Test Access Point (TAP) Aggregation

This section describes test access point (TAP) aggregation and the data structures that it requires. Topics in this section include:

Port mirroring is described in Test Access Point (TAP) Aggregation.

TAP Aggregation introduction

Ethernet-based switches are commonly deployed in dedicated networks to support tool access point (TAP) and mirror port traffic toward one or more analysis applications. Ports configured to mirror data can simultaneously switch traffic to its primary destination while directing a copy of that traffic to analysis or test devices. TAP ports are typically part of a dedicated environment that allows for the aggregation of data streams from multiple sources that can be directed to multiple destinations.

Arista switches support port mirroring and TAP aggregation and the data structures required by these functions.

TAP Aggregation Description

These sections describe TAP aggregation, timestamps, and keyframes:

TAP Aggregation

Tool access point (TAP) aggregation is the accumulation of data streams and the subsequent dispersal of these streams to devices and applications that analyze, test, verify, parse, detect, or store data. TAP aggregation requires an environment free from switching operations. Arista switches operate in one of two device modes:

Switching mode: the switch performs normal switching and routing operations. Data mirroring is supported in switching mode. Tap aggregation is not available in switching mode.
TAP aggregation mode: The switch is a data-monitoring device and does not provide normal switching and routing services. Data mirroring is not available in tap aggregation mode.
Access control lists, port channels, LAGs, QoS, and VLANs function normally in both modes.

Ethernet and port channel interfaces are configured as TAP and tool ports to support tap aggregation.

TAP ports: a tap port is an interface that receives a data stream that two network ports exchange.
TAP ports prohibit egress traffic. MAC learning is disabled. All control plane interaction is prevented. Traps for inbound traffic are disabled. Tap ports are in STP forwarding mode.
Tool ports: A tool port is an interface that replicates data streams received by one or more tap ports. Tool ports connect to devices that process the monitored data streams.
Tool ports prohibit ingress traffic. MAC learning is disabled. All control plane interaction is prevented. Tool ports are in STP forwarding mode.

TAP and tool ports are configured with the switchport mode command. These ports are active when the switch is in tap aggregation mode and error-disabled when the switch is in switching mode.

TAP and tool ports are designated through switchport mode commands and act similar to trunk ports, in that they can allow access to VLANs specified through allowed-VLAN lists. Tap ports also specify a native VLAN for handling untagged frames.

Access, trunk, and dot1q-tunnel mode ports are active when the switch is in switching mode and error-disabled when the switch is in tap aggregation mode.

TAP and tool mode ports are active when the switch is in TAP aggregation mode and error-disabled when the switch is in switching mode.

TAP aggregation groups are data structures that map a set of TAP ports to a set of tool ports. Both TAP and tool ports may belong to multiple TAP aggregation groups, and a TAP aggregation group may contain multiple TAP and tool ports.

Timestamps and Keyframes

FM6000 platform switches support packet timestamping of packets sent from any port at line rate. Timestamps are used to correlate network events and in performance analysis. Keyframes provide information to assist in the interpretation of timestamps.

The switch contains two 64-bit counters to maintain ASIC time and UTC time. ASIC time is based on an internal 350 MHz counter. UTC is absolute time that is maintained by a precision oscillator and synchronized through PTP.

Timestamps are derived from the least significant 31 bits of ASIC time. Based on the 350 MHz counter period and 31-bit resolution, timestamp values repeat every 6.135 seconds.

Keyframes are periodically inserted into the data stream to provide context for interpreting timestamps. Keyframes contain the 64-bit value of the ASIC time counter, the corresponding 64-bit value of the UTC time counter, and the elapsed time since the last PTP synchronization of the UTC counter. Inserting one keyframe every second into the data stream assures that the timestamp value in each egress packet can be associated with values of the complete 64-bit ASIC time counter and the corresponding UTC counter.

Timestamps

Timestamps are based on a frame’s ingress time and applied to frames sent on egress ports, ensuring that timestamps on monitored traffic reflect ingress timing of the original frames. Timestamping is configured on the egress port where the timestamp is applied to the frame.

A timestamp consists of the least significant 31 bits of the ASIC time counter. The most significant bit of the least significant byte is a 0 pad, resulting in a 32-bit timestamp with 31 bits of data. The keyframe mechanism provides recovery of the most significant 33 bits of the ASIC counters and a map to UTC time. Applications use this mechanism to determine the absolute time of the frame timestamp.

