Configuring CLI-Based Packet Mirroring ! 157
Chapter 6: Packet Mirroring
Configuring CLI-Based Interface-Specific Mirroring
This example shows the configuration of a CLI-based packet mirroring session for a
particular static IP interface. The configuration results in all traffic through the
interface being replicated and the replicated traffic then sent through an IPSec
tunnel to the analyzer device.
1. Enable the visibility and use of the packet mirroring CLI commands.
host1#mirror-enable
2. Configure the analyzer port and a route to reach the analyzer device at
192.168.125.29.
host1(config)#virtual-router vr1
host1:vr1(config)#interface tunnel ipsec:Diag transport-virtual-router default
host1:vr1(config-if)#ip analyzer
host1:vr1(config-if)#exit
host1:vr1(config)#ip route 192.168.125.29 255.255.255.255 tunnel ipsec:Diag
3. Configure the secure IP policy that forwards the mirrored traffic to the analyzer
device at 192.168.125.29.
In this example, the configured mirror rule does not include the
analyzer-udp-port keyword. Therefore, the rule sets the mirror header to
disable, which means that the mirror header is not prepended to the mirrored
packets. See Understanding the Prepended Header on page 174 for information
about the prepended mirror header.
host1:vr1(config)#secure ip policy-list secureIpPolicy1
host1:vr1(config-policy-list)#classifier-group *
host1:vr1(config-policy-list-classifier-group)#mirror analyzer-ip-address
192.168.125.29 analyzer-virtual-router vr1
4. Attach the secure policy to the interfaces whose traffic you want to mirror. This
example mirrors input traffic at interface ATM 5/0.1 and output traffic at
interface ATM 5/0.2.
host1:vr1(config)#interface atm 5/0.1
host1:vr1(config-if)#ip policy secure-input secureIpPolicy1
host1:vr1(config)#interface atm 5/0.2
host1:vr1(config-if)#ip policy secure-output secureIpPolicy1
NOTE: If the analyzer port is Ethernet-based, you must configure a static ARP entry
for the analyzer device.
To Next Page
Loading...
Need help?
General
