirrored packets are mirrored to the mirror destination before any ingress packet modifications.
If the IP filter is defined as egress, only egress packets are mirrored. Egress mirrored packets are mirrored to the mirror destination after all egress packet modifications.
An entry-id within an IP filter can only be mirrored to a single mirror destination. If the same entry-id is defined multiple times, an error occurs and only the first mirror-source definition is in effect.
By default, no packets matching any IP filters are mirrored. Mirroring of IP filter entries must be explicitly defined.
The no ip-filter command, without the entry keyword, removes mirroring on all entry-id’s within the ip-filter-id.
The no command executed with the entry keyword and one or more entry-id’s, terminates mirroring of that list of entry-ids within the ip-filter-id. If an entry-id is listed that does not exist, an error occurs and the command does not execute. If an entry-id is listed that is not currently being mirrored, no error occurs for that entry-id and the command executes.
Parameters
- ip-filter-id
Specifies the IP filter ID whose entries are mirrored. If the ip-filter-id does not exist, an error occurs and the command does not execute. Mirroring of packets commences when the ip-filter-id is defined on a SAP or IP interface.
- entry entry-id [entry-id…]
Specifies the IP filter entries to use as match criteria for packet mirroring. The entry keyword begins a list of entry-ids for mirroring. Multiple entry-id entries may be specified with a single command. Each entry-id must be separated by a space.
If an entry-id does not exist within the IP filter, an error occurs and the command does not execute.
If the filter’s entry-id is renumbered within the IP filter definition, the old entry-id is removed but the new entry-id must be manually added to the configuration to include the new (renumbered) entry’s criteria.
ipv6-filter
Syntax
ipv6-filter ip-filter-id entry entry-id [entry-id …]
no ipv6-filter ip-filter-id entry entry-id
Context
debug>mirror-source
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables mirroring of packets that match specific entries in an existing IPv6 filter.
The ipv6-filter command directs packets which match the defined list of entry IDs to be mirrored to the mirror destination referenced by the mirror-dest-service-id of the mirror-source.
The IPv6 filter must already exist in order for the command to execute. Filters are configured in the config>filter context. If the IPv6 filter does not exist, an error occurs. If the filter exists but has not been associated with a SAP or IP interface, an error is not generated but mirroring is not enabled (there are no packets to mirror). When the IPv6 filter is defined to a SAP or IP interface, mirroring is enabled.
If the IPv6 filter is defined as ingress, only ingress packets are mirrored. Ingress mirrored packets are mirrored to the mirror destination before any ingress packet modifications.
If the IPv6 filter is defined as egress, only egress packets are mirrored. Egress mirrored packets are mirrored to the mirror destination after all egress packet modifications.
An entry-id within an IPv6 filter can only be mirrored to a single mirror destination. If the same entry-id is defined multiple times, an error occurs and only the first mirror-source definition is in effect.
By default, no packets matching any IPv6 filters are mirrored. Mirroring of IPv6 filter entries must be explicitly defined.
The no ipv6-filter command, without the entry keyword, removes mirroring on all entry-ids within the ipv6-filter-id.
When the no command is executed with the entry keyword and one or more entry-ids, mirroring of that list of entry-ids is terminated within the ipv6-filter-id. If an entry-id is listed that does not exist, an error occurs and the command does not execute. If an entry-id is listed that is not currently being mirrored, no error occurs for that entry-id and the command executes.
Parameters
- ipv6-filter-id
The IPv6 filter ID whose entries are mirrored. If the ipv6-filter-id does not exist, an error occurs and the command does not execute. Mirroring of packets commences when the ipv6-filter-id is defined on a SAP or IP interface.
- entry entry-id [entry-id…]
Specifies the IPv6 filter entries to use as match criteria for packet mirroring. The entry keyword begins a list of entry-ids for mirroring. Multiple entry-id entries may be specified with a single command. Each entry-id must be separated by a space.
If an entry-id does not exist within the IPv6 filter, an error occurs and the command does not execute.
If the filter’s entry-id is renumbered within the IPv6 filter definition, the old entry-id is removed but the new entry-id must be manually added to the configuration to include the new (renumbered) entry’s criteria.
mac-filter
Syntax
mac-filter mac-filter-id entry entry-id [entry-id …]
no mac-filter mac-filter-id
no mac-filter mac-filter-id entry entry-id [entry-id …]
Context
debug>mirror-source
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables mirroring of packets that match specific entries in an existing MAC filter.
The mac-filter command directs packets which match the defined list of entry IDs to be mirrored to the mirror destination referenced by the mirror-dest-service-id of the mirror-source.
The MAC filter must already exist in order for the command to execute. Filters are configured in the config>filter context. If the MAC filter does not exist, an error occurs. If the filter exists but has not been associated with a SAP or IP interface, an error is not generated but mirroring is not enabled (there are no packets to mirror). When the filter is defined to a SAP or MAC interface, mirroring is enabled.
