Configuring Traffic Mirroring on the Cisco ASR 9000 Series Router

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router This module describes the configuration of traffic mirring on the Cisco ASR 9000 Series Router. Traffic mirring is sometimes called pt mirring, switched pt analyzer (SPAN). Feature Histy f Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Release Release 3.9.1 Release 4.0.1 Modification This feature was introduced on the Cisco ASR 9000 Series Router. The following traffic mirring features were added: Traffic mirring over a pseudowire Flow ACL-based traffic mirring Layer 3 interface suppt Partial packet mirring Contents Restrictions f Traffic Mirring, page 269 Infmation about Traffic Mirring, page 270 Configuring Traffic Mirring, page 275 Traffic Mirring Configuration Examples, page 288 Where to Go Next, page 295 Additional References, page 295 Restrictions f Traffic Mirring A maximum of eight moniting sessions, and 800 source pts are suppted. You can configure 800 source pts on a single moniting session, configure an aggregate total of 800 source pts on a maximum of eight moniting sessions. The following fms of traffic mirring are not suppted: Configuration Guide HR-269

Infmation about Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Mirring traffic to a GRE tunnel (also known as Encapsulated Remote Switched Pt Analyzer [ER-SPAN] in Cisco IOS Software). Mirring traffic from a full bridge domain (also known as VLAN-based SPAN in Cisco IOS Software). Mirring traffic on an individual bundle member interface is not suppted. SPAN must only be configured on a bundle interface and it is applied to all members. Perfmance Impact with Traffic Mirring Cisco recommends that you do not mirr me than 15% of your total transit traffic. On Ten Gigabit Ethernet interfaces bundle interfaces there is a limit of 1.5G on each ingress amount to be mirred and 1.5G on each egress amount to be mirred. Infmation about Traffic Mirring The following sections provide infmation about traffic mirring: Introduction to Traffic Mirring, page 270 Traffic Mirring Terminology, page 271 Suppted Traffic Mirring Types, page 273 Introduction to Traffic Mirring Traffic mirring, which is sometimes called pt mirring, Switched Pt Analyzer (SPAN) is a Cisco proprietary feature that enables you to monit Layer 2 Layer 3 netwk traffic passing in, out of, a set of Ethernet interfaces. You can then pass this traffic to a netwk analyzer f analysis. Traffic mirring copies traffic from one me Layer 3 interfaces Layer 2 interfaces sub-interfaces, including Layer 2 link bundle interfaces sub-interfaces, and sends the copied traffic to one me destinations f analysis by a netwk analyzer other moniting device. Traffic mirring does not affect the switching of traffic on the source interfaces sub-interfaces, and allows the mirred traffic to be sent to a destination interface sub-interface. Traffic mirring was introduced on switches because of a fundamental difference between switches and hubs. When a hub receives a packet on one pt, the hub sends out a copy of that packet from all pts except from the one to which the hub received the packet. In the case of switches, after a switch boots, it starts to build up a Layer 2 fwarding table on the basis of the source MAC address of the different packets that the switch receives. After this fwarding table is built, the switch fwards traffic that is destined f a MAC address directly to the cresponding pt. F example, if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a traffic analyzer to this hub. All other pts see the traffic between hosts A and B (Figure 17). HR-270

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Infmation about Traffic Mirring Figure 17 Traffic Mirring Operation on a Hub B A Hub Netwk analyzer 281711 On a switch router, after the host B MAC address is learned, unicast traffic from A to B is only fwarded to the B pt. Therefe, the traffic analyzer does not see this traffic (Figure 18). Figure 18 Netwk Analysis Does Not Wk on a Router Without Traffic Mirring B A Router Netwk analyzer 281709 In this configuration, the traffic analyzer only captures traffic that is flooded to all pts, such as: Broadcast traffic Multicast traffic with CGMP Internet Group Management Protocol (IGMP) snooping disabled Unknown unicast traffic on a switch An extra feature is necessary that artificially copies unicast packets that host A sends. This extra feature is traffic mirring. When traffic mirring is enabled, the traffic analyzer is attached to a pt that is configured to receive a copy of every packet that host A sends. This pt is called a traffic mirring pt. The other sections of this document describe how you can fine tune this feature. Implementing Traffic Mirring on the Cisco ASR 9000 Series Router Traffic Mirring Terminology Ingress traffic Traffic that enters the switch. Egress traffic Traffic that leaves the switch. Source pt A pt that is monited with the use of traffic mirring. It is also called a monited pt. Destination pt A pt that monits source pts, usually where a netwk analyzer is connected. It is also called a moniting pt. HR-271

