This article details the ability of the Tap Aggregator to redirect, or steer, traffic away from the aggregation group that the Tap port belongs to. This capability allows for a more granular focus and control on individual, or multiple, traffic flows ingressing the Tap Aggregator. The traffic steering capability uses MQC (QoS style) policy and class maps combined with standard access-lists to perform this function. The feature also allows for the configuration of an identity VLAN different from the identity VLAN associated with the Tap port. This article details the configuration steps necessary to achieve this functionality.
The following related features might also be of interest, but are out of the scope of this article:
- TAP Aggregation Configuration: Quick Start
- Tap Aggregation – Filtering with Port ACLs
- Tap Aggregation – VLAN List Filtering
The well-known IP, IPv6 and MAC access-list filtering is used to filter traffic in Tap Aggregation mode, just as it is in switching mode. Traffic steering also uses access-lists, classifying traffic with class-maps. IPv6 and MAC steering policies are supported on the 7500E starting with EOS-4.17.0F.
# IP ACL - Match IP traffic conforming to RFC 1918
switch(config)#ip access-list matchRFC1918
switch(config-acl-matchRFC1918)#permit ip any 10.0.0.0/8 log
switch(config-acl-matchRFC1918)#permit ip any 172.16.0.0/12 log
switch(config-acl-matchRFC1918)#permit ip any 192.168.0.0/16 log
# MAC ACL - Match NON IP traffic
switch(config)#mac access-list matchNonIp
switch(config-mac-acl-matchNonIp)#permit vlan 4 0x00F any any
switch(config-mac-acl-matchNonIp)#permit any 0102.0304.0506 ffff.ffff.ffff
# IPv6 ACL - Match IPv6 traffic
switch(config)#ipv6 access-list matchV6
switch(config-ipv6-acl-matchV6)#permit ipv6 any host 2fe1:b468:024a::
switch(config-ipv6-acl-matchV6)#permit ipv6 3891:3c58:6300::/64 any
For traffic steering to match against traffic, the standard MQC mechanism is the class-map, which can match against one or multiple access-lists. This follows the same CLI convention used in traditional switching modes. A class-map may reference one or many access-lists, but evaluation stops at the first access-list that matches: the packet is classified and the remaining access-lists in the class-map are not consulted.
# Class-map - Match access-lists
switch(config)#class-map type tapagg match-any TAPMATCH
switch(config-cmap-TAPMATCH)#match ip access-group matchRFC1918
switch(config-cmap-TAPMATCH)#match ip access-group WWWACL
switch(config-cmap-TAPMATCH)#match mac access-group matchNonIp
switch(config-cmap-TAPMATCH)#match ipv6 access-group matchV6
The above class-map classifies traffic that matches any of matchRFC1918, WWWACL, matchNonIp or matchV6.
Note that the class-map must be configured as type “tapagg” for traffic steering to function on the Tap Aggregator.
Traffic steering is executed by the policy-map, which binds a traffic match to a set of actions.
For convenience, two implementation methods are offered under the policy-map:
- MQC (hierarchical)
  - The policy-map traffic match occurs via class-maps
  - The set rules for that match reside under the class (set aggregation-group, id-tag)
Policy-map example (MQC)
# Policy-map - Match class-maps
switch(config)#policy-map type tapagg POLICY-TAP1
switch(config-pmap-POLICY-TAP1)#class TAPMATCH
switch(config-pmap-c-POLICY-TAP1-TAPMATCH)#set aggregation-group SNIFFER-GROUP
switch(config-pmap-c-POLICY-TAP1-TAPMATCH)#set id-tag 500
- Single-Line (flat)
  - The policy-map matches directly against an access-list (bypassing the MQC class-map)
  - The rules (set aggregation-group, id-tag) are applied on the same line
  - A single line combines both the access-list match and the set rules
Policy-map example (flat)
# Policy-map - Raw match
switch(config)#policy-map type tapagg DIRECT-SET
switch(config-pmap-DIRECT-SET)#match ip 220.127.116.11/24 any set aggregation-group IDS-GROUP id-tag 4000
switch(config-pmap-DIRECT-SET)#match mac any any set aggregation-group IDS-GROUP id-tag 3000
switch(config-pmap-DIRECT-SET)#match ipv6 any any set aggregation-group IDS-GROUP id-tag 2000
Note that the policy-map must be configured as type “tapagg” for traffic steering to function on the Tap Aggregator.
Also note that, as usual, a policy-map has an implicit ending permit (traffic matching no class keeps the Tap port's default aggregation group and identity VLAN), as opposed to an access-list, which has an implicit ending deny.
Finally, in order to apply the above configuration to an interface and steer the desired traffic into a new aggregation group or apply a new identity VLAN, the policy-map must be applied to the TAP port with a “service-policy” command. Only a single service-policy can be applied to a physical interface.
# Service-policy - Interface application
switch(config)#interface ethernet5
switch(config-if-Et5)#service-policy type tapagg input POLICY-TAP1
Note that the service-policy must be configured as type “tapagg” for traffic steering to function on the Tap Aggregator.
The figure below represents a combination of multiple tap ports and tool ports. In this example, tap ports are mapped to the ToolsA group and tool ports are mapped to either the ToolsA or the ToolsB group. Traffic steering is used to match specific traffic out of the default ToolsA group on Eth1 and redirect that traffic to the ToolsB group while simultaneously resetting the identity VLAN.
Classification and filtering decision tree
The workflow diagram below represents the filtering decision tree, illustrating the logic flow.
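The decision tree above, together with the class-map and policy-map semantics described earlier (access-lists end in an implicit deny, a match-any class-map stops at the first matching access-list, and a tapagg policy-map ends in an implicit permit that leaves unmatched traffic in the Tap port's own aggregation group and identity VLAN), is modelled below as an added example in Python. This is not Arista code and does not reflect how EOS evaluates steering in hardware; the ACL entry shape, the packet summary, the Eth1/ToolsA/ToolsB figure scenario and all sample addresses are constructed for illustration.

```python
"""Software model of Tap Aggregation traffic steering (added example, not
Arista code). It reproduces the documented evaluation order: ACL top-down
with implicit deny, match-any class-map with first-hit exit, policy-map
classes in order with implicit permit to the port's default group/VLAN."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

@dataclass
class Packet:
    # Constructed packet summary; src_ip/dst_ip are None for non-IP frames.
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any", a CIDR prefix (ip/ipv6) or a MAC (mac)
    dst: str

@dataclass
class Acl:
    kind: str            # "ip", "ipv6" or "mac"
    entries: List[AclEntry]

@dataclass
class ClassMap:
    name: str
    acls: List[Acl]      # match-any: first access-list that permits wins

@dataclass
class SteerAction:
    aggregation_group: str
    id_tag: Optional[int] = None   # None keeps the port's identity VLAN

@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, SteerAction]]   # configured order

@dataclass
class TapPort:
    name: str
    default_group: str
    default_id_tag: int
    policy: Optional[PolicyMap] = None

def _cidr_match(prefix: str, addr: Optional[str]) -> bool:
    if prefix == "any":
        return True
    if addr is None:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def _entry_matches(kind: str, e: AclEntry, pkt: Packet) -> bool:
    if kind == "mac":
        return all(p == "any" or p.lower() == a.lower()
                   for p, a in ((e.src, pkt.src_mac), (e.dst, pkt.dst_mac)))
    if pkt.src_ip is None:
        return False
    wanted = 6 if kind == "ipv6" else 4
    if ipaddress.ip_address(pkt.src_ip).version != wanted:
        return False
    return _cidr_match(e.src, pkt.src_ip) and _cidr_match(e.dst, pkt.dst_ip)

def acl_permits(acl: Acl, pkt: Packet) -> bool:
    """Top-down evaluation; falling off the end is the implicit deny."""
    if acl.kind == "mac" and pkt.src_ip is not None:
        return False   # MAC ACL steering matches only non-IP traffic
    for e in acl.entries:
        if _entry_matches(acl.kind, e, pkt):
            return e.action == "permit"
    return False

def class_matches(cmap: ClassMap, pkt: Packet) -> bool:
    # any() stops at the first permitting ACL, like the class-map exit.
    return any(acl_permits(acl, pkt) for acl in cmap.acls)

def steer(port: TapPort, pkt: Packet) -> Tuple[str, int]:
    """Return (aggregation_group, id_tag) chosen for an ingressing frame."""
    if port.policy is not None:
        for cmap, action in port.policy.classes:
            if class_matches(cmap, pkt):
                tag = port.default_id_tag if action.id_tag is None else action.id_tag
                return action.aggregation_group, tag
    # Implicit permit: unmatched traffic stays in the port's own group/VLAN.
    return port.default_group, port.default_id_tag

def build_demo_port() -> TapPort:
    """Constructed figure scenario: Eth1 defaults to ToolsA (identity VLAN 100);
    RFC 1918 destinations and non-IP frames are steered to ToolsB."""
    rfc1918 = Acl("ip", [AclEntry("permit", "any", "10.0.0.0/8"),
                         AclEntry("permit", "any", "172.16.0.0/12"),
                         AclEntry("permit", "any", "192.168.0.0/16")])
    non_ip = Acl("mac", [AclEntry("permit", "any", "any")])
    policy = PolicyMap("POLICY-TAP1", [
        (ClassMap("TAPMATCH", [rfc1918]), SteerAction("ToolsB", 500)),
        (ClassMap("NONIP", [non_ip]), SteerAction("ToolsB", 3000)),
    ])
    return TapPort("Ethernet1", "ToolsA", 100, policy)

if __name__ == "__main__":
    port = build_demo_port()
    for pkt in (Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", "203.0.113.5", "10.1.2.3"),
                Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", "203.0.113.5", "198.51.100.7"),
                Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb"),
                Packet("00:11:22:33:44:55", "66:77:88:99:aa:bb", "2001:db8::1", "2001:db8::2")):
        print(pkt.dst_ip or "non-IP", "->", steer(port, pkt))
```

Running the block shows the two behaviours worth checking before deploying a steering policy: an RFC 1918 destination leaves ToolsA for ToolsB with identity VLAN 500, while an IPv6 packet is neither matched by the IP access-list nor by the MAC access-list (MAC steering matches only non-IP traffic) and therefore stays in ToolsA with the port's default identity VLAN.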
This feature is currently supported on:
- MAC ACL in traffic steering matches only non-IP traffic
- Filtering on fragment rules and TCP established is not supported on the 7500E
- MAC ACL steering does not match IPv6 traffic
- MAC ACL steering when using MPLS pop requires tool ports to enable identity tagging to avoid packet malformation; however, identity tagging itself is not supported