
How To: Configure VLAN Mirroring on the NetIron Platform

by on ‎01-08-2012 10:49 PM - edited on ‎05-12-2014 01:54 PM by (8,167 Views)




The configuration steps described in this wiki illustrate how to configure VLAN mirroring on the NetIron Platform.


Figure 1 illustrates a common scenario seen in the field: the need to mirror traffic on a specific VLAN. Natively, the NetIron Platform does not have a command under the VLAN configuration that would allow mirroring a specific VLAN or multiple VLANs. However, VLAN mirroring can be accomplished by using ACLs.


Figure 1: Typical Topology for Mirroring on VLAN





Before You Begin

Overview of Configuration Steps for ACL VLAN Mirroring


The high-level procedures used to configure VLAN mirroring are listed below:

  1. Create an L2 ACL that matches on a VLAN.

  2. Bind the L2 ACL created in Step 1 to the ingress trunk port.

  3. Enable ACL mirroring on the ingress trunk port and specify the mirror port.

  4. Tag the mirror port with the mirrored VLAN. (Optional)


Steps 1-3 are mandatory. Step 4 is optional but generally good practice: normally, a user does not want the mirrored frame altered, so it's a good idea to place the mirror port in the same VLAN as the VLAN being mirrored.


Topic of Discussion

Configuration Steps for a Particular Scenario

Figure 2 shows a node with VLANs 100, 200, 300 and 400 ingressing trunk port 1/1. We would like to mirror VLAN 100 and send the mirrored traffic to port 2/19.


Figure 2: Node Topology View for VLAN Mirroring Scenario






The steps below illustrate how to create this configuration.


Step 1: Create L2 ACL that Matches on a VLAN

Go to configuration mode and create an L2 ACL that matches on VLAN 100. You can use a numbered L2 ACL or a named L2 ACL, but it must be an L2 ACL. In this example, a numbered L2 ACL is used.


telnet@NetIron MLX-4 Router>enable

telnet@NetIron MLX-4 Router#configure terminal

telnet@NetIron MLX-4 Router(config)#access-list 400 permit any any 100 mirror

telnet@NetIron MLX-4 Router(config)#access-list 400 permit any any


Step 2: Bind the L2 ACL to the Ingress Trunk Port

Go to interface 1/1 and bind the L2 ACL to it.


telnet@NetIron MLX-4 Router(config)#interface ethernet 1/1

telnet@NetIron MLX-4 Router(config-if-e1000-1/1)#mac access-group 400 in


Step 3: Enable ACL Mirroring and Specify Mirror Port

Under the ingress port, specify that you want the ACL to mirror traffic to port 2/19.


telnet@NetIron MLX-4 Router(config-if-e1000-1/1)#acl-mirror-port ethernet 2/19


Step 4: Tag the Mirror Port with the Mirrored VLAN (Optional)

This is an optional step, but it is often necessary because we do not want the port to alter the traffic by removing the VLAN tag on the mirror port.


telnet@NetIron MLX-4 Router(config)#vlan 100

telnet@NetIron MLX-4 Router(config-vlan-100)#tagged ethernet 2/19
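As an added example (not part of the original wiki and not Brocade code), the Python script below audits a saved running-config for the four steps above and reports every ingress port that copies traffic to a mirror port. Assumptions: the config layout in SAMPLE_CONFIG is constructed, the `mirror` keyword on the ACL clause is the one quoted in the comments on this page, the name audit_vlan_mirror is hypothetical, and port ranges are not expanded.

```python
import re

# Constructed running-config excerpt; the layout is an assumption, not device output.
SAMPLE_CONFIG = """\
vlan 100
 tagged ethernet 1/1 ethernet 2/19
!
access-list 400 permit any any 100 mirror
access-list 400 permit any any
!
interface ethernet 1/1
 mac access-group 400 in
 acl-mirror-port ethernet 2/19
!
"""

PORT = r"ethe(?:rnet)? (\S+)"  # accepts 'ethe 1/1' and 'ethernet 1/1'

def audit_vlan_mirror(config):
    """Return one finding per ingress port that has an acl-mirror-port set."""
    mirror_vlans, tagged, ports = {}, {}, {}  # ACL->VLANs, VLAN->ports, port->settings
    vlan = port = None                        # current config block, if any
    for line in config.splitlines():
        if m := re.match(r"vlan (\d+)", line):
            vlan, port = m.group(1), None
        elif m := re.match(r"interface " + PORT, line):
            port, vlan = m.group(1), None
        elif m := re.match(r"access-list (\d+) permit any any (\d+)\b.*\bmirror\b", line):
            mirror_vlans.setdefault(m.group(1), set()).add(m.group(2))
        elif vlan and line.startswith(" tagged"):
            tagged.setdefault(vlan, set()).update(re.findall(PORT, line))
        elif port and (m := re.match(r" mac access-group (\S+) in", line)):
            ports.setdefault(port, {})["acl"] = m.group(1)
        elif port and (m := re.match(r" acl-mirror-port " + PORT, line)):
            ports.setdefault(port, {})["dest"] = m.group(1)
    findings = []
    for src, p in sorted(ports.items()):
        if "dest" not in p:
            continue  # no mirroring configured on this port
        vlans = sorted(mirror_vlans.get(p.get("acl"), ()))
        findings.append({
            "ingress": src, "mirror_port": p["dest"], "vlans": vlans,
            # Steps 1-2: the bound L2 ACL must have a clause that selects frames
            "selects_traffic": bool(vlans),
            # Step 4: VLANs in which the mirror port is not a tagged member
            "untagged_on_mirror": [v for v in vlans
                                   if p["dest"] not in tagged.get(v, set())],
        })
    return findings
```

A finding with `selects_traffic` false means a mirror port is set but no bound ACL clause sends frames to it; a non-empty `untagged_on_mirror` lists VLANs whose tag the mirror port would remove.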


In conclusion, this wiki provides step-by-step procedures for configuring VLAN mirroring using L2 ACLs on the NetIron platform.


Related Information



ACL: Access Control List

VLAN: Virtual Local Area Network




by krunal
on ‎01-12-2012 08:03 PM

Does this preserve the layer 2 COS value when frames are mirrored from one port to another? Or does it rewrite the COS field with 0 when mirroring frames from eth1/1 to eth 2/19?

on ‎01-13-2012 11:43 AM

The COS value is preserved; it does not alter the COS value. The mirrored frames are an exact replica of the incoming frame.

For further information please visit

on ‎01-31-2012 01:23 PM

It appears that the "mirror" keyword is missing on the first line of the ACL.  I believe the first line of the ACL should be

telnet@NetIron MLX-4 Router(config)#access-list 400 permit any any 100 mirror

Additionally the ethernet interface numbering has a typo at step 2, Eth1/11 instead of Eth1/1 when you apply the mac access group - but that's being really pedantic