Infmation about Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Monit session A designation f a collection of traffic mirring configurations consisting of a single destination and, potentially, many source interfaces. Characteristics of the Source Pt A source pt, also called a monited pt, is a switched routed pt that you monit f netwk traffic analysis. In a single local remote traffic mirring session, you can monit source pt traffic, such as received (Rx) f ingress traffic, transmitted (Tx) f egress traffic, bidirectional (f both ingress and egress traffic). Your router suppts any number of source pts (up to the maximum number of 800). A source pt has these characteristics: It can be any pt type, such as Bundle Interface, Gigabit Ethernet, 10-Gigabit Ethernet, EFPs. Note Bridge group virtual interfaces (BVIs) are not suppted. Each source pt can be monited in one traffic mirring session. It cannot be a destination pt. Each source pt can be configured with a direction (ingress, egress, both) to monit. F bundles, the monited direction applies to all physical pts in the group. Figure 19 Netwk Analysis on a Cisco ASR 9000 Router With Traffic Mirring B A Router Netwk analyzer 281709 In Figure 19, the netwk analyzer is attached to a pt that is configured to receive a copy of every packet that host A sends. This pt is called a traffic mirring pt. Characteristics of the Monit Session A monit session is a collection of traffic mirring configurations consisting of a single destination and, potentially, many source interfaces. F any given monit session, the traffic from the source interfaces (called source pts) is sent to the moniting pt (called the destination pt). Some optional operations such as VLAN tag imposition and ACL filtering can be perfmed on the mirred traffic streams. If there is me than one source pt in a moniting session, the traffic from the several mirred traffic streams is combined at the destination pt. The result is that the traffic that comes out of the destination pt is a combination of the traffic from one me source pts, and the traffic from each source pt may may not have VLAN push operations ACLs applied to it. Monit sessions have the following characteristics: A single Cisco ASR 9000 Router can have a maximum of eight monit sessions. HR-272

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Infmation about Traffic Mirring A single monit session can have only one destination pt. A single destination pt can belong to only one monit session. A single Cisco ASR 9000 Router can have a maximum of 800 source pts. A monit session can have a maximum of 800 source pts, as long as the maximum number of source pts from all moniting sessions does not exceed 800. Characteristics of the Destination Pt Each local session remote destination session must have a destination pt (also called a moniting pt) that receives a copy of the traffic from the source pts. A destination pt has these characteristics: A destination pt must reside on the same router as the source pt. A destination pt can be any Ethernet physical pt, EFP, pseudowire, but not a bundle interface. A destination pt can only be a Layer 2 transpt interface. A Layer 3 interface as a SPAN destination is not suppted on the Cisco ASR 9000 Series Router. A destination pt and can be a trunk (main) interface a subinterface. At any one time, a destination pt can participate in only one traffic mirring session. A destination pt in one traffic mirring session cannot be a destination pt f a second traffic mirring session. In other wds, no two monit sessions can have the same destination pt. A destination pt cannot also be a source pt. Figure 20 Netwk Analysis on a Cisco ASR 9000 Router With Traffic Mirring Egress 1 traffic 2 Ingress traffic Router Netwk analyzer 281710 1 Source traffic mirring pts (can be ingress egress traffic pts) 2 Destination traffic mirring pt Suppted Traffic Mirring Types The following traffic mirring types are suppted: Local traffic mirring. This is the most basic fm of traffic mirring. The netwk analyzer sniffer is directly attached to the destination interface. In other wds, all monited pts are all located on the same switch as the destination pt. HR-273

Infmation about Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Pseudowire Traffic Mirring Remote traffic mirring (known as R-SPAN). In this case, the netwk analyzer is not attached directly to the destination interface, but is on a VLAN accessible to the switch. F example, the destination interface is a sub-interface with a VLAN encapsulation. A restricted fm of remote traffic mirring can be implemented by sending traffic to a single destination pt that pushes a VLAN tag, instead of switching via a bridge domain. Allows decoupling the netwk analyzer and destination, but there is no on-the-box redundancy. Allows multiple remote netwk analyzers as long as they can attach to the traffic mirring VLAN. This is suppted on Cisco IOS XR software, because the destination pt is an EFP that can push a VLAN tag. Pseudowire traffic mirring (known as PW-SPAN in Cisco IOS Software). Instead of using a standard destination interface, traffic is mirred to a remote site via an MPLS pseudowire. ACL-based traffic mirring. Traffic is mirred based on the configuration of the global interface ACL. Partial Packet Mirring. The first 64 to 256 bytes of the packet can be mirred. Layer 2 Layer 3 traffic mirring. Both Layer 2 and Layer 3 source pts can be mirred. The traffic mirring destination pt can be configured to be a pseudowire rather than a physical pt. In this case, the designated traffic on the source pt is mirred over the pseudowire to a central location. This allows the centralization of expensive netwk traffic analysis tools. Because the pseudowire is carrying only the mirred traffic, this traffic is generally unidirectional. There should not be any traffic coming from the remote provider edge. To protect the pseudowire traffic mirring path against netwk failures, it is possible to configure a traffic engineering tunnel as the preferred path and enable fast reroute protection f the pseudowire. Figure 21 Pseudowire Traffic Mirring Centralized NOC Netwk Pseudowire over EoMPLS Pseudowire to NOC Mirring to Pseudowire GE Pt Cisco ASR 9000 Series Router GE Pt 281600 HR-274

