Configuration Guide User guide
FastIron Configuration Guide 935
53-1002494-02
ACL-based inbound mirroring
Configuring ACL-based mirroring for ACLs bound to virtual interfaces
For configurations that have an ACL configured for ACL-based mirroring bound to a virtual interface,
you must use the ACL-mirror-port command on a physical port that is a member of the same VLAN
as the virtual interface. Additionally, only traffic that arrives at ports that belong to the same port
group as the physical port where the ACL-mirror-port command has been used is mirrored. This
follows the same rules described in “Ports from a port region must be mirrored to the same
destination mirror port” on page 933.
For example, in the following configuration, ports 4/1, 4/2, and 5/3 are in VLAN 10 with ve 10.
Ports 4/1 and 4/2 belong to the same port group, while port 5/3 belongs to another port group.
Brocade(config)#vlan 10
Brocade(config-vlan-10)#tagged ethernet 4/1 to 4/2
Brocade(config-vlan-10)#tagged ethernet 5/3
Brocade(config-vlan-10)#router-interface ve 10
Brocade(config)#interface ethernet 4/1
Brocade(config-if-e10000-4/1)#ACL-mirror-port ethernet 5/1
Brocade(config)#interface ve 10
Brocade(config-vif-10)#ip address 10.10.10.254/24
Brocade(config-vif-10)#ip access-group 102 in
Brocade(config)#access-list 102 permit ip any any mirror
In this configuration, the ACL-mirror-port command is applied to port 4/1, which is a member of ve
10. Because of this, ACL-based mirroring applies only to VLAN 10 traffic that arrives on ports 4/1
and 4/2. It does not apply to VLAN 10 traffic that arrives on port 5/3, because that port belongs to a
port group different from the one containing ports 4/1 and 4/2: when ACL-based mirroring is applied
to an entire VE but mirroring is enabled in only one port region, traffic in the same VE that arrives on
a port in a different port region is not mirrored.
To make the configuration apply ACL-based mirroring to VLAN 10 traffic arriving on port 5/3, you
must add the following commands to the configuration.
Brocade(config)#interface ethernet 5/3
Brocade(config-if-e10000-5/3)#ACL-mirror-port ethernet 5/1
If a port is in both mirrored and non-mirrored VLANs, only traffic on the port from the mirrored VLAN
is mirrored. For example, the following configuration adds VLAN 20 to the previous configuration. In
this example, ports 4/1 and 4/2 are in both VLAN 10 and VLAN 20. ACL-based mirroring is only
applied to VLAN 10. Consequently, traffic that is on ports 4/1 and 4/2 that belongs to VLAN 20 will
not be mirrored.
Brocade(config)#vlan 10
Brocade(config-vlan-10)#tagged ethernet 4/1 to 4/2
Brocade(config-vlan-10)#tagged ethernet 5/3
Brocade(config-vlan-10)#router-interface ve 10
Brocade(config)#vlan 20
Brocade(config-vlan-20)#tagged ethernet 4/1 to 4/2
Brocade(config)#interface ethernet 4/1
Brocade(config-if-e10000-4/1)#ACL-mirror-port ethernet 5/1
Brocade(config)#interface ve 10
Brocade(config-vif-10)#ip address 10.10.10.254/24
Brocade(config-vif-10)#ip access-group 102 in
Brocade(config)#access-list 102 permit ip any any mirror
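The two rules above (mirroring reaches only the port group that carries ACL-mirror-port, and only the VLAN whose VE carries the mirror ACL) are easy to get wrong when auditing a larger configuration. The following script is an added example, not Brocade code: it parses the CLI session shown in this section and reports which VLAN/port combinations actually feed the mirror destination. The PORT_GROUPS map is an assumption (the guide states only that 4/1 and 4/2 share a port group and 5/3 does not); the sample configuration text is constructed from the guide's second example, and FIX_5_3 is the correction the guide prescribes for port 5/3.

```python
"""Audit which ingress traffic an ACL-based mirror bound to a VE actually covers.

Added example (not Brocade code). Models the two rules stated in the guide:
  1. Only ports in the same port group (port region) as a VLAN member port that
     carries ACL-mirror-port are mirrored.
  2. A port that is in both a mirrored and a non-mirrored VLAN mirrors only the
     mirrored VLAN's traffic.
"""
import re
from collections import defaultdict

# Port-group membership is hardware layout, not configuration text. The guide only
# says 4/1 and 4/2 share a group and 5/3 is in another; these labels are constructed.
PORT_GROUPS = {"4/1": "A", "4/2": "A", "5/1": "B", "5/3": "B"}

# Constructed from the guide's second example (VLAN 20 added, no mirror source on 5/3).
SAMPLE_CONFIG = """\
Brocade(config)#vlan 10
Brocade(config-vlan-10)#tagged ethernet 4/1 to 4/2
Brocade(config-vlan-10)#tagged ethernet 5/3
Brocade(config-vlan-10)#router-interface ve 10
Brocade(config)#vlan 20
Brocade(config-vlan-20)#tagged ethernet 4/1 to 4/2
Brocade(config)#interface ethernet 4/1
Brocade(config-if-e10000-4/1)#ACL-mirror-port ethernet 5/1
Brocade(config)#interface ve 10
Brocade(config-vif-10)#ip address 10.10.10.254/24
Brocade(config-vif-10)#ip access-group 102 in
Brocade(config)#access-list 102 permit ip any any mirror
"""

# The addition the guide prescribes so that VLAN 10 traffic on 5/3 is mirrored too.
FIX_5_3 = """\
Brocade(config)#interface ethernet 5/3
Brocade(config-if-e10000-5/3)#ACL-mirror-port ethernet 5/1
"""

# "Brocade(config-vlan-10)#tagged ..." -> mode "config-vlan-10", command "tagged ..."
PROMPT = re.compile(r"^[^(\s]+\((config[^)]*)\)#(.*)$")
CONTEXTS = [("vlan", re.compile(r"config-vlan-(\d+)")),
            ("port", re.compile(r"config-if-e\d+-(\S+)")),
            ("ve", re.compile(r"config-vif-(\d+)"))]


def context(mode):
    """Derive the configuration context (vlan / port / ve / global) from the prompt."""
    for kind, pat in CONTEXTS:
        m = pat.fullmatch(mode)
        if m:
            return kind, m.group(1)
    return "global", None


def expand_ports(spec):
    """'4/1 to 4/2' -> ['4/1', '4/2']; '5/3' -> ['5/3']. Assumes a range stays in one slot."""
    m = re.fullmatch(r"(\d+)/(\d+)(?: to (\d+)/(\d+))?", spec.strip())
    if not m:
        raise ValueError(f"unsupported port spec: {spec!r}")
    slot, first = int(m.group(1)), int(m.group(2))
    last = int(m.group(4)) if m.group(4) else first
    return [f"{slot}/{p}" for p in range(first, last + 1)]


def parse_config(text):
    """Collect the state that decides mirroring: VLAN members, VE binding, ACLs, sources."""
    st = {"vlan_ports": defaultdict(set), "vlan_ve": {}, "mirror_src": {},
          "ve_acl": {}, "mirror_acls": set()}
    for raw in text.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        kind, ident = context(m.group(1))
        words = m.group(2).split()
        if not words:
            continue
        cmd = words[0].lower()
        if kind == "vlan" and cmd in ("tagged", "untagged") and words[1] == "ethernet":
            st["vlan_ports"][ident].update(expand_ports(" ".join(words[2:])))
        elif kind == "vlan" and cmd == "router-interface" and words[1] == "ve":
            st["vlan_ve"][ident] = words[2]
        elif kind == "port" and cmd == "acl-mirror-port":
            st["mirror_src"][ident] = words[2]        # physical port -> destination port
        elif kind == "ve" and cmd == "ip" and words[1] == "access-group" and words[-1] == "in":
            st["ve_acl"][ident] = words[2]
        elif kind == "global" and cmd == "access-list" and words[-1].lower() == "mirror":
            st["mirror_acls"].add(words[1])
    return st


def mirror_coverage(st, port_groups):
    """Return {(vlan, port): mirrored?} for every VLAN member port."""
    cov = {}
    for vlan, ports in st["vlan_ports"].items():
        acl = st["ve_acl"].get(st["vlan_ve"].get(vlan))
        vlan_mirrored = acl in st["mirror_acls"]
        # Port groups that contain a VLAN member carrying ACL-mirror-port (rule 1).
        active = {port_groups.get(p, p) for p in ports if p in st["mirror_src"]}
        for p in sorted(ports):
            cov[(vlan, p)] = vlan_mirrored and port_groups.get(p, p) in active
    return cov


def uncovered(st, port_groups):
    """Ports in a VLAN meant to be mirrored whose port group has no mirror source."""
    mirrored = {v for v in st["vlan_ports"]
                if st["ve_acl"].get(st["vlan_ve"].get(v)) in st["mirror_acls"]}
    return sorted((v, p) for (v, p), ok in mirror_coverage(st, port_groups).items()
                  if v in mirrored and not ok)


if __name__ == "__main__":
    for label, text in (("as configured", SAMPLE_CONFIG),
                        ("with 5/3 fixed", SAMPLE_CONFIG + FIX_5_3)):
        print(label, "-> not mirrored:", uncovered(parse_config(text), PORT_GROUPS))
```

Run against the guide's configuration, the audit flags VLAN 10 on port 5/3 as the only gap, and reports no gaps once the two ACL-mirror-port lines for port 5/3 are appended; VLAN 20 traffic on 4/1 and 4/2 is reported as not mirrored, which is the intended behaviour rather than a gap, because no mirror ACL is bound to a VE in that VLAN.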