Example: Configuring CLI-Based Interface-Specific Packet Mirroring

This example shows the configuration of a CLI-based packet mirroring session for a particular static IP interface. The configuration results in all traffic through the interface being replicated and the replicated traffic then sent through an IPSec tunnel to the analyzer device.

1. Enable the visibility and use of the packet mirroring CLI commands.
   host1#mirror-enable
2. Configure the analyzer interface and a route to reach the analyzer device at 192.168.125.29.

   Note: If the analyzer interface is Ethernet-based, you must configure a static ARP entry for the analyzer device.

   host1(config)#virtual-router vr1 host1:vr1(config)#interface tunnel ipsec:Diag transport-virtual-router default host1:vr1(config-if)#ip analyzer host1:vr1(config-if)#exit host1:vr1(config)#ip route 192.168.125.29 255.255.255.255 tunnel ipsec:Diag
3. Configure the secure IP policy that forwards the mirrored traffic to the analyzer device at 192.168.125.29.

   In this example, the configured mirror rule does not include the analyzer-udp-port keyword. Therefore, the rule sets the mirror header to disable, which means that the mirror header is not prepended to the mirrored packets. See Understanding the Prepended Header During a Packet Mirroring Session for information about the prepended mirror header. The classifier-group command uses a previously configured classifier list, secClassA.

   host1:vr1(config)#secure ip policy-list secureIpPolicy1 host1:vr1(config-policy-list)#classifier-group secClassA host1:vr1(config-policy-list-classifier-group)#mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1
4. Attach the secure policy to the interfaces whose traffic you want to mirror. This example mirrors input traffic at interface ATM 5/0.1 and output traffic at interface ATM 5/0.2.
   host1:vr1(config)#interface atm 5/0.1 host1:vr1(config-if)#ip policy secure-input secureIpPolicy1
   host1:vr1(config)#interface atm 5/0.2 host1:vr1(config-if)#ip policy secure-output secureIpPolicy1
5. Verify the secure policy configuration.

   host1# show secure policy-list name secureIpPolicy1
                                     Policy Table
                                     ------ -----
   Secure IP Policy secureIpPolicy1
    Administrative state: enable
    Reference count:      2
    Classifier control list: secClassA
     mirror analyzer-ip-address 192.168.125.29 analyzer-virtual-router vr1
    Referenced by interface(s): 
     ATM5/0.1  secure-input policy, virtual-router vr1
     ATM5/0.2  secure-output policy, virtual-router vr1