Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Configuring CLI-Based Interface-Specific Packet Mirroring

    This example shows the configuration of a CLI-based packet mirroring session for a particular static IP interface. The configuration results in all traffic through the interface being replicated and the replicated traffic then sent through an IPSec tunnel to the analyzer device.

    1. Enable the visibility and use of the packet mirroring CLI commands.
    2. Configure the analyzer interface and a route to reach the analyzer device at

      Note: If the analyzer interface is Ethernet-based, you must configure a static ARP entry for the analyzer device.

      host1(config)#virtual-router vr1 host1:vr1(config)#interface tunnel ipsec:Diag transport-virtual-router default host1:vr1(config-if)#ip analyzer host1:vr1(config-if)#exit host1:vr1(config)#ip route tunnel ipsec:Diag
    3. Configure the secure IP policy that forwards the mirrored traffic to the analyzer device at

      In this example, the configured mirror rule does not include the analyzer-udp-port keyword. Therefore, the rule sets the mirror header to disable, which means that the mirror header is not prepended to the mirrored packets. See Understanding the Prepended Header During a Packet Mirroring Session for information about the prepended mirror header. The classifier-group command uses a previously configured classifier list, secClassA.

      host1:vr1(config)#secure ip policy-list secureIpPolicy1 host1:vr1(config-policy-list)#classifier-group secClassA host1:vr1(config-policy-list-classifier-group)#mirror analyzer-ip-address analyzer-virtual-router vr1
    4. Attach the secure policy to the interfaces whose traffic you want to mirror. This example mirrors input traffic at interface ATM 5/0.1 and output traffic at interface ATM 5/0.2.
      host1:vr1(config)#interface atm 5/0.1 host1:vr1(config-if)#ip policy secure-input secureIpPolicy1
      host1:vr1(config)#interface atm 5/0.2 host1:vr1(config-if)#ip policy secure-output secureIpPolicy1
    5. Verify the secure policy configuration.
      host1# show secure policy-list name secureIpPolicy1
                                        Policy Table
                                        ------ -----
      Secure IP Policy secureIpPolicy1
       Administrative state: enable
       Reference count:      2
       Classifier control list: secClassA
        mirror analyzer-ip-address analyzer-virtual-router vr1
       Referenced by interface(s): 
        ATM5/0.1  secure-input policy, virtual-router vr1
        ATM5/0.2  secure-output policy, virtual-router vr1

    Published: 2014-08-14