Understanding the Prepended Header During a Packet Mirroring Session
During a packet mirroring session, the router prepends a special UDP/IP header to each mirrored packet that is sent to the analyzer interface. This prepended header is created by the policy-mirroring action, and is used for demultiplexing at the analyzer to sort through the multiple mirrored streams that arrive from different sources.
All mirrored L2TP session packets are prepended with UDP/IP header. However, for IP traffic mirroring, the prepend header is optional; the header is added if the mirroring-related VSAs (VSAs 59 and 61) are included in the RADIUS message. For CLI-based mirroring, the analyzer-udp-port keyword of the mirror analyzer-ip-address command creates the same information contained in the two VSAs. If you do not include the VSAs or the analyzer-udp-port keyword, an IP mirroring action is indicated, and the prepend header is not used.
 |
NOTE: For IP mirroring, both VSA 26-59 and 26-61 or neither must be included. If only one of the VSAs is used, the configuration fails. |
Figure 21 shows the structure of the prepended header. The values in parentheses indicate the fixed value for individual fields. For fields that do not have a fixed value listed, the value is dynamically created for each mirrored packet. Table 47 lists the fields in the prepended header and indicates the values and field length.
See Format of the Mirror Header Attributes for details |
||
See Format of the Mirror Header Attributes for details |
||
Format of the Mirror Header Attributes
The mirror header values are determined by the value that you configure in VSA 26-59. VSA 26-59 is declared as a hexadecimal string that can be either 8 bytes or 4 bytes long. The 8-byte format enables you to further specify the value that is used for the Session-ID field. If you use the 4-byte format, the router automatically determines the Session-ID field. The value in the 2-bit version field specifies the format that is used—0 indicates the 8-byte format, and 1 indicates the 4-byte format.
8-Byte Format
The 8-byte format of VSA 26-59 enables you to manually specify the Session-ID value in addition to the Mirror Identifier value. To use the 8-byte format, you configure the first two most significant bits of the first word of the VSA to a value of 0, which indicates two words in the VSA. The remaining 30 bits of the first word form the Mirror Identifier value, and the second word is the Session-ID field. You cannot change the order of these two words.
For example, a value of 0000030000000090 in VSA 26-59 configures the following fields in the mirror header, as shown in Figure 22:
4-Byte Format
To use the 4-byte format of VSA 26-59, you configure the first two most significant bits of the VSA to a value of 1, which indicates a single word in the VSA. The remaining 30 bits of the word form the Mirror Identifier value. The router then creates the Session-ID value based on the least significant 32 bits of the Acct-Session-ID (RADIUS attribute 44).
For example, a value of 40000010 for VSA 26-59 configures the following fields in the mirror header, as shown in Figure 23:
