Configuring CLI-Based Packet Mirroring ! 161
Chapter 6: Packet Mirroring
! An interface cannot be both an analyzer port and a mirrored interface at the
same time.
! If you do not specify an analyzer port when using the ip mirror command, the
mirrored traffic is forwarded to the virtual router’s default analyzer port. The
command fails if a default analyzer port is not configured.
! An interface can be mirrored to only one analyzer port at a time.
! If the analyzer port is a shared medium (for example, Ethernet), you must
specify the next-hop address to the remote analyzer device.
! Example
host1(config)#ip mirror atm 3/0.2 fastEthernet 2/0 next-hop 192.168.1.2
! If the remote analyzer device is not directly connected to the E-series router,
you must specify a tunnel as the analyzer port.
! Example
host1(config)#ip mirror atm 3/0.2 tunnel gre:analyzer1
! Use the no version to disable mirroring on the interface.
ip policy
! Use with the secure-input or secure-output keyword to assign a secure IP or
L2TP policy list to the ingress or egress side of an interface.
! This command is visible only to authorized users—the mirror-enable
command must be enabled prior to using this command.
! If you enter the ip policy command with the secure-input or secure-output
keyword and the policy list does not exist, the router creates a policy list with a
default mirror rule that disables mirroring. If you attach this policy list to an
interface, there is no packet mirroring.
! When you use this command to create a secure policy list, statistics-related
keywords are not supported.
! Example
host1(config-if)#ip policy secure-input securePolicy2
! Use the no version to remove the policy list from the interface.
mirror acct-session-id
! Use to configure a packet mirroring session that is based on the Acct-Session-ID
attribute (RADIUS attribute 44) associated with an IP or L2TP subscriber, and to
specify the secure policy that is attached to the subscriber’s interface.
! This command is visible only to authorized users—the mirror-enable
command must be enabled prior to using this command.
! Use the ip keyword to specify an IP subscriber or the l2tp keyword for an L2TP
subscriber.
NOTE: The ip policy command used with the secure-input and secure-output
keywords replaces the ip mirror command, which has been deprecated.
To Next Page
Loading...
Need help?
General