If the MAC filter is defined as ingress, only ingress packets are mirrored. Ingress mirrored packets are mirrored to the mirror destination before any ingress packet modifications.
The no mac-filter command, without the entry keyword, removes mirroring on all entry-ids within the mac-filter-id.
When the no command is executed with the entry keyword and one or more entry-ids, mirroring of that list of entry-id’s is terminated within the mac-filter-id. If an entry-id is listed that does not exist, an error occurs and the command does not execute. If an entry-id is listed that is not currently being mirrored, no error occurs for that entry-id and the command executes.
Parameters
- mac-filter-id
Specifies the MAC filter ID whose entries are mirrored. If the mac-filter-id does not exist, an error occurs and the command does not execute. Mirroring of packets commences when the mac-filter-id is defined on a SAP.
- entry entry-id [entry-id…]
Specifies the MAC filter entries to use as match criteria for packet mirroring. The entry keyword begins a list of entry-id’s for mirroring. Multiple entry-id entries may be specified with a single command. Each entry-id must be separated by a space. Up to 8 entry IDs may be specified in a single command.
Each entry-id must exist within the mac-filter-id. If the entry-id is renumbered within the MAC filter definition, the old entry-id is removed from the list and the new entry-id needs to be manually added to the list if mirroring is still wanted.
If no entry-id entries are specified in the command, mirroring does not occur for that MAC filter ID. The command has no effect.
port
Syntax
port {port-id | lag lag-id} {[egress] [ingress]}
no port {port-id | lag lag-id} [egress] [ingress]
Context
debug>mirror-source
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables mirroring of traffic ingressing or egressing a port (Ethernet port, or Link Aggregation Group (LAG)).
The port command associates a port or LAG to a mirror source. The port is identified by the port-id. The defined port may be Ethernet, access or access uplink. access. A port may be a single port or a Link Aggregation Group (LAG) ID. When a LAG ID is specified as the port-id, mirroring is enabled on all ports making up the LAG. Either a LAG port member or the LAG port can be mirrored.
The port is only referenced in the mirror source for mirroring purposes. If the port is removed from the system, the mirroring association is removed from the mirror source.
The same port may not be associated with multiple mirror source definitions with the ingress parameter defined. The same port may not be associated with multiple mirror source definitions with the egress parameter defined.
If a SAP is mirrored on an access port, the SAP mirroring has precedence over the access port mirroring when a packet matches the SAP mirroring criteria. Filter and label mirroring destinations have precedence over a port-mirroring destination.
If the port is not associated with a mirror-source, packets on that port are not mirrored. Mirroring may still be defined for a SAP or filter entry, which mirrors based on a more specific criteria.
The no form of this command disables port mirroring for the specified port. Mirroring of packets on the port may continue because of more specific mirror criteria. If the egress or ingress parameter keywords are specified in the no command, only the ingress or egress mirroring condition are removed.
Parameters
- port-id
Specifies the port ID.
- lag-id
Specifies the LAG identifier, expressed as a decimal integer.
- egress
Specifies that packets egressing the port should be mirrored. Egress packets are mirrored to the mirror destination after egress packet modification.
- ingress
Specifies that packets ingressing the port should be mirrored. Ingress packets are mirrored to the mirror destination before ingress packet modification.
sap
Syntax
no sap sap-id {[ingress]}
no sap sap-id {[ingress]}
Context
debug>mirror-source
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables mirroring of traffic ingressing or egressing a service access port (SAP). A SAP that is defined within a mirror destination cannot be used in a mirror source. The mirror source SAP referenced by the sap-id is owned by the service ID of the service in which it was created. The SAP is only referenced in the mirror source name for mirroring purposes. The mirror source association does not need to be removed before deleting the SAP from its service ID. If the SAP is deleted from its service ID, the mirror association is removed from the mirror source.
More than one SAP can be associated within a single mirror-source. Each SAP has its own ingress parameter keywords to define which packets are mirrored to the mirror destination.
The SAP must be valid and correctly configured. If the associated SAP does not exist, an error occurs and the command does not execute.
The same SAP cannot be associated with multiple mirror source definitions for ingress packets.
If a particular SAP is not associated with a mirror source name, that SAP does not have mirroring enabled for that mirror source.
The no form of this command disables mirroring for the specified SAP. All mirroring for that SAP on ingress and egress is terminated. Mirroring of packets on the SAP can continue if more specific mirror criteria is configured. If the egress or ingress parameter keywords are specified in the no command, only the ingress or egress mirroring condition is removed.
Parameters
- sap-id
Specifies the physical port identifier portion of the SAP definition. See Common CLI command descriptions for command syntax.
- ingress
Specifies that packets ingressing the SAP should be mirrored. Ingress packets are mirrored to the mirror destination before ingress packet modification.