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Configuring Traffic Mirring ACL-Based Traffic Mirring You can mirr traffic based on the definition of a global interface access list (ACL). If you are mirring Layer 2 traffic, the ACL is configured using the ethernet-services access-list command with the capture keywd. If you are mirring Layer 3 traffic, the ACL is configured using the ipv4 access-list ipv6 access-list command with the capture keywd. The permit and deny commands determine the behavi of regular traffic. The capture keywd designates that the packet is to be mirred to the destination pt. Configuring Traffic Mirring The following tasks describe how to configure traffic mirring: How to Configure Local Traffic Mirring, page 275 How to Configure Remote Traffic Mirring, page 277 How to Configure Traffic Mirring over Pseudowire, page 279 How to Configure ACL-Based Traffic Mirring, page 283 How to Configure Partial Packet Mirring, page 286 How to Configure Local Traffic Mirring SUMMARY STEPS 1. configure 2. monit-session session-name 3. destination interface dest-interface 4. exit 5. interface source-interface 6. l2transpt 7. monit-session session-name [direction {rx-only tx-only] 8. end commit 9. show monit-session [session-name] status [detail] [err] HR-275

Configuring Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router DETAILED STEPS Step 1 Command Action configure Purpose Enters global configuration mode. Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 monit-session session-name RP/0/RSP0/CPU0:router(config)# monit-session mon1 RP/0/RSP0/CPU0:router(config-mon)# destination interface dest-interface RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15 exit RP/0/RSP0/CPU0:router(config-mon)# exit RP/0/RSP0/CPU0:router(config)# interface source-interface RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11 l2transpt RP/0/RSP0/CPU0:router(config-if)# l2transpt monit-session session-name [direction {rx-only tx-only] RP/0/RSP0/CPU0:router(config-if-l2)# monit-session mon1 Defines a monit session, and enters monit session configuration mode. Specifies the destination interface to which traffic should be replicated. This interface must be a Layer 2 transpt interface. Exits monit session configuration mode, and returns to global configuration mode. Enters interface configuration mode f the specified interface. The interface number is entered in rack/slot/module/pt notation. F me infmation about the syntax f the router, use the question mark (?) online help function. (Optional) Enables Layer 2 transpt mode on the interface and enters Layer 2 transpt configuration mode. Note F Layer 3 traffic mirring, do not use the l2transpt command. Specifies the monit session to be used on this interface. Use the direction keywd to specify that only ingress only egress traffic is mirred. HR-276

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Configuring Traffic Mirring Step 8 Step 9 Command Action end commit RP/0/RSP0/CPU0:router(config-if-l2)# end RP/0/RSP0/CPU0:router(config-if-l2)# commit show monit-session [session-name] status [detail] [err] Purpose Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Entering cancel leaves the router in the current configuration session without exiting committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. Displays infmation about the monit session. RP/0/RSP0/CPU0:router# show monit-session How to Configure Remote Traffic Mirring SUMMARY STEPS 1. configure 2. monit-session session-name 3. destination interface dest-subinterface 4. exit 5. interface dest-subinterface l2transpt 6. encapsulation dot1q vlan 7. rewrite ingress tag pop tag-to-remove 8. interface source-interface [l2transpt] 9. monit-session session-name [direction {rx-only tx-only] 10. end commit 11. show monit-session [session-name] status [detail] [err] HR-277

Configuring Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router DETAILED STEPS Step 1 Command Action configure Purpose Enters global configuration mode. Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 monit-session session-name RP/0/RSP0/CPU0:router(config)# monit-session mon1 RP/0/RSP0/CPU0:router(config-mon)# destination interface dest-subinterface RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15 exit RP/0/RSP0/CPU0:router(config-mon)# exit RP/0/RSP0/CPU0:router(config)# interface dest-subinterface l2transpt RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11.10 l2transpt encapsulation dot1q vlan RP/0/RSP0/CPU0:router(config-if)# encapsulation dot1q 1 rewrite ingress tag pop tag-to-remove Defines a monit session, and enters monit session configuration mode. Specifies the destination subinterface to which traffic should be replicated. This interface must be a Layer 2 transpt interface. Exits monit session configuration mode, and returns to global configuration mode. Enters interface configuration mode f the specified sub-interface. The interface number is entered in rack/slot/module/pt notation. F me infmation about the syntax f the router, use the question mark (?) online help function. The l2transpt keywd is used to enable Layer 2 transpt mode on the destination subinterface. Specifies 802.1Q encapsulation and the VLAN number that is used. Specifies to remove the outer tag only f the EFP. RP/0/RSP0/CPU0:router(config-if)# rewrite ingress tag pop 1 HR-278

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Configuring Traffic Mirring Step 8 Step 9 Step 10 Step 11 Command Action interface source-subinterface [l2transpt] RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11.10 l2transpt monit-session session-name [direction {rx-only tx-only] RP/0/RSP0/CPU0:router(config-if-l2)# monit-session mon1 end commit RP/0/RSP0/CPU0:router(config-if)# end RP/0/RSP0/CPU0:router(config-if)# commit show monit-session [session-name] status [detail] [err] Purpose Enters interface configuration mode f the specified subinterface. The interface number is entered in rack/slot/module/pt notation. F me infmation about the syntax f the router, use the question mark (?) online help function. To configure a Layer 2 subinterface to be the source interface, use the l2transpt keywd to enable Layer 2 transpt mode on the subinterface. Specifies the monit session to be used on this interface. Use the direction keywd to specify that only ingress egress traffic is mirred. Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Entering cancel leaves the router in the current configuration session without exiting committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. Displays infmation about the traffic mirring session. RP/0/RSP0/CPU0:router# show monit-session How to Configure Traffic Mirring over Pseudowire SUMMARY STEPS 1. configure 2. monit-session session-name 3. destination pseudowire HR-279

