Mirror Filtered Packets to CPU

The Mirroring to CPU with filter feature provides the ability to mirror filtered data plane packets to the CPU. It enables sniffing of selected packets that match the programmed filter condition and real-time monitoring in the Network Operating System.

The mirrored packets can be viewed by running tcpdump in the Linux shell to capture runtime traffic and inspect it for troubleshooting, monitoring, and analyzing network behavior at the interface level in real time. They can also be saved as PCAP files for further analysis and detailed offline examination.
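
One way to examine a saved capture offline, as an added example that is not part of the product documentation: the Python below reads a classic pcap file, the format tcpdump -w writes by default, and classifies each packet against the filter it was expected to match, marking records cut short before the TCP flags byte. The VLAN 100 plus SYN filter, the function names, and the sample capture are constructed assumptions, as is the mirrored copy keeping its 802.1Q tag.

```python
import struct

def parse_pcap(data):
    """Yield (orig_len, captured_bytes) per record of a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        _, _, cap_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        yield orig_len, data[off + 16:off + 16 + cap_len]
        off += 16 + cap_len

def fields(frame, orig_len):
    """Pull out VLAN id, IPv4 TTL and TCP flags; None where absent or cut off."""
    out = {"vlan": None, "ttl": None, "tcp_flags": None, "truncated": len(frame) < orig_len}
    if len(frame) < 18:
        return out
    etype, off = struct.unpack("!H", frame[12:14])[0], 14
    if etype == 0x8100:                         # 802.1Q tag present
        tci, etype = struct.unpack("!HH", frame[14:18])
        out["vlan"], off = tci & 0x0FFF, 18
    if etype == 0x0800 and len(frame) >= off + 20:
        out["ttl"] = frame[off + 8]
        tcp = off + (frame[off] & 0x0F) * 4     # TCP header follows the IPv4 header
        if frame[off + 9] == 6 and len(frame) >= tcp + 14:
            out["tcp_flags"] = frame[tcp + 13]
    return out

def audit(data, vlan, flag_mask):
    """Classify each packet against the expected filter: VLAN id plus TCP flag bits."""
    verdicts = []
    for orig_len, frame in parse_pcap(data):
        f = fields(frame, orig_len)
        if f["truncated"] and f["tcp_flags"] is None:
            verdicts.append("truncated")        # cut before the TCP flags byte
        else:
            hit = f["vlan"] == vlan and f["tcp_flags"] is not None and f["tcp_flags"] & flag_mask == flag_mask
            verdicts.append("match" if hit else "mismatch")
    return verdicts

def _record(vlan, ttl, flags, cap_len=None):    # constructed 802.1Q/IPv4/TCP packet record
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, flags, 1024, 0, 0)
    frame = bytes(12) + struct.pack("!HHH", 0x8100, vlan, 0x0800) + ip + tcp
    return struct.pack("<IIII", 0, 0, len(frame[:cap_len]), len(frame)) + frame[:cap_len]
# Constructed capture: a matching SYN, a packet on another VLAN, and a truncated record.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _record(100, 64, 0x02) + _record(200, 64, 0x10) + _record(100, 1, 0x02, 40))
```

A mismatch verdict on a real capture means packets outside the intended filter are reaching the CPU, which is worth checking against the programmed rule.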

Feature Characteristics

The main characteristics of Mirroring to CPU are as follows:

Enables monitoring in the switching devices, such as leaf and spine switches.
Monitoring at the leaf provides visibility into north-south traffic (between endpoints and external networks or services).
Monitoring at the spine provides visibility into east-west traffic, i.e., between leaf switches.
Supports one or more source interfaces and one or more VLAN sources in the ingress direction.
Supports port-based mirroring in the ingress and egress directions and filter-based mirroring only in the ingress direction.
Works similarly to a monitor session and supports the stop or delete function.
Overcomes the issue of latency or delay incurred on the path of mirrored traffic to reach its monitoring device while using SPAN, RSPAN, or ERSPAN.

Enabling only port-based mirroring, without selecting streams using filter rules, on high-traffic ports starves the protocol packets.

Benefits

This feature helps to overcome the situations mentioned below:

Latency or delay incurred on the path of mirrored traffic to reach its monitoring device.
Reserving switch port bandwidth for the additional mirrored traffic.
If the port that forwards mirrored traffic is congested, the mirrored copy will not reach the monitoring device, impairing the ability to debug the issue.

Limitations

This feature does not capture VXLAN-OAM packets.
TTL and TCP flags are not supported on TR3 platforms.
Truncation of packets is not supported on TH2 platforms.
The BFD packets, original and mirrored, are redirected to the hw-bfd cpu-queue and are not captured in tcpdump on TH3 and TH2 devices.

Supported Hardware

The following XGS platforms are supported:

Maverick2 (AS5835-54X)
TR3-X7 (AS7326-56X, AS7726-32X, S9110-32X)
TR3-X5 (S8901-54XC)
TH2 (AS7816-64X)
TH3 (AS9716-32D)