DANZ Tap Aggregation – Filtering on inner Q-in-Q header, and stripping outer header – At the same time


This article documents the ability, for the Arista 7150S in Tap Aggregation mode, to selectively filter on the inner Q-in-Q header and, at the same time, strip the outer header on egress, giving granular control over which Q-tagged traffic the tools receive.

As sample traffic, take the following Q-in-Q stream:

  • Outer Q-header (Eth-type 0x88a8) – STAG – VLAN ID = 100
  • Inner Q-header (Eth-type 0x8100) – CTAG – VLAN ID = 101, 102


Packet capture example for this Q-in-Q traffic:


7150S(config)#bash sudo tcpdump -nni mirror0
[...]
22:23:44.040896 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p 0, ethertype 802.1Q, vlan 101, p 0, ethertype IPv4, 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 970

22:23:45.040931 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p 0, ethertype 802.1Q, vlan 102, p 0, ethertype IPv4, 172.16.0.1.69 > 6.0.0.10.3221: UDP, length 430

22:23:46.040965 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p 0, ethertype 802.1Q, vlan 101, p 0, ethertype IPv4, 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 970

22:23:47.041000 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p 0, ethertype 802.1Q, vlan 102, p 0, ethertype IPv4, 172.16.0.1.69 > 6.0.0.10.3221: UDP, length 430


Illustration of the Q-in-Q traffic generated for this example, with the relevant headers:

Q-in-Q traffic


IP ACLs on the 7150S accept VLAN match clauses, which gives flexible Layer 2/Layer 3/Layer 4 filtering in a single rule:

!
ip access-list ACL-INNER-VLAN
   10 permit vlan inner 101 0x000 ip any any
!
interface ethernet 6
   switchport mode tool
   ip access-group ACL-INNER-VLAN out
!


Applying this ACL egress on the tool port drops the traffic with inner VLAN 102; only the traffic with inner VLAN 101 remains. Note that the traffic is still Q-in-Q (Ethertype 0x88a8): C-tag 101 is the inner VLAN and S-tag 100 is the outer VLAN.


7150S(config)#bash sudo tcpdump -nni mirror0
[...]
22:24:02.041521 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p 0, ethertype 802.1Q, vlan 101, p 0, ethertype IPv4, 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 970

22:24:04.041591 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q-QinQ (0x88a8), length 1020: vlan 100, p 0, ethertype 802.1Q, vlan 101, p 0, ethertype IPv4, 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 970


The tool port can also strip the outer Q-header off egressing frames:

!
interface ethernet 6
   switchport mode tool
   ip access-group ACL-INNER-VLAN out
   switchport tool dot1q remove outer 1
!


The result is traffic carrying a single 802.1Q header with VLAN ID 101. The outer S-tag (VLAN 100) was stripped, so the first Ethertype is now 0x8100, and the frames with inner VLAN 102 were already filtered out by the ACL. A quick sanity check: the frame length drops from 1020 to 1016 bytes, exactly the 4 bytes of the removed tag:


7150S(config)#bash sudo tcpdump -nni mirror0
[...]
22:24:22.042216 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q (0x8100), length 1016: vlan 101, p 0, ethertype IPv4, 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 970

22:24:24.042285 00:ab:00:00:02:23 > 00:1c:73:86:00:69, ethertype 802.1Q (0x8100), length 1016: vlan 101, p 0, ethertype IPv4, 10.0.0.15.1234 > 200.0.0.10.80: UDP, length 970


Illustration of the resulting traffic, inner-filtered and outer-stripped:

After: Inner-filtered and outer-stripped

Before: Q-in-Q traffic


Note: this also works with two stacked C-tags (0x8100 + 0x8100) instead of the 0x88a8 + 0x8100 pair used by standard Q-in-Q.
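To make the tag layout behind the ACL match and the outer strip concrete, here is a small software model of the tool-port pipeline on this page. It is an added example, not Arista code and not taken from the 7150S: it parses a stacked 802.1Q/802.1ad header, applies the `permit vlan inner 101 0x000` predicate, then removes the outermost tag as `switchport tool dot1q remove outer 1` does, and it handles both the standard 0x88a8 + 0x8100 stack and the double 0x8100 stack from the note above. The frames are constructed (MACs copied from the capture, a zero-filled placeholder standing in for the IPv4/UDP headers and payload so the frame lengths match the 1020/1016 bytes tcpdump reports); treating the ACL mask as a wildcard, where 0x000 means exact match, and dropping frames that carry fewer than two tags are assumptions of this model.

```python
"""Software model of the 7150S tool-port behaviour shown on this page:
parse stacked 802.1Q/802.1ad tags, apply `permit vlan inner <vid> <mask>`,
then `switchport tool dot1q remove outer 1`. Added example; the frames are
constructed here, not taken from the page's captures."""
import struct

ETH_8021Q = 0x8100    # C-tag TPID
ETH_8021AD = 0x88A8   # S-tag TPID (standard Q-in-Q)
TAG_TPIDS = {ETH_8021Q, ETH_8021AD}
ETH_IPV4 = 0x0800


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, tags, payload, ethertype=ETH_IPV4):
    """tags is a list of (tpid, vid) pairs, outermost first; PCP/DEI are 0."""
    frame = _mac(dst) + _mac(src)
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack after the two MACs. Returns (tags, payload_ethertype)
    with tags outermost first. 0x88a8 or 0x8100 is accepted at any level, so
    both standard Q-in-Q and double-stacked 0x8100 frames parse."""
    tags, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_TPIDS:
            return tags, etype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))   # low 12 bits of the TCI = VID
        off += 4


def inner_vlan_permit(frame, vid, mask=0x000):
    """Model of `permit vlan inner <vid> <mask>`. Assumption: the mask is a
    wildcard (set bits are don't-care), so 0x000 as on the page is an exact
    match. Frames with fewer than two tags have no inner VLAN and are dropped."""
    tags, _ = parse_tags(frame)
    if len(tags) < 2:
        return False
    care = ~mask & 0x0FFF
    return (tags[1][1] & care) == (vid & care)


def strip_outer_tags(frame, count=1):
    """Model of `switchport tool dot1q remove outer <count>`: drop the
    outermost <count> tags (4 bytes each) and keep the rest of the frame."""
    tags, _ = parse_tags(frame)
    n = min(count, len(tags))
    return frame[:12] + frame[12 + 4 * n:]


def tool_port_egress(frames, permit_vid, strip=1):
    """ACL-INNER-VLAN applied `out` on the tool port, then the outer strip."""
    return [strip_outer_tags(f, strip) for f in frames
            if inner_vlan_permit(f, permit_vid)]


# Constructed sample traffic: MACs from the page's capture; a zero-filled
# placeholder for the 20-byte IPv4 header, 8-byte UDP header and 970-byte
# payload, which gives the same 1020-byte frames tcpdump reports above.
DST, SRC = "00:1c:73:86:00:69", "00:ab:00:00:02:23"
PAYLOAD = bytes(20 + 8 + 970)
FRAME_101 = build_frame(DST, SRC, [(ETH_8021AD, 100), (ETH_8021Q, 101)], PAYLOAD)
FRAME_102 = build_frame(DST, SRC, [(ETH_8021AD, 100), (ETH_8021Q, 102)], PAYLOAD)
# Double-stacked C-tags, as in the closing note.
FRAME_CC_101 = build_frame(DST, SRC, [(ETH_8021Q, 100), (ETH_8021Q, 101)], PAYLOAD)

if __name__ == "__main__":
    for f in tool_port_egress([FRAME_101, FRAME_102, FRAME_CC_101], permit_vid=101):
        tags, etype = parse_tags(f)
        print(len(f), [(hex(t), v) for t, v in tags], hex(etype))
```

Running it prints one line per surviving frame: 1016 bytes, a single `(0x8100, 101)` tag and Ethertype 0x800, while the inner-VLAN-102 frame never reaches the output. The `care` mask is what lets a single rule cover a VLAN range (for example mask 0x003 matches 100 to 103), which is the flexibility the ACL syntax is buying you over a plain per-VLAN filter.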