Configure Flow-Based Mirroring in a Multi-Tenant Architecture

Procedure

  1. Run the following command to apply access control lists (ACLs) to Ethernet or port channel interfaces and to VLANs or virtual Ethernet interfaces:
    efa tenant epg create --name <epg-name> --tenant <tenant-name>
             --switchport --switchport-mode trunk --ctag-range <ctag-range>
             --port <mirror-source-port-list> --po <mirror-source-po-list>
    
             --pp-mac-acl-in <acl-name> --pp-mac-acl-out <acl-name>
             --pp-ip-acl-in <acl-name> --pp-ip-acl-out <acl-name>
    
             --np-mac-acl-in <ctag:acl-name> --np-mac-acl-out <ctag:acl-name>
             --np-ip-acl-in <ctag:acl-name> --np-ip-acl-out <ctag:acl-name>
    
  2. Run the following commands to configure a mirror session:
    efa tenant service mirror session create --name <session-name> --tenant <tenant-name>
                --source {<device-ip>,<eth | po | vlan>,<if-name>}
                --type {<source-device-ip>,<eth | po | vlan>,<source-if-name>:<port-based | flow-based>}
                     
                --destination {<source-device-ip>,<eth | po | vlan>,<source-if-name> :
                               <destination-device-ip>,<eth | po | vlan>,<destination-if-name>}
                --destination-type {<source-device-ip>,< eth | po | vlan>,<source-if-name>:<span>}
    
                --direction {<source-device-ip>,< eth | po | vlan>,<source-if-name> : <tx | rx | both>}
    
    (efa:root)root@node-2:~# efa tenant show
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    |     Name     |  Type   | VLAN | L2VNI| L3VNI| VRF  | Enable|         Ports        | Mirroring Ports   |
    |              |         | Range| Range| Range| Count| BD    |                      |                   |
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    | sharedTenant | shared  |      |      |      |   0  | false |                      | 10.20.246.15[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.16[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.21[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.22[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.25[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.26[0/31]|
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    |     ten1     | private |11-20 |      |      |   10 | false | 10.20.246.15[0/1-10] |                   | 
    |              |         |      |      |      |      |       | 10.20.246.16[0/1-10] |                   |
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    |     ten2     | private |21-30 |      |      |   10 | false | 10.20.246.15[0/11-20]|                   |
    |              |         |      |      |      |      |       | 10.20.246.16[0/11-20]|                   |
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    
    
    (efa:root)root@node-2:~# efa tenant po show
    +---------+--------+----+---------+-----+-------------+----------+---------+-------------------+------------+-------------+-------------+
    |   Name  | Tenant | ID |  Speed  | MTU | Negotiation | Min Link |  Lacp   |        Ports      |    State   |  Dev State  |  App State  |
    |         |        |    |         |     |             |   Count  | Timeout |                   |            |             |             |
    +---------+--------+----+---------+-----+-------------+----------+---------+-------------------+------------+-------------+-------------+
    | ten1po1 | ten1   |  2 |  10Gbps |     |    active   |    1     |   long  | 10.20.246.15[0/1] | po-created | provisioned | cfg-in-sync |
    |         |        |    |         |     |             |          |         | 10.20.246.16[0/1] |            |             |             |
    +---------+--------+----+---------+-----+-------------+----------+---------+-------------------+------------+-------------+-------------+
    | ten2po1 | ten2   |  3 |  10Gbps |     |    active   |    1     |   long  | 10.20.246.15[0/11]| po-created | provisioned | cfg-in-sync |
    |         |        |    |         |     |             |          |         | 10.20.246.16[0/11]|            |             |             |
    +---------+--------+----+---------+-----+-------------+----------+---------+-------------------+------------+-------------+-------------+
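    Example. The following commands apply the ACL ext-ip-permit-any-mirror-acl to each tenant's port channel and create flow-based mirror sessions on both devices. Both tenants mirror to the same shared-tenant port (0/31), and the ACL shown in step 3 marks all IP traffic for mirroring (permit ip any any mirror), so the device attached to 0/31 is sent a copy of all IP traffic of ten1 and ten2; use narrower ACL rules when only specific flows should be mirrored.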
    efa tenant epg create --name ten1epg1 --tenant ten1
                --switchport-mode trunk --po ten1po1 --ctag-range 11
                --pp-ip-acl-in ext-ip-permit-any-mirror-acl
                --pp-ip-acl-out  ext-ip-permit-any-mirror-acl 
    
    efa tenant service mirror session create --name ten1mirrorsession1 --tenant ten1
                --source 10.20.246.15,po,ten1po1
                --type 10.20.246.15,po,ten1po1:flow-based
    
                --destination 10.20.246.15,po,ten1po1:10.20.246.15,eth,0/31
                --destination-type 10.20.246.15,po,ten1po1:span
    
                --direction 10.20.246.15,po,ten1po1:both
    
    efa tenant service mirror session create --name ten2mirrorsession1 --tenant ten2
                --source 10.20.246.15,po,ten2po1
                --type 10.20.246.15,po,ten2po1:flow-based
    
                --destination 10.20.246.15,po,ten2po1:10.20.246.15,eth,0/31
                --destination-type 10.20.246.15,po,ten2po1:span
    
                --direction 10.20.246.15,po,ten2po1:both
    efa tenant epg create --name ten2epg1 --tenant ten2
                --switchport-mode trunk --po ten2po1 --ctag-range 21
                --pp-ip-acl-in ext-ip-permit-any-mirror-acl
                --pp-ip-acl-out ext-ip-permit-any-mirror-acl
    
    
    
    efa tenant service mirror session create --name ten1mirrorsession2 --tenant ten1
                --source 10.20.246.16,po,ten1po1
                --type 10.20.246.16,po,ten1po1:flow-based
    
                --destination 10.20.246.16,po,ten1po1:10.20.246.16,eth,0/31
                --destination-type 10.20.246.16,po,ten1po1:span
    
                --direction 10.20.246.16,po,ten1po1:both
    
    efa tenant service mirror session create --name ten2mirrorsession2 --tenant ten2
                --source 10.20.246.16,po,ten2po1
                --type 10.20.246.16,po,ten2po1:flow-based                          
                           
                --destination 10.20.246.16,po,ten2po1:10.20.246.16,eth,0/31
                --destination-type 10.20.246.16,po,ten2po1:span
    
                --direction 10.20.246.16,po,ten2po1:both
    
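  3. Verify the switch configuration on each SLX device. The output below is shown for 10.20.246.15 and 10.20.246.16: check that the mirror ACL is applied to both tenant port channels and that each monitor session is of type flow-based.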
    10.20.246.15
    SLX# show running-config ip access-list
    ip access-list extended ext-ip-permit-any-mirror-acl
     seq 10 permit ip any any mirror
    !
    SLX# show running-config interface Port-channel 2,3
    interface Port-channel 2
     description EFA Port-channel ten1po1
     cluster-client auto
     switchport
     switchport mode trunk
     switchport trunk allowed vlan add 11
     no switchport trunk tag native-vlan
     ip access-group ext-ip-permit-any-mirror-acl in
     ip access-group ext-ip-permit-any-mirror-acl out
     no shutdown
    ! 
    interface Port-channel 3
     description EFA Port-channel ten2po1
     cluster-client auto
     switchport
     switchport mode trunk
     switchport trunk allowed vlan add 21
     no switchport trunk tag native-vlan
     ip access-group ext-ip-permit-any-mirror-acl in
     ip access-group ext-ip-permit-any-mirror-acl out
     no shutdown
    ! 
    SLX#
    10.20.246.16
    SLX# show running-config ip access-list
    ip access-list extended ext-ip-permit-any-mirror-acl
     seq 10 permit ip any any mirror
    !
    SLX# show running-config interface Port-channel 2,3
    interface Port-channel 2
     description EFA Port-channel ten1po1
     cluster-client auto
     switchport
     switchport mode trunk
     switchport trunk allowed vlan add 11
     no switchport trunk tag native-vlan
     ip access-group ext-ip-permit-any-mirror-acl in
     ip access-group ext-ip-permit-any-mirror-acl out
     no shutdown
    ! 
    interface Port-channel 3
     description EFA Port-channel ten2po1
     cluster-client auto
     switchport
     switchport mode trunk
     switchport trunk allowed vlan add 21
     no switchport trunk tag native-vlan
     ip access-group ext-ip-permit-any-mirror-acl in
     ip access-group ext-ip-permit-any-mirror-acl out
     no shutdown
    ! 
    SLX#
    10.20.246.15
    SLX# show running-config monitor session
    monitor session 1
     source port-channel 2 destination ethernet 0/31 direction both
    !
    monitor session 2
     source port-channel 3 destination ethernet 0/31 direction both
    !
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 2 (Down)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 3 (Down)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    10.20.246.16
    SLX# show running-config monitor session
    monitor session 1
     source port-channel 2 destination ethernet 0/31 direction both
    !
    monitor session 2
     source port-channel 3 destination ethernet 0/31 direction both
    !
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 2 (Down)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 3 (Down)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based