Configuring Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router 4. exit 5. interface source-interface 6. l2transpt 7. monit-session session-name 8. exit 9. exit 10. exit 11. l2vpn 12. pw-class class-name 13. encapsulation mpls 14. exit 15. exit 16. xconnect group group-name 17. p2p xconnect-name 18. monit-session session-name 19. neighb peer-ip pw-id pseudowire-id 20. pw-class class-name 21. end commit 22. show monit-session [session-name] status [detail] [err] DETAILED STEPS Step 1 Command Action configure Purpose Enters global configuration mode. Step 2 Step 3 monit-session session-name RP/0/RSP0/CPU0:router(config)# monit-session mon1 RP/0/RSP0/CPU0:router(config-mon)# destination psuedowire RP/0/RSP0/CPU0:router(config-mon)# destination pseudowire Defines a monit session, and enters monit session configuration mode. Specifies that the traffic should be replicated to a pseudowire. HR-280

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Configuring Traffic Mirring Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 Command Action exit RP/0/RSP0/CPU0:router(config-mon)# exit RP/0/RSP0/CPU0:router(config)# interface source-interface RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11.10 l2transpt RP/0/RSP0/CPU0:router(config-if)# l2transpt monit-session session-name [direction {rx-only tx-only] RP/0/RSP0/CPU0:router(config-if-l2)# monit-session mon1 exit RP/0/RSP0/CPU0:router(config-if-mon)# exit RP/0/RSP0/CPU0:router(config-if-l2)# exit RP/0/RSP0/CPU0:router(config-if-l2)# exit RP/0/RSP0/CPU0:router(config-if)# exit RP/0/RSP0/CPU0:router(config-if)# exit RP/0/RSP0/CPU0:router(config)# l2vpn Purpose Exits monit session configuration mode and returns to global configuration mode. Enters interface configuration mode f the specified interface. The interface number is entered in rack/slot/module/pt notation. F me infmation about the syntax f the router, use the question mark (?) online help function. (Optional) Enables Layer 2 transpt mode on the subinterface and enters Layer 2 transpt configuration mode. Note F Layer 3 traffic mirring, do not use the l2transpt command. Specifies the monit session to be used on this interface. Use the direction keywd to specify that only ingress egress traffic is mirred. Exits monit session configuration mode and returns to l2transpt configuration mode. Exits l2transpt configuration mode and returns to interface configuration mode. Exits interface configuration mode and returns to global configuration mode. Enters Layer 2 VPN configuration mode. Step 12 RP/0/RSP0/CPU0:router(config)# l2vpn RP/0/RSP0/CPU0:router(config-l2vpn)# pw-class class-name RP/0/RSP0/CPU0:router(config-l2vpn)# pw-class pw1 Configures a pseudowire class template and enters pseudowire class template configuration mode. HR-281

Configuring Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Step 13 Command Action encapsulation mpls Purpose Configures the pseudowire encapsulation to MPLS. Step 14 RP/0/RSP0/CPU0:router(config-l2vpn-pwc)# encapsulation mpls exit Exits pseudowire encapsulation configuration mode. Step 15 RP/0/RSP0/CPU0:router(config-l2vpn-pwc-mpls)# exit RP/0/RSP0/CPU0:router(config-l2vpn-pwc) exit Exits pseudowire class template configuration mode. Step 16 RP/0/RSP0/CPU0:router(config-l2vpn-pwc)# exit RP/0/RSP0/CPU0:router(config-l2vpn) xconnect group group-name Configures a group cross connect. Step 17 RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect group g1 p2p xconnect-name Configures a point-to-point cross connect. Step 18 Step 19 RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p xc1 monit-session session-name RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# monit-session mon1 neighb peer-ip pw-id pseudowire-id Attaches a traffic mirring session to the point-to-point cross connect. Configures the point-to-point cross connect. Step 20 RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# neighb 192.168.2.2 pw-id 3 pw-class class-name RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# pw-class pw1 Specifies the pseudowire class template to use f this cross connect. HR-282

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Configuring Traffic Mirring Step 21 Step 22 Command Action end commit RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# end RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# commit show monit-session [session-name] status [detail] [err] Purpose Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Entering cancel leaves the router in the current configuration session without exiting committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. Displays infmation about the traffic mirring session. RP/0/RSP0/CPU0:router# show monit-session How to Configure ACL-Based Traffic Mirring Prerequisites SUMMARY STEPS The global interface ACL should be configured using one of the following commands with the capture keywd: ipv4 access-list ipv6 access-list ethernet-services access-list F me infmation, refer to the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Command Reference the ASR 9000 Series Aggregation Services Router Layer_2 VPN and Ethernet Services Command Reference. 1. configure 2. monit-session session-name 3. destination interface dest-interface 4. exit HR-283

