Configure VLAN-Based Mirroring in a Multi-Tenant Architecture

Before you begin

VLAN-based mirroring applies only to VLAN-based tenants and not to BD (bridge domain)-based tenants.

Procedure

  1. Run the following command to apply access control lists to Ethernet or port channel interfaces and to VLAN or virtual Ethernet interfaces:
    efa tenant epg create --name <epg-name> --tenant <tenant-name>
    
       --switchport --switchport-mode trunk --ctag-range <ctag-range>
       --port <mirror-source-port-list> --po <mirror-source-po-list>
    
       --pp-mac-acl-in <acl-name> --pp-mac-acl-out <acl-name>
       --pp-ip-acl-in <acl-name> --pp-ip-acl-out <acl-name>
    
       --np-mac-acl-in <ctag:acl-name> --np-mac-acl-out <ctag:acl-name>
       --np-ip-acl-in <ctag:acl-name> --np-ip-acl-out <ctag:acl-name>
  2. Run the following commands to configure a mirror session:
    efa tenant service mirror session create --name <session-name> --tenant <tenant-name>
    
       --source {<device-ip>,<eth | po | vlan>,<if-name>}
       --type {<source-device-ip>,<eth | po | vlan>,<source-if-name>:<port-based | flow-based>}
    
       --destination {<source-device-ip>,<eth | po | vlan>,<source-if-name> :
                   <destination-device-ip>,<eth | po | vlan>,<destination-if-name>}
       --destination-type {<source-device-ip>,< eth | po | vlan>,<source-if-name>:<span>}
    
       --direction {<source-device-ip>,< eth | po | vlan>,<source-if-name> : <tx | rx | both>}
    
    
    (efa:root)root@node-2:~# efa tenant show
    +-------+-------+------+------+------+------+------+---------------------+------------------+
    |Name   | Type  | VLAN | L2VNI| L3VNI| VRF  |Enable|        Ports        |  Mirroring Ports |
    |       |       | Range| Range| Range| Count|BD    |                     |                  |
    +-------+-------+------+------+------+------+------+---------------------+------------------+
    |shared |Shared |      |      |      |   0  |false |                     |10.20.246.16[0/31]|
    |Tenant |       |      |      |      |      |      |                     |10.20.246.21[0/31]|
    |       |       |      |      |      |      |      |                     |10.20.246.22[0/31]|
    |       |       |      |      |      |      |      |                     |10.20.246.25[0/31]|
    |       |       |      |      |      |      |      |                     |10.20.246.26[0/31]|
    +-------+-------+------+------+------+------+------+---------------------+------------------+
    | ten1  |private| 11-20|      |      |   10 |false |10.20.246.15[0/1-10] |                  | 
    |       |       |      |      |      |      |      |10.20.246.16[0/1-10] |                  |
    |       |       |      |      |      |      |      |10.20.246.21[0/1-10] |                  |
    |       |       |      |      |      |      |      |10.20.246.22[0/1-10] |                  |
    +-------+-------+------+------+------+------+------+---------------------+------------------+
    | ten2  |private| 21-30|      |      |   10 |false |10.20.246.15[0/11-20]|                  |
    |       |       |      |      |      |      |      |10.20.246.16[0/11-20]|                  |
    |       |       |      |      |      |      |      |10.20.246.21[0/11-20]|                  |
    |       |       |      |      |      |      |      |10.20.246.22[0/11-20]|                  |
    +-------+-------+------+------+------+------+------+---------------------+------------------+
    
    
    (efa:root)root@node-2:~# efa tenant po show
    +--------+-------+-----------+-----+-----------+----------+-------+-------------------+-----------+-------------+-------------+
    |  Name  |Tenant |ID | Speed | MTU |Negotiation| Min Link | Lacp  |        Ports      |    State  |  Dev State  |  App State  |
    |        |       |   |       |     |           |   Count  |Timeout|                   |           |             |             |
    +--------+-------+-----------+-----+-----------+----------+-------+-------------------+-----------+-------------+-------------+
    |ten1po1 |ten1   | 2 | 10Gbps|     |   active  |    1     |  long | 10.20.246.15[0/1] | po-created| provisioned | cfg-in-sync |
    |        |       |   |       |     |           |          |       | 10.20.246.16[0/1] |           |             |             |
    +--------+-------+-----------+-----+-----------+----------+-------+-------------------+-----------+-------------+-------------+
    |ten2po1 |ten2   | 3 | 10Gbps|     |   active  |    1     |  long | 10.20.246.15[0/11]| po-created| provisioned | cfg-in-sync |
    |        |       |   |       |     |           |          |       | 10.20.246.16[0/11]|           |             |             |
    +--------+-------+-----------+-----+-----------+----------+-------+-------------------+-----------+-------------+-------------+
    |ten1po2 |ten1   | 2 | 10Gbps|     |   active  |    1     |  long | 10.20.246.21[0/1] | po-created| provisioned | cfg-in-sync |
    |        |       |   |       |     |           |          |       | 10.20.246.22[0/1] |           |             |             |
    +--------+-------+-----------+-----+-----------+----------+-------+-------------------+-----------+-------------+-------------+
    |ten2po2 |ten2   | 3 | 10Gbps|     |   active  |    1     |  long | 10.20.246.21[0/11]| po-created| provisioned | cfg-in-sync |
    |        |       |   |       |     |           |          |       | 10.20.246.22[0/11]|           |             |             |
    +--------+-------+---+-------+-----+-----------+----------+-------+-------------------+-----------+-------------+-------------+

    Example
    efa tenant epg create --name ten1epg1 --tenant ten1 \
       --switchport-mode trunk --po ten1po1,ten1po2 --ctag-range 11 \
       --np-mac-acl-in 11:ext-mac-permit-any-mirror-acl \
       --np-mac-acl-out 11:ext-mac-permit-any-mirror-acl

    efa tenant service mirror session create --name ten1mirrorsession1 --tenant ten1 \
       --source vlan,11 \
       --type vlan,11:flow-based \
       --destination-type vlan,11:span \
       --destination vlan,11:10.20.246.15,eth,0/31 \
       --direction vlan,11:both

    efa tenant epg create --name ten2epg1 --tenant ten2 \
       --switchport-mode trunk --po ten2po1,ten2po2 --ctag-range 21 \
       --np-mac-acl-in 21:ext-mac-permit-any-mirror-acl \
       --np-mac-acl-out 21:ext-mac-permit-any-mirror-acl

    efa tenant service mirror session create --name ten2mirrorsession1 --tenant ten2 \
       --source vlan,21 \
       --type vlan,21:flow-based \
       --destination-type vlan,21:span \
       --destination vlan,21:10.20.246.16,eth,0/31 \
       --direction vlan,21:both
  3. Verify the switch configuration on the SLX device.
    10.20.246.15
    SLX# show running-config mac access-list
    mac access-list extended ext-mac-permit-any-mirror-acl
     seq 10 permit any any mirror
    !
    SLX#
    
    SLX# show running-config vlan 11,21
    vlan 11
     description Tenant L2 Extended VLAN
     mac access-group ext-mac-permit-any-mirror-acl in
     mac access-group ext-mac-permit-any-mirror-acl out
    !
    vlan 21
     description Tenant L2 Extended VLAN
     mac access-group ext-mac-permit-any-mirror-acl in
     mac access-group ext-mac-permit-any-mirror-acl out
    !
    SLX#
    10.20.246.16
    SLX# show running-config mac access-list
    mac access-list extended ext-mac-permit-any-mirror-acl
     seq 10 permit any any mirror
    !
    SLX#
    
    SLX# show running-config vlan 11,21
    vlan 11
     description Tenant L2 Extended VLAN
     mac access-group ext-mac-permit-any-mirror-acl in
     mac access-group ext-mac-permit-any-mirror-acl out
    !
    vlan 21
     description Tenant L2 Extended VLAN
     mac access-group ext-mac-permit-any-mirror-acl in
     mac access-group ext-mac-permit-any-mirror-acl out
    !
    SLX#
    10.20.246.21
    SLX# show running-config mac access-list
    mac access-list extended ext-mac-permit-any-mirror-acl
     seq 10 permit any any mirror
    !
    SLX#
    
    SLX# show running-config vlan 11,21
    vlan 11
     description Tenant L2 Extended VLAN
     mac access-group ext-mac-permit-any-mirror-acl in
     mac access-group ext-mac-permit-any-mirror-acl out
    !
    vlan 21
     description Tenant L2 Extended VLAN
     mac access-group ext-mac-permit-any-mirror-acl in
     mac access-group ext-mac-permit-any-mirror-acl out
    !
    SLX#
    10.20.246.22
    SLX# show running-config mac access-list
    mac access-list extended ext-mac-permit-any-mirror-acl
     seq 10 permit any any mirror
    !
    SLX#
    
    SLX# show running-config vlan 11,21
    vlan 11
     description Tenant L2 Extended VLAN
     mac access-group ext-mac-permit-any-mirror-acl in
     mac access-group ext-mac-permit-any-mirror-acl out
    !
    vlan 21
     description Tenant L2 Extended VLAN
     mac access-group ext-mac-permit-any-mirror-acl in
     mac access-group ext-mac-permit-any-mirror-acl out
    !
    SLX#
    10.20.246.15-16
    SLX# show running-config monitor session  
    monitor session 1
     source vlan 11 destination ethernet 0/31 direction both flow-based
    !
    monitor session 2
     source vlan 21 destination ethernet 0/31 direction both flow-based
    !
    SLX#
    
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Vlan 11
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Vlan 21
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    SLX#
    10.20.246.21-22
    SLX# show running-config monitor session  
    monitor session 1
     source vlan 11 destination ethernet 0/31 direction both flow-based
    !
    monitor session 2
     source vlan 21 destination ethernet 0/31 direction both flow-based
    !
    SLX#
    
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Vlan 11
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Vlan 21
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Both
    Type                   : flow-based
    SLX#
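
An added example (not part of the original document or of the vendor's tooling): a Python check that parses running-config text of the kind shown in step 3 and flags monitor sessions that mirror a VLAN to an unapproved destination port, or that are flow-based while the source VLAN has no ACL with a `mirror` rule applied. The sample text, the function names and the `approved` map are constructed for illustration; that a flow-based session depends on a `mirror` ACL rule is an assumption drawn from the configuration shown above.

```python
import re
# Constructed sample in the format of the step 3 outputs (not captured from a device).
SAMPLE = """\
mac access-list extended ext-mac-permit-any-mirror-acl
 seq 10 permit any any mirror
!
vlan 11
 mac access-group ext-mac-permit-any-mirror-acl in
!
vlan 21
!
monitor session 1
 source vlan 11 destination ethernet 0/31 direction both flow-based
!
monitor session 2
 source vlan 21 destination ethernet 0/31 direction both flow-based
!
monitor session 3
 source vlan 30 destination ethernet 0/5 direction rx flow-based
!
"""
SESSION_RE = re.compile(r"source vlan (\d+) destination ethernet (\S+) direction \w+( flow-based)?")

def parse_config(text):
    """Return (ACL names with a mirror rule, {vlan: ACLs applied}, sessions)."""
    mirror_acls, vlan_acls, sessions, ctx = set(), {}, [], ["!"]
    for line in filter(str.strip, text.splitlines()):
        words = line.split()
        if not line.startswith(" "):      # a top-level line opens a new stanza
            ctx = words
        elif ctx[:3] == ["mac", "access-list", "extended"] and words[-1] == "mirror":
            mirror_acls.add(ctx[3])
        elif ctx[0] == "vlan" and words[:2] == ["mac", "access-group"]:
            vlan_acls.setdefault(int(ctx[1]), set()).add(words[2])
        elif ctx[:2] == ["monitor", "session"] and (m := SESSION_RE.match(line.strip())):
            sessions.append((int(ctx[2]), int(m.group(1)), m.group(2), bool(m.group(3))))
    return mirror_acls, vlan_acls, sessions

def audit(text, approved):
    """approved maps a source VLAN to the only destination port it may mirror to."""
    mirror_acls, vlan_acls, sessions = parse_config(text)
    findings = []
    for sid, vlan, dest, flow_based in sessions:
        if approved.get(vlan) != dest:
            findings.append((sid, f"vlan {vlan} -> eth {dest} is not an approved mirror"))
        # Assumption: a flow-based session copies only frames matched by a mirror ACL rule.
        if flow_based and not vlan_acls.get(vlan, set()) & mirror_acls:
            findings.append((sid, f"vlan {vlan} has no ACL with a mirror rule applied"))
    return findings
```

Calling `audit(SAMPLE, {11: "0/31", 21: "0/31"})` reports session 2 (no mirror ACL on VLAN 21) and session 3 (unapproved VLAN and port, and no mirror ACL); session 1 matches the configuration this page builds and produces no finding.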