TAP Aggregation – Traffic Steering


Introduction

This article details the ability of the Tap Aggregator to redirect, or steer, traffic away from the aggregation group that the Tap port belongs to. This capability allows more granular focus and control over individual, or multiple, traffic flows ingressing the Tap Aggregator. Traffic steering uses MQC (QoS style) policy-maps and class-maps combined with standard access-lists. The feature also allows an identity VLAN to be configured that differs from the identity VLAN associated with the Tap port. The configuration steps necessary to achieve this are described below.

The following other features might also be of interest, but are outside the scope of this article:

Access-list overview

The well-known IP, IPv6 and MAC access-list filtering is used to filter traffic in Tap Aggregation mode, just as it is in switching mode. Traffic steering also uses access-lists, classifying traffic through class-maps. IPv6 and MAC steering policies are supported on the 7500E starting with EOS-4.17.0F.

Access-list example:

# IP ACL - Match IP traffic conforming to RFC 1918
switch(config)#ip access-list matchRFC1918
switch(config-acl-matchRFC1918)#permit ip any 10.0.0.0/8 log
switch(config-acl-matchRFC1918)#permit ip any 172.16.0.0/12 log
switch(config-acl-matchRFC1918)#permit ip any 192.168.0.0/16 log

# MAC ACL - Match NON IP traffic
switch(config)#mac access-list matchNonIp
switch(config-mac-acl-matchNonIp)#permit vlan 4 0x00F any any
switch(config-mac-acl-matchNonIp)#permit any 0102.0304.0506 ffff.ffff.ffff

# IPv6 ACL - Match IP traffic
switch(config)#ipv6 access-list matchV6
switch(config-ipv6-acl-matchV6)#permit ipv6 any host 2fe1:b468:024a::
switch(config-ipv6-acl-matchV6)#permit ipv6 3891:3c58:6300::/64 any

Class-map overview

The MQC mechanism that traffic steering uses to match traffic is the class-map, which can match against one or multiple access-lists. This follows the same CLI convention used in traditional switching mode. A class-map can reference one or many access-lists, but evaluation stops at the first access-list that matches; the remaining match statements of that class-map are not consulted for that packet.

Class-map example:

# Class-map - Match access-lists
switch(config)#class-map type tapagg match-any TAPMATCH
switch(config-cmap-TAPMATCH)#match ip access-group matchRFC1918
switch(config-cmap-TAPMATCH)#match ip access-group WWWACL
switch(config-cmap-TAPMATCH)#match mac access-group matchNonIp
switch(config-cmap-TAPMATCH)#match ipv6 access-group matchV6

The above class-map classifies traffic that matches any of matchRFC1918, WWWACL, matchNonIp or matchV6 (WWWACL is assumed to be an IP access-list defined elsewhere).

Note that the class-map must be configured as type “tapagg” for traffic steering to function on the Tap Aggregator.

Policy-map overview

Traffic steering is executed by the policy-map, which binds a traffic match to a set of actions.
For convenience, two implementation methods are offered under the policy-map:

  1. MQC (hierarchical)
    • The policy-map traffic match occurs via class-maps
    • The set rules for that match reside under the class statement within the policy-map (set aggregation-group, set id-tag)

    Policy-map example (MQC)

    # Policy-map - Match class-maps
    switch(config)#policy-map type tapagg POLICY-TAP1
    switch(config-pmap-POLICY-TAP1)#class TAPMATCH
    switch(config-pmap-c-POLICY-TAP1-TAPMATCH)#set aggregation-group SNIFFER-GROUP
    switch(config-pmap-c-POLICY-TAP1-TAPMATCH)#set id-tag 500

  2. Single-Line (flat)
    • The policy-map matches directly against an access-list, bypassing the MQC class-map
    • The set rules (set aggregation-group, id-tag) are applied on the same line
    • A single line combines both the access-list match and the set rules

Policy-map example (flat)

# Policy-map - Raw match
switch(config)#policy-map type tapagg DIRECT-SET
switch(config-pmap-DIRECT-SET)#match ip 5.0.0.0/24 any set aggregation-group IDS-GROUP id-tag 4000
switch(config-pmap-DIRECT-SET)#match mac any any set aggregation-group IDS-GROUP id-tag 3000
switch(config-pmap-DIRECT-SET)#match ipv6 any any set aggregation-group IDS-GROUP id-tag 2000

Note that the policy-map must be configured as type “tapagg” for traffic steering to function on the Tap Aggregator.

Also note that, as usual, a policy-map has an implicit permit at the end, whereas an access-list has an implicit deny at the end. Traffic that matches no class in the steering policy is therefore not dropped by the policy; it keeps flowing to the Tap port's default aggregation group, so any traffic that must not reach the default tools has to be denied by the Tap port's filtering ACL rather than by the steering policy.

Interface application

Finally, in order to apply the above configurations to an interface and steer the desired traffic into a new aggregation group or apply a new identity VLAN, the policy must be applied to the TAP port with a “service-policy” command.  Only a single service-policy can be applied to a physical interface.

Examples

# Service-policy - Interface application
switch(config)#interface ethernet5
switch(config-if-Et5)#service-policy type tapagg input POLICY-TAP1

Note that the service-policy must be configured as type “tapagg” for traffic steering to function on the Tap Aggregator, and the name it references must be a tapagg policy-map, not a class-map.
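As an added check (not part of the article and not an EOS feature): a small Python linter that walks the steering chain of a running-config, access-list -> class-map -> policy-map -> service-policy, and flags dangling names and objects that are not type tapagg, the two mistakes that silently leave traffic in the default group. The config text, regexes and function names below are constructed for this example.

```python
import re
# Constructed running-config (not from the article) wiring the chain ACLs -> class-map ->
# policy-map -> service-policy, with two deliberate mistakes for the linter to catch.
SAMPLE_CONFIG = """\
ip access-list matchRFC1918
   permit ip any 10.0.0.0/8
mac access-list matchNonIp
   permit any 0102.0304.0506 ffff.ffff.ffff
class-map type tapagg match-any TAPMATCH
   match ip access-group matchRFC1928
   match mac access-group matchNonIp
policy-map type tapagg POLICY-TAP1
   class TAPMATCH
      set aggregation-group SNIFFER-GROUP
interface Ethernet5
   service-policy type tapagg input TAPMATCH
"""
# Definitions (block headers) and references (child lines): (regex, kind, type group, name group)
DEFS = [(re.compile(r"^(?:ip|ipv6|mac) access-list (\S+)$"), "acl", None, 1),
        (re.compile(r"^class-map(?: type (\S+))? match-(?:any|all) (\S+)$"), "class-map", 1, 2),
        (re.compile(r"^policy-map(?: type (\S+))? (\S+)$"), "policy-map", 1, 2)]
REFS = [(re.compile(r"^match (?:ip|ipv6|mac) access-group (\S+)$"), "acl", None, 1),
        (re.compile(r"^class (\S+)$"), "class-map", None, 1),
        (re.compile(r"^service-policy(?: type (\S+))? input (\S+)$"), "policy-map", 1, 2)]
def parse_blocks(text):
    # Split an EOS-style config into (header, [indented child lines]) blocks.
    blocks = []
    for line in text.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
    return blocks
def lint_tapagg_steering(text):
    """Return problems in the steering chain: non-tapagg types and dangling names."""
    blocks, issues = parse_blocks(text), []
    defined = {kind: set() for _, kind, _, _ in DEFS}
    for header, _ in blocks:  # pass 1: collect definitions and check their type
        for rx, kind, tgrp, ngrp in DEFS:
            if (m := rx.match(header)):
                defined[kind].add(m.group(ngrp))
                if tgrp and m.group(tgrp) != "tapagg":
                    issues.append(f"{kind} {m.group(ngrp)} is not type tapagg")
    for header, children in blocks:  # pass 2: every reference must resolve to a tapagg object
        for child in children:
            for rx, kind, tgrp, ngrp in REFS:
                if (m := rx.match(child)) and (m.group(ngrp) not in defined[kind]
                                              or (tgrp and m.group(tgrp) != "tapagg")):
                    issues.append(f"{header}: '{child}' -> unresolved or non-tapagg {kind}")
    return issues
```

Run against SAMPLE_CONFIG it reports the misspelled ACL under the class-map and the class-map name applied as a service-policy on Ethernet5; a config with both names corrected reports nothing.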

The figure below represents a combination of multiple tap ports and tool ports. In this example, tap ports are mapped to the ToolsA group and tool ports are mapped to the ToolsA or the ToolsB group. Traffic steering is used to match specific traffic out of the default ToolsA group on Eth1 and redirect that traffic to the ToolsB group while simultaneously resetting the identity VLAN.

[Figure: Slide08]

Classification and filtering decision tree

The workflow diagram below represents the filtering decision tree, illustrating the logic flow.

[Figure: Slide09]

Limitations

This feature is currently supported on:

  • 7150
    • MAC ACL in traffic steering matches only NON IP traffic
  • 7500E
    • Filtering on the fragment rule and on TCP established is not supported on the 7500E
    • MAC ACL steering does not match IPv6 traffic
    • MAC ACL steering when using MPLS pop requires tool ports to enable identity tagging to avoid packet malformation; however, identity tagging itself is not supported