Configure VLAN Tag Stripping

Follow this procedure to strip VLAN tags to support the encapsulation type expected by your traffic-analysis tools.

About this task

The VLAN tag is not inside the packet and must be stripped at the ingress device before the encapsulated packet is sent into the network. You can configure VLAN tag stripping so it is performed at ingress or egress.
Note

Note

In the examples that follow the configuration commands for this task, bold font is used to show the relationship between the items you configure and then bind. The example parameters and optional settings are only a partial set of those available. For more information, see the Extreme 9920 Software Command Reference, 21.1.0.0 .

Procedure

  1. Run the configure terminal command to access Config mode.
    The command line changes to configuration mode.
    device(config)#
  2. Configure an ACL of type IPv4, IPv6, or MAC and any actions.
    ip access-list acl-name

    The specified ACL and configured actions will be bound to a listener policy.

    device(config)# ip access-list acl3-ipv4
device(config-ip-acl)# seq 12 permit ip any any count
  3. Create the listener policy, including any action subcommands for the policy.
    Note

    Note

    A listener policy supports only one of each of each ACL type: IP, IPv6, MAC .
    listener-policy name seq
    device(config)# listener-policy lp-10 5
device(config-listener-policy)# match ip access-list acl3-ipv4
device(config-listener-policy)# strip vlan-tag
device(config-listener-policy)# description "ipv4 listener policy, strip vlan tag"
  4. Configure an egress policy and bind the listener policy, specifying any additional egress actions.
    Note

    Note

    An egress can be associated with only one listener policy.
    egress name
    device(config-egress)# egress e3
device(config-egress)# set listener-policy lp-3
device(config-egress)# description DirectTool
device(config-egress)# precedence 1 interface ethernet 1/14
  5. Configure an egress group and associate it with the egress policy.
    egress-group group-name
    device(config)# egress-group eg_5 
device(config-egress-group)# description e-group_5
device(config-egress-group)# set egress e3
  6. Configure the route map and set any other parameters, such as forwarding actions, match ip access list, and the egress-group.
    Note

    Note

    A route-map policy supports only one match-ACL per layer.
    route-map map-name seq
    device(config)# route-map R2 10 
device(config-route-map)# match ip access-list acl3-ipv4
device(config-route-map)# set egress-group eg_5
device(config-route-map)# forward-action permit
  7. Configure an ingress group and associate a route map.
    Note

    Note

    An ingress group can be associated with only one route map.
    ingress-group group-name
    device(config)# ingress-group TAP_TRAFFIC
device(config-ingress-group)# set route-map R2
  8. Configure the interface port and channel for ingress traffic.
    interface slot / port-number
    Note

    Note

    In the following example, traffic is coming in on slot/port-number 2/3. 
    interface ethernet 1/3
description From_TAP
ingress-group TAP_TRAFFIC
no shutdown
  9. Configure the interface port and channel for egress traffic.
    interface slot / port-number
    Note

    Note

    In the following example, traffic is leaving on slot/port-number 2/14.
    interface ethernet 2/14
description To_Tool
no shutdown
9037100-00 Rev AA