Configure 802.1BR Tag-Stripping

Follow this procedure to strip 802.1BR tags to support the encapsulation type expected by your traffic-analysis tools.

About this task

  • The vn-tag cannot be enabled if the br-tag is already enabled in the same listener policy.
  • If a tunneled frame has an 802.1BR tag in the outer L2 header, VXLAN, NVGRE, or GTP header-stripping also deletes the 802.1BR tag.

Procedure

  1. Enter the Config mode.
    The command line changes to the configuration mode.
    device(config)# 
  2. Configure an ACL of type IPv4, IPv6, or MAC and any actions.
    device(config)# ip access-list acl5-ipv4
    device(config-ip-acl)# seq 10 permit ip any any count
    The specified ACL and configured actions are bound to a listener policy.
  3. Create the listener policy, including any action subcommands for the policy.
    Note

    Note

    A listener policy supports only one IPv4 ACL, IPv6 ACL, or MAC ACL.
    device(config)# listener-policy lp-2 24
    device(config-listener-policy)# match ip access-list acl5-ipv4
    device(config-listener-policy)# strip br-tag
    device(config-listener-policy)# description "Strips 802.1BR tags"
  4. Configure an egress policy, and bind the listener policy, specifying any additional egress actions.
    Note

    Note

    An egress can be associated with only one listener policy.
    device(config)# egress e2
    device(config-egress)# set listener-policy lp-2
    device(config-egress)# description DirectTool
    device(config-egress)# set encap encap-1 
    device(config-egress)# precedence 1 interface ethernet 1/14
  5. Configure an egress group and associate it with the egress policy.
    device(config)# egress-group eg_1 
    device(config-egress-group)# description e-group_1
    device(config-egress-group)# set egress e2
  6. Configure the route-map and set any other parameters, such as forwarding actions, match IP access list, and the egress-group.
    Note

    Note

    A route-map policy supports only one match-ACL per layer.
    device(config)# route-map R1 10 
    device(config-route-map)# match ip access-list acl5-ipv4
    device(config-route-map)# set egress-group eg_1
    device(config-route-map)# forward-action permit
  7. Configure an ingress group and associate a route map.
    Note

    Note

    An ingress group can be associated with only one route map.
    device(config)# ingress-group TAP_TRAFFIC
    device(config-ingress-group)# set route-map R1
  8. Configure the interface port and channel for ingress traffic.
    Note

    Note

    In the following example, traffic is coming in on slot/port number 2/3.
    interface ethernet 2/3
    description From_TAP
    set ingress-group TAP_TRAFFIC
    no shutdown
  9. Configure the interface port and channel for egress traffic.
    Note

    Note

    In the following example, traffic is leaving on slot/port number 2/14.
    interface ethernet 2/14
    speed 100000
    description To_Tool
    no shutdown