Configuring Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router 5. interface source-interface 6. l2transpt 7. exit 8. ethernet-services access-group access-list-name ingress 9. acl 10. monit-session session-name 11. end commit 12. show monit-session [session-name] status [detail] [err] DETAILED STEPS Step 1 Command Action configure Purpose Enters global configuration mode. Step 2 Step 3 Step 4 Step 5 Step 6 monit-session session-name RP/0/RSP0/CPU0:router(config)# monit-session mon1 RP/0/RSP0/CPU0:router(config-mon)# destination interface dest-interface RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15 exit RP/0/RSP0/CPU0:router(config-mon)# exit RP/0/RSP0/CPU0:router(config)# interface source-interface RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11 l2transpt RP/0/RSP0/CPU0:router(config-if)# l2transpt Defines a monit session and enters monit session configuration mode. Specifies the destination interface to which traffic should be replicated. This interface must be a Layer 2 transpt interface. Exits monit session configuration mode and returns to global configuration mode. Enters interface configuration mode f the specified interface. The interface number is entered in rack/slot/module/pt notation. F me infmation about the syntax f the router, use the question mark (?) online help function. (Optional) Enables Layer 2 transpt mode on the subinterface and enters Layer 2 transpt configuration mode. Note F Layer 3 traffic mirring, do not use the l2transpt command. HR-284

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Configuring Traffic Mirring Step 7 Step 8 Command Action exit RP/0/RSP0/CPU0:router(config-if-l2)# exit RP/0/RSP0/CPU0:router(config-if)# ethernet-services access-group access-list-name [ingress egress] Purpose Exits Layer 2 transpt configuration mode and returns to interface configuration mode. Associates the access list definition with the interface being mirred. Step 9 Step 10 RP/0/RSP0/CPU0:router(config-if)# ethernet-services access-group acl1 ingress acl RP/0/RSP0/CPU0:router(config-if-mon)# acl monit-session session-name Specifies that the traffic mirred is accding to the defined global interface ACL. Specifies the monit session to be used on this interface. Step 11 Step 12 RP/0/RSP0/CPU0:router(config-if)# monit-session mon1 end commit RP/0/RSP0/CPU0:router(config-if)# end RP/0/RSP0/CPU0:router(config-if)# commit show monit-session [session-name] status [detail] [err] Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Entering cancel leaves the router in the current configuration session without exiting committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. Displays infmation about the monit session. RP/0/RSP0/CPU0:router# show monit-session HR-285

Configuring Traffic Mirring Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Troubleshooting ACL-Based Traffic Mirring Note the following configuration issues: Even when the acl command is configured on the source mirring pt, if the ACL configuration command does not use the capture keywd, no traffic gets mirred. If the ACL configuration uses the capture keywd, but the acl command is not configured on the source pt, although traffic is mirred, no access list configuration is applied. All ingress traffic is mirred, regardless of the ACL definition; only egress traffic permitted in the ACL definition is mirred. The following example crectly shows both the capture keywd in the ACL definition and the acl command configured on the interface: monit-session tm_example! ethernet-services access-list tm_filter 10 deny 0000.1234.5678 0000.abcd.abcd any capture! interface GigabitEthernet0/2/0/0 monit-session tm_example direction rx-only acl! l2transpt! ethernet-services access-group tm_filter ingress! end How to Configure Partial Packet Mirring SUMMARY STEPS 1. configure 2. monit-session session-name 3. destination interface dest-interface 4. exit 5. interface source-interface 6. monit-session session-name 7. mirr first bytes 8. end commit 9. show monit-session [session-name] status HR-286

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Configuring Traffic Mirring DETAILED STEPS Step 1 Command Action configure Purpose Enters global configuration mode. Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 monit-session session-name RP/0/RSP0/CPU0:router(config)# monit-session mon1 RP/0/RSP0/CPU0:router(config-mon)# destination interface dest-interface RP/0/RSP0/CPU0:router(config-mon)# destination interface gigabitethernet0/0/0/15 exit RP/0/RSP0/CPU0:router(config-mon)# exit RP/0/RSP0/CPU0:router(config)# interface source-interface RP/0/RSP0/CPU0:router(config)# interface gigabitethernet0/0/0/11.10 monit-session session-name [direction {rx-only tx-only] RP/0/RSP0/CPU0:router(config-if-l2)# monit-session mon1 mirr first bytes RP/0/RSP0/CPU0:router(config-if-mon)# mirr first bytes Defines a monit session, and enters monit session configuration mode. Specifies the destination interface to which traffic should be replicated. This interface must be a Layer 2 transpt interface. Exits monit session configuration mode and returns to global configuration mode. Enters interface configuration mode f the specified interface. The interface number is entered in rack/slot/module/pt notation. F me infmation about the syntax f the router, use the question mark (?) online help function. Specifies the monit session to be used on this interface. Use the direction keywd to specify that only ingress egress traffic is mirred. Specifies the number of bytes of the packet to mirr. Values can range from 64 to 256 bytes. HR-287