Show commands
debug
Syntax
debug [application]
Context
show
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays set debug points.
Parameters
- application
Displays which debug points have been set.
Output
The following output is an example of debug point information.
Sample output*A:alu1# show debug
debug
mirror-source 101
port 1/1/1 ingress
no shutdown
exit
mirror-source 102
port 1/1/3 egress
no shutdown
exit
exit
*A:alu1#
service-using
Syntax
service-using [mirror]
Context
show>service
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays mirror services.
If no optional parameters are specified, all services defined on the system are displayed.
Parameters
- mirror
Displays mirror services.
Output
The following output is an example of mirror services information, and Output Fields: service-using describes the output fields.
Sample outputA:ALA-48# show service service-using mirror
===============================================================================
Services [mirror]
===============================================================================
ServiceId Type Adm Opr CustomerId Last Mgmt Change
-------------------------------------------------------------------------------
218 Mirror Up Down 1 04/08/2007 13:49:57
318 Mirror Down Down 1 04/08/2007 13:49:57
319 Mirror Up Down 1 04/08/2007 13:49:57
320 Mirror Up Down 1 04/08/2007 13:49:57
1000 Mirror Down Down 1 04/08/2007 13:49:57
1216 Mirror Up Down 1 04/08/2007 13:49:57
1412412 Mirror Down Down 1 04/08/2007 13:49:57
-------------------------------------------------------------------------------
Matching Services : 7
===============================================================================
A:ALA-48#
| Label | Description |
|---|---|
Service Id |
The service identifier. |
Type |
Specifies the service type configured for the service ID. |
Adm |
The desired state of the service. |
Opr |
The operating state of the service. |
CustomerID |
The ID of the customer who owns this service. |
Last Mgmt Change |
The date and time of the most recent management-initiated change to this service. |
mirror
Syntax
mirror mirror-dest service-id
Context
show
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays mirror configuration and operation information.
Parameters
- service-id
Specifies the mirror service ID.
Output
The following outputs are examples of mirroring information, and Output fields: mirror describes the output fields.
Sample output*A:7210SAS>config>mirror>mirror-dest$ show mirror mirror-dest
===============================================================================
Mirror Services
===============================================================================
Id Type Adm Opr Destination SDP Lbl/
SAP QoS Src
Allowed
-------------------------------------------------------------------------------
1 Ether Down Down None n/a 0 Local
1000 Ether Up Down SDP 400 (1.1.1.1) Pending 0 Local
2000 Ether Up Up SAP 1/1/17:17 1 0 Remote
===============================================================================
*A:7210SAS>config>mirror>mirror-dest$
*A:7210SAS>config>mirror>mirror-dest$ show mirror mirror-dest 1
===============================================================================
Mirror Service
===============================================================================
Service Id : 1 Type : Ether
Description : (Not Specified)
Admin State : Down Oper State : Down
Mirror Sources Allowed : Local
Forwarding Class : be Remote Sources: No
Profile : out
==============================================================
Mirror Services SDP
==============================================================
SdpId IP Addr CfgLabel Signal EgrLabel
--------------------------------------------------------------
No Matching Entries
==============================================================
-------------------------------------------------------------------------------
Local Sources
-------------------------------------------------------------------------------
Admin State : Up
No Mirror Sources configured
===============================================================================
*A:7210SAS>config>mirror>mirror-dest$
*A:7210SAS# show mirror mirror-dest 1000
===============================================================================
Mirror Service
===============================================================================
Service Id : 1000 Type : Ether
Description : (Not Specified)
Admin State : Up Oper State : Down
Mirror Sources Allowed : Local
Profile : out
Destination SAP : 1/1/1
-------------------------------------------------------------------------------
Local Sources
-------------------------------------------------------------------------------
Admin State : Up
-Port 1/1/1 Ing
===============================================================================
*A:7210SAS#
| Label | Description |
|---|---|
Service Id |
The service ID associated with this mirror destination. |
Type |
Entries in this table have an implied storage type of ‟volatile”. The configured mirror source information is not persistent. |
Admin State |
Up — The mirror destination is administratively enabled. |
Down — The mirror destination is administratively disabled. |
|
Oper State |
Up — The mirror destination is operationally enabled. |
Down — The mirror destination is operationally disabled. |
|
Forwarding Class |
The forwarding class for all packets transmitted to the mirror destination. |
Remote Sources |
Yes — A remote source is configured. |
No — A remote source is not configured. |
|
Destination SAP |
The ID of the access port where the Service Access Point (SAP) associated with this mirror destination service is defined. |
Egr QoS Policy |
This value indicates the egress QoS policy ID. A value of 0 indicates that no QoS policy is specified. |
mirror sources allowed |
This value tells the user the type of mirror sources allowed to be configured. |