The switch supports three timestamp modes, which are configurable on individual Ethernet ports. The modes differ in the management of the egress frame’s 32-bit frame check sequence (FCS):

Disabled: timestamping is disabled.
FCS Replacement Mode: the original FCS is discarded, and the ingress timestamp is appended to frame data, followed by a new FCS that is based on the appended timestamp. The result is a valid Ethernet frame, but the headers of all nested protocols are not updated to reflect the timestamp.
FCS Appending Mode: the original FCS is discarded and replaced by the ingress timestamp. The size of the original frame is maintained without any latency impact, but the FCS is not valid.

Keyframes

Keyframes contain routable IP packets that provide information to relate timestamps with the complete ASIC counter and absolute UTC time. Keyframes have valid L2 and L3 headers. Keyframes contain these header fields:

MAC fields (12 bytes):
- Source MAC address is the address of the egress interface transmitting the keyframe.
- Destination MAC address is configured through a CLI command.
IP Header (20 bytes):
- Source IP address is configured through CLI; default is management interface IP address.
- Destination IP address is configured through a CLI command.
- TTL is set to 64.
- TOS is set to 0.
- Protocol field is set to 253.
- IP header’s ID field is set to 0.

Keyframes contain these payload fields:

ASIC time: (64 bits) ASIC time counter. (2.857 ns resolution).
UTC time:(64 bits) Unix time that corresponds to ASIC time (ns).
Last sync time: (64 bits) ASIC time of most recent PTP synchronization.
Keyframe time: (64 bits) ASIC time of the keyframe’s egress (ns).
Egress interface drops: (64 bits) Number of dropped frames on keyframe’s egress interface.
Device ID: (16 bits) device ID (user defined).
Egress interface: (16 bits) Keyframe’s egress switchport.
FCS type (8 bits): Timestamping mode configured on keyframe’s egress port.
- 0: timestamping disabled.
- 1: timestamp is appended to payload; new FCS is added to the frame.
- 2: timestamp overwrites the existing FCS.
Reserved (8 bits): reserved for future use.
Skew numerator/skew denominator: form a ratio indicating the ASIC clock skew. If the ratio is greater than 1, the clock is skewed fast; if the ratio is less than 1, the clock is skewed slow.

Last sync time equals 0 when there was no previous synchronization or the time since the last synchronization is greater than 8 hours.

The 31-bit frame timestamp provides high-resolution timing, rolling over about every 6.135 seconds (31 bits at 2.857ns per tick). To obtain the full ASIC time and to correlate the timestamp to an absolute UTC time, the switch sends keyframes. Each keyframe contains the current ASIC time and UTC time; hence an application can compute the high order bits of the ASIC time (for precise, relative timing) from the ASIC to UTC time mapping, and then determine absolute time.

ASIC to UTC time conversion is not quite immediate, so the UTC time in the frame will not be the current time. A keyframe timestamp is provided for this purpose. The frame also includes the timestamping mode (FCS type) so applications can dynamically determine the timestamp’s byte offset. Each field is shown in the following table.

Table 1. Keyframe Payload
0 7	8 15	16 31
ASIC time
UTC time
Last sync time
Skew numerator
Skew denominator
Keyframe timestamp
Drop count
Device ID		Egress interface
FCS type	Reserved

TAP Aggregation Configuration

These sections describe TAP aggregation configuration tasks:

Enabling Tap Aggregation Mode

The switch supports switching mode and TAP aggregation mode. In switching mode, normal switching and routing functions are supported while TAP aggregation functions are disabled. In TAP aggregation mode, TAP aggregation functions are enabled while normal switching and routing functions are disabled. By default, the switch is in switching mode.

A ports switchport status depends on its switchport mode and the switch’s TAP aggregation mode.

Tap aggregation mode enabled: TAP and tool ports are enabled. Switching ports are errdisabled.
Tap aggregation mode disabled: TAP and tool ports are errdisabled. Switching ports are enabled.

To enable the switch to carry out TAP aggregation, first enter TAP aggregation configuration mode using the tap aggregation command, then set the mode to exclusive.

Note: The switch can also perform TAP aggregation in mixed mode.See Mixed Mode Configuration.