Traffic Mirring Configuration Examples Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Step 8 Step 9 Command Action end commit RP/0/RSP0/CPU0:router(config-if)# end RP/0/RSP0/CPU0:router(config-if)# commit show monit-session [session-name] status Purpose Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them befe exiting (yes/no/cancel)? [cancel]: Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode. Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes. Entering cancel leaves the router in the current configuration session without exiting committing the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session. Displays infmation about the traffic mirring session. RP/0/RSP0/CPU0:router# show monit-session Traffic Mirring Configuration Examples This section contains examples of how to configure traffic mirring: Traffic Mirring with Physical Interfaces (Local): Example, page 288 Traffic Mirring with EFPs (Remote): Example, page 289 Viewing Monit Session Status: Example, page 289 Monit Session Statistics: Example, page 290 Traffic Mirring over Pseudowire: Example, page 291 Layer 3 ACL-Based Traffic Mirring: Example, page 291 Layer 2 ACL-Based Traffic Mirring: Example, page 291 Traffic Mirring with Physical Interfaces (Local): Example The following example shows a basic configuration f traffic mirring with physical interfaces. When traffic flows over the point to point cross connect between gig0/2/0/19 and gig0/2/0/11, packets received and transmitted on gig0/2/0/19 are also mirred to gig0/2/0/15. RP/0/RSP0/CPU0:router(config)# monit-session ms1 RP/0/RSP0/CPU0:router(config-mon)# destination interface gig0/2/0/15 RP/0/RSP0/CPU0:router(config-mon)# commit HR-288

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Traffic Mirring Configuration Examples RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/11 RP/0/RSP0/CPU0:router(config-subif)# l2transpt RP/0/RSP0/CPU0:router(config-if-l2)# commit RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/15 RP/0/RSP0/CPU0:router(config-subif)# l2transpt RP/0/RSP0/CPU0:router(config-if-l2)# commit RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/19 RP/0/RSP0/CPU0:router(config-subif)# l2transpt RP/0/RSP0/CPU0:router(config-subif-l2)# monit-session ms1 RP/0/RSP0/CPU0:router(config-if-l2)# commit RP/0/RSP0/CPU0:router(config)# l2vpn RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect group xg1 RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p xg1_p1 RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# interface gig0/2/0/11 RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# interface gig0/2/0/19 RP/0/RSP0/CPU0:router(config-if-l2)# commit Traffic Mirring with EFPs (Remote): Example The following example shows a basic configuration f remote traffic mirring with EFP interfaces. When traffic flows over the point-to-point cross connect between gig0/2/0/19.10 and gig0/2/0/11.10, packets received and transmitted on gig0/2/0/19.10 are also mirred to gig0/2/0/10.1. RP/0/RSP0/CPU0:router#monit-session ms1 RP/0/RSP0/CPU0:router(config)# destination interface gig0/2/0/10.1 RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/10.1 l2transpt RP/0/RSP0/CPU0:router(config-if-l2)# encapsulation dot1q 1 RP/0/RSP0/CPU0:router(config-if-l2)# rewrite ingress tag pop 1 RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/11.10 l2transpt RP/0/RSP0/CPU0:router(config-if-l2)# encapsulation dot1q 10 RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/19.10 l2transpt RP/0/RSP0/CPU0:router(config-if-l2)# encapsulation dot1q 10 RP/0/RSP0/CPU0:router(config-if-l2)# monit-session ms1 RP/0/RSP0/CPU0:router(config)# l2vpn RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect group xg1 RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p xg1_p1 RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# interface gig0/2/0/11.10 RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# interface gig0/2/0/19.10 Viewing Monit Session Status: Example The following examples show sample output of the show monit-session command with the status keywd: RP/0/RSP0/CPU0:router# show monit-session status Fri Feb 20 14:56:04.233 UTC HR-289

Traffic Mirring Configuration Examples Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Monit-session cisco-rtp1 Destination interface GigabitEthernet0/5/0/38 ================================================================================ Source Interface Dir Status --------------------- ---- ---------------------------------------------------- Gi0/5/0/4 Both Operational Gi0/5/0/17 Both Operational RP/0/RSP0/CPU0:router# show monit-session status detail Monit-session sess1 Destination interface is not configured Source Interfaces ----------------- GigabitEthernet0/0/0/0 Direction: Both ACL match: Enabled Ption: Full packet Status: Not operational (destination interface not known). GigabitEthernet0/0/0/2 Direction: Both ACL match: Disabled Ption: First 100 bytes Status: Err: 'Viking SPAN PD' detected the 'warning' condition 'PRM connection creation failure'. RP/0/RSP0/CPU0:router# show monit-session status err Thu Jul 1 17:56:24.190 DST Monit-session ms1 Destination interface GigabitEthernet0/2/0/15 is not configured ================================================================================ Source Interface Dir Status --------------------- ---- ---------------------------------------------------- Monit-session ms2 Destination interface is not configured ================================================================================ Source Interface Dir Status --------------------- ---- ---------------------------------------------------- RP/0/RSP0/CPU0:router# Monit Session Statistics: Example Use the show monit-session command with the counters keywd to show the statistics/counters (received/transmitted/dropped) of different source pts. F each monit session, this command displays a list of all source interfaces and the replicated packet statistics f that interface. The full set of statistics displayed f each interface is: RX replicated packets and octets TX replicated packets and octets Non-replicated packet and octets RP/0/RSP0/CPU0:router# show monit-session counters Monit-session ms1 GigabitEthernet0/2/0/19.10 Rx replicated: 1000 packets, 68000 octets Tx replicated: 1000 packets, 68000 octets Non-replicated: 0 packets, 0 octets HR-290

