Controller Based WLANs

How to utilize 'mirror' option in acl?

Aruba Employee
Q:

How to utilize the 'mirror' option in user-roles?



A:

User-roles in Aruba OS has the filed 'mirror' which can be utilized to monitor traffic and help in troubleshooting purpose.

Below outputs are taken from Aruba 7010 controller running 6.4.3.9. This setup will show to how to mirror client/AP traffic to a laptop running sniffing software.

 

(Aruba) #show version
Aruba Operating System Software.
ArubaOS (MODEL: Aruba7010), Version 6.4.3.9


(Aruba) #show ap database

AP Database
-----------
Name               Group    AP Type  IP Address    Status             Flags  Switch IP     Standby IP
----               -----    -------  ----------    ------             -----  ---------     ----------
04:bd:88:c2:38:b0  default  205      10.17.169.94  Up 23d:8h:44m:18s         10.17.169.68  0.0.0.0


#Create an access-list as below:

(Aruba) #show ip access-list monitor

ip access-list session monitor
monitor
-------
Priority  Source        Destination   Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------        -----------   -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         10.17.169.94  any           any                   permit                           Low                           Yes                             4
2         any           10.17.169.94  any                   permit                           Low                           Yes                             4
3         any           any           any                   permit                           Low                                                           4


#Configure the ip-address of the laptop running sniffer to which the capture has to be sent.

(Aruba) #packet-capture destination ip-address 10.20.102.210

(Aruba) #show packet-capture

Active Capture Destination
--------------------------
Destination    IP         10.20.102.210


#Add the access-list to the Controller Interface as shown below:

(Aruba) #show port stat

Port Status
-----------
Slot-Port  PortType  AdminState  OperState  PoE      Trusted  SpanningTree  PortMode  Speed   Duplex
---------  --------  ----------  ---------  ---      -------  ------------  --------  -----   ------
0/0/15     GE        Enabled     Up         N/A      Yes      Disabled      Access    1 Gbps  Full

(ctrl-B) (config) #interface gigabitethernet 0/0/15
(ctrl-B) (config-if)#ip access-group monitor session
(ctrl-B) (config-if)#exit


Once the configuration has been done we need to make sure any existing session for that ip has to be deleted.

(Aruba) #session delete 10.17.169.94  ==> run this multiple times.


To confirm if the mirroring works or not, check for 'M' flag in the 'datapath session table' for the ip address.

(Aruba) #show datapath session table 10.17.169.94

Datapath Session Table Entries
------------------------------

Flags: M - mirror

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.17.169.94    10.17.169.70    17   8211  8419   1/0     0    0   1   0/0/15      7    0          0          FYMCI
10.17.169.94    10.17.169.70    17   8211  8222   1/0     0    0   1   0/0/15      8    0          0          FYMCI
10.17.169.70    10.17.169.94    17   8211  8211   0/0     0    0   0   0/0/15      8    0          0          FYMI
10.17.169.70    10.17.169.94    17   8222  8211   0/0     0    0   0   0/0/15      8    0          0          FYMI

10.17.169.70    10.17.169.94    47   0     0      0/0     0    0   0   0/0/15      46   68         5984       FM
10.17.169.94    10.17.169.70    47   0     0      0/0     0    40  0   0/0/15      46   73         6424       FMC
10.17.169.70    10.17.169.94    17   8419  8211   0/0     0    0   0   0/0/15      7    0          0          FYMI
10.17.169.94    10.17.169.70    17   8211  8211   1/0     0    0   0   0/0/15      8    17         16293      FMCI

(Aruba) #show acl hits

Port Based Session ACL
----------------------
Policy     Src           Dst  Service/Application  Action  Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
------     ---           ---  -------------------  ------  -----------  --------  ----------  -----  ---------
monitor    10.17.169.94  any  any                  permit               1242      1242        639    ipv4
monitor    any           any  any                  permit               4154      4154        641    ipv4

 

Version history
Revision #:
2 of 2
Last update:
‎03-20-2017 01:49 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.