Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1727
Views
0
Helpful
5
Replies

[IOS XR 6.1.4] Mirror traffic ACL-based

Go to solution
nguyen.duy1931
Level 1
Level 1

‎06-06-2019 01:42 AM - edited ‎06-06-2019 01:50 AM

Dear all,

 

Now I want to capture the traffic for analyzing the enrichment header in packets. The mirroring instance is based on Layer 3 ACL. After configuring, I've connected laptop to the router and used Wireshark for capturing. But the data is very little, and there's no IP address that is matched.

 

The configuration is below. Please support me for checking whether it's right or not. Thanks in advance.

 

RP/0/RP1/CPU0:ASR9K_PE01#show running-config ipv4 access-list ACL_MIRROR_FB

Thu Jun 6 02:46:55.387 UTC
ipv4 access-list ACL_MIRROR
5 permit ipv4 any host 173.252.127.252 capture
10 permit ipv4 any host 173.252.127.254 capture
1000 permit ipv4 any any
!

RP/0/RP1/CPU0:ASR9K_PE01#show running-config interface GigabitEthernet0/10/0/1

Thu Jun 6 02:46:44.399 UTC
interface GigabitEthernet0/10/0/1   ====> connect to laptop, capture by Wireshark
carrier-delay up 2000 down 0
!

RP/0/RP1/CPU0:ASR9K_PE01#show running-config monitor-session ACL_MIRROR

Thu Jun 6 02:46:34.767 UTC
monitor-session ACL_MIRROR ethernet
destination interface GigabitEthernet0/10/0/1
!

RP/0/RP1/CPU0:ASR9K_PE01#show running-config interface be21.70

Thu Jun 6 02:46:25.742 UTC
interface Bundle-Ether21.70   ====> connect to firewall, IP private-side
vrf Gi
ipv4 address 10.1.1.1 255.255.255.252
monitor-session ACL_MIRROR ethernet
acl
!
encapsulation dot1q 70
ipv4 access-group ACL_MIRROR egress
!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
xr-escalation
Level 1
Level 1

‎06-06-2019 02:26 AM

does it work better if you configure interface GigabitEthernet0/10/0/1 as l2transport interface?

/Aleksandar

View solution in original post

0 Helpful
5 Replies 5

Go to solution
xr-escalation
Level 1
Level 1

‎06-06-2019 02:26 AM

does it work better if you configure interface GigabitEthernet0/10/0/1 as l2transport interface?

/Aleksandar
0 Helpful

Go to solution
nguyen.duy1931
Level 1
Level 1
In response to xr-escalation

‎06-06-2019 02:56 AM

I will try your suggestion and feedback. Thanks.
0 Helpful

Go to solution
smilstea
Cisco Employee
Cisco Employee
In response to nguyen.duy1931

‎06-06-2019 09:50 AM

You sometimes also have to add a dot1q tag to the laptop connected interface. Just make sure wireshark is in promiscuous mode if you need to use the tag option, or even if you don't as your traffic should be tagged going towards the laptop as thats how it comes in.

 

Sam

0 Helpful

Go to solution
Jason M.
Level 1
Level 1

‎06-10-2019 08:44 AM

If you're capturing layer 3 traffic on a layer 3 interface then remove the "ethernet" portion of the command under the interface.

 

Use "ethernet" if you will be capturing on an l2transport interface and l2 acl.

0 Helpful

Go to solution
nguyen.duy1931
Level 1
Level 1
In response to Jason M.

‎06-12-2019 06:55 PM

I've configured "l2transport" option to the observing interface. And I can capture the traffic based on L3 ACL.

Thanks for your support.

0 Helpful
Customers Also Viewed These Support Documents