
    Understanding the Prepended Header During a Packet Mirroring Session

    During a packet mirroring session, the router prepends a special UDP/IP header to each mirrored packet that is sent to the analyzer interface. This prepended header is created by the policy-mirroring action, and is used for demultiplexing at the analyzer to sort through the multiple mirrored streams that arrive from different sources.

    All mirrored L2TP session packets are prepended with a UDP/IP header. For IP traffic mirroring, however, the prepended header is optional; the header is added only if the mirroring-related VSAs (VSAs 26-59 and 26-61) are both included in the RADIUS message. For CLI-based mirroring, the analyzer-udp-port keyword of the mirror analyzer-ip-address command supplies the same information that the two VSAs contain. If you do not include the VSAs or the analyzer-udp-port keyword, an IP mirroring action is indicated, and the prepended header is not used.

    Note: For IP mirroring, you must include both VSA 26-59 and VSA 26-61, or you must omit both of these VSAs. If you use only one of these VSAs, the configuration fails.

    Figure 1 shows the structure of the prepended header. The values in parentheses indicate the fixed value for individual fields. For fields that do not have a fixed value listed, the value is dynamically created for each mirrored packet. Table 1 lists the fields in the prepended header and indicates the values and field length.

    Figure 1: Prepended Header


    Table 1: Prepended Header Field Descriptions

    | Field                     | Value                                                  | Length (Bits) |
    |---------------------------|--------------------------------------------------------|---------------|
    | IP Header                 |                                                        |               |
    | Version                   | 4                                                      | 4             |
    | IHL                       | 5                                                      | 4             |
    | Type of Service           | 0                                                      | 8             |
    | Total Length              | Dynamically computed                                   | 16            |
    | Identification            | Dynamically computed                                   | 16            |
    | Flags                     | Dynamically computed                                   | 3             |
    | Fragment Offset           | Dynamically computed                                   | 13            |
    | Time to Live              | 255                                                    | 8             |
    | Protocol                  | 17                                                     | 8             |
    | Header Checksum           | Dynamically computed                                   | 16            |
    | Source Address            | Analyzer interface IP address                          | 32            |
    | Destination Address       | VSA 26-60                                              | 32            |
    | UDP Header                |                                                        |               |
    | Source Port               | VSA 26-61                                              | 16            |
    | Destination Port          | VSA 26-61                                              | 16            |
    | Length                    | Dynamically computed                                   | 16            |
    | Checksum                  | 0                                                      | 16            |
    | Mirror Header             |                                                        |               |
    | MHV (mirror header value) | 0                                                      | 2             |
    | Mirror Identifier         | See Format of the Mirror Header Attributes for details | 30            |
    | Session-ID                | See Format of the Mirror Header Attributes for details | 32            |

    Format of the Mirror Header Attributes

    The mirror header values are determined by the value that you configure in VSA 26-59. VSA 26-59 is declared as a hexadecimal string that can be either 8 bytes or 4 bytes long. The 8-byte format enables you to further specify the value that is used for the Session-ID field. If you use the 4-byte format, the router automatically determines the Session-ID field. The value in the 2-bit version field specifies the format that is used—0 indicates the 8-byte format, and 1 indicates the 4-byte format.

    8-Byte Format

    The 8-byte format of VSA 26-59 enables you to manually specify the Session-ID value in addition to the Mirror Identifier value. To use the 8-byte format, you configure the first two most significant bits of the first word of the VSA to a value of 0, which indicates two words in the VSA. The remaining 30 bits of the first word form the Mirror Identifier value, and the second word is the Session-ID field. You cannot change the order of these two words.

    For example, a value of 0000030000000090 in VSA 26-59 configures the following fields in the mirror header, as shown in Figure 2:

    • MHV = 0
    • Mirror Identifier = 0x300
    • Session-ID = 0x90

      Figure 2: 8-Byte Format of VSA 26-59


    4-Byte Format

    To use the 4-byte format of VSA 26-59, you configure the first two most significant bits of the VSA to a value of 1, which indicates a single word in the VSA. The remaining 30 bits of the word form the Mirror Identifier value. The router then creates the Session-ID value based on the least significant 32 bits of the Acct-Session-ID (RADIUS attribute 44).

    For example, a value of 40000010 for VSA 26-59 configures the following fields in the mirror header, as shown in Figure 3:

    • MHV = 1
    • Mirror Identifier = 0x10

      Figure 3: 4-Byte Format of VSA 26-59

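    The following Python sketch is an added example, not Juniper code. It decodes a VSA 26-59 value in either format and shows how an analyzer could validate the prepended header from Table 1 before trusting the Mirror Identifier and Session-ID for demultiplexing. The function names, the sample addresses, and UDP port 6000 are assumptions made for illustration.

```python
import struct

MIRROR_HDR_LEN = 8  # 2-bit MHV + 30-bit Mirror Identifier + 32-bit Session-ID


def decode_vsa_26_59(hex_value):
    """Decode a VSA 26-59 hex string into (mhv, mirror_id, session_id)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) not in (4, 8):
        raise ValueError("VSA 26-59 must be 4 or 8 bytes long")
    word = struct.unpack("!I", raw[:4])[0]
    mhv, mirror_id = word >> 30, word & 0x3FFFFFFF
    # The top two bits select the format: 0 = 8-byte, 1 = 4-byte.
    if (mhv, len(raw)) not in ((0, 8), (1, 4)):
        raise ValueError("format bits do not match the length of the value")
    # 4-byte format: the router derives Session-ID from Acct-Session-ID.
    session_id = struct.unpack("!I", raw[4:])[0] if mhv == 0 else None
    return mhv, mirror_id, session_id


def parse_prepended(packet, expected_udp_port):
    """Validate the prepended header; return mirror fields and mirrored packet."""
    if len(packet) < 20 + 8 + MIRROR_HDR_LEN:
        raise ValueError("too short for IP + UDP + mirror header")
    # Table 1 fixes Version=4, IHL=5 (first byte 0x45) and Protocol=17 (UDP).
    if packet[0] != 0x45 or packet[9] != 17:
        raise ValueError("not a prepended mirror header")
    _sport, dport, udp_len, _cksum = struct.unpack("!HHHH", packet[20:28])
    if dport != expected_udp_port:  # port configured through VSA 26-61
        raise ValueError("unexpected UDP port for this analyzer")
    # Assumption: UDP Length covers UDP header + mirror header + mirrored packet.
    if udp_len < 8 + MIRROR_HDR_LEN or 20 + udp_len > len(packet):
        raise ValueError("UDP length inconsistent with packet size")
    word, session_id = struct.unpack("!II", packet[28:36])
    return {
        "mhv": word >> 30,
        "mirror_id": word & 0x3FFFFFFF,
        "session_id": session_id,
        "mirrored": packet[36:20 + udp_len],
    }


# Constructed sample: IP header per Table 1 (checksum left at 0), constructed
# addresses 192.0.2.1 -> 192.0.2.2, port 6000, mirror header from the 8-byte example.
SAMPLE = (bytes.fromhex("4500002800000000ff110000c0000201c0000202")
          + struct.pack("!HHHH", 6000, 6000, 20, 0)
          + bytes.fromhex("0000030000000090") + b"DATA")
```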

    Published: 2014-08-14