Example

These commands enter TAP aggregation configuration mode, then place the switch in TAP aggregation exclusive mode.

switch(config)#tap aggregation
switch(config-tap-agg)#mode exclusive
switch(config-tap-agg)#show active
tap aggregation
 mode exclusive
switch(config-tap-agg)#

To return the switch to switching mode, remove the mode command from running-config.

Examples

These commands enter TAP aggregation configuration mode, then place the switch in switching mode.

switch(config)#tap aggregation
switch(config-tap-agg)#no mode
switch(config-tap-agg)#show active
switch(config-tap-agg)#

These commands enter switching mode and remove all TAP aggregation configuration mode statements.
```
switch(config)#no tap aggregation
switch(config)#
```

TAP Aggregation Mixed Mode

On a modular switch, the user can configure TAP Aggregation on some linecards and leave other linecards to operate normally. This is referred to as TAP aggregation mixed mode.

Mixed Mode Platform Compatibility

The following platforms support TAP Aggregation Mixed Mode.

DCS-7500R
DCS-7500R2

Mixed Mode Configuration

Complete the following steps to configure Linecard 3 as a TAP aggregation linecard in mixed mode.

Enable the switch for configuration.
```
switch>configure terminal
```
Enable TAP aggregation.
```
switch(config)#tap aggregation
```
Enable TAP aggregation mixed mode, selecting the targeted linecard module using the TAP aggregation default.
```
switch(config-tap-agg)#mode mixed module linecard 3 tap-aggregation-default
```
Note: Changing modes may affect available functionality. Unsupported configuration elements will be ignored.

The profile selection in mixed mode is the same as in exclusive mode. The user can configure multiple linecards for TAP aggregation in mixed mode.

The user can check TAP Aggregation Mixed Mode status by executing the following show commands:
```
switch(config)#show running-config section tap
tap aggregation
 mode mixed module linecard 3 profile tap-aggregation-default 
switch(config)#show hardware tcam profile
 ConfigurationStatus
Linecard4defaultdefault 
Linecard3defaulttap-aggregation-default 
Linecard6defaultdefault
switch(config)#
```

TAP Port Configuration

TAP ports function when the switch is in TAP aggregation mode. TAP ports receive traffic for replication to one or more tool ports. In TAP aggregation mode, TAP ports are in STP forwarding state and prohibit egress traffic. MAC learning, control plane interaction and traps for inbound traffic are disabled.

TAP mode ports are configured through switchport mode commands. TAP mode command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP aggregation mode.

This section describes the following tap port configuration steps.

Configuring an Interface as a Tap Mode Port

Ethernet and port-channel interfaces are configured as TAP ports with the switchport mode command.

Example

These commands configure Ethernet interfaces 41 through 43 as TAP mode ports.

switch(config)#interface ethernet 41-43
switch(config-if-Et41-43)#switchport mode tap
switch(config-if-Et41-43)#show interface ethernet 41-43 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et41taptap110---
Et42taptap110---
Et43taptap110---
switch(config-if-Et41-43)#

TAP Port Allowed VLAN List Configuration

By default, TAP mode interfaces handle tagged traffic for all VLANs. The switchport tap allowed vlan command creates or modifies the set of VLANs for which a TAP port handles tagged traffic.

Example

These commands create TAP-mode allowed VLAN lists for Ethernet interfaces 41 through 43.

switch(config)#interface ethernet 41
switch(config-if-Et41)#switchport tap allowed vlan 401-410
switch(config-if-Et41)#interface ethernet 42
switch(config-if-Et42)#switchport tap allowed vlan 411-420
switch(config-if-Et41)#interface ethernet 41-42
switch(config-if-Et41-42)#show active
interface Ethernet41
 switchport mode tap
 switchport tap allowed vlan 401-410
interface Ethernet42
 switchport mode tap
 switchport tap allowed vlan 411-420
switch(config-if-Et41-42)#

TAP Port Native VLAN

Tap mode Interfaces associate untagged frames with the tap mode native VLAN. The switchport tap native vlan command specifies the TAP-mode native VLAN for the configuration-mode interface. The default TAP-mode native VLAN for all interfaces is VLAN 1.

Example

These commands assign VLAN 400 as the TAP-mode native VLAN for Ethernet interface 41.

switch(config)#interface ethernet 41
switch(config-if-Et41)#switchport tap native vlan 