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Traffic Mirring Configuration Examples Use the clear monit-session counters command to clear any collected statistics. By default this command clears all sted statistics; however, an optional interface filter can be supplied. RP/0/RSP0/CPU0:router# clear monit-session counters Traffic Mirring over Pseudowire: Example The following example shows how to configure traffic mirring over a pseudowire: RP/0/RSP0/CPU0:router(config)# interface GigabitEthernet0/11/0/1 RP/0/RSP0/CPU0:router(config-if)# l2transpt RP/0/RSP0/CPU0:router(config-if-l2)# monit-session pw-span-test RP/0/RSP0/CPU0:router(config)# monit-session pw-span-test RP/0/RSP0/CPU0:router(config-mon)# destination pseudowire RP/0/RSP0/CPU0:router(config)# l2vpn RP/0/RSP0/CPU0:router(config-l2vpn)# pw-class class1 RP/0/RSP0/CPU0:router(config-l2vpn-pwc)# encapsulation mpls RP/0/RSP0/CPU0:router(config-l2vpn)# xconnect group g1 RP/0/RSP0/CPU0:router(config-l2vpn-xc)# p2p x1 RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# monit-session pw-span-test RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p)# neighb 2.2.2.2 pw-id 1 RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# pw-class class1 RP/0/RSP0/CPU0:router(config-l2vpn-xc-p2p-pw)# commit Layer 3 ACL-Based Traffic Mirring: Example The following example shows how to configure Layer 3 ACL-based traffic mirring: RP/0/RSP0/CPU0:router(config)# monit-session ms1 RP/0/RSP0/CPU0:router(config-mon)# destination interface gig0/2/0/15 RP/0/RSP0/CPU0:router(config-mon)# commit RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/11 RP/0/RSP0/CPU0:router(config-if)# ipv4 access-group span ingress RP/0/RSP0/CPU0:router(config-if)# monit-session ms1 RP/0/RSP0/CPU0:router(config-if)# acl RP/0/RSP0/CPU0:router(config-if-mon)# commit RP/0/RSP0/CPU0:router(config)# ipv4 access-list span RP/0/RSP0/CPU0:router(config-ipv4-acl)# 5 permit ipv4 any any dscp 5 capture RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit ipv4 any any RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit Layer 2 ACL-Based Traffic Mirring: Example The following example shows how to configure Layer 2 ACL-based traffic mirring: RP/0/RSP0/CPU0:router(config)# monit-session ms1 HR-291

Traffic Mirring Configuration Examples Configuring Traffic Mirring on the Cisco ASR 9000 Series Router RP/0/RSP0/CPU0:router(config-mon)# destination interface gig0/2/0/15 RP/0/RSP0/CPU0:router(config-mon)# commit RP/0/RSP0/CPU0:router(config)# interface gig0/2/0/11 RP/0/RSP0/CPU0:router(config-if)# l2transpt RP/0/RSP0/CPU0:router(config-if-l2)# exit RP/0/RSP0/CPU0:router(config-if)# ethernet-services access-group acl_mirr ingress RP/0/RSP0/CPU0:router(config-if)# acl RP/0/RSP0/CPU0:router(config-if)# monit-session ms1 RP/0/RSP0/CPU0:router(config-if-mon)# commit RP/0/RSP0/CPU0:router(config)# ipv4 access-list acl_mirr RP/0/RSP0/CPU0:router(config-ipv4-acl)# 5 permit ipv4 any any dscp 5 capture RP/0/RSP0/CPU0:router(config-ipv4-acl)# 10 permit ipv4 any any RP/0/RSP0/CPU0:router(config-ipv4-acl)# commit Partial Packet Mirring: Example The following example shows how to configure mirring of the first 100 bytes of the packet: RP/0/RP0/CPU0:router(config)# interface gigabitethernet0/0/0/11 RP/0/RP0/CPU0:router(config-if-l2)# monit-session mon1 RP/0/RSP0/CPU0:router(config-if-mon)# mirr first 100 Troubleshooting Traffic Mirring When you have issues with your traffic mirring, begin your troubleshooting by checking the output of the show monit-session status command. This command displays the recded state of all sessions and source interfaces: Monit-session sess1 <Session status> ================================================================================ Source Interface Dir Status --------------------- ---- ---------------------------------------------------- Gi0/0/0/0 Both <Source interface status> Gi0/0/0/2 Both <Source interface status> In the preceding example, the line marked as <Session status> can indicate one of the following configuration errs: Session Status Session is not configured globally Destination interface <intf> is not configured Explanation The session does not exist in global configuration. Check show run command output to ensure that a session with the right name has been configured. The interface that has been configured as the destination does not exist. F example, the destination interface may be configured to be a VLAN subinterface, but the VLAN subinterface may not have been created yet. HR-292

