S/N/K-Series Policy Based Mirroring overview

FAQ_User — Sat, 09 Nov 2013 04:56:00 GMT

Article ID: 12373

Products
S-Series, all firmware
Matrix N-Series DFE, firmware 7.11.01.0025 and higher
K-Series, all firmware

Discussion
Policy based mirroring allows certain data types to be matched by normal policy-based packet pattern classification, sending only that data as a source for a port mirror. This may be useful for analyzing only certain aspects of a conversation on the network; be it a protocol type, a user IP address, etc.

Here are the affected commands. The value in the 'set mirror' commands corresponds with the value in the 'set policy' commands:
set mirror
[create ]
[ {[storage-type {non-volatile | volatile}] | [owner ]}
[ {[mirrorN <#frames>] | [storage-type {non-volatile | volatile}] | [owner ]} (requires f/w 8.x)
[enable {}]
[disable {}]
[ports [append]]

set policy profile [name ]
[pvid-status {enable | disable} {pvid }]
[cos-status {enable | disable} {cos }]
[mirror-destination ] | [clear-mirror] | [prohibit-mirror]
[egress-vlans ]
[forbidden-vlans ]
[untagged-vlans ]
[append] | [clear]
[tci-overwrite {enable | disable}]
[precedence ]
[syslog {enable | disable}]
[trap {enable | disable}]
[disable-port {enable | disable}]

set policy rule {admin-profile | }
{ [] [mask ]}
[port-string ]
[storage-type {non-volatile | volatile}]
[vlan ] | [drop | forward]
[cos ]
[mirror-destination ] | [clear-mirror] | [prohibit-mirror]
[admin-pid ]
[syslog {enable | disable | prohibit}]
[trap {enable |disable | prohibit}]
[disable-port {enable | disable | prohibit}]Note: With S/K-Series firmware 8.01.01.0016 and higher, the mirror command supports the 'mirrorN' feature to specify mirroring a maximum of N frames. The maximum value for <#frames> is 4294967295, equivalent to 0xffffffff.

Here is a sample configuration that uses policy profile 10 to check for ARP frames ingressing policy-applied port ge.5.2, sending them to mirror instance 2 which applies to destination port ge.5.1. Remember that policy rules examine ingress traffic only.
set mirror create 2
set mirror ports ge.5.1 2
set policy profile 10
set policy rule 10 ether 0x806 mirror-destination 2 forward
set policy port ge.5.2 10Again, the source of the ingressing ARP frames is port ge.5.2 and the sniffer, IDS or other traffic analysis device would plug into port ge.5.1.

In these commands, the 'mirror-destination' parameter may be considered to act similarly to what is already understood for the 'pvid/vlan' and 'cos' parameters. That is, if an underlying rule containing such a parameter (e.g. mirror-destination) is "hit" by a policy-traversing packet, then that rule-specified action is executed for the packet - otherwise the same parameter if present in the profile command is executed for the packet as a default action. Thus, the example presented above mirrors ARP-matching traffic. If instead we wanted to mirror non-ARP-matching traffic, then the 'mirror-destination 2' parameter would be moved from the rule to the profile.

Also see this HowTo Video which provides further background regarding the policy-based mirroring feature.

topic S/N/K-Series Policy Based Mirroring overview in FAQs

S/N/K-Series Policy Based Mirroring overview