Policy Management - Juniper JUNOSE SOFTWARE 10.2.2 - RELEASE NOTES 6-4-2010 Release Note

For E Series Broadband Services Routers
Policy Management

When both interface-specific mirroring and user-specific mirroring are configured on the same interface, the interface-specific secure policies take precedence. The interface-specific secure policies, which you manually attach using the CLI, override and remove any existing secure policies that were attached by a trigger action. If the interface-specific secure policies are subsequently deleted, the original trigger-based secure policies are not restored.

Typically, when configuring packet mirroring, you configure a static route to reach the analyzer device through the analyzer port. If the analyzer port is an IP-over-Ethernet interface, you must also configure a static Address Resolution Protocol (ARP) entry to reach the analyzer device. However, because only a single static ARP entry can be installed for a given address at any given time, when you are using equal-cost multipath (ECMP) links to connect to the analyzer device, the static ARP configuration does not provide failover if the link being selected fails or is disconnected. Therefore, to provide continued connectivity if the link fails when using ECMP, enable the ip proxy-arp unrestricted command on the next-hop router for each ECMP interface. As a result, when the link fails, the router sends an ARP request to identify the MAC address of the analyzer device and gets a response over the new link.

Multiple Forwarding Solution Rules for a Single Classifier List in a Policy

Before Release 5.2.0, it was possible to configure a policy with multiple rules that specified forwarding solutions where all of these rules were associated with a single classifier list. This typically was a configuration error, but the CLI accepted it. Beginning with Release 5.2.0, the CLI no longer accepts this configuration.

Multiple forwarding rules behavior for releases numbered lower than Release 5.2.0:

If multiple forward or filter rules were configured to reference the same classifier list in a single policy, then all rules except the first rule configured were marked as eclipsed in the show policy command display. Next-interface and next-hop rules were treated in the same manner. The eclipsed rules were not applied.

If a policy was configured with one rule from the [forward, filter] pair and one rule from the [next-hop, next-interface] pair, and if both rules referenced the same classifier list, then no visible eclipsed marking occurred. However, these two rules were mutually exclusive, and only one of them defined the forwarding behavior. The rule action that was applied was in the order (from highest to lowest preference): next interface, filter, next hop, forward. The applied rule was the rule whose behavior was seen by forwarded packets.

For example, if a policy had both a next-interface and a filter rule, then the next interface was applied. If a policy had a next-hop and a filter rule, then the filter rule was applied.
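
The pre-5.2.0 resolution described above can be modelled to audit an older policy before an upgrade, flagging filter rules that were silently not applied. This is an added example, not Juniper code; the (action, classifier list) tuples are a constructed data model rather than JUNOSe CLI syntax, and the names audit_policy, GROUPS and SAMPLE are hypothetical.

```python
from collections import OrderedDict

# Pre-5.2.0 preference between rule actions, highest first (from the release note).
PRECEDENCE = ["next-interface", "filter", "next-hop", "forward"]
# Rules in the same group eclipse each other: only the first configured survives.
GROUPS = {"forward": "fwd", "filter": "fwd", "next-hop": "nh", "next-interface": "nh"}

def audit_policy(rules):
    """rules: list of (action, classifier_list) in configured order.
    Returns {classifier_list: {"applied", "eclipsed", "silent"}} for every
    classifier list that has more than one forwarding-solution rule."""
    by_clist = OrderedDict()
    for action, clist in rules:
        if action not in GROUPS:
            raise ValueError(f"not a forwarding-solution action: {action!r}")
        by_clist.setdefault(clist, []).append(action)

    findings = {}
    for clist, actions in by_clist.items():
        if len(actions) < 2:
            continue  # single rule: accepted before and after 5.2.0
        survivors, eclipsed = {}, []
        for action in actions:
            group = GROUPS[action]
            if group in survivors:
                eclipsed.append(action)      # shown as eclipsed by "show policy"
            else:
                survivors[group] = action    # first configured rule in its group
        applied = min(survivors.values(), key=PRECEDENCE.index)
        # Surviving rule of the other group: not marked eclipsed, yet not applied.
        silent = [a for a in survivors.values() if a != applied]
        findings[clist] = {"applied": applied, "eclipsed": eclipsed, "silent": silent}
    return findings

# Constructed sample policy (a data model, not JUNOSe CLI syntax).
SAMPLE = [
    ("filter", "clA"), ("forward", "clA"),          # same group: forward eclipsed
    ("filter", "clB"), ("next-interface", "clB"),   # filter silently loses
    ("next-hop", "clC"), ("filter", "clC"),         # next-hop silently loses
    ("forward", "clD"),                             # no conflict
]

if __name__ == "__main__":
    for clist, finding in audit_policy(SAMPLE).items():
        print(clist, finding)
```

Any classifier list reported here is one that the CLI rejects from Release 5.2.0 onward; entries with a filter in "silent" are the ones where traffic meant to be dropped was forwarded instead.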