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Traffic Mirring Configuration Examples Session Status Destination interface <intf> (<down-state>) Destination pseudowire is not configured Destination pseudowire <name> (down) Explanation The destination interface is not in Up state in the Interface Manager. You can verify the state using the show interfaces command. Check the configuration to see what might be keeping the interface from coming up (f example, a sub-interface needs to have an appropriate encapsulation configured). The L2VPN configuration that is to set up the pseudowire is missing. Configure the traffic mirring session name as one segment of the xconnect p2p. The pseudowire is configured, but is down. Check the L2VPN configuration to identify why the pseudowire is not coming up. The <Source interface status> can rept the following messages: Source Interface Status Explanation Operational Everything appears to be wking crectly in traffic mirring PI. Please follow up with the platfm teams in the first instance, if mirring is not operating as expected. Not operational (Session is not configured globally) The session does not exist in global configuration. Check the show run command output to ensure that a session with the right name has been configured. Not operational (destination interface not known) The session exists, but it either does not have a destination interface specified, the destination interface named f the session does not exist (f example, if the destination is a sub-interface that has not been created). Not operational (source same as destination) The session exists, but the destination and source are the same interface, so traffic mirring does not wk. Not operational (destination not active) The destination interface pseudowire is not in the Up state. See the cresponding Session status err messages f suggested resolution. Not operational (source state <down-state>) The source interface is not in the Up state. You can verify the state using the show interfaces command. Check the configuration to see what might be keeping the interface from coming up (f example, a sub-interface needs to have an appropriate encapsulation configured). Err: see detailed output f explanation Traffic mirring has encountered an err. Run the show monit-session status detail command to display me infmation. HR-293

Traffic Mirring Configuration Examples Configuring Traffic Mirring on the Cisco ASR 9000 Series Router The show monit-session status detail command displays full details of the configuration parameters, and of any errs encountered. F example: RP/0/RSP0/CPU0:router#show monit-session status detail Monit-session sess1 Destination interface is not configured Source Interfaces ----------------- GigabitEthernet0/0/0/0 Direction: Both ACL match: Enabled Ption: Full packet Status: Not operational (destination interface not known). GigabitEthernet0/0/0/2 Direction: Both ACL match: Disabled Ption: First 100 bytes Status: Err: 'Viking SPAN PD' detected the 'warning' condition 'PRM connection creation failure'. This detailed output may give you a clear indication of what the problem is. Here are additional trace and debug commands: RP/0/RSP0/CPU0:router# show monit-session platfm trace? all Turn on all the trace errs Display errs events Display interesting events RP/0/RSP0/CPU0:router# show monit-session trace? process Filter debug by process RP/0/RSP0/CPU0:router# debug monit-session platfm? all Turn on all the debugs errs VKG SPAN EA errs event VKG SPAN EA event info VKG SPAN EA info RP/0/RSP0/CPU0:router# debug monit-session platfm all RP/0/RSP0/CPU0:router# debug monit-session platfm event RP/0/RSP0/CPU0:router# debug monit-session platfm info RP/0/RSP0/CPU0:router# show monit-session status? detail Display detailed output errs Display only attachments which have errs internal Display internal monit-session infmation Output Modifiers RP/0/RSP0/CPU0:router# show monit-session status RP/0/RSP0/CPU0:router# show monit-session status errs RP/0/RSP0/CPU0:router# show monit-session status internal HR-294

Configuring Traffic Mirring on the Cisco ASR 9000 Series Router Where to Go Next Where to Go Next When you have configured an Ethernet interface, you can configure individual VLAN subinterfaces on that Ethernet interface. F infmation about modifying Ethernet management interfaces f the shelf controller (SC), route process (RP), and distributed RP, see the Advanced Configuration and Modification of the Management Ethernet Interface on the Cisco ASR 9000 Series Router module later in this document. F infmation about IPv6 see the Implementing Access Lists and Prefix Lists on Cisco IOS XR Software module in the Cisco IOS XR IP Addresses and Services Configuration Guide. Additional References The following sections provide references related to implementing Gigabit and 10-Gigabit Ethernet interfaces. Related Documents Related Topic Ethernet L2VPN Cisco IOS XR master command reference Cisco IOS XR interface configuration commands Infmation about user groups and task IDs Document Title Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Configuration Guide Cisco ASR 9000 Series Aggregation Services Router L2VPN and Ethernet Services Command Reference Cisco ASR 9000 Series Aggregation Services Router Master Commands List Cisco ASR 9000 Series Aggregation Services Router Interface and Hardware Component Command Reference Cisco IOS XR Interface and Hardware Component Command Reference Standards Standards IEEE 802.1ag ITU-T Y.1731 Title HR-295

Additional References Configuring Traffic Mirring on the Cisco ASR 9000 Series Router MIBs MIBs IEEE CFM MIB MIBs Link To locate and download MIBs f selected platfms using Cisco IOS XR Software, use the Cisco MIB Locat found at the following URL: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml RFCs RFCs No new modified RFCs are suppted by this feature, and suppt f existing RFCs has not been modified by this feature. Title Technical Assistance Description The Cisco Technical Suppt website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even me content. Link http://www.cisco.com/techsuppt HR-296