The last use case for localized data policies that we are going to examine in this section is how to configure a mirror instance that sends a copy of certain data traffic to a specified destination for analysis, as shown in figure 1 below.

Mirror Instance
Figure 1. Mirror Instance

The configuration process consists of two steps.

  1. First, we define the mirror instance by giving it a user-defined name.
  2. Then under the instance, we specify the remote-destination address that will receive the copy of the data and the router’s source address that will be used.

In our example, the mirror packet will be sourced from vEdge-5's Ge0/5 interface that has an IP address of and the remote destination would be Therefore, the mirror instance will have the following configuration:

 mirror MIRROR-1
  remote-dest source

After we configure the mirror instance, we invoke it in an ACL sequence as shown in the output below: 

 access-list ACL-VPN5
  sequence 11
    protocol       1
   action accept
    mirror MIRROR-1
  default-action accept

The last step is to apply the ACL under an interface. In our example, we are going to configure the access list under vEdge-5’s Ge0/5 interface.

vEdge-5# conf t
Entering configuration mode terminal
vEdge-5(config)# vpn 5 int ge0/5
vEdge-5(config-interface-ge0/5)# access-list ACL-VPN5 in
vEdge-5(config-interface-ge0/5)# commit 
Commit complete.

Once the ACL is applied, we can ping from to and make a Wireshark capture to see what the copied traffic looks like:

Wireshark capture of mirrored traffic
Figure 2. Wireshark capture of mirrored traffic

Notice that the copied packet has an additional outer IP header with the source/destination IP addresses configured in the mirror instance. Also, notice that the traffic is encapsulated neither with GRE nor with IPsec. This means that the copied traffic is sent through the underlay using the VPN0’s routing table.

Mirroring Traffic: Key Takeaways

  • Configuring traffic mirroring on a vEdge device is a two-step process:
    • First, we configure the mirror instance;
    • Then, we invoke the mirror instance in a match-action rule of an access list.
  • The mirrored traffic is encapsulated with a new IP header. Source and destination IP addresses are taken from the mirror instance configuration.
  • The mirrored traffic is sent using VPN0’s routing table on the underlay network.