S/N/K-Series Policy Based Mirroring overview

  • 0
  • 1
  • Article
  • Updated 4 years ago
  • (Edited)
Article ID: 12373 

S-Series, all firmware
Matrix N-Series DFE, firmware and higher
K-Series, all firmware 

Policy based mirroring allows certain data types to be matched by normal policy-based packet pattern classification, sending only that data as a source for a port mirror. This may be useful for analyzing only certain aspects of a conversation on the network; be it a protocol type, a user IP address, etc. 

Here are the affected commands. The  value in the 'set mirror' commands corresponds with the  value in the 'set policy' commands:
set mirror
[create ]
[ {[storage-type {non-volatile | volatile}] | [owner ]}
[ {[mirrorN <#frames>] | [storage-type {non-volatile | volatile}] | [owner ]} (requires f/w 8.x)
[enable {}]
[disable {}]
[ports [append]]

set policy profile [name ]
[pvid-status {enable | disable} {pvid }]
[cos-status {enable | disable} {cos }]
[mirror-destination ] | [clear-mirror] | [prohibit-mirror]
[egress-vlans ]
[forbidden-vlans ]
[untagged-vlans ]
[append] | [clear]
[tci-overwrite {enable | disable}]
[precedence ]
[syslog {enable | disable}]
[trap {enable | disable}]
[disable-port {enable | disable}]

set policy rule {admin-profile | }
{ [] [mask ]}
[port-string ]
[storage-type {non-volatile | volatile}]
[vlan ] | [drop | forward]
[cos ]
[mirror-destination ] | [clear-mirror] | [prohibit-mirror]
[admin-pid ]
[syslog {enable | disable | prohibit}]
[trap {enable |disable | prohibit}]
[disable-port {enable | disable | prohibit}]
Note: With S/K-Series firmware and higher, the mirror command supports the 'mirrorN' feature to specify mirroring a maximum of N frames. The maximum value for <#frames> is 4294967295, equivalent to 0xffffffff. 

Here is a sample configuration that uses policy profile 10 to check for ARP frames ingressing policy-applied port ge.5.2, sending them to mirror instance 2 which applies to destination port ge.5.1. Remember that policy rules examine ingress traffic only.
set mirror create 2
set mirror ports ge.5.1 2
set policy profile 10
set policy rule 10 ether 0x806 mirror-destination 2 forward
set policy port ge.5.2 10
Again, the source of the ingressing ARP frames is port ge.5.2 and the sniffer, IDS or other traffic analysis device would plug into port ge.5.1. 

In these commands, the 'mirror-destination' parameter may be considered to act similarly to what is already understood for the 'pvid/vlan' and 'cos' parameters. That is, if an underlying rule containing such a parameter (e.g. mirror-destination) is "hit" by a policy-traversing packet, then that rule-specified action is executed for the packet - otherwise the same parameter if present in the profile command is executed for the packet as a default action. Thus, the example presented above mirrors ARP-matching traffic. If instead we wanted to mirror non-ARP-matching traffic, then the 'mirror-destination 2' parameter would be moved from the rule to the profile. 

Also see this HowTo Video which provides further background regarding the policy-based mirroring feature.
Photo of FAQ User

FAQ User, Official Rep

  • 13,590 Points 10k badge 2x thumb

Posted 4 years ago

  • 0
  • 1

There are no replies.

This conversation is no longer open for comments or replies.