Configure Flow-Based Mirroring in a Multi-Tenant Architecture

Procedure

  1. Run the following command to apply access control lists (ACLs) on Ethernet or port-channel interfaces and on VLAN or virtual Ethernet interfaces:
    efa tenant epg create --name <epg-name> --tenant <tenant-name>
       --switchport --switchport-mode trunk --ctag-range <ctag-range>
       --port <mirror-source-port-list> --po <mirror-source-po-list>
    
       --pp-mac-acl-in <acl-name> --pp-mac-acl-out <acl-name>
       --pp-ip-acl-in <acl-name> --pp-ip-acl-out <acl-name>
    
       --np-mac-acl-in <ctag:acl-name> --np-mac-acl-out <ctag:acl-name>
       --np-ip-acl-in <ctag:acl-name> --np-ip-acl-out <ctag:acl-name>
    
  2. Run the following commands to configure a mirror session:
    efa tenant service mirror session create --name <session-name> --tenant <tenant-name>
       --source {<device-ip>,<eth | po | vlan>,<if-name>}
       --type {<source-device-ip>,<eth | po | vlan>,<source-if-name>:<port-based | flow-based>}
                    
       --destination {<source-device-ip>,<eth | po | vlan>,<source-if-name> :
                      <destination-device-ip>,<eth | po | vlan>,<destination-if-name>}
       --destination-type {<source-device-ip>,< eth | po | vlan>,<source-if-name>:<span>}
    
       --direction {<source-device-ip>,< eth | po | vlan>,<source-if-name> : <tx | rx | both>}
    
    (efa:root)root@node-2:~# efa tenant show
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    |     Name     |  Type   | VLAN | L2VNI| L3VNI| VRF  | Enable|         Ports        | Mirroring Ports   |
    |              |         | Range| Range| Range| Count| BD    |                      |                   |
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    | sharedTenant | shared  |      |      |      |   0  | false |                      | 10.20.246.15[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.16[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.21[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.22[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.25[0/31]|
    |              |         |      |      |      |      |       |                      | 10.20.246.26[0/31]|
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    |     ten1     | private |11-20 |      |      |   10 | false | 10.20.246.15[0/1-10] |                   | 
    |              |         |      |      |      |      |       | 10.20.246.16[0/1-10] |                   |
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    |     ten2     | private |21-30 |      |      |   10 | false | 10.20.246.15[0/11-20]|                   |
    |              |         |      |      |      |      |       | 10.20.246.16[0/11-20]|                   |
    +--------------+---------+------+------+------+------+-------+----------------------+-------------------+
    
    
    (efa:root)root@node-2:~# efa tenant po show
    +---------+------+----+------+-----+------------+---------+-------+-------------------+------------+------------+------------+
    |   Name  |Tenant| ID |Speed | MTU |Negotiation |Min Link | Lacp  |        Ports      |    State   | Dev State  | App State  |
    |         |      |    |      |     |            |  Count  |Timeout|                   |            |            |            |
    +---------+------+----+------+-----+------------+---------+-------+-------------------+------------+------------+------------+
    | ten1po1 |ten1  |  2 |10Gbps|     |   active   |   1     |  long | 10.20.246.15[0/1] | po-created |provisioned |cfg-in-sync |
    |         |      |    |      |     |            |         |       | 10.20.246.16[0/1] |            |            |            |
    +---------+------+----+------+-----+------------+---------+-------+-------------------+------------+------------+------------+
    | ten2po1 |ten2  |  3 |10Gbps|     |   active   |   1     |  long | 10.20.246.15[0/11]| po-created |provisioned |cfg-in-sync |
    |         |      |    |      |     |            |         |       | 10.20.246.16[0/11]|            |            |            |
    +---------+------+----+------+-----+------------+---------+-------+-------------------+------------+------------+------------+
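    Example (ten1 and ten2 both mirror to Ethernet 0/31, a mirroring port of sharedTenant, so the analyzer attached to that port receives traffic from both tenants and access to it should be restricted accordingly. The ACL used here permits and mirrors all IP traffic; use a narrower ACL to mirror only selected flows.)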
    efa tenant epg create --name ten1epg1 --tenant ten1
      --switchport-mode trunk --po ten1po1 --ctag-range 11
      --pp-ip-acl-in ext-ip-permit-any-mirror-acl
      --pp-ip-acl-out  ext-ip-permit-any-mirror-acl 
    
    efa tenant service mirror session create --name ten1mirrorsession1 --tenant ten1
      --source 10.20.246.15,po,ten1po1
      --type 10.20.246.15,po,ten1po1:flow-based
    
      --destination 10.20.246.15,po,ten1po1:10.20.246.15,eth,0/31
      --destination-type 10.20.246.15,po,ten1po1:span
    
      --direction 10.20.246.15,po,ten1po1:both
    
    efa tenant service mirror session create --name ten2mirrorsession1 --tenant ten2
      --source 10.20.246.15,po,ten2po1
      --type 10.20.246.15,po,ten2po1:flow-based
    
      --destination 10.20.246.15,po,ten2po1:10.20.246.15,eth,0/31
      --destination-type 10.20.246.15,po,ten2po1:span
    
      --direction 10.20.246.15,po,ten2po1:both
    efa tenant epg create --name ten2epg1 --tenant ten2
      --switchport-mode trunk --po ten2po1 --ctag-range 21
      --pp-ip-acl-in ext-ip-permit-any-mirror-acl
      --pp-ip-acl-out ext-ip-permit-any-mirror-acl
    
    
    efa tenant service mirror session create --name ten1mirrorsession2 --tenant ten1
      --source 10.20.246.16,po,ten1po1
      --type 10.20.246.16,po,ten1po1:flow-based
    
      --destination 10.20.246.16,po,ten1po1:10.20.246.16,eth,0/31
      --destination-type 10.20.246.16,po,ten1po1:span
    
      --direction 10.20.246.16,po,ten1po1:both
    
    efa tenant service mirror session create --name ten2mirrorsession2 --tenant ten2
      --source 10.20.246.16,po,ten2po1
      --type 10.20.246.16,po,ten2po1:flow-based                          
                           
      --destination 10.20.246.16,po,ten2po1:10.20.246.16,eth,0/31
      --destination-type 10.20.246.16,po,ten2po1:span
    
      --direction 10.20.246.16,po,ten2po1:both
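  3. Verify the switch configuration on each SLX device. Check that the mirror ACL is bound in both directions on each tenant port channel and that each monitor session reports "Type : flow-based".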
    10.20.246.15
    SLX# show running-config ip access-list
    ip access-list extended ext-ip-permit-any-mirror-acl
     seq 10 permit ip any any mirror
    !
    SLX# show running-config interface Port-channel 2,3
    interface Port-channel 2
     description EFA Port-channel ten1po1
     cluster-client auto
     switchport
     switchport mode trunk
     switchport trunk allowed vlan add 11
     no switchport trunk tag native-vlan
     ip access-group ext-ip-permit-any-mirror-acl in
     ip access-group ext-ip-permit-any-mirror-acl out
     no shutdown
    ! 
    interface Port-channel 3
     description EFA Port-channel ten2po1
     cluster-client auto
     switchport
     switchport mode trunk
     switchport trunk allowed vlan add 21
     no switchport trunk tag native-vlan
     ip access-group ext-ip-permit-any-mirror-acl in
     ip access-group ext-ip-permit-any-mirror-acl out
     no shutdown
    ! 
    SLX#
    10.20.246.16
    SLX# show running-config ip access-list
    ip access-list extended ext-ip-permit-any-mirror-acl
     seq 10 permit ip any any mirror
    !
    SLX# show running-config interface Port-channel 2,3
    interface Port-channel 2
     description EFA Port-channel ten1po1
     cluster-client auto
     switchport
     switchport mode trunk
     switchport trunk allowed vlan add 11
     no switchport trunk tag native-vlan
     ip access-group ext-ip-permit-any-mirror-acl in
     ip access-group ext-ip-permit-any-mirror-acl out
     no shutdown
    ! 
    interface Port-channel 3
     description EFA Port-channel ten2po1
     cluster-client auto
     switchport
     switchport mode trunk
     switchport trunk allowed vlan add 21
     no switchport trunk tag native-vlan
     ip access-group ext-ip-permit-any-mirror-acl in
     ip access-group ext-ip-permit-any-mirror-acl out
     no shutdown
    ! 
    SLX#
    10.20.246.15
    SLX# show running-config monitor session
    monitor session 1
     source port-channel 2 destination ethernet 0/31 direction both
    !
    monitor session 2
     source port-channel 3 destination ethernet 0/31 direction both
    !
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 2 (Down)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 3 (Down)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    10.20.246.16
    SLX# show running-config monitor session
    monitor session 1
     source port-channel 2 destination ethernet 0/31 direction both
    !
    monitor session 2
     source port-channel 3 destination ethernet 0/31 direction both
    !
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 2 (Down)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 3 (Down)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based