Test Access Point (TAP) Aggregation
This section describes test access point (TAP) aggregation and the data structures that it requires. Topics in this section include:
- TAP Aggregation introduction
- TAP Aggregation Description
- TAP Aggregation Configuration
- TAP Aggregation Traffic Steering
- TAP Aggregation GUI
- TAP Aggregation Keyframe and Timestamp Configuration
- TAP Aggregation Commands
Port mirroring is described in Test Access Point (TAP) Aggregation.
TAP Aggregation introduction
Ethernet-based switches are commonly deployed in dedicated networks to support tool access point (TAP) and mirror port traffic toward one or more analysis applications. Ports configured to mirror data can simultaneously switch traffic to its primary destination while directing a copy of that traffic to analysis or test devices. TAP ports are typically part of a dedicated environment that allows for the aggregation of data streams from multiple sources that can be directed to multiple destinations.
Arista switches support port mirroring and TAP aggregation and the data structures required by these functions.
TAP Aggregation Description
These sections describe TAP aggregation, timestamps, and keyframes:
TAP Aggregation
Tool access point (TAP) aggregation is the accumulation of data streams and the subsequent dispersal of these streams to devices and applications that analyze, test, verify, parse, detect, or store data. TAP aggregation requires an environment free from switching operations. Arista switches operate in one of two device modes:
- Switching mode: the switch performs normal switching and routing operations. Data mirroring is supported in switching mode. Tap aggregation is not available in switching mode.
- TAP aggregation mode: The switch is a data-monitoring device and does not provide normal switching and routing services. Data mirroring is not available in tap aggregation mode.
Access control lists, port channels, LAGs, QoS, and VLANs function normally in both modes.
Ethernet and port channel interfaces are configured as TAP and tool ports to support tap aggregation.
- TAP ports: a tap port is an interface that receives a data stream that two network ports exchange.
TAP ports prohibit egress traffic. MAC learning is disabled. All control plane interaction is prevented. Traps for inbound traffic are disabled. Tap ports are in STP forwarding mode.
- Tool ports: A tool port is an interface that replicates data streams received by one or more tap ports. Tool ports connect to devices that process the monitored data streams.
Tool ports prohibit ingress traffic. MAC learning is disabled. All control plane interaction is prevented. Tool ports are in STP forwarding mode.
TAP and tool ports are configured with the switchport mode command. These ports are active when the switch is in tap aggregation mode and error-disabled when the switch is in switching mode.
TAP and tool ports are designated through switchport mode commands and act similar to trunk ports, in that they can allow access to VLANs specified through allowed-VLAN lists. Tap ports also specify a native VLAN for handling untagged frames.
Access, trunk, and dot1q-tunnel mode ports are active when the switch is in switching mode and error-disabled when the switch is in tap aggregation mode.
TAP and tool mode ports are active when the switch is in TAP aggregation mode and error-disabled when the switch is in switching mode.
TAP aggregation groups are data structures that map a set of TAP ports to a set of tool ports. Both TAP and tool ports may belong to multiple TAP aggregation groups, and a TAP aggregation group may contain multiple TAP and tool ports.
Timestamps and Keyframes
FM6000 platform switches support packet timestamping of packets sent from any port at line rate. Timestamps are used to correlate network events and in performance analysis. Keyframes provide information to assist in the interpretation of timestamps.
The switch contains two 64-bit counters to maintain ASIC time and UTC time. ASIC time is based on an internal 350 MHz counter. UTC is absolute time that is maintained by a precision oscillator and synchronized through PTP.
Timestamps are derived from the least significant 31 bits of ASIC time. Based on the 350 MHz counter period and 31-bit resolution, timestamp values repeat every 6.135 seconds.
Keyframes are periodically inserted into the data stream to provide context for interpreting timestamps. Keyframes contain the 64-bit value of the ASIC time counter, the corresponding 64-bit value of the UTC time counter, and the elapsed time since the last PTP synchronization of the UTC counter. Inserting one keyframe every second into the data stream assures that the timestamp value in each egress packet can be associated with values of the complete 64-bit ASIC time counter and the corresponding UTC counter.
Timestamps
Timestamps are based on a frame’s ingress time and applied to frames sent on egress ports, ensuring that timestamps on monitored traffic reflect ingress timing of the original frames. Timestamping is configured on the egress port where the timestamp is applied to the frame.
A timestamp consists of the least significant 31 bits of the ASIC time counter. The most significant bit of the least significant byte is a 0 pad, resulting in a 32-bit timestamp with 31 bits of data. The keyframe mechanism provides recovery of the most significant 33 bits of the ASIC counters and a map to UTC time. Applications use this mechanism to determine the absolute time of the frame timestamp.
The switch supports three timestamp modes, which are configurable on individual Ethernet ports. The modes differ in the management of the egress frame’s 32-bit frame check sequence (FCS):
- Disabled: timestamping is disabled.
- FCS Replacement Mode: the original FCS is discarded, and the ingress timestamp is appended to frame data, followed by a new FCS that is based on the appended timestamp. The result is a valid Ethernet frame, but the headers of all nested protocols are not updated to reflect the timestamp.
- FCS Appending Mode: the original FCS is discarded and replaced by the ingress timestamp. The size of the original frame is maintained without any latency impact, but the FCS is not valid.
Keyframes
Keyframes contain routable IP packets that provide information to relate timestamps with the complete ASIC counter and absolute UTC time. Keyframes have valid L2 and L3 headers. Keyframes contain these header fields:
- MAC fields (12 bytes):
- Source MAC address is the address of the egress interface transmitting the keyframe.
- Destination MAC address is configured through a CLI command.
- IP Header (20 bytes):
- Source IP address is configured through CLI; default is management interface IP address.
- Destination IP address is configured through a CLI command.
- TTL is set to 64.
- TOS is set to 0.
- Protocol field is set to 253.
- IP header’s ID field is set to 0.
Keyframes contain these payload fields:
- ASIC time: (64 bits) ASIC time counter. (2.857 ns resolution).
- UTC time: (64 bits) Unix time that corresponds to ASIC time (ns).
- Last sync time: (64 bits) ASIC time of most recent PTP synchronization.
- Keyframe time: (64 bits) ASIC time of the keyframe’s egress (ns).
- Egress interface drops: (64 bits) Number of dropped frames on keyframe’s egress interface.
- Device ID: (16 bits) device ID (user defined).
- Egress interface: (16 bits) Keyframe’s egress switchport.
- FCS type (8 bits): Timestamping mode configured on keyframe’s egress port.
- 0: timestamping disabled.
- 1: timestamp is appended to payload; new FCS is added to the frame.
- 2: timestamp overwrites the existing FCS.
- Reserved (8 bits): reserved for future use.
- Skew numerator/skew denominator: form a ratio indicating the ASIC clock skew. If the ratio is greater than 1, the clock is skewed fast; if the ratio is less than 1, the clock is skewed slow.
Last sync time equals 0 when there was no previous synchronization or the time since the last synchronization is greater than 8 hours.
The 31-bit frame timestamp provides high-resolution timing, rolling over about every 6.135 seconds (31 bits at 2.857 ns per tick). To obtain the full ASIC time and to correlate the timestamp to an absolute UTC time, the switch sends keyframes. Each keyframe contains the current ASIC time and UTC time; hence an application can compute the high-order bits of the ASIC time (for precise, relative timing) from the ASIC to UTC time mapping, and then determine absolute time.
ASIC to UTC time conversion is not quite immediate, so the UTC time in the frame will not be the current time. A keyframe timestamp is provided for this purpose. The frame also includes the timestamping mode (FCS type) so applications can dynamically determine the timestamp’s byte offset. Each field is shown in the following table.
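Bits 0-7 | Bits 8-15 | Bits 16-31
ASIC time (all columns)
UTC time (all columns)
Last sync time (all columns)
Skew numerator (all columns)
Skew denominator (all columns)
Keyframe timestamp (all columns)
Drop count (all columns)
Device ID (bits 0-15) | Egress interface (bits 16-31)
FCS type (bits 0-7) | Reserved (bits 8-15)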
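The timestamp recovery described above, as an added example (not Arista code): it decodes the 32-bit field, locates it by FCS type, and uses the most recent keyframe to rebuild the 64-bit ASIC time and the UTC time. Assumptions: the field is big-endian, the captured bytes still end with the frame's last four bytes as transmitted, clock skew is ignored, and all names and sample values are constructed.

```python
from dataclasses import dataclass

ASIC_HZ = 350_000_000      # ASIC counter frequency given on this page
TS_WRAP = 1 << 31          # 31 data bits: the frame timestamp rolls over every ~6.135 s

# Keyframe "FCS type" values as listed on this page
FCS_DISABLED, FCS_APPENDED, FCS_OVERWRITTEN = 0, 1, 2


@dataclass(frozen=True)
class Keyframe:
    """Only the keyframe fields this example needs (values already parsed)."""
    asic_time: int   # full 64-bit ASIC counter, in ticks
    utc_ns: int      # Unix time in ns corresponding to asic_time
    fcs_type: int    # timestamping mode of the egress port


def decode_timestamp_field(raw: bytes) -> int:
    """Turn the 32-bit on-wire field into the 31-bit tick count.

    Bit 7 of the least significant byte is a 0 pad, so the upper 24 bits
    are shifted down by one position to close the gap.
    Assumption: the field is big-endian (network byte order).
    """
    if len(raw) != 4:
        raise ValueError("timestamp field must be 4 bytes")
    word = int.from_bytes(raw, "big")
    return ((word >> 8) << 7) | (word & 0x7F)


def extract_timestamp(frame: bytes, fcs_type: int) -> int:
    """Locate the timestamp in a captured frame according to the FCS type.

    Assumption: `frame` ends with the last four bytes as transmitted
    (the capture did not strip the FCS position).
    """
    if len(frame) < 8:
        raise ValueError("frame too short")
    if fcs_type == FCS_OVERWRITTEN:      # type 2: timestamp sits where the FCS was
        return decode_timestamp_field(frame[-4:])
    if fcs_type == FCS_APPENDED:         # type 1: payload | timestamp | new FCS
        return decode_timestamp_field(frame[-8:-4])
    raise ValueError("timestamping disabled on this port")


def expand_asic_time(ts31: int, kf: Keyframe) -> int:
    """Rebuild the 64-bit ASIC time: take the upper 33 bits from the keyframe,
    then pick the rollover period that puts the frame closest to the keyframe.
    Valid while keyframes arrive more often than half a rollover (~3 s)."""
    candidate = (kf.asic_time & ~(TS_WRAP - 1)) | ts31
    if candidate - kf.asic_time > TS_WRAP // 2:
        candidate -= TS_WRAP
    elif kf.asic_time - candidate > TS_WRAP // 2:
        candidate += TS_WRAP
    return candidate


def frame_utc_ns(frame: bytes, kf: Keyframe) -> int:
    """Absolute ingress time of a frame in Unix nanoseconds (skew ignored)."""
    asic = expand_asic_time(extract_timestamp(frame, kf.fcs_type), kf)
    return kf.utc_ns + (asic - kf.asic_time) * 1_000_000_000 // ASIC_HZ


def encode_timestamp_field(ts31: int) -> bytes:
    """Inverse of decode_timestamp_field, used only to build sample frames."""
    return (((ts31 >> 7) << 8) | (ts31 & 0x7F)).to_bytes(4, "big")


if __name__ == "__main__":
    # Constructed keyframe taken 648 ticks before the 31-bit counter rolls over.
    kf = Keyframe(asic_time=(5 << 31) + 2_147_483_000,
                  utc_ns=1_700_000_000_000_000_000, fcs_type=FCS_OVERWRITTEN)
    # Constructed frame that entered the switch 1000 ticks later, after rollover.
    frame = bytes(60) + encode_timestamp_field(352)
    print(frame_utc_ns(frame, kf) - kf.utc_ns, "ns after the keyframe")
```

Picking the rollover period nearest the keyframe is what keeps a frame stamped just after a counter wrap from being placed one full period (about 6 seconds) too early in a correlated timeline.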
TAP Aggregation Configuration
These sections describe TAP aggregation configuration tasks:
Enabling Tap Aggregation Mode
The switch supports switching mode and TAP aggregation mode. In switching mode, normal switching and routing functions are supported while TAP aggregation functions are disabled. In TAP aggregation mode, TAP aggregation functions are enabled while normal switching and routing functions are disabled. By default, the switch is in switching mode.
A port's switchport status depends on its switchport mode and the switch’s TAP aggregation mode.
- Tap aggregation mode enabled: TAP and tool ports are enabled. Switching ports are errdisabled.
- Tap aggregation mode disabled: TAP and tool ports are errdisabled. Switching ports are enabled.
To enable the switch to carry out TAP aggregation, first enter TAP aggregation configuration mode using the tap aggregation command, then set the mode to exclusive.
Example
- These commands enter TAP aggregation configuration mode, then place the switch in TAP aggregation exclusive mode.
switch(config)#tap aggregation
switch(config-tap-agg)#mode exclusive
switch(config-tap-agg)#show active
tap aggregation
mode exclusive
switch(config-tap-agg)#
To return the switch to switching mode, remove the mode command from running-config.
Examples
- These commands enter TAP aggregation configuration mode, then place the switch in switching mode.
switch(config)#tap aggregation
switch(config-tap-agg)#no mode
switch(config-tap-agg)#show active
switch(config-tap-agg)#
- These commands enter switching mode and remove all TAP aggregation configuration mode statements.
switch(config)#no tap aggregation
switch(config)#
TAP Aggregation Mixed Mode
On a modular switch, the user can configure TAP Aggregation on some linecards and leave other linecards to operate normally. This is referred to as TAP aggregation mixed mode.
Mixed Mode Platform Compatibility
The following platforms support TAP Aggregation Mixed Mode.
- DCS-7500R
- DCS-7500R2
Mixed Mode Configuration
TAP Port Configuration
TAP ports function when the switch is in TAP aggregation mode. TAP ports receive traffic for replication to one or more tool ports. In TAP aggregation mode, TAP ports are in STP forwarding state and prohibit egress traffic. MAC learning, control plane interaction and traps for inbound traffic are disabled.
TAP mode ports are configured through switchport mode commands. TAP mode command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP aggregation mode.
This section describes the following tap port configuration steps.
- Configuring an Interface as a TAP Mode Port
- TAP Port Allowed VLAN List Configuration
- TAP Port Native VLAN
- TAP Port Packet Truncation
Configuring an Interface as a Tap Mode Port
Ethernet and port-channel interfaces are configured as TAP ports with the switchport mode command.
Example
- These commands configure Ethernet interfaces 41 through 43 as TAP mode ports.
switch(config)#interface ethernet 41-43
switch(config-if-Et41-43)#switchport mode tap
switch(config-if-Et41-43)#show interface ethernet 41-43 tap
Port    Configured  Status  Native  Id    Truncation  Default
        Mode                Vlan    Vlan              Group
-----------------------------------------------------------------------
Et41    tap         tap     1       1     0           ---
Et42    tap         tap     1       1     0           ---
Et43    tap         tap     1       1     0           ---
switch(config-if-Et41-43)#
TAP Port Allowed VLAN List Configuration
By default, TAP mode interfaces handle tagged traffic for all VLANs. The switchport tap allowed vlan command creates or modifies the set of VLANs for which a TAP port handles tagged traffic.
Example
switch(config)#interface ethernet 41
switch(config-if-Et41)#switchport tap allowed vlan 401-410
switch(config-if-Et41)#interface ethernet 42
switch(config-if-Et42)#switchport tap allowed vlan 411-420
switch(config-if-Et42)#interface ethernet 41-42
switch(config-if-Et41-42)#show active
interface Ethernet41
switchport mode tap
switchport tap allowed vlan 401-410
interface Ethernet42
switchport mode tap
switchport tap allowed vlan 411-420
switch(config-if-Et41-42)#
TAP Port Native VLAN
TAP mode interfaces associate untagged frames with the TAP mode native VLAN. The switchport tap native vlan command specifies the TAP-mode native VLAN for the configuration-mode interface. The default TAP-mode native VLAN for all interfaces is VLAN 1.
Example
switch(config)#interface ethernet 41
switch(config-if-Et41)#switchport tap native vlan 400
switch(config-if-Et41)#show interface ethernet 41-43 tap
Port    Configured  Status  Native  Id    Truncation  Default
        Mode                Vlan    Vlan              Group
-----------------------------------------------------------------------
Et41    tap         tap     400     1     0           ---
Et42    tap         tap     1       1     0           ---
Et43    tap         tap     1       1     0           ---
switch(config-if-Et41)#
TAP Port Packet Truncation
TAP ports can be configured to truncate inbound packets. The switchport tap truncation command configures the configuration-mode interface, as a TAP port, to truncate inbound packets to the specified packet size. By default, TAP ports do not truncate packets.
Examples
- These commands configure Ethernet interface 41 to truncate packets to 150 bytes.
switch(config)#interface ethernet 41
switch(config-if-Et41)#switchport tap truncation 150
switch(config-if-Et41)#show interface ethernet 41-43 tap
Port    Configured  Status  Native  Id    Truncation  Default
        Mode                Vlan    Vlan              Group
-----------------------------------------------------------------------
Et41    tap         tap     400     1     150         ---
Et42    tap         tap     1       1     0           ---
Et43    tap         tap     1       1     0           ---
switch(config-if-Et41)#
- These commands configure Ethernet interface 41 to send complete packets for replication.
switch(config-if-Et41)#no switchport tap truncation
switch(config-if-Et41)#show interface ethernet 41 tap
Port    Configured  Status  Native  Id    Truncation  Default
        Mode                Vlan    Vlan              Group
-----------------------------------------------------------------------
Et41    tap         tap     400     1     0           ---
switch(config-if-Et41)#
Tool Port Configuration
Tool ports replicate traffic received by TAP ports. Tool ports are mapped to the TAP ports through TAP aggregation groups. A tool port may belong to multiple aggregation groups and an aggregation group may contain multiple tool ports.
Tool ports function when the switch is in TAP aggregation mode. In this switch mode, tool ports are in STP forwarding state and ingress traffic is prohibited. MAC learning, control plane interaction, and traps for inbound traffic are disabled. All control plane interaction is prevented and L2 agents do not send PDUs to tool-mode interfaces. When the switch is in switching mode, tool ports are error-disabled.
Tool-mode ports are configured through switchport commands. Tool-mode command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP aggregation mode.
This section describes the following tool port configuration steps.
- Configuring an Interface as a Tool-mode Port
- Tool Port Allowed VLAN List Configuration
- Tool Port Packet Truncation
Configuring an Interface as a Tool-mode Port
Ethernet and port channel interfaces are configured as tool ports with the switchport mode command.
Example
switch(config)#interface port-channel 101-103
switch(config-if-Po101-103)#switchport mode tool
switch(config-if-Po101-103)#show interface port-channel 101-103 tool
Port    Configured  Status  Allowed     Id    Timestamp
        Mode                Vlans       Tag   Mode
-----------------------------------------------------------------------
Po101   tool        tool    All         Off   ---
Po102   tool        tool    All         Off   ---
Po103   tool        tool    All         Off   ---
switch(config-if-Po101-103)#
Tool Port Allowed VLAN List Configuration
By default, tool mode interfaces handle tagged traffic for all VLANs. The switchport tool allowed vlan command creates or modifies the set of VLANs for which a tool port handles tagged traffic.
Example
switch(config)#interface port-channel 101-103
switch(config-if-Po101-103)#switchport tool allowed vlan 1010-1020
switch(config-if-Po101-103)#interface port-channel 101
switch(config-if-Po101)#switchport tool allowed vlan add 1001-1009
switch(config-if-Po101)#interface port-channel 102
switch(config-if-Po102)#switchport tool allowed vlan remove 1016-1020
switch(config-if-Po102)#interface port-channel 103
switch(config-if-Po103)#switchport tool allowed vlan add 1021-1030
switch(config-if-Po103)#show interface port-channel 101-103 tool
Port    Configured  Status  Allowed     Id    Timestamp
        Mode                Vlans       Tag   Mode
-----------------------------------------------------------------------
Po101   tool        tool    1001-1020   Off   ---
Po102   tool        tool    1010-1015   Off   ---
Po103   tool        tool    1010-1030   Off   ---
switch(config-if-Po103)#
Tool Port Packet Truncation
Tool ports can be configured to truncate outbound packets. The switchport tool truncation command configures the configuration-mode interface, as a tool port, to truncate outbound packets to 160 bytes. By default, tool ports do not truncate packets.
Tool port packet truncation is supported only on the 7150 series platform.
Examples
- These commands configure Ethernet interface 41, as a tool port, to truncate packets on egress to 160 bytes.
switch(config)#interface ethernet 41
switch(config-if-Et41)#switchport mode tool
switch(config-if-Et41)#switchport tool truncation 160
switch(config-if-Et41)#
- These commands configure Ethernet interface 41 to send complete packets.
switch(config-if-Et41)#no switchport tool truncation
switch(config-if-Et41)#
Per-linecard TCAM Profile Configuration
This feature gives the ability to specify different profiles for different linecards in mixed mode. The following platforms support per-linecard TCAM profile configuration:
- DCS-7500
- DCS-7500R
- DCS-7500R2
To enable the TAP aggregation mode and configure a TCAM profile for a linecard set, complete the following steps:
- Enable the switch for configuration.
switch>configure terminal
- Enable TAP aggregation mode.
switch(config)#tap aggregation
- Configure the TCAM profile for a linecard set.
switch(config-tap-agg)#mode mixed module linecard 3,4 profile tap-aggregation-default
switch(config-tap-agg)#mode mixed module linecard 5,6 profile tap-aggregation-extended
switch(config-tap-agg)#
To disable TAP aggregation on a linecard set, complete the following steps:
- Enable the switch for configuration.
switch>configure terminal
- Enable TAP aggregation mode.
switch(config)#tap aggregation
- Disable TAP aggregation for a linecard set.
switch(config-tap-agg)#no mode mixed module linecard 3,4
switch(config-tap-agg)#
Two-Way Ports for TAP Aggregation
While in TAP aggregation mode, there is support for traffic only in one direction through either TAP ports that receive packets from mirroring, or through optical TAP or tool ports that send out packets to customer devices. Two-way ports for TAP aggregation allow bidirectional transmit and receive capability on a single port in TAP aggregation mode. Using the TAP-tool switchport mode enables both TAP and tool configurations simultaneously on an interface.
Two-Way Ports Platform Compatibility
The following platforms support two-way ports for TAP aggregation.
- DCS-7280R
- DCS-7280R2
- DCS-7500R
- DCS-7500R2
Two-Way Ports Configuration
To enable a two-way port, use the tap-tool option of the switchport mode command.
Example
switch(config)#interface ethernet 4/1
switch(config-if-Et4/1)#switchport mode tap-tool
switch(config-if-Et4/1)#
Additional configurations for TAP and tool functionality on the interface remain the same. Once the user enables the TAP-tool switchport mode on the interface, they can use the existing TAP and tool mode commands to enable their respective configurations.
Arista recommends using this feature with unidirectional send-receive enabled on the interface, which allows the receiver and transmitter for the interface to operate independently. If one goes down, the other remains active. To enable unidirectional send-receive on an interface, use the unidirectional send-receive command.
Example
switch(config)#interface ethernet 4/1
switch(config-if-Et4/1)#unidirectional send-receive
switch(config-if-Et4/1)#
TAP Aggregation QoS Handling on TAP Ports
Before EOS 4.20.5F, QoS behavior was not enforced for TAP aggregation ports, meaning that QoS behavior for packets passing through the device was not changed.
QoS Handling Platform Compatibility
The following platforms support QoS handling on TAP ports.
- DCS-7280E
- DCS-7280R
- DCS-7500E
- DCS-7500R
- DCS-7280R2
QoS Handling Configuration
Trust Mode of TAP Ports
TAP ports are in QoS untrusted mode by default. This means that the QoS marking of an incoming packet is not trusted when determining the QoS attributes of the packet. Therefore, the default QoS handling takes place. Consider the default CoS to traffic class mapping in the following example.
switch(config)#show qos maps
[...]
Cos-tc map:
cos:01234567
----------------------------
tc: 10234567
[...]
The Class of Service (CoS) field of incoming packets is ignored and is assumed to be zero. In this example, all packets are assigned to traffic class 1 when using the above mapping.
To override the default trust mode behavior on a TAP port, use the qos trust command.
Example
switch(config-if-Et1)#qos trust cos
switch(config-if-Et1)#
Class of Service Rewrite of TAP Ports
By default, TAP ports do not override the existing Class of Service (CoS) field of incoming packets. In other words, the CoS marking of steered packets is not changed in any way.
However, the CoS field of added tags may change according to the traffic class to CoS mapping. For example, the identity tag added by TAP ports may have the CoS value from the global traffic class to CoS mapping. Consider the following mapping:
switch(config)#show qos maps
[...]
Tc-cos map:
tc: 01234567
----------------------------
cos:17234560
[...]
Using this mapping, the added tag CoS field of packets assigned to traffic class 1 may be set to 7.
Displaying QoS Handling Status
Use the show qos maps command to see the active QoS mappings.
Example
switch#show qos maps
Number of Traffic Classes supported: 8
Number of Transmit Queues supported: 8
Cos Rewrite: Disabled
Dscp Rewrite: Disabled
Cos-tc map:
cos: 0 1 2 3 4 5 6 7
----------------------------
tc:  1 0 2 3 4 5 6 7
Dscp-tc map:
d1 : d2  0 1 2 3 4 5 6 7 8 9
--------------------------------------
0  :     1 1 1 1 1 1 1 1 0 0
1  :     0 0 0 0 0 0 2 2 2 2
2  :     2 2 2 2 3 3 3 3 3 3
3  :     3 3 4 4 4 4 4 4 4 4
4  :     5 5 5 5 5 5 5 5 6 6
5  :     6 6 6 6 6 6 7 7 7 7
6  :     7 7 7 7
Tc-cos map:
tc:  0 1 2 3 4 5 6 7
----------------------------
cos: 1 0 2 3 4 5 6 7
Tc-dscp map:
tc:    0  1  2  3  4  5  6  7
-----------------------------
dscp:  8  0 16 24 32 40 48 56
Tc - tx-queue map:
tc:       0 1 2 3 4 5 6 7
---------------------------------
tx-queue: 0 1 2 3 4 5 6 7
switch#
Identity VLAN Tagging
By default, tool port output packets are identical to the replicated packets they receive from the tap ports to which they are associated. Identity tagging modifies packets sent by tool ports by adding a dot1q VLAN tag that identifies the originating TAP port. Each TAP port is associated with an identity number. Tool ports that are configured to add an identity tag append the originating TAP port’s identity number in the outer layer (or s-VLAN) tag.
The following sections describe identity VLAN tagging on TAP and tool ports.
Tap Port Identity Value Configuration
The switchport tap identity command configures the TAP port identity value for the configuration-mode interface. The default identity value for all TAP ports is 1.
Example
switch(config)#interface ethernet 42
switch(config-if-Et42)#switchport tap identity 1042
switch(config-if-Et42)#show interface ethernet 41-43 tap
Port    Configured  Status  Native  Id    Truncation  Default
        Mode                Vlan    Vlan              Group
-----------------------------------------------------------------------
Et41    tap         tap     400     1     0           ---
Et42    tap         tap     1       1042  0           ---
Et43    tap         tap     1       1     0           ---
switch(config-if-Et42)#
Tool Port Identity Tag Configuration
The switchport tool identity command configures the configuration-mode interface to include a tier-1 VLAN tag (dot1q) in packets it transmits. The VLAN number on the dot1q tag is the identity value configured for the TAP port that supplies the packets. By default, tool ports do not encapsulate packets with the tier-1 VLAN tag.
Example
switch(config)#interface port-channel 102
switch(config-if-Po102)#switchport tool identity dot1q
switch(config-if-Po102)#show interface port-channel 101-103 tool
Port    Configured  Status  Allowed     Id    Timestamp
        Mode                Vlans       Tag   Mode
-----------------------------------------------------------------------
Po101   tool        tool    1001-1020   Off   ---
Po102   tool        tool    1010-1015   On    ---
Po103   tool        tool    1010-1030   Off   ---
switch(config-if-Po102)#
TAP Aggregation Group Configuration
TAP aggregation groups associate a set of TAP ports with a set of tool ports. A tool port replicates packets it receives from TAP ports that are in the aggregation groups to which it belongs. A TAP port can be configured to send data to multiple TAP aggregation groups. Tool ports may belong to multiple TAP aggregation groups. TAP aggregation groups may contain multiple TAP ports and multiple tool ports.
The following sections describe the configuration of TAP aggregation groups:
- Assigning a Tool Port to a TAP Aggregation Group
- Assigning TAP Ports to a TAP Aggregation Group
- Viewing TAP Aggregation Group Assignments
- LAGs in Tool Groups
Assigning a Tool Port to a TAP Aggregation Group
Tool ports are assigned to a TAP aggregation group through the switchport tool group command. Each command either creates a list or alters the existing list of groups to which a tool port belongs.
Examples
- These commands create the list of TAP aggregation groups for port-channel interface 101.
switch(config)#interface port-channel 101
switch(config-if-Po101)#switchport tool group set analyze1 analyze2 analyze3
switch(config-if-Po101)#show active
interface Port-Channel101
switchport mode tool
switchport tap identity 2101
switchport tool allowed vlan 1001-1020
switchport tap default group tag-9
switchport tool group set analyze3 analyze1 analyze2
switch(config-if-Po101)#
- These commands remove “analyze1” from port channel 101’s TAP aggregation group list.
switch(config-if-Po101)#switchport tool group remove analyze1
switch(config-if-Po101)#show active
interface Port-Channel101
switchport mode tool
switchport tap identity 2101
switchport tool allowed vlan 1001-1020
switchport tap default group tag-9
switchport tool group set analyze3 analyze2
switch(config-if-Po101)#
Assigning TAP Ports to a TAP Aggregation Group
TAP ports are assigned to a TAP aggregation group using the switchport tap default group command. Multiple ports are added to a group by entering the command in interface configuration mode for each port.
Example
switch(config)#interface ethernet 41-42
switch(config-if-Et41-42)#switchport tap default group analyze2
switch(config-if-Et41-42)#interface ethernet 43
switch(config-if-Et43)#switchport tap default group analyze3
switch(config-if-Et43)#show interface ethernet 41-43 tap
Port    Configured  Status  Native  Id    Truncation  Default
        Mode                Vlan    Vlan              Group
-----------------------------------------------------------------------
Et41    tap         tap     400     1     0           analyze2
Et42    tap         tap     1       1042  0           analyze2
Et43    tap         tap     1       1     0           analyze3
switch(config-if-Et43)#
Viewing TAP Aggregation Group Assignments
TAP aggregation group membership is displayed by show tap aggregation groups. Options allow the display of individual groups or of all configured groups. The command displays active tool and TAP ports by default, and provides an option to display configured ports that are not active.
Example
switch#show tap aggregation groups
Group Name          Tool Members
---------------------------------------------------------
analyze2            Po101, Po102
analyze3            Po101, Po103
Group Name          Tap Members
---------------------------------------------------------
analyze2            Et41, Et42
analyze3            Et43
switch#
LAGs in Tool Groups
Link Aggregation Groups (LAGs) can be included in tool groups for load balancing. A tool group can contain both LAGs and regular ports. Each member of a tool group receives one copy of the traffic destined to the group. Traffic is replicated to tool group members using multicast replication. The traffic replicated to LAGs is then load balanced to their members as per load-balance policies configured on the system.
If a tool group has no more than 60 members with at least one hardware LAG, then the replication mode of the tool group is set to ingress-only. Otherwise, the replication mode of the tool group is set to the configured system default multicast replication mode. See platform sand multicast replication default for more information on configuration of the system default replication mode.
Example
switch(config)#platform sand multicast replication default ingress
switch(config)#
TAP Aggregation Traffic Steering
Traffic steering is a TAP aggregation process that uses class maps and policy maps to direct data streams at tool ports that are not otherwise associated to the ingress TAP port. A policy map is a data structure that filters data streams upon which identity VLAN tagging or TAP aggregation group assignment is implemented.
TAP-aggregation class maps and policy maps are similar to QoS and control-plane maps. However, policy maps and their components are not interchangeable among function types.
TAP Aggregation Policies
A policy map filters data packets by using classes and match rules. Each class contains an eponymous class map and a traffic resolution command. Each match rule contains packet content descriptors and a traffic resolution parameter.
- A class map uses ACLs that identify packets that comprise a specified data stream
- Packet content descriptors specify packet field values that are compared to inbound packets.
- A traffic resolution command or parameter specifies data handling methods for filtered traffic.
Each data packet entering an entity to which a policy map is assigned is managed as defined by the traffic resolution command of the highest priority class or rule that matches the packet.
Class maps are user-created and can be edited or deleted. They filter traffic with IPv4 ACLs and are listed in running-config. TAP aggregation traffic resolution commands do one of the following:
- specify a TAP aggregation group to direct the packet.
- specify a VLAN number for identity tagging the packet.
TAP aggregation policy maps do not define an implicit deny statement. Packets that do not match a policy map class or rule are replicated and sent out tool ports specified by the default aggregation group assigned to the ingress TAP port. If no default group is selected, these packets are dropped.
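An added example (not part of EOS or of this guide) that reads a running-config excerpt and reports TAP ports whose unmatched traffic would be dropped or would reach no tool port, along with ingress truncation that shortens what the tools see. The sample configuration is constructed, the function names and finding codes are hypothetical, and sub-commands are assumed to be indented under their section header.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt built from the commands shown on this page.
SAMPLE_CONFIG = """\
tap aggregation
   mode exclusive
!
interface Ethernet41
   switchport mode tap
   switchport tap truncation 150
   switchport tap default group analyze2
!
interface Ethernet42
   switchport mode tap
   switchport tap identity 1042
!
interface Ethernet43
   switchport mode tap
   switchport tap default group analyze3
!
interface Port-Channel101
   switchport mode tool
   switchport tool group set analyze2
!
"""


def parse_config(text):
    """Return (tap_agg_mode, ports); ports maps interface name to its settings."""
    mode, ports, section = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():                 # unindented line opens a section
            m = re.fullmatch(r"interface (\S+)", line)
            if m:
                section = ports.setdefault(m.group(1), {
                    "mode": None, "default_group": None,
                    "tool_groups": set(), "truncation": None})
            else:
                section = "tapagg" if line == "tap aggregation" else None
        elif section == "tapagg":
            if line.startswith("mode "):
                mode = line.split()[1]           # "exclusive" or "mixed"
        elif isinstance(section, dict):
            words = line.split()
            if words[:2] == ["switchport", "mode"] and len(words) == 3:
                section["mode"] = words[2]
            elif words[:4] == ["switchport", "tap", "default", "group"] and len(words) > 4:
                section["default_group"] = words[4]
            elif words[:4] == ["switchport", "tool", "group", "set"]:
                section["tool_groups"] = set(words[4:])
            elif words[:3] == ["switchport", "tap", "truncation"]:
                section["truncation"] = words[3] if len(words) > 3 else "unspecified"
    return mode, ports


def audit(text):
    """Return (subject, code, detail) findings for monitoring blind spots."""
    mode, ports = parse_config(text)
    findings = []
    if mode not in ("exclusive", "mixed"):
        findings.append(("switch", "TAPAGG_DISABLED",
                         "TAP and tool ports are errdisabled in switching mode"))
    tools_by_group = defaultdict(set)
    for name, port in ports.items():
        if port["mode"] in ("tool", "tap-tool"):
            for group in port["tool_groups"]:
                tools_by_group[group].add(name)
    for name, port in ports.items():
        if port["mode"] not in ("tap", "tap-tool"):
            continue
        group = port["default_group"]
        if group is None:
            findings.append((name, "NO_DEFAULT_GROUP",
                             "traffic not matched by a policy map class or rule is dropped"))
        elif not tools_by_group.get(group):
            findings.append((name, "GROUP_WITHOUT_TOOL",
                             f"default group {group} has no tool port"))
        if port["truncation"] is not None:
            findings.append((name, "TRUNCATED",
                             f"inbound packets truncated to {port['truncation']} bytes"))
    return findings


if __name__ == "__main__":
    for subject, code, detail in audit(SAMPLE_CONFIG):
        print(f"{subject}: {code}: {detail}")
```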
Configuring TAP Aggregation Traffic Policies
TAP aggregation traffic policies are implemented by creating class maps and policy maps, then applying the policy maps to Ethernet and port-channel interfaces.
Creating Class Maps
A class map is an ordered list of IPv4 access control lists (ACLs). Each ACL is assigned a sequence number that specifies its priority in the class map. TAP aggregation class maps utilize ACL permit rules to pass packets and deny rules to drop packets.
Class maps are created and modified in class-map configuration mode, which is entered using the class-map type tapagg command. The match (class-map (tapagg)) command inserts a specified ACL into the class map, assigning it a sequence number that denotes its placement.
Class-map configuration mode is a group-change mode. Changes made in a group-change mode are saved by exiting the mode. The show active command displays the saved version of the class map. The exit command returns the switch to global configuration mode and saves pending class-map changes. The abort command returns the switch to global configuration mode and discards pending changes.
- This command creates a TAP aggregation class map named t-class_1 and places the switch in class-map configuration mode.
switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#
- These commands add two IPv4 ACLs (tacl-1 and tacl-2) to the t-class_1 class map. The commands use the default method of assigning sequence numbers to the ACLs.
switch(config-cmap-t-class_1)#match ip access-group tacl-1
switch(config-cmap-t-class_1)#match ip access-group tacl-2
switch(config-cmap-t-class_1)#
- These commands exit class-map configuration mode, store pending changes to running-config, then display the class map.
switch(config-cmap-t-class_1)#exit
switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#show active
class-map type tapagg match-any t-class_1
10 match ip access-group tacl-1
20 match ip access-group tacl-2
switch(config-cmap-t-class_1)#
Creating Policy Maps
Policy maps are created and modified in policy-map configuration mode. A policy map is an ordered list of classes and match rules. Policy maps are edited by adding or removing map elements. Data packets are managed by commands of the highest priority class or rule that matches the packet.
Classes
- The class map identifies a data stream by using an ordered list of ACLs. Class maps are configured in class-map (tapagg) configuration mode.
- The set command specifies the replication method for filtered data packets, either through an associated aggregation group or identity VLAN tagging.
- The sequence number specifies the class’s priority within the policy map. Lower sequence numbers denote higher priority.
Matching Rules
- The filter list identifies a data stream by using a set of packet field values.
- The action (SET_VALUE parameter) specifies the replication method of filtered data packets, either through an associated aggregation group or identity VLAN tagging.
- The sequence number specifies the rule’s priority within the policy map. Lower sequence numbers denote higher priority.
Policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active and show pending commands display the saved and modified policy map versions respectively.
The class (policy-map (tapagg)) command enters policy-map configuration mode.
Example
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#
- specifies an aggregation group.
- specifies a VLAN identity tag for replicated packets.
- specifies an aggregation group and a VLAN identity tag.
- These commands add the t-class_1 class map to the t-policy_1 policy map, associate a set statement with the class, then save the policy map by exiting the modes. Packets filtered by the class map are identity tagged with VLAN 444 and replicated as specified by the t-grp aggregation group.
switch(config-pmap-t-policy_1)#class t-class_1
switch(config-pmap-c-t-policy_1-t-class_1)#set aggregation-group t-grp id-tag 444
switch(config-pmap-c-t-policy_1-t-class_1)#exit
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
10 class t-class_1
set aggregation-group t-grp id-tag 444
switch(config-pmap-t-policy_1)#
The match (policy-map (tapagg)) command adds a match rule to the configuration-mode TAP aggregation policy map.
- This command enters policy-map configuration mode for t-policy_1, then creates a match rule for the policy map that filters OSPF packets and replicates them as specified by t-grp TAP aggregation group.
switch(config-pmap-t-policy_1)#match ip ospf any any set aggregation-group t-grp
switch(config-pmap-t-policy_1)#
Applying Policy Maps to an Interface
The service-policy type tapagg (Interface mode) command applies a specified policy map to the configuration-mode interface.
Example
switch(config)#interface ethernet 17
switch(config-if-Et17)#service-policy type tapagg input tpolicy_1
switch(config-if-Et17)#
TAP Aggregation GUI
The switch provides a graphical user interface (GUI) for creating and viewing a TAP aggregation configuration and displaying LANZ traffic statistics.
All commands available on the GUI are accessible through the CLI. The TAP aggregation configuration created through either the CLI or the GUI can be viewed and modified through either medium.
This section provides a brief description of the TAP aggregation GUI.
Accessing the TAP Aggregation GUI
The URL for the TAP aggregation GUI is: https://hostname/apps/TapAgg/index.html where the hostname is the switch’s configured hostname. The “TAP Aggregation GUI Initial Panel” displays the initial TAP aggregation GUI panel for the switch with the hostname “ro402.”
- The configuration section displays the TAP aggregation configuration, including the TAP interfaces, tool interfaces, and aggregation groups. Links are displayed to indicate interface group membership.
- The component section displays information and control buttons for the active configuration entity. When an entity is not selected, the section displays information for the switch (device).
The configuration section displays TAP aggregation components only when the switch is in TAP aggregation mode. To enter TAP aggregation mode, click the TAP Aggregation icon in the component section for the device. The icon is a toggle mechanism; clicking it again disables TAP aggregation mode.

Viewing TAP Aggregation Component Details
“TAP Aggregation GUI Panel with TAP Aggregation Mode Enabled” displays the TAP aggregation panel when the switch is in TAP aggregation mode. The configuration section indicates that the TAP aggregation configuration consists of three tool interfaces, one TAP interface, and four aggregation groups. Ethernet port 10 is the active component; configuration control and traffic information for this interface is available in the component section.
The active component is changed by clicking on the desired component in the configuration section. To display device (switch) information, click on any configuration section outside of any component.
Modifying a TAP Aggregation Configuration
The TAP aggregation configuration can be modified only when the switch is in TAP aggregation mode (see Accessing the TAP Aggregation GUI). The following is a partial list of configuration tasks that are available from the GUI:
- adding a TAP or tool interface: begin typing the interface name in the desired add-interface data entry area to access a drop-down list of available interfaces. Select the desired interface and press the Add button.
- removing an interface from the configuration: select the desired interface in the configuration section and click the deconfigure button in that interface’s component section.
- adding an aggregation group: type the desired name of the new group in the data entry area and press the Add button. The TAP aggregation group name can consist of alphanumeric characters and specific special characters (- _ [ ] { } :) only.
- adding an interface to an aggregation group: select the desired interface in the configuration section, then press the icon of the group in the group membership area of the interface’s component section.
Group icons are toggle buttons; clicking the icon of a group to which the interface belongs removes that interface from the group.

TAP Aggregation Keyframe and Timestamp Configuration
TAP Aggregation Keyframe Generation
Keyframes contain routable IP packets that provide information to relate timestamps with the complete ASIC counter and absolute UTC time. The switch supports a maximum of ten keyframes, which are distinguished by their name label. Each keyframe can egress from every Ethernet port.
Keyframe generation is enabled by the platform fm6000 keyframe command. Command options specify ports that transmit keyframes along with the destination MAC address and IP address in the keyframe’s header. Other keyframe commands specify the transmission rate and the frame’s source:
- the platform fm6000 keyframe rate command configures the keyframe’s transmission rate.
- the platform fm6000 keyframe source command configures the source IP address that is placed in each keyframe’s header. The management interface IP address is the default source address.
The source MAC address is the MAC address of the egress interface transmitting the keyframe.
- the platform fm6000 keyframe device command configures the 16-bit number that keyframes list as the device ID in their payload.
- the platform fm6000 keyframe fields skew command enables the inclusion of clock skew fields in the keyframe.
- the show platform fm6000 keyframe command displays keyframe configuration information.
Examples
- This command enables the generation of a keyframe named “key-1” and configures it to egress from Ethernet interfaces 11 through 15 with a source IP address of 10.21.1.4 and a MAC address of 10.4E21.9F11.
switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#
- This command configures the generation rate for the keyframe of 10 frames per second on each of the five interfaces that it is configured to egress.
switch(config)#platform fm6000 keyframe key-1 rate 10
switch(config)#
- This command enables the generation of a keyframe named “key-1” and configures 100 as the value that is placed in the keyframe’s device ID field.
switch(config)#platform fm6000 keyframe key-1 device 100
switch(config)#
- This command enables the inclusion of clock skew fields in the keyframe named “key-1.”
switch(config)#platform fm6000 keyframe key-1 fields skew
switch(config)#
- This command displays configuration information for keyframe “key-1.”
switch(config)#show platform fm6000 keyframe
Keyframe key-1
------------------------
Egress Interface(s): Ethernet11, Ethernet12, Ethernet13, Ethernet14, Ethernet15
Source IP: 172.22.30.142
Destination IP: 10.21.1.4
Destination MAC: 00:10:4e:21:9f:11
Device ID: 100
Rate: 10 packet(s) per second
switch(config)#
Enabling Timestamp Insertion on an Interface
Timestamps are based on a frame’s ingress time and applied to frames sent on egress ports, ensuring that timestamps on monitored traffic reflect ingress timing of the original frames. Time-stamping is configured on the egress port where the timestamp is applied to the frame.
When timestamping is enabled on an egress interface, packets leave the interface with timestamps that were applied in hardware when the packet arrived at the switch. This is facilitated by applying a hardware timestamp to all frames arriving on all interfaces when timestamping is enabled on any interface, then removing timestamps on packets egressing interfaces where timestamping is not enabled.
The mac timestamp command enables time-stamping on the configuration-mode interface. The switch supports two timestamp modes, which differ in managing the egress frame’s 32-bit frame check sequence (FCS):
- before-fcs: the switch discards the original FCS, appends the ingress timestamp at the end of the frame data, recalculates a new FCS based on the appended timestamp, then appends the new FCS to the end of the frame. This creates a valid Ethernet frame but does not update headers of any nested protocols.
- replace-fcs: the switch replaces the original FCS with the timestamp. This mode maintains the size of the original frame without any latency impact, but the FCS is not valid.
Examples
- These commands enable timestamping in before-fcs mode on Ethernet interface 44.
switch(config)#interface ethernet 44
switch(config-if-Et44)#mac timestamp before-fcs
switch(config-if-Et44)#show active
interface Ethernet44
mac timestamp before-fcs
switch(config-if-Et44)#
- These commands disable timestamping on Ethernet interface 44.
switch(config-if-Et44)#no mac timestamp
switch(config-if-Et44)#show active
interface Ethernet44
switch(config-if-Et44)#
TAP Aggregation Commands
Global Configuration Commands
Interface Configuration Commands
Tap Aggregation Configuration Mode
Tap Aggregation Traffic Steering
Display Commands EXEC Mode
class (policy-map (tapagg))
The class (policy-map (tapagg)) command places the switch in policy-map-class (TAPagg) configuration mode, which is a group-change mode that defines a TAP aggregation class by associating the class’s eponymous class-map to a set statement. Upon exiting the policy-map-class mode, the class is placed in the policy-map as specified by an assigned sequence number.
- The class map identifies a data stream by using an ordered list of ACLs. Class maps are configured in class-map (tapagg) configuration mode. Data packets are managed by commands of the highest priority class or rule that matches the packet.
- set commands specify the replication method of filtered data packets, either through an associated aggregation group or identity VLAN tagging.
- Sequence numbers specify the class’s priority within the policy map. Lower sequence numbers denote higher priority.
The exit command returns the switch to policy-map configuration mode. However, saving policy-map-class changes also requires an exit from policy-map mode. This saves all pending policy map and policy-map-class changes to running-config and returns the switch to global configuration mode. The abort command discards pending changes and returns the switch to global configuration mode.
The no class and default class commands remove the class assignment from the configuration mode policy map by deleting the corresponding class configuration from running-config.
Command Mode
Policy-Map (tapagg) Configuration accessed through class (policy-map (tapagg))
Command Syntax
[SEQ_NUM] class class_name
default [SEQ_NUM] class class_name
no [SEQ_NUM] class class_name
- SEQ_NUM priority of the class within the policy map. Lower numbers denote higher priority.
- <no parameter> number is derived by adding 10 to number of the map’s last class or rule.
- 1 to 4294967295 number assigned to class.
- class_name name of the class.
Guidelines
When a class is not associated with a set (policy-map-class (tapagg)) command, the filtered traffic is managed as specified by the TAP port’s default aggregation group.
- set (policy-map-class (tapagg)) assigns VLAN identity tag or tap aggregation group to class.
- exit returns the switch to parent policy map configuration mode.
- abort discards pending class map changes, then returns the switch to global configuration mode.
- class (policy-map (tapagg)) places the switch in policy-map (tapagg) configuration mode.
- match (policy-map (tapagg)) assigns a match rule to a TAP aggregation policy map.
Example
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#class t-class_1
switch(config-pmap-c-t-policy_1-t-class_1)#set id-tag 444
switch(config-pmap-c-t-policy_1-t-class_1)#exit
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
10 class t-class_1
set id-tag 444
switch(config-pmap-t-policy_1)#
class-map type tapagg
The class-map type tapagg command places the switch in class-map (tapagg) configuration mode, which is a group change mode that modifies a tapagg class map. A tapagg class map is a data structure that uses access control lists (ACLs) to define a data stream by specifying characteristics of data packets that comprise the stream. Tapagg policy maps use class maps to specify traffic that is managed by policy map criteria.
The exit command saves pending class map changes to running-config, then returns the switch to global configuration mode. Class map changes are also saved by entering a different configuration mode. The abort command discards pending changes and returns the switch to global configuration mode.
The no class-map type tapagg and default class-map type tapagg commands delete the specified class map by removing the corresponding class-map type qos command and its associated configuration.
Command Mode
Global Configuration
Command Syntax
class-map type tapagg match-any class_name
no class-map type tapagg match-any class_name
default class-map type tapagg match-any class_name
Parameters
class_name name of class map.
Related Commands
Example
switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#
mac timestamp
The mac timestamp command enables timestamping on the configuration mode interface.
When timestamping is enabled on an egress interface, packets leave the interface with timestamps that were applied in hardware upon arriving at the switch. This is facilitated by applying a hardware timestamp to all frames arriving on all interfaces when timestamping is enabled on any interface, then removing timestamps on packets egressing interfaces where timestamping is not enabled.
The switch supports two timestamp modes, which differ in managing the egress frame’s 32-bit frame check sequence (FCS):
- before-fcs: the switch discards the original FCS, appends the ingress timestamp at the end of the frame data, recalculates a new FCS based on the appended timestamp, then appends the new FCS to the end of the frame. This creates a valid Ethernet frame but does not update headers of any nested protocols.
- replace-fcs: the switch replaces the original FCS with the timestamp. This mode maintains the size of the original frame without any latency impact, but the FCS is not valid.
The no mac timestamp and default mac timestamp commands restore the default behavior of disabling timestamping on the configuration mode interface by removing the corresponding mac timestamp command from running-config.
Command Mode
Interface-Ethernet Configuration
Command Syntax
mac timestamp TS_PROPERTY
Parameters
- TS_PROPERTY specifies the timestamp insertion mode. Options include:
- before-fcs the ingress timestamp is appended to the frame and the FCS is recalculated.
- replace-fcs the ingress timestamp replaces the original FCS.
Examples
- These commands enable timestamping in before-fcs mode on Ethernet interface 44.
switch(config)#interface ethernet 44
switch(config-if-Et44)#mac timestamp before-fcs
switch(config-if-Et44)#show active
interface Ethernet44
mac timestamp before-fcs
switch(config-if-Et44)#
- These commands disable timestamping on Ethernet interface 44.
switch(config-if-Et44)#no mac timestamp
switch(config-if-Et44)#show active
interface Ethernet44
switch(config-if-Et44)#
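For capture tooling, the two modes described under Enabling Timestamp Insertion on an Interface and in this command reference look as follows on the wire. This is an added example, not Arista code: the sample frame is constructed, and the 32-bit timestamp width in before-fcs mode and the big-endian byte order are assumptions the page does not state.

```python
import struct
import zlib
from typing import Tuple

FCS_LEN = 4
TS_LEN = 4      # assumption: 32-bit timestamp in both modes
TS_FMT = ">I"   # assumption: timestamp stored big-endian


def fcs(data: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 of the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def fcs_valid(frame: bytes) -> bool:
    return len(frame) > FCS_LEN and fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def stamp_before_fcs(frame: bytes, ts: int) -> bytes:
    """Switch side, before-fcs: drop old FCS, append timestamp, append new FCS."""
    body = frame[:-FCS_LEN] + struct.pack(TS_FMT, ts)
    return body + fcs(body)


def stamp_replace_fcs(frame: bytes, ts: int) -> bytes:
    """Switch side, replace-fcs: the timestamp overwrites the FCS, size unchanged."""
    return frame[:-FCS_LEN] + struct.pack(TS_FMT, ts)


def read_timestamp(frame: bytes, mode: str) -> Tuple[int, bytes]:
    """Tool side: return (timestamp, original frame data without FCS).

    The mode must be known from the egress port's configuration; it cannot be
    inferred reliably from the frame alone.
    """
    if mode == "before-fcs":
        if not fcs_valid(frame):
            raise ValueError("FCS check failed: corrupt frame or wrong mode")
        ts_bytes = frame[-FCS_LEN - TS_LEN:-FCS_LEN]
        data = frame[:-FCS_LEN - TS_LEN]
    elif mode == "replace-fcs":
        ts_bytes = frame[-TS_LEN:]   # sits where the FCS used to be
        data = frame[:-TS_LEN]
    else:
        raise ValueError("unknown timestamp mode: " + mode)
    return struct.unpack(TS_FMT, ts_bytes)[0], data


def bytes_beyond_ip(frame: bytes) -> int:
    """Frame bytes (FCS excluded) not covered by the IPv4 total-length field."""
    if struct.unpack(">H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an untagged IPv4 frame")
    total_len = struct.unpack(">H", frame[16:18])[0]
    return len(frame) - 14 - total_len - FCS_LEN


def sample_frame() -> bytes:
    """Constructed 64-byte Ethernet/IPv4/UDP frame with a valid FCS."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    # IPv4 header; checksum left at zero in this constructed sample.
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 46, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack(">HHHH", 1024, 2048, 26, 0) + bytes(18)
    body = eth + ip + udp
    return body + fcs(body)


if __name__ == "__main__":
    original = sample_frame()
    for mode, stamp in (("before-fcs", stamp_before_fcs),
                        ("replace-fcs", stamp_replace_fcs)):
        out = stamp(original, 0x12345678)
        ts, _ = read_timestamp(out, mode)
        print(mode, "len", len(out), "fcs_valid", fcs_valid(out),
              "beyond_ip", bytes_beyond_ip(out), "ts", hex(ts))
```

In before-fcs mode the frame grows by the timestamp while the IPv4 total-length field is unchanged, so a decoder that trusts the IP length sees the timestamp as trailer bytes. In replace-fcs mode the capture interface must be able to accept frames that fail the FCS check.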
match (class-map (tapagg))
The match command adds an ACL to the configuration-mode class map and associates a sequence number to the ACL. A class map is an ordered list of ACLs that define a data stream; the sequence number specifies an ACL’s priority within the list. A class map is used by policy maps to filter data packets. Tapagg class maps utilize ACL permit rules to pass packets and deny rules to drop packets.
Class map (tapagg) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.
The no match and default match commands remove the specified match statement from the configuration-mode class map by deleting the corresponding match command from running-config.
Command Mode
Class-map (tapagg) Configuration accessed through class-map type tapagg command.
Command Syntax
[SEQ_NUM] match ip access-group list_name
no [SEQ_NUM] match ip access-group list_name
default [SEQ_NUM] match ip access-group list_name
Parameters
- SEQ_NUM sequence number assigned to the ACL. Options include:
- <no parameter> number is derived by adding 10 to the number of the map’s last ACL.
- 1 to 4294967295 number assigned to ACL.
- list_name name of ACL assigned to class map.
Guidelines
match statements accept IPv4 ACLs.
Related Commands
- class-map type tapagg places the switch in Class-Map configuration mode.
- exit saves pending class map changes, then returns the switch to global configuration mode.
- abort discards pending class map changes, then returns the switch to global configuration mode.
- class (policy-map (tapagg)) assigns a class map to a policy map.
Example
switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#match ip access-group tacl-1
switch(config-cmap-t-class_1)#match ip access-group tacl-2
switch(config-cmap-t-class_1)#exit
switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#show active
class-map type tapagg match-any t-class_1
10 match ip access-group tacl-1
20 match ip access-group tacl-2
switch(config-cmap-t-class_1)#
match (policy-map (tapagg))
The match command adds a rule to the configuration-mode TAP aggregation policy map. A policy map is an ordered list of classes and rules. Each rule contains a filter list, an action, and a sequence number:
- The filter list identifies a data stream through a set of packet field values.
- The action (SET_VALUE parameter) specifies the replication method of filtered data packets, either through an associated aggregation group or identity VLAN tagging.
- The sequence number specifies the rule’s priority within the policy map.
The no match and default match commands remove the match rule from the configuration-mode policy by deleting the corresponding statement from running-config.
Command Mode
Policy-Map (tapagg) Configuration accessed through class (policy-map (tapagg)).
Command Syntax
[SEQ_NUM] match [VLAN_TAG] SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT] [PROTOCOL] [FLAGS] [MESSAGE] [fragments] [tracked] [DSCP_FILTER] [TTL_FILTER] [log] SET_VALUE
no match [VLAN_TAG] SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT] [PROTOCOL] [FLAGS] [MESSAGE] [fragments] [tracked] [DSCP_FILTER] [TTL_FILTER] [log] SET_VALUE
default match [VLAN_TAG] SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT] [PROTOCOL] [FLAGS] [MESSAGE] [fragments] [tracked] [DSCP_FILTER] [TTL_FILTER] [log] SET_VALUE
Parameters
- SEQ_NUM priority of the rule within the policy map. Lower numbers denote higher priority.
- <no parameter> number derived by adding 10 to number of the map’s last class or rule.
- <1 to 4294967295> number assigned to class.
- VLAN_TAG VLAN field filter. Options include:
- <no parameter> packets are not filtered by VLAN field.
- vlan <1 to 4094> <0 to 4095> VLAN ID and mask.
- vlan inner <1 to 4094> <0 to 4095> VLAN ID and mask.
- vlan <1 to 4094> <0 to 4095> inner <1 to 4094> <0 to 4095> VLAN ID and mask.
- PROTOCOL protocol field filter. Values include:
- <no parameter> packets are not filtered by host name.
- ahp authentication header protocol (51).
- icmp internet control message protocol (1).
- igmp internet group management protocol (2).
- ip internet protocol IPv4 (4).
- ospf open shortest path first (89).
- pim protocol independent multicast (103).
- tcp transmission control protocol (6).
- udp user datagram protocol (17).
- vrrp virtual router redundancy protocol (112).
- protocol_num integer corresponding to an IP protocol. Values range from 0 to 255.
- SOURCE_ADDR and DEST_ADDR source and destination address filters. Options include:
- network_addr subnet address (CIDR or address-mask).
- any packets from all addresses are filtered.
- host ip_addr IP address (dotted decimal notation).
Source and destination subnet addresses support discontiguous masks.
- SOURCE_PORT and DEST_PORT source and destination port filters. Options include:
- any all ports.
- eq port-1 port-2 ... port-n a list of ports. Maximum list size is 10 ports.
- neq port-1 port-2 ... port-n the set of all ports not listed. Maximum list size is 10 ports.
- gt port the set of ports with larger numbers than the listed port.
- lt port the set of ports with smaller numbers than the listed port.
- range port_1 port_2 the set of ports whose numbers are between the range.
- fragments filters packets with FO bit set (indicates a non-initial fragment packet).
- FLAGS flag bit filters (TCP packets). Use CLI syntax assistance (?) to display options.
- MESSAGE message type filters (ICMP packets). Use CLI syntax assistance (?) to display options.
- tracked rule filters packets in existing ICMP, UDP, or TCP connections.
- Valid in ACLs applied to the control plane.
- Validity in ACLs applied to data plane varies by switch platform.
- DSCP_FILTER rule filters packet by its DSCP value. Values include:
- <no parameter> rule does not use DSCP to filter packets.
- dscp dscp_value packets match if DSCP field in packet is equal to dscp_value.
- TTL_FILTER rule filters packet by its TTL (time-to-live) value. Values include:
- <no parameter> rule does not use TTL field to filter packets.
- ttl eq ttl_value packets match if ttl in packet is equal to ttl_value.
- ttl gt ttl_value packets match if ttl in packet is greater than ttl_value.
- ttl lt ttl_value packets match if ttl in packet is less than ttl_value.
- ttl neq ttl_value packets match if ttl in packet is not equal to ttl_value.
- log triggers an informational log message to the console about the matching packet.
- Valid in ACLs applied to the control plane.
- Validity in ACLs applied to data plane varies by switch platform.
- SET_VALUE specifies the replication method for filtered packets.
- set aggregation-group agg_group replication specified by aggregation group.
- set id-tag <1 to 4094> packet is identity tagged with specified VLAN number.
- set aggregation-group agg_group id-tag <1 to 4094> assigns agg group and identity tag.
Related Commands
- policy-map type tapagg places the switch in policy-map (tapagg) configuration mode.
- class (policy-map (tapagg)) assigns a class to the configuration-mode policy map.
Example
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#match ip ospf any any set aggregation-group t-group
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
10 match ip ospf any any set aggregation-group t-group
switch(config-pmap-t-policy_1)#
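The evaluation order described in the traffic steering section and in the class and match command references above can be modelled in a few lines. This is an added example, not Arista code: the `Packet` and `PolicyMap` names, the contents of tacl-1 and tacl-2, and the omission of ACL deny rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int  # IP protocol number (6 = tcp, 17 = udp, 89 = ospf)


@dataclass
class Entry:
    seq: int
    name: str
    matches: Callable[[Packet], bool]
    group: Optional[str] = None   # set aggregation-group
    id_tag: Optional[int] = None  # set id-tag


class PolicyMap:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[Entry] = []

    def add(self, name, matches, group=None, id_tag=None, seq=None) -> int:
        if seq is None:
            # Default numbering: number of the map's last class or rule plus 10.
            seq = max((e.seq for e in self.entries), default=0) + 10
        if not 1 <= seq <= 4294967295:
            raise ValueError("sequence number out of range")
        if id_tag is not None and not 1 <= id_tag <= 4094:
            raise ValueError("id-tag out of range")
        if any(e.seq == seq for e in self.entries):
            raise ValueError("sequence number in use")  # model choice
        self.entries.append(Entry(seq, name, matches, group, id_tag))
        self.entries.sort(key=lambda e: e.seq)  # lower number, higher priority
        return seq

    def resolve(self, pkt: Packet, default_group: Optional[str] = None
                ) -> Tuple[Optional[str], Optional[str], Optional[int]]:
        """Return (matched entry, aggregation group, id-tag); group None = dropped."""
        for e in self.entries:
            if e.matches(pkt):
                # A class without a set command uses the TAP port's default
                # group; applying the same fallback to an id-tag-only set is
                # an assumption of this model.
                return (e.name, e.group or default_group, e.id_tag)
        # No implicit deny: unmatched packets go to the default group, if any.
        return (None, default_group, None)


def permit(proto: Optional[int], src_net: str) -> Callable[[Packet], bool]:
    """Single ACL permit rule: protocol (None = ip) and source network."""
    net = ip_network(src_net)
    return lambda p: ip_address(p.src) in net and proto in (None, p.proto)


def match_any(*acls) -> Callable[[Packet], bool]:
    """Class map of type match-any: the packet matches if any ACL permits it."""
    return lambda p: any(acl(p) for acl in acls)


def build_t_policy_1() -> PolicyMap:
    tacl_1 = permit(6, "10.1.1.0/24")    # constructed ACL content
    tacl_2 = permit(17, "10.1.2.0/24")   # constructed ACL content
    pmap = PolicyMap("t-policy_1")
    pmap.add("class t-class_1", match_any(tacl_1, tacl_2),
             group="t-grp", id_tag=444)
    pmap.add("match ip ospf any any", permit(89, "0.0.0.0/0"), group="t-grp")
    return pmap


if __name__ == "__main__":
    pmap = build_t_policy_1()
    for pkt in (Packet("10.1.1.5", "192.0.2.1", 6),
                Packet("172.16.0.1", "224.0.0.5", 89),
                Packet("10.9.9.9", "192.0.2.1", 1)):
        print(pkt, "->", pmap.resolve(pkt, default_group=None))
```

The last packet shows the operational consequence of having no implicit deny: whether unmatched traffic reaches a tool port or is dropped depends entirely on the ingress TAP port's default aggregation group.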
mode (tap-agg configuration mode)
The mode command configures the switch’s TAP aggregation mode. The mode exclusive command enables TAP aggregation. When TAP aggregation is enabled, TAP and tool ports are enabled, switching mode is disabled, and switching ports are errdisabled. TAP aggregation is disabled by default.
The no mode and default mode commands disable TAP aggregation mode and enable switching mode by removing the mode command from running-config.
Command Mode
TAP Aggregation Configuration
Command Syntax
mode exclusive
no mode exclusive
default mode exclusive
Parameters
exclusive TAP aggregation is enabled.
Related Command
tap aggregation places the switch in TAP-aggregation configuration mode.
Examples
- These commands place the switch in TAP-aggregation configuration mode, enable TAP aggregation mode, and display the results.
switch(config)#tap aggregation
switch(config-tap-agg)#mode exclusive
switch(config-tap-agg)#show active
tap aggregation
mode exclusive
switch(config-tap-agg)#
- These commands disable TAP-aggregation mode by removing the mode command from running-config, then display the results.
switch(config)#tap aggregation
switch(config-tap-agg)#no mode
switch(config-tap-agg)#show active
switch(config-tap-agg)#
mode exclusive no-errdisable (tap-agg configuration mode)
The mode exclusive no-errdisable command configures the specified interface to remain enabled, regardless of its switchport mode, when TAP aggregation is enabled. This command is used primarily to configure a port to support PTP functions while the switch operates as a TAP aggregator.
Each command configures one Ethernet or port-channel interface. Subsequent mode exclusive no-errdisable commands add to the list of ports that remain enabled when TAP aggregation is enabled.
The no mode exclusive no-errdisable and default mode exclusive no-errdisable commands configure the specified interface to be error-disabled when programmed in access, trunk, or dot1q-tunnel switching mode (when TAP aggregation is enabled) by removing the corresponding mode exclusive no-errdisable command from running-config.
Command Mode
TAP Aggregation Configuration
Command Syntax
mode exclusive no-errdisable INT_NAME
Parameters
- INT_NAME interface type and number. Options include:
- ethernet e_num Ethernet interface specified by e_num.
- port-channel p_num port-channel interface specified by p_num.
Related Commands
- tap aggregation places the switch in TAP-aggregation configuration mode.
- mode (tap-agg configuration mode) configures the switch’s TAP-aggregation mode.
Guidelines
In order for a TAP-aggregation switch to receive PTP traffic, the upstream device to which it is connected should be set to statically send PTP multicast traffic to the connected port on the switch.
Since IGMP snooping is disabled on TAP-aggregation switches and with no configuration to support sending upstream join messages in such a state, the messages are transmitted statically from the upstream device. Once the upstream messages are received, the port will move to the slave state and follow the standard PTP mechanism.
Example
switch(config)#tap aggregation
switch(config-tap-agg)#mode exclusive
switch(config-tap-agg)#mode exclusive no-errdisable ethernet 21/4
switch(config-tap-agg)#
platform fm6000 keyframe device
The platform fm6000 keyframe device command configures the 16-bit number that the specified keyframe lists as the device ID in its payload. By default, the device value placed in the specified keyframes is 0.
The no platform fm6000 keyframe device and default platform fm6000 keyframe device commands restore the default device ID insertion value of 0 for the specified keyframe by removing the corresponding platform fm6000 keyframe device command from running-config. The no platform fm6000 keyframe and default platform fm6000 keyframe commands also remove the corresponding platform fm6000 keyframe device command from running-config.
Command Mode
Global Configuration
Command Syntax
platform fm6000 keyframe kf_name device device_id
no platform fm6000 keyframe kf_name device
default platform fm6000 keyframe kf_name device
Parameters
- kf_name keyframe name.
- device_id value inserted in keyframe’s device ID field. Values range from 0 to 65535. Default is 0.
Example
switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#platform fm6000 keyframe key-1 device 100
switch(config)#
platform fm6000 keyframe fields skew
Keyframes may optionally include skew numerator and skew denominator fields. These skew fields form a ratio indicating the ASIC clock skew. If the ratio is greater than 1, the clock is skewed fast; if the ratio is less than 1, the clock is skewed slow. Clock skew fields are omitted by default.
The platform fm6000 keyframe fields skew command enables the inclusion of clock skew fields in the keyframe.
The no platform fm6000 keyframe fields skew and default platform fm6000 keyframe fields skew commands remove the clock skew fields from the keyframe.
Command Mode
Global Configuration
Command Syntax
platform fm6000 keyframe kf_name fields skew
Parameters
kf_name keyframe name.
Example
switch(config)#platform fm6000 keyframe key-1 fields skew
switch(config)#
platform fm6000 keyframe rate
The platform fm6000 keyframe rate command specifies the transmission rate for the specified keyframe from each interface from which it is configured to egress. By default, one keyframe is sent per second.
The no platform fm6000 keyframe rate and default platform fm6000 keyframe rate commands restore the default transmission rate for the specified keyframe of one per second by removing the corresponding platform fm6000 keyframe rate command from running-config. The no platform fm6000 keyframe and default platform fm6000 keyframe commands also remove the corresponding platform fm6000 keyframe rate command from running-config.
Command Mode
Global Configuration
Command Syntax
platform fm6000 keyframe kf_name rate tx_rate
Parameters
- kf_name the keyframe’s name.
- tx_rate keyframe transmission rate (frames per second). Values range from 1 to 100. Default value is 1.
Example
switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#platform fm6000 keyframe key-1 rate 10
switch(config)#
platform fm6000 keyframe source
The platform fm6000 keyframe source command configures the source IP address that the specified keyframe lists in its IP header. By default, keyframes use the IP address of the management interface as their source address.
The no platform fm6000 keyframe source and default platform fm6000 keyframe source commands restore the management interface IP address as the specified keyframe’s source IP address by removing the corresponding platform fm6000 keyframe source command from running-config. The no platform fm6000 keyframe and default platform fm6000 keyframe commands also remove the corresponding platform fm6000 keyframe source command from running-config.
Command Mode
Global Configuration
Command Syntax
platform fm6000 keyframe kf_name source ip ipv4_addr
no platform fm6000 keyframe kf_name source ip
default platform fm6000 keyframe kf_name source ip
Parameters
- kf_name keyframe’s name.
- ipv4_addr keyframe’s source IPv4 address (dotted decimal notation).
Example
switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#platform fm6000 keyframe key-1 source 10.1.1.101
switch(config)#
platform fm6000 keyframe
The platform fm6000 keyframe command enables keyframe generation for data streams transmitted from specified Ethernet interfaces. Keyframes are routable IP packets that the switch inserts into a data stream to provide contextual information that correlates timestamps inserted into data packets with absolute UTC time and the switch’s complete ASIC time counter.
The switch supports a maximum of ten keyframes. The keyframe name is the label that distinguishes different keyframes. Each keyframe can egress from every Ethernet port. Command options specify the destination MAC address and IP address in the keyframe’s header. Other keyframe commands specify the transmission rate and the frame’s source.
The no platform fm6000 keyframe and default platform fm6000 keyframe commands disable generation of the specified keyframe by deleting the corresponding platform fm6000 keyframe command from running-config. These commands also remove all supporting platform fm6000 keyframe commands for the specified keyframe.
Command Mode
Global Configuration
Command Syntax
platform fm6000 keyframe kf_name interface ethernet e_range ipv4_addr mac_addr
no platform fm6000 keyframe kf_name
default platform fm6000 keyframe kf_name
Parameters
- kf_name the keyframe’s name.
- e_range Ethernet interface range over which the keyframe egresses. Valid formats include number, range, or comma-delimited list of numbers and ranges.
- ipv4_addr destination IPv4 address inserted into keyframes (dotted decimal notation).
- mac_addr destination MAC address inserted into keyframes (48-bit dotted hex notation).
Guidelines
Subsequent issuance of this command for a specified keyframe replaces the existing command in running-config. Ethernet interfaces are inserted into an existing keyframe only by issuing the complete command that identifies all interfaces through which the keyframe is transmitted.
Example
switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#
platform sand multicast replication default
The platform sand multicast replication default command configures the default replication mode on Sand platform switches. The factory default replication mode differs in various scenarios as follows:
- The default replication mode on switches with fabric is fabric-egress mode.
- The default replication mode on switches with single Fabric Access Processor (FAP) systems is ingress mode.
- The default replication mode on switches without fabric barring single FAP systems is ingress-egress mode.
- If a tool group with less than 60 LAGs has at least one hardware LAG, then the default replication mode of the tool group is ingress-only mode. Else the default replication mode of the tool group is the one configured across all LAGs in the tool group.
The default platform sand multicast replication default and no platform sand multicast replication default commands revert the current state to the factory default behavior.
Command Mode
Global Configuration
Command Syntax
platform sand multicast replication default {fabric-egress | ingress}
no platform sand multicast replication default
default platform sand multicast replication default
Parameters
- fabric-egress configures the replication mode to use fabric-egress VoQ buffers.
- ingress configures the replication mode to use ingress VoQ buffers.
Guidelines
This command is supported on Sand platforms only.
Related Commands
Example
switch(config)#platform sand multicast replication default ingress
switch(config)#
platform sand multicast replication ingress maximum
The platform sand multicast replication ingress maximum command configures maximum members for ingress-only replication.
The default platform sand multicast replication ingress maximum command reverts the maximum members for ingress-only replication to the default value.
The no platform sand multicast replication ingress maximum command deletes the maximum member value for ingress-only replication.
Command Mode
Global Configuration
Command Syntax
platform sand multicast replication ingress maximum max_value
no platform sand multicast replication ingress maximum
default platform sand multicast replication ingress maximum
Parameters
Guidelines
This command is supported on Sand platforms only.
Related Commands
Example
switch(config)#platform sand multicast replication ingress maximum 63
switch(config)#
policy-map type tapagg
The policy-map type tapagg command places the switch in policy-map (tapagg) configuration mode, which is a group-change mode that modifies a TAP-aggregation policy map. A TAP-aggregation policy map is a data structure that consists of class maps and match statements that filter a specific data stream. Packets in that data stream are either managed as specified by a TAP aggregation group or modified to add a VLAN identity tag. Policy maps manage traffic when applied to an Ethernet or port-channel interface.
The exit command saves pending policy map changes to running-config and returns the switch to global configuration mode. Policy map changes are also saved by entering a different configuration mode. The abort command discards pending changes, returning the switch to global configuration mode.
The no policy-map type tapagg and default policy-map type tapagg commands delete the specified policy map by removing the corresponding policy-map type tapagg command and the associated policy map statements from running-config.
Command Mode
Global Configuration
Command Syntax
policy-map type tapagg map_name
no policy-map type tapagg map_name
default policy-map type tapagg map_name
Parameters
map_name name of policy map.
Commands Available in Policy-Map Configuration Mode
Related Commands
Example
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#
resequence (class-map (tapagg))
The resequence command assigns sequence numbers to access control lists (ACLs) in the configuration mode TAP-aggregation class map. Sequence numbers denote an ACL’s priority within the class map. Command parameters specify the number of the first ACL and the numeric interval between consecutive ACLs.
Maximum rule sequence number is 4294967295.
Command Mode
Class-map (tapagg) Configuration
accessed with the class-map type tapagg command
Command Syntax
resequence [start_num [inc_num]]
Parameters
- start_num sequence number assigned to the first rule. Default is 10.
- inc_num numeric interval between consecutive rules. Default is 10.
Example
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
10 match ip ospf any any set aggregation-group t-group
20 class fred
set aggregation-group t-group id-tag 444
30 class t-class_2
set id-tag 500
40 class t-class_3
set id-tag 600
50 class t-class_4
set id-tag 700
switch(config-pmap-t-policy_1)#resequence 100 20
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
100 match ip ospf any any set aggregation-group t-group
120 class fred
set aggregation-group t-group id-tag 444
140 class t-class_2
set id-tag 500
160 class t-class_3
set id-tag 600
180 class t-class_4
set id-tag 700
switch(config-pmap-t-policy_1)#
resequence (policy-map (tapagg))
The resequence command assigns sequence numbers to classes and rules in the configuration mode TAP-aggregation policy map. Sequence numbers denote the priority of a class or rule within the policy map. Command parameters specify the number of the first policy map entity and the numeric interval between consecutive entities.
Maximum rule sequence number is 4294967295.
Command Mode
Policy-Map (tapagg) Configuration
accessed with the class (policy-map (tapagg)) command
Command Syntax
resequence [start_num [inc_num]]
Parameters
- start_num sequence number assigned to the first rule. Default is 10.
- inc_num numeric interval between consecutive rules. Default is 10.
Example
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
10 match ip ospf any any set aggregation-group t-group
20 class fred
set aggregation-group t-group id-tag 444
30 class t-class_2
set id-tag 500
40 class t-class_3
set id-tag 600
50 class t-class_4
set id-tag 700
switch(config-pmap-t-policy_1)#resequence 100 20
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
100 match ip ospf any any set aggregation-group t-group
120 class fred
set aggregation-group t-group id-tag 444
140 class t-class_2
set id-tag 500
160 class t-class_3
set id-tag 600
180 class t-class_4
set id-tag 700
switch(config-pmap-t-policy_1)#
service-policy type tapagg (Interface mode)
The service-policy type tapagg command applies a specified TAP-aggregation policy map to the configuration-mode interface. A policy map is a data structure that identifies data traffic through class maps and match rules, then specifies the method of replicating the traffic. This command is active only when TAP aggregation mode is enabled on the switch.
The no service-policy type tapagg and default service-policy type tapagg commands remove the policy map assignment from the configuration mode interface by deleting the corresponding service-policy tapagg command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port-Channel Configuration
Command Syntax
service-policy type tapagg input policymap_name
Parameters
- input policy map applies to inbound packet streams. This is the only option.
- map_name name of policy map.
Guidelines
A policy map that is attached to a port-channel interface takes precedence for member interfaces of the port channel over their individual Ethernet interface configuration. Members that are removed from a port channel revert to the policy-map implementation specified by their Ethernet interface configuration.
Related Commands
class (policy-map (tapagg)) places the switch in policy-map configuration mode to create a policy map.
Example
switch(config)#interface ethernet 17
switch(config-if-Et17)#service-policy type tapagg input t-policy_1
switch(config-if-Et17)#
set (policy-map-class (tapagg))
The set command specifies the data replication method for traffic filtered by the associated class map in the configuration-mode policy map. The set command specifies one of these replication actions for filtered data packets:
- specifies an aggregation group.
- specifies a VLAN identity tag for replicated packets.
- specifies an aggregation group and a VLAN identity tag.
The no set and default set commands remove the specified set command data action from the configuration-mode class by deleting the associated set command from running-config.
Command Mode
Policy-map-class (tapagg) Configuration
accessed using the class (policy-map (tapagg)) command
Command Syntax
set SET_VALUE
no set SET_VALUE
default set SET_VALUE
Parameters
- SET_VALUE specifies the replication method for filtered packets. Options include:
- aggregation-group agg_group replication specified by aggregation group.
- id-tag VLAN_number packet is identity tagged with specified VLAN number. VLAN numbers range from 1 to 4094.
- aggregation-group agg_group id-tag VLAN_number assigns aggregation group and identity tag (VLAN number). VLAN numbers range from 1 to 4094.
Related Commands
- policy-map type tapagg places the switch in policy-map (tapagg) configuration mode.
- class (policy-map (tapagg)) assigns a class to the policy-map configuration mode.
- match (policy-map (tapagg)) assigns a rule to the policy-map configuration mode.
Guidelines
When a class is not associated with a set command, the filtered traffic is managed as specified by the TAP port’s default aggregation group.
Example
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#class t-class_1
switch(config-pmap-c-t-policy_1-t-class_1)#set aggregation-group t-group id-tag 444
switch(config-pmap-c-t-policy_1-t-class_1)#exit
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
10 class t-class_1
set aggregation-group t-group id-tag 444
switch(config-pmap-t-policy_1)#
show interfaces tap
The show interfaces tap command displays TAP-port configuration information for the specified interfaces.
Command Mode
EXEC
Command Syntax
show interfaces [INTERFACE] tap [INFO_LEVEL]
Parameters
- INTERFACE interface type and numbers. Options include:
- <no parameter> all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- management m_range management interface range specified by m_range.
- port-channel p_range port-channel interface range specified by p_range.
Valid e_range, m_range, and p_range formats include number, number range, or comma-delimited list of numbers and ranges.
- INFO_LEVEL amount of information that is displayed. Options include:
- <no parameter> command displays table that summarizes TAP data.
- detail command displays TAP data summary table and a list of ACLs applied to TAP ports.
Examples
- This command displays TAP-port configuration information for Ethernet interfaces 36 through 40.
switch#show interface ethernet 31-35 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et31taptap30131 0tag_1
Et32taptap11320tag_1
Et33taptap3032330tag_1
Et34taptap13340tag_3
Et35taptap13450tag_3
switch#
- This command displays detailed TAP-port configuration information for Ethernet interface 31.
switch#show interface ethernet 31 tap detail
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et31taptap30131 0tag_1
PortACLs Applied
-------------------------------------------------------------------
switch#
show interfaces tool
The show interfaces tool command displays tool port configuration information for the specified interfaces.
Command Mode
EXEC
Command Syntax
show interfaces [INTERFACE] tool
Parameters
- INTERFACE interface type and numbers. Options include:
- <no parameter> all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- management m_range management interface range specified by m_range.
- port-channel p_range port-channel interface range specified by p_range.
Valid e_range, m_range, and p_range formats include number, number range, or comma-delimited list of numbers and ranges.
Example
switch#show interface ethernet 36-40 tool
Port    Configured   Status        Allowed   Id    Timestamp
        Mode                       Vlans     Tag   Mode
-----------------------------------------------------------------------
Et36    tool         tool          201-205   Off   None
Et37    tool         tool          201-205   Off   None
Et38    tool         tool          201-205   Off   None
Et39    access       errdisabled   All       Off   None
Et40    tool         tool          All       On    None
switch#
show platform fm6000 keyframe
The show platform fm6000 keyframe command displays configured information for the specified keyframes. Keyframes are routable IP packets that the switch inserts into a data stream to provide contextual information that correlates timestamps inserted into data packets with the absolute UTC time and the switch’s complete ASIC time counter.
Command Mode
Privileged EXEC
Command Syntax
show platform fm6000 keyframe [KEYFRAME_ID]
Parameters
- KEYFRAME_ID specifies keyframes that the command displays. Options include:
- <no parameter> command displays all configured keyframes.
- kf_name specifies a single keyframe to display information for.
Example
switch#show platform fm6000 keyframe
Keyframe key-2
------------------------
Egress Interface(s): Ethernet17, Ethernet18, Ethernet19, Ethernet20, Ethernet21
Source IP: 10.22.30.144
Destination IP: 10.21.1.14
Destination MAC: 00:09:00:09:00:09
Device ID: 0
Rate: 5 packet(s) per second
Keyframe key-1
------------------------
Egress Interface(s): Ethernet11, Ethernet12, Ethernet13, Ethernet14, Ethernet15
Source IP: 10.22.30.146
Destination IP: 10.21.1.4
Destination MAC: 00:10:4e:21:9f:11
Device ID: 0
Rate: 2 packet(s) per second
switch#
show platform sand mcast capacity
The show platform sand mcast capacity command displays the usage details of hardware resources on Sand platform switches.
Command Mode
EXEC
Command Syntax
show platform sand mcast capacity [threshold threshold_value]
Parameters
threshold threshold_value displays the list of resources whose usage percentage is greater than or equal to the specified threshold value. Values range from 0 to 100. The default value is 100.
Guidelines
This command is supported on Sand platforms only.
Examples
switch#show platform sand mcast capacity
Multicast Resources
-------------------
'*' - Applies to all Modules
'-' - Not applicable
TCAM Resources
--------------------------------------------------------------------------
Resource              Module                    Total     Used     Used%
v4 MC TCAM            Linecard3-Jericho3/0      4096      2        0.0
v4 MC TCAM            Linecard5-Jericho5/0      4096      506      12.4
Replication Table Resources
--------------------------------------------------------------------------
Resource              Module                    Total     Used     Used%
Multicast Table Row
                      Linecard3-Jericho3/0.0    262143    10586    4.0
                      Linecard3-Jericho3/1.0    262143    10576    4.0
                      Linecard3-Jericho3/0.1    262143    10586    4.0
                      Linecard3-Jericho3/1.1    262143    10576    4.0
                      Linecard6-Jericho6/2.0    262143    10576    4.0
switch#
show tap aggregation groups
The show tap aggregation groups command displays the TAP and tool port members of the specified TAP aggregation groups.
Command Mode
EXEC
Command Syntax
show tap aggregation groups [INFO_LEVEL] [GROUP_NAMES]
Parameters
- INFO_LEVEL port information to display. Options include:
- <no parameter> displays active TAP and tool ports.
- detail displays all configured TAP and tool ports, including inactive ports.
- GROUP_NAMES TAP aggregation groups. Options include:
- <no parameter> displays information for all TAP aggregation groups.
- group_list displays information for the specified TAP aggregation group list.
Valid group_list format is a space-delimited list of one or more TAP aggregation group names.
Example
switch#show tap aggregation groups
Group Name        Tool Members
---------------------------------------------------------
analyze2          Po101, Po102
analyze3          Po101, Po103
Group Name        Tap Members
---------------------------------------------------------
analyze2          Et41, Et42
analyze3          Et43
switch#
switchport tap allowed vlan
The switchport tap allowed vlan command creates or modifies the list of VLANs for which the configuration mode interface, in TAP mode, handles tagged traffic. By default, interfaces handle tagged traffic for all VLANs. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP aggregation mode.
The no switchport tap allowed vlan and default switchport tap allowed vlan commands restore the TAP mode default allowed VLAN setting of all by removing the corresponding switchport tap allowed vlan statement from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tap allowed vlan EDIT_ACTION
Parameters
- EDIT_ACTION modifications to the VLAN list. Options include:
- v_range creates VLAN list from range of VLANs specified by v_range.
- add v_range adds specified VLANs to current list.
- all VLAN list contains all VLANs.
- except v_range VLAN list contains all VLANs except those specified by v_range.
- none VLAN list is empty (no VLANs).
- remove v_range removes VLANs specified by v_range from current list.
Valid v_range formats include number (1 to 4094), range, or comma-delimited list of numbers and ranges.
Example
switch(config)#interface ethernet 20
switch(config-if-Et20)#switchport tap allowed vlan 26-30
switch(config-if-Et20)#show active
interface Ethernet20
switchport mode tap
switchport tap allowed vlan 26-30
switch(config-if-Et20)#
switchport tap default group
The switchport tap default group command assigns the configuration-mode interface to the specified tool group as a TAP port member. TAP aggregation groups associate a set of TAP ports with a set of tool ports. Both TAP ports and tool ports may belong to multiple TAP aggregation groups.
The no switchport tap default group and default switchport tap default group commands remove the configuration-mode interface from the TAP aggregation group to which it is assigned by deleting the corresponding switchport tap default group statement from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tap default group group_name
no switchport tap default group
default switchport tap default group
Parameters
group_name tool group name.
Restriction
This command is only available on FM6000 platform switches.
Example
switch(config)#interface port-channel 101
switch(config-if-Po101)#switchport tap default group tag-1
switch(config-if-Po101)#show interfaces port-channel 101 tap
Port     Configured   Status       Native   Id     Truncation   Default
         Mode                      Vlan     Vlan                Group
-----------------------------------------------------------------------
Po101    access       notconnect   1        1      0            tag-1
switch(config)#
switchport tap identity
The switchport tap identity command associates a VLAN number with the configuration-mode TAP interface. Tool ports that are configured to encapsulate packets with a dot1q-style tag enter the number specified by this command as the s-VLAN (tier 1) for packets received from this TAP port. The default identity value is 1.
The no switchport tap identity and default switchport tap identity commands restore VLAN 1 as the configuration-mode port’s identity VLAN by removing the corresponding switchport tap identity command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tap identity port_id
no switchport tap identity
default switchport tap identity
Parameters
port_id port’s identity VLAN. Values range from 1 to 4094. Default is 1.
Related Commands
switchport tool identity configures a tool port to encapsulate packets received from TAP ports.
Restriction
This command is available only on FM6000 platform switches.
Example
switch(config)#interface ethernet 17
switch(config-if-Et17)#switchport tap identity 171
switch(config-if-Et17)#show active
interface Ethernet17
switchport tap identity 171
switch(config-if-Et17)#show interfaces ethernet 17 tap
Port     Configured   Status       Native   Id     Truncation   Default
         Mode                      Vlan     Vlan                Group
-----------------------------------------------------------------------
Et17     access       connected    1        171    0
switch(config-if-Et17)#
switchport tap native vlan
The switchport tap native vlan command specifies the TAP-mode native VLAN for the configuration-mode interface. Interfaces in TAP mode associate untagged frames with the native VLAN. The default native VLAN for all interfaces is VLAN 1. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP mode.
The no switchport tap native vlan and default switchport tap native vlan commands restore VLAN 1 as the TAP-mode native VLAN to the configuration-mode interface by removing the corresponding switchport tap native vlan command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tap native vlan v_num
no switchport tap native vlan
default switchport tap native vlan
Parameters
v_num TAP-mode native VLAN ID. Values range from 1 to 4094. Default is 1.
Restriction
This command is available only on FM6000 platform switches.
Example
switch(config)#interface ethernet 7
switch(config-if-Et7)#switchport tap native vlan 25
switch(config-if-Et7)#show interface ethernet 7 tap
Port     Configured   Status       Native   Id     Truncation   Default
         Mode                      Vlan     Vlan                Group
-----------------------------------------------------------------------
Et7      tool         connected    25       1      0            ---
switch(config-if-Et7)#
switchport tap truncation
The switchport tap truncation command configures the configuration-mode interface, as a TAP port, to truncate inbound packets to the specified packet size. This command is in effect when the port is in TAP mode and the switch is in TAP aggregation mode. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP mode. By default, TAP ports do not truncate inbound packets.
The no switchport tap truncation and default switchport tap truncation commands restore the default behavior of not truncating packets received by the configuration-mode interface by removing the corresponding switchport tap truncation command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tap truncation packet_size
no switchport tap truncation
default switchport tap truncation
Parameters
packet_size size of truncated packets (bytes). Values range from 100 to 9236. Default value of 0 corresponds to not truncating packets.
Restriction
This command is available only on FM6000 platform switches.
Examples
- These commands configure Ethernet interface 38 to truncate packets to 150 bytes.
switch(config)#interface ethernet 38
switch(config-if-Et38)#switchport tap truncation 150
switch(config-if-Et38)#show interface ethernet 38 tap
Port     Configured   Status       Native   Id     Truncation   Default
         Mode                      Vlan     Vlan                Group
-----------------------------------------------------------------------
Et38     access       notconnect   1        1      150          ---
switch(config-if-Et38)#
- These commands configure Ethernet interface 38 to send complete packets to tool ports in its TAP aggregation group.
switch(config-if-Et38)#no switchport tap truncation
switch(config-if-Et38)#show interface ethernet 38 tap
Port     Configured   Status       Native   Id     Truncation   Default
         Mode                      Vlan     Vlan                Group
-----------------------------------------------------------------------
Et38     access       notconnect   1        1      0            ---
switch(config-if-Et38)#
switchport tool allowed vlan
The switchport tool allowed vlan command creates or modifies the list of VLANs for which the configuration-mode interface, in tool mode, handles tagged traffic. By default, interfaces handle tagged traffic for all VLANs. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP aggregation mode.
The no switchport tool allowed vlan and default switchport tool allowed vlan commands restore the tool mode default allowed VLAN setting of all by removing the corresponding switchport tool allowed vlan statement from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tool allowed vlan EDIT_ACTION
Parameters
- EDIT_ACTION modifications to the VLAN list. Options include:
- v_range creates VLAN list from v_range.
- add v_range adds specified VLANs to current list.
- all VLAN list contains all VLANs.
- except v_range VLAN list contains all VLANs except those specified.
- none VLAN list is empty (no VLANs).
- remove v_range removes specified VLANs from current list.
Valid v_range formats include number, range, or comma-delimited list of numbers and ranges.
Example
switch(config)#interface ethernet 38
switch(config-if-Et38)#switchport tool allowed vlan 16-20
switch(config-if-Et38)#show interfaces ethernet 38 tool
Port    Configured   Status        Allowed   Id    Timestamp
        Mode                       Vlans     Tag   Mode
-----------------------------------------------------------------------
Et38    access       notconnect    16-20     Off   None
switch(config-if-Et38)#
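The EDIT_ACTION options of switchport tap allowed vlan and switchport tool allowed vlan can be replayed offline to see which VLAN list a sequence of commands leaves behind. The following Python model is an added example, not Arista code; its function names are hypothetical, the command lines replayed at the end are constructed, and the 1 to 4094 bounds are the ones this page gives for the TAP-mode v_range.

```python
VLAN_MIN, VLAN_MAX = 1, 4094                      # v_range bounds from this page
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_v_range(text):
    """Parse a number, a range, or a comma-delimited list of numbers and ranges."""
    vlans = set()
    for part in text.split(","):
        lo, sep, hi = part.strip().partition("-")
        first = int(lo)                            # ValueError on empty or non-numeric
        last = int(hi) if sep else first
        if not (VLAN_MIN <= first <= last <= VLAN_MAX):
            raise ValueError(f"{part!r} is not a valid range in {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(first, last + 1))
    return vlans


def apply_edit_action(current, action):
    """Return the allowed-VLAN set after applying one EDIT_ACTION string."""
    words = action.split()
    if not words or len(words) > 2:
        raise ValueError(f"unrecognized EDIT_ACTION {action!r}")
    keyword = words[0]
    if keyword in ("all", "none"):
        if len(words) != 1:
            raise ValueError(f"{keyword} takes no v_range")
        return set(ALL_VLANS) if keyword == "all" else set()
    if keyword in ("add", "except", "remove"):
        if len(words) != 2:
            raise ValueError(f"{keyword} requires a v_range")
        vlans = parse_v_range(words[1])
        if keyword == "add":
            return set(current) | vlans            # extends the current list
        if keyword == "remove":
            return set(current) - vlans            # shrinks the current list
        return set(ALL_VLANS) - vlans              # except: all VLANs but these
    if len(words) != 1:
        raise ValueError(f"unrecognized EDIT_ACTION {action!r}")
    return parse_v_range(keyword)                  # bare v_range replaces the list


def replay(lines, mode="tool"):
    """Replay config lines for one interface; the default list is all VLANs."""
    stem = f"switchport {mode} allowed vlan"
    allowed = set(ALL_VLANS)
    for line in lines:
        line = line.strip()
        if line in (f"no {stem}", f"default {stem}"):
            allowed = set(ALL_VLANS)               # no/default restore "all"
        elif line.startswith(stem + " "):
            allowed = apply_edit_action(allowed, line[len(stem):])
    return allowed


def format_v_range(vlans):
    """Render a VLAN set as a compact comma-delimited list of numbers and ranges."""
    ordered, parts, i = sorted(vlans), [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed command history for one tool port.
    history = [
        "switchport tool allowed vlan 16-20",
        "switchport tool allowed vlan add 30,40-42",
        "switchport tool allowed vlan remove 18",
    ]
    print(format_v_range(replay(history)))
```

An empty result from replay means the interface handles tagged traffic for no VLANs, which is worth catching in review before the change reaches a monitoring port.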
switchport tool group
The switchport tool group command modifies the configuration-mode interface’s tool port membership in the specified TAP aggregation groups. Tool ports may belong to multiple TAP aggregation groups. Command options for configuring a port’s TAP aggregation group membership include:
- specifying the groups to which the port belongs (supersedes the port’s previous group memberships).
- adding to the list of groups to which the port belongs.
- deleting from the list of groups to which the port belongs.
TAP aggregation groups associate a set of TAP ports with a set of tool ports. A TAP port can belong to a maximum of one default TAP aggregation group.
The no switchport tool default group and default switchport tool default group commands remove the configuration-mode interface from all TAP aggregation groups to which it is assigned as a tool port by modifying the corresponding statements in running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tool group EDIT_ACTION
Parameters
- EDIT_ACTION specifies changes to the list of groups to which the port belongs
- add group_list specifies additional groups to which the port belongs.
- remove group_list removes interface as a tool port member from specified groups.
- set group_list specifies groups to which interface belongs as a tool port.
Valid group_list format is a space-delimited list of one or more TAP aggregation group names.
Restriction
This command is available only on FM6000 platform switches.
Examples
- These commands associate interface Ethernet 40 with three TAP aggregation groups.
switch(config)#interface ethernet 40
switch(config-if-Et40)#switchport tool group set tag-1 tag-2 tag-3
switch(config-if-Et40)#show active
interface Ethernet40
switchport tool group set tag-3 tag-2 tag-1
switch(config-if-Et40)#
- These commands add tag-7 to the TAP aggregation groups to which Ethernet interface 40 belongs.
switch(config-if-Et40)#switchport tool group add tag-7
switch(config-if-Et40)#show active
interface Ethernet40
switchport tool group set tag-3 tag-7 tag-2 tag-1
switch(config-if-Et40)#
- These commands specify “tag-9” as the only group to which Ethernet interface 40 belongs.
switch(config-if-Et40)#switchport tool group set tag-9
switch(config-if-Et40)#show active
interface Ethernet40
switchport tool group set tag-9
switch(config-if-Et40)#
switchport tool identity
The switchport tool identity command configures the configuration-mode interface to add a tier-1 VLAN tag (dot1q) to packets it receives from TAP ports. The VLAN number on the dot1q tag is specified by the switchport tap identity command configured for the TAP port that supplies the packets. By default, tool ports do not encapsulate packets with the tier-1 VLAN tag.
The no switchport tool identity and default switchport tool identity commands restore the default VLAN handling method for the configuration-mode interface by removing the corresponding switchport tool identity statement from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tool identity dot1q
no switchport tool identity dot1q
default switchport tool identity dot1q
Restriction
This command is available only on FM6000 platform switches.
Example
switch(config)#interface ethernet 40
switch(config-if-Et40)#switchport tool identity dot1q
switch(config-if-Et40)#show active
interface Ethernet40
switchport mode tool
switchport tool identity dot1q
switchport tool group set tag-9
switch(config-if-Et40)#
switchport tool truncation
The switchport tool truncation command configures the configuration-mode interface, as a tool port, to truncate outbound packets to 160 bytes. This command is in effect when the port is in tool mode and the switch is in TAP aggregation mode. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in tool mode. By default, tool ports do not truncate outbound packets.
The no switchport tool truncation and default switchport tool truncation commands restore the default behavior (not truncating packets that exit the configuration-mode interface) by removing the corresponding switchport tool truncation command from running-config.
Command Mode
Interface-Ethernet Configuration
Interface-Port Channel Configuration
Command Syntax
switchport tool truncation packet_size
no switchport tool truncation
default switchport tool truncation
Parameters
- packet_size: size of truncated packets in bytes. The only permitted value is 160.
Examples
- These commands configure Ethernet interface 38, as a tool port, to truncate packets on egress to 160 bytes.
switch(config)#interface ethernet 38
switch(config-if-Et38)#switchport mode tool
switch(config-if-Et38)#switchport tool truncation 160
switch(config-if-Et38)#
- These commands configure Ethernet interface 38 to send complete packets.
switch(config)#interface ethernet 38
switch(config-if-Et38)#no switchport tool truncation
switch(config-if-Et38)#
tap aggregation
The tap aggregation command places the switch in TAP-aggregation configuration mode. The switch’s TAP aggregation mode is enabled or disabled by the mode command in TAP-aggregation configuration mode.
When TAP aggregation mode is enabled, normal switching and routing operations are disabled. A port’s switchport status depends on the switch’s TAP aggregation mode and the port’s switchport mode:
- TAP aggregation mode enabled: TAP and tool ports are enabled. Switching ports are errdisabled.
- TAP aggregation mode disabled: TAP and tool ports are errdisabled. Switching ports are enabled.
The no tap aggregation and default tap aggregation commands disable tap aggregation mode on the switch by removing all TAP-aggregation configuration mode commands from running-config.
TAP-aggregation configuration mode is not a group-change mode; running-config is changed immediately upon entering commands. Exiting TAP-aggregation configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.
Command Mode
Global Configuration
Command Syntax
tap aggregation
no tap aggregation
default tap aggregation
Commands Available in TAP-aggregation Configuration Mode
Related Commands
Example
- These commands place the switch in TAP-aggregation configuration mode and enable TAP aggregation.
switch(config)#tap aggregation
switch(config-tap-agg)#mode exclusive
switch(config-tap-agg)#show active
tap aggregation
mode exclusive
switch(config-tap-agg)#
- This command disables TAP aggregation and removes all TAP-aggregation configuration mode commands from running-config.
switch(config)#no tap aggregation
switch(config)#
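The port-status rules listed for tap aggregation, and the note under switchport tool truncation that settings persist in running-config without taking effect, can be checked offline against a saved configuration so that an errdisabled monitoring port or a dormant truncation setting is noticed before a capture tool is relied on. The Python below is an added example, not Arista code: the sample configuration is constructed, "mode exclusive" is treated as the enabling statement because it is the value used in the example on this page, and an interface with no "switchport mode tap" or "switchport mode tool" statement is assumed to be a switching port.

```python
SAMPLE_CONFIG = """\
tap aggregation
   mode exclusive
!
interface Ethernet10
   switchport mode tap
!
interface Ethernet38
   switchport mode tool
   switchport tool truncation 160
!
interface Ethernet40
   switchport tool truncation 160
"""  # constructed sample, not captured from a device


def parse_config(text):
    """Return (tap_agg_enabled, {interface: [statements]})."""
    tap_agg, ports, section = False, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "!":
            section = None  # "!" closes the current block
        elif line == "tap aggregation":
            section = "tap-agg"
        elif line.startswith("interface "):
            section = line.split(None, 1)[1]
            ports[section] = []
        elif section == "tap-agg":
            tap_agg = tap_agg or line == "mode exclusive"
        elif section is not None:
            ports[section].append(line)
    return tap_agg, ports


def audit(text):
    """Map each interface to its role, status and truncation state."""
    tap_agg, ports = parse_config(text)
    report = {}
    for name, stmts in ports.items():
        # Assumption: no "switchport mode tap|tool" means a switching port.
        modes = [s.split()[-1] for s in stmts
                 if s in ("switchport mode tap", "switchport mode tool")]
        role = modes[-1] if modes else "switching"
        # TAP/tool ports are up only in TAP aggregation mode, switching ports only outside it.
        status = "enabled" if (role != "switching") == tap_agg else "errdisabled"
        trunc = "none"
        if "switchport tool truncation 160" in stmts:
            trunc = "active" if role == "tool" and tap_agg else "dormant"
        report[name] = {"role": role, "status": status, "truncation": trunc}
    return report
```

Call audit() on the text of a saved running-config; a "dormant" truncation value marks a statement that is present but not in effect, and "errdisabled" on a TAP or tool port means no traffic reaches the analysis device.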