Brocade FastIron Ethernet Switch Platform and Layer 2 Switching Configuration Guide User Manual
Page 243
device(config-lag-test)#ports ethernet 1/1/1 to 1/1/2
device(config-lag-test)#primary-port 1/1/1
device(config-lag-test)#deploy
device(config-if-e-1/1/1)#acl-mirror-port ethernet 1/1/38
To delete the trunk, enter the following command.
device(config)#no lag test
Configuring ACL-based mirroring for ACLs bound to virtual interfaces
For configurations that have an ACL configured for ACL-based mirroring bound to a virtual interface,
you must use the acl-mirror-port command on a physical port that is a member of the same VLAN as
the virtual interface. Additionally, only traffic that arrives at ports that belong to the same port group as
the physical port where the acl-mirror-port command has been used is mirrored. This follows the
same rules described in "Ports from a port region must be mirrored to the same destination mirror port"
on page 241.
For example, in the following configuration, ports 4/1, 4/2, and 5/3 are in VLAN 10 with ve 10. Ports 4/1
and 4/2 belong to the same port group, while port 5/3 belongs to another port group.
device(config)#vlan 10
device(config-vlan-10)#tagged ethernet 4/1 to 4/2
device(config-vlan-10)#tagged ethernet 5/3
device(config-vlan-10)#router-interface ve 10
device(config)#interface ethernet 4/1
device(config-if-e10000-4/1)#acl-mirror-port ethernet 5/1
device(config)#interface ve 10
device(config-vif-10)#ip address 10.10.10.254/24
device(config-vif-10)#ip access-group 102 in
device(config)#access-list 102 permit ip any any mirror
In this configuration, the acl-mirror-port command is applied to port 4/1, which is a member of ve 10.
Because of this, ACL-based mirroring will only apply to VLAN 10 traffic that arrives on ports 4/1 and 4/2.
It will not apply to VLAN 10 traffic that arrives on port 5/3 because that port belongs to a port group
different from ports 4/1 and 4/2. This is because if you apply ACL-based mirroring on an entire VE, and
enable mirroring in only one port region, traffic that is in the same VE but on a port in a different port
region will not be mirrored.
To make the configuration apply ACL-based mirroring to VLAN 10 traffic arriving on port 5/3, you must
add the following commands to the configuration.
device(config)#interface ethernet 5/3
device(config-if-e10000-5/3)#acl-mirror-port ethernet 5/1
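The coverage gap described above is easy to miss when a mirror feeds an IDS or packet capture, so it is worth checking for. The following is an added example, not part of the Brocade guide: it parses a configuration (prompts stripped) and lists VE member ports whose port group has no acl-mirror-port. The function names, the `PORT_GROUP` map and its group labels `A`/`B` are assumptions; real port-group membership is hardware-specific and must be supplied by the operator.

```python
import re

# Constructed sample: the VLAN 10 / ve 10 configuration from the text, prompts stripped.
CONFIG = """\
vlan 10
tagged ethernet 4/1 to 4/2
tagged ethernet 5/3
router-interface ve 10
interface ethernet 4/1
acl-mirror-port ethernet 5/1
interface ve 10
ip access-group 102 in
access-list 102 permit ip any any mirror
"""
# Assumption: port-group membership is hardware-specific; the operator supplies it.
PORT_GROUP = {"4/1": "A", "4/2": "A", "5/3": "B"}

def expand(first, last):
    """Expand '4/1 to 4/2' into ['4/1', '4/2']; a single port has last=None."""
    slot, low = first.rsplit("/", 1)
    high = last.rsplit("/", 1)[1] if last else low
    return [f"{slot}/{n}" for n in range(int(low), int(high) + 1)]

def unmirrored_ports(config, port_group):
    """Map each ve with a mirroring ACL to member ports whose port group has no acl-mirror-port."""
    vlan_ports, ve_vlan, ve_acl = {}, {}, {}
    mirror_acls, mirrored_groups, ctx = set(), set(), (None, None)
    for line in (l.strip().lower() for l in config.splitlines()):
        if m := re.match(r"(vlan|interface ethernet|interface ve) (\S+)", line):
            ctx = m.groups()  # remember which configuration level we are in
        elif m := re.match(r"access-list (\d+) .*\bmirror$", line):
            mirror_acls.add(m[1])
        elif ctx[0] == "vlan" and (m := re.match(r"(?:un)?tagged ethernet (\S+)(?: to (\S+))?", line)):
            vlan_ports.setdefault(ctx[1], []).extend(expand(m[1], m[2]))
        elif ctx[0] == "vlan" and (m := re.match(r"router-interface ve (\d+)", line)):
            ve_vlan[m[1]] = ctx[1]
        elif ctx[0] == "interface ethernet" and line.startswith("acl-mirror-port"):
            mirrored_groups.add(port_group[ctx[1]])
        elif ctx[0] == "interface ve" and (m := re.match(r"ip access-group (\d+) in", line)):
            ve_acl[ctx[1]] = m[1]
    gaps = {}
    for ve, acl in ve_acl.items():
        if acl in mirror_acls:  # only VEs whose bound ACL has a mirror clause
            missed = [p for p in vlan_ports.get(ve_vlan.get(ve), [])
                      if port_group.get(p) not in mirrored_groups]
            if missed:
                gaps[ve] = missed
    return gaps
```

Run against the sample, the function reports port 5/3 under ve 10; once the two commands above are appended, it reports no gaps.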
If a port is in both mirrored and non-mirrored VLANs, only traffic on the port from the mirrored VLAN is
mirrored. For example, the following configuration adds VLAN 20 to the previous configuration. In this
example, ports 4/1 and 4/2 are in both VLAN 10 and VLAN 20. ACL-based mirroring is only applied to
VLAN 10. Consequently, traffic that is on ports 4/1 and 4/2 that belongs to VLAN 20 will not be mirrored.
device(config)#vlan 10
device(config-vlan-10)#tagged ethernet 4/1 to 4/2
device(config-vlan-10)#tagged ethernet 5/3
device(config-vlan-10)#router-interface ve 10
device(config)#vlan 20
device(config-vlan-20)#tagged ethernet 4/1 to 4/2
device(config)#interface ethernet 4/1
device(config-if-e10000-4/1)#acl-mirror-port ethernet 5/1
device(config)#interface ve 10
device(config-vif-10)#ip address 10.10.10.254/24
device(config-vif-10)#ip access-group 102 in
device(config)#access-list 102 permit ip any any mirror
53-1003086-04