[Enterprise SONiC] Mirroring function
Everflow mirrors traffic that matches an ACL rule to a remote mirror server. It is an alternative to ERSPAN (Encapsulated Remote Switched Port Analyzer).
SPAN (Switched Port Analyzer) mirrors the ingress and egress traffic of physical ports.
Tested model & firmware version:
- Switch model name:
DCS204 (AS7726-32X)
DCS203 (AS7326-56X)
EPS202 (AS4630-54PE)
- Edgecore SONiC version:
202012.2 ~ 202012.4
202111.0 ~ 202111.8
Restriction:
- Everflow can mirror only the ingress traffic of the source interface.
- There is no SONiC command for adding ACL rules of type MIRROR. (refer to this article)
- For the MIRROR table type, an IPv6 destination cannot be set in the ACL rule.
- A mirror session only becomes active once the destination IP address has been learned in the ARP table.
- The destination port cannot be an L3 interface.
- Known issues:
- [SONIC-3404] When an Everflow packet is sent out, it does not follow the VLAN settings of the egress port; the traffic is always sent out with a VLAN tag.
- [SONIC-3407] After a port mirror session is removed, the switch keeps mirroring until the cable is reconnected.
Everflow
Topology:
Procedure:
Step 1. Build the topology as shown in the picture. (refer to Management and front port IPv4 and IPv6 Address and VLAN & Inter-VLAN Routing)
Step 2. Create a mirror session that specifies the source and destination IP addresses.
admin@sonic:~$ sudo config mirror_session add ts1_everflow 192.168.10.1 192.168.50.2 63 255
Step 3: Create the ACL table and load the ACL rule.
admin@sonic:~$ sudo config acl add table ACL_Mirror MIRROR --description 'mirror' --stage ingress --ports Ethernet0
admin@sonic:$ cat acl.json
{
    "ACL_RULE": {
        "ACL_Mirror|ACE_Mirror": {
            "PRIORITY": "55",
            "IP_TYPE": "ipv4any",
            "MIRROR_ACTION": "ts1_everflow"
        }
    }
}
admin@sonic:$ sudo config load acl.json -y
Running command: /usr/local/bin/sonic-cfggen -j acl.json --write-to-db
admin@sonic:~$
Note:
The ACL table type must be MIRROR.
The value of MIRROR_ACTION is the name of the mirror session.
Result:
- Check the mirror status
admin@sonic:~$ show mirror_session
ERSPAN Sessions
Name          Status    SRC IP        DST IP        GRE    DSCP    TTL    Queue    Policer    Monitor Port    SRC Port    Direction
------------  --------  ------------  ------------  -----  ------  -----  -------  ---------  --------------  ----------  -----------
ts1_everflow  inactive  192.168.10.1  192.168.50.2         63      255                        Ethernet52
admin@sonic:~$ show acl table
Name        Type    Binding    Description    Stage
----------  ------  ---------  -------------  -------
ACL_Mirror  MIRROR  Ethernet0  mirror         ingress
admin@sonic:~$ show acl rule
Table       Rule        Priority    Action                        Match
----------  ----------  ----------  ----------------------------  ----------------
ACL_Mirror  ACE_Mirror  55          MIRROR INGRESS: ts1_everflow  IP_TYPE: ipv4any
Caution: The destination's ARP entry must be present in the ARP table; otherwise the session status stays inactive.
admin@sonic:~$ show arp
Address        MacAddress         Iface       Vlan
-------------  -----------------  ----------  ------
192.168.10.2   04:f8:f8:8d:81:e1  Ethernet0   10
192.168.10.3   04:f8:f8:6b:06:91  Ethernet48  10
192.168.50.2   80:a2:35:d2:3b:b5  Ethernet52  -
Total number of entries 5
admin@sonic:~$ show mirror_session
ERSPAN Sessions
Name          Status    SRC IP        DST IP        GRE    DSCP    TTL    Queue    Policer    Monitor Port    SRC Port    Direction
------------  --------  ------------  ------------  -----  ------  -----  -------  ---------  --------------  ----------  -----------
ts1_everflow  active    192.168.10.1  192.168.50.2         63      255                        Ethernet52
SPAN Sessions
Name    Status    DST Port    SRC Port    Direction    Queue    Policer
------  --------  ----------  ----------  -----------  -------  ---------
SPAN
Topology:
Pre-configuration:
- VLAN configuration matches the topology.
admin@sonic:~$ show vlan brief
+-----------+-----------------+-----------+----------------+---------------+---------------+-------------+-------------+
|   VLAN ID | IP Address      | Ports     | Port Tagging   | DHCP Helper   | DHCP Source   | DHCP Link   | Proxy ARP   |
|           |                 |           |                | Address       | Interface     | Selection   |             |
+===========+=================+===========+================+===============+===============+=============+=============+
|        10 | 192.168.10.1/24 | Ethernet4 | untagged       |               |               |             | disabled    |
|           |                 | Ethernet5 | untagged       |               |               |             |             |
+-----------+-----------------+-----------+----------------+---------------+---------------+-------------+-------------+
- IP binding matches the topology.
admin@sonic:~$ show ip interfaces
Interface    Master    IPv4 address/mask    Admin/Oper    BGP Neighbor    Neighbor IP
-----------  --------  -------------------  ------------  --------------  -------------
Ethernet6              192.168.2.1/24       up/up         N/A             N/A
Loopback0              10.1.0.1/32          up/up         N/A             N/A
Vlan10                 192.168.10.1/24      up/up         N/A             N/A
docker0                240.127.1.1/24       up/down       N/A             N/A
eth0                   192.168.254.1/24     up/up         N/A             N/A
lo                     127.0.0.1/16         up/up         N/A             N/A
Procedure:
Step 1. Create a mirror session for SPAN.
admin@sonic:~$ sudo config mirror_session span add span_mirror Ethernet6 Ethernet4
Result:
- Check the mirror table
admin@sonic:~$ show mirror_session
ERSPAN Sessions
Name    Status    SRC IP    DST IP    GRE    DSCP    TTL    Queue    Policer    Monitor Port    SRC Port    Direction
------  --------  --------  --------  -----  ------  -----  -------  ---------  --------------  ----------  -----------
SPAN Sessions
Name         Status    DST Port    SRC Port    Direction    Queue    Policer
-----------  --------  ----------  ----------  -----------  -------  ---------
span_mirror  active    Ethernet6   Ethernet4   both
- Packet captured.
Frequently Asked Question
How to mirror only the packets of a specified VLAN ID.
Tested model & firmware version:
- Switch model name:
DCS201 (AS5835-54X)
- Edgecore SONiC version:
202111.0
202111.3
Restriction:
- This method can only be used at the ingress stage.
Problem description:
Mirroring from a VLAN interface is not suitable, because it captures traffic from all ports in the VLAN.
For example:
I want to mirror the traffic of Ethernet8 to Ethernet12, but only the traffic belonging to VLAN 20.
Topology:
Solution
Step 1: Create a mirror session and an ACL table
admin@sonic:~$ sudo config mirror_session span add test Ethernet12
admin@sonic:~$ sudo config acl add table Test MIRROR -p Ethernet8 -s ingress
Step 2: Create the ACL JSON file for the mirror rule and load it into the configuration database
admin@sonic:~$ cat acl.json
{
"ACL_RULE": {
"Test|Forward": {
"PRIORITY": "2",
"MIRROR_ACTION": "test",
"VLAN_ID": "20"
}
}
}
admin@sonic:$ sudo config load acl.json -y
Running command: /usr/local/bin/sonic-cfggen -j acl.json --write-to-db
From version 202111.5 onward, the ACL rule can also be added with a SONiC command. The command corresponding to the acl.json above is:
admin@sonic:$ sudo config acl add rule --priority 2 --mirror-ingress test --vlan-id 20 Test permit
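The acl.json fragment in the Everflow section (IP_TYPE match) and the one above (VLAN_ID match) share one format, so here is an added Python helper, not part of Edgecore's tooling, that generates such a fragment and checks it against the restrictions this article lists (MIRROR table type, ingress stage, existing mirror session, no IPv6 destination). The DST_IPV6 field name used for the IPv6-destination check is an assumption.

```python
import json

# DST_IPV6 is assumed to be the ACL_RULE key behind this article's
# "IPv6 destination" restriction (assumption, not from the page).
IPV6_DST_FIELD = "DST_IPV6"


def build_mirror_rule(table, rule, session, priority, ip_type=None, vlan_id=None):
    """Return an ACL_RULE fragment for one MIRROR rule, keyed 'TABLE|RULE'."""
    fields = {"PRIORITY": str(priority), "MIRROR_ACTION": session}
    if ip_type is not None:
        fields["IP_TYPE"] = ip_type
    if vlan_id is not None:
        fields["VLAN_ID"] = str(vlan_id)
    return {"ACL_RULE": {f"{table}|{rule}": fields}}


def check_mirror_rules(acl_cfg, tables, sessions):
    """Check mirror rules against the restrictions listed in this article.
    tables: {name: {"type", "stage"}} from 'config acl add table'; sessions: names
    from 'config mirror_session'. Returns a list of problem strings."""
    problems = []
    for key, fields in acl_cfg.get("ACL_RULE", {}).items():
        if "|" not in key:
            problems.append(f"{key}: rule key must be 'TABLE|RULE'")
            continue
        table = key.split("|", 1)[0]
        if "MIRROR_ACTION" not in fields:
            continue  # not a mirror rule; nothing from this article applies
        tinfo = tables.get(table)
        if tinfo is None:
            problems.append(f"{key}: ACL table {table} does not exist")
        else:
            if tinfo.get("type") != "MIRROR":
                problems.append(f"{key}: ACL table type must be MIRROR")
            if tinfo.get("stage") != "ingress":
                problems.append(f"{key}: mirror rules work at the ingress stage only")
        if fields["MIRROR_ACTION"] not in sessions:
            problems.append(f"{key}: MIRROR_ACTION must name an existing mirror session")
        if IPV6_DST_FIELD in fields:
            problems.append(f"{key}: IPv6 destination is not supported on mirror rules")
        if not str(fields.get("PRIORITY", "")).isdigit():
            problems.append(f"{key}: PRIORITY must be a number")
    return problems


if __name__ == "__main__":  # constructed example: the Everflow rule from this article
    tables = {"ACL_Mirror": {"type": "MIRROR", "stage": "ingress"}}
    rule = build_mirror_rule("ACL_Mirror", "ACE_Mirror", "ts1_everflow", 55, ip_type="ipv4any")
    print(json.dumps(rule, indent=4), check_mirror_rules(rule, tables, {"ts1_everflow"}))
```

The printed fragment can be written to a file and loaded with `config load <file> -y` exactly as in the steps above.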
Step 3: Check the status
admin@sonic:~$ show mirror_session
ERSPAN Sessions
Name    Status    SRC IP    DST IP    GRE    DSCP    TTL    Queue    Policer    Monitor Port    SRC Port    Direction
------  --------  --------  --------  -----  ------  -----  -------  ---------  --------------  ----------  -----------
SPAN Sessions
Name    Status    DST Port    SRC Port    Direction    Queue    Policer
------  --------  ----------  ----------  -----------  -------  ---------
test    active    Ethernet12
admin@sonic:~$ show acl table
Name    Type    Binding    Description    Stage
------  ------  ---------  -------------  -------
Test    MIRROR  Ethernet8  Test           ingress
admin@sonic:~$ show acl rule
Table    Rule     Priority    Action                Match
-------  -------  ----------  --------------------  -----------
Test     Forward  2           MIRROR INGRESS: test  VLAN_ID: 20
Result: The packets are captured on the server.
Comments
May I ask for the whole set of parameters which are supported in the JSON file? I have searched for a while but with no result.
Thanks.