Classifier policies and mirroring sessions
Network traffic can be mirrored to a destination interface in two ways:
Using a mirroring session alone.
Using Classifier Policies with mirror actions in conjunction with a mirroring session.
Basic mirroring sessions provide coarse control over the type of traffic mirrored from a source: all received, all transmitted, or both. However, a traffic class within a Classifier Policy applied to a source can provide much finer-grained control of mirrored traffic. For example, a policy can match on many different aspects of the Ethernet, IPv4, or IPv6 header information in each frame or packet received or transmitted on an interface.
The steps to configure a policy and class with a mirror action are the following:
Configuring a mirroring session with a destination interface.
Enabling the mirroring session.
Configuring the Classifier Policy, specifying the mirroring session ID in the mirror action.
Any subsequent configuration changes to either the enabled mirroring session or the classifier policy can affect the behavior of the network monitoring that occurs. For examples, see Scenario 1 and Scenario 2.
Scenario 1
Mirroring session 1 is configured with destination interface 1/1/10 and source interface 1/1/5 in the both direction, then the session is enabled.
Mirroring session 2 is configured with destination interface 1/1/20, then the session is enabled.
Policy Policy_2 is configured with a class matching OSPF traffic from any source IPv4 address to any destination IPv4 address and an action of mirror, specifying mirroring session 2.
Policy_2 is applied to interface 1/1/5 in the inbound direction.
This sequence of actions creates a situation where the interface 1/1/5 is effectively configured as a source for two separate enabled mirroring sessions. This configuration is not permitted if you attempt to configure and enable the two mirroring sessions through the CLI. However, mirroring may occur for both sessions because policies with mirror actions have priority over basic mirroring sessions.
In this example:
Because of Policy_2, all OSPF traffic ingressing interface 1/1/5 is mirrored to 1/1/20, which is the destination interface of mirroring session 2.
After Policy_2 is applied, and because mirroring session 1 is enabled, all non-OSPF traffic ingressing interface 1/1/5 is mirrored to 1/1/10, which is the destination interface of mirroring session 1.
Because Policy_2 does not match egressing traffic, and because mirroring session 1 is enabled, all traffic egressing interface 1/1/5 is mirrored to 1/1/10, which is the destination interface of mirroring session 1.
Scenario 2
Mirroring session 2 is configured with destination interface 1/1/20 and source interface 1/1/3, then the session is enabled.
Policy Policy_2 is configured with a class matching OSPF traffic from any source IPv4 address to any destination IPv4 address and an action of mirror, specifying mirroring session 2.
Policy_2 is applied to interface 1/1/5 in the inbound direction.
In this scenario, a single mirroring session is configured with a source interface and is configured as the target of the mirror action of a policy applied to a different source interface. In this example, the destination interface 1/1/20 receives traffic from interface 1/1/3 and from interface 1/1/5.
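The following Python model is an added example, not vendor code or switch CLI. It reproduces the mirroring outcomes of Scenario 1 and Scenario 2 and adds an audit view that lists every interface whose traffic can reach each mirror destination, including interfaces attached only through a policy mirror action. The class and function names, the rx/tx labels, the sample packets, and the handling of a disabled target session are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Session:
    dest: str
    sources: dict = field(default_factory=dict)  # iface -> "rx", "tx" or "both"
    enabled: bool = True

@dataclass
class MirrorPolicy:  # one class with a mirror action, applied to one interface
    iface: str
    direction: str  # "rx" = inbound, "tx" = outbound
    match: Callable[[dict], bool]
    session_id: int

def mirror_dest(sessions, policies, iface, direction, pkt):
    """Destination a packet is mirrored to, or None. Policies take priority."""
    for p in policies:
        if (p.iface, p.direction) == (iface, direction) and p.match(pkt):
            s = sessions.get(p.session_id)
            if s and s.enabled:  # assumption: a disabled target session is skipped
                return s.dest
    for s in sessions.values():
        if s.enabled and s.sources.get(iface) in (direction, "both"):
            return s.dest
    return None

def feeders(sessions, policies):
    """Audit view: every interface whose traffic can reach each destination."""
    out = {}
    for sid, s in sessions.items():
        if s.enabled:
            via_policy = {p.iface for p in policies if p.session_id == sid}
            out.setdefault(s.dest, set()).update(set(s.sources) | via_policy)
    return out

is_ospf = lambda pkt: pkt.get("proto") == 89  # OSPF is IP protocol 89
OSPF, TCP = {"proto": 89}, {"proto": 6}       # constructed sample packets
def scenario_1():
    sessions = {1: Session("1/1/10", {"1/1/5": "both"}), 2: Session("1/1/20")}
    return sessions, [MirrorPolicy("1/1/5", "rx", is_ospf, 2)]

def scenario_2():  # no direction is given for source 1/1/3; "both" is assumed
    sessions = {2: Session("1/1/20", {"1/1/3": "both"})}
    return sessions, [MirrorPolicy("1/1/5", "rx", is_ospf, 2)]

if __name__ == "__main__":
    for name, (s, p) in (("Scenario 1", scenario_1()), ("Scenario 2", scenario_2())):
        print(name, feeders(s, p))
```

In Scenario 2 the audit view shows 1/1/20 fed by both 1/1/3 and 1/1/5, although only 1/1/3 appears as a source in the session itself, so a review of mirror destinations has to include applied policies as well as session sources.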