Monitoring and Analyzing Switch Operation
Traffic Mirroring
■ Intercepted or Injected Traffic: The mirroring feature does not protect
against either mirrored traffic being intercepted or traffic being injected
into a mirrored stream by an intermediate host.
■ Inbound Mirrored IPv4-Encapsulated Frames are Not Mirrored:
The switch does not mirror IPv4-encapsulated mirrored frames that it
receives on an interface. This prevents duplicate mirrored frames in
configurations where the port connecting the switch to the network path
for a mirroring destination is also a port whose inbound or outbound
traffic is being mirrored. For example, if traffic leaving the switch through
ports B5, B6, and B7 is being mirrored through port B7 to a network
analyzer, the mirrored frames from traffic on ports B5 and B6 will not be
mirrored a second time as they pass through port B7.
■ Switch Operation as Both Destination and Source: A switch config-
ured as remote destination switch can also be configured to mirror traffic
to one of its own ports (local mirroring) or to a destination on another
switch (remote mirroring).
■ Monitor Command Note: If session 1 is already configured with a
destination, you can enter the [no] vlan < vid > monitor or [no] interface
< port > monitor command without mirroring criteria and a mirror session
number. In this case, the switch automatically configures or removes
mirroring for inbound and outbound traffic from the specified VLAN or
port(s) to the destination configured for session 1.
■ Loss of Connectivity Suspends Remote Mirroring: When a remote
mirroring session is configured on a source switch, the switch sends an
ARP request to the configured destination approximately every 60 sec-
onds. If the source switch fails to receive the expected ARP response from
the destination for the session, transmission of mirrored traffic in the
session halts. However, because the source switch continues to send ARP
requests for each configured remote session, link restoration or discovery
of another path to the destination enables the source switch to resume
transmitting the session’s mirrored traffic after a successful ARP response
cycle occurs. Note that if a link’s connectivity is repeatedly interrupted
(“link toggling”), little or no mirrored traffic may be allowed for sessions
using that link. To verify the status of any mirroring session configured
on the source switch, use the show monitor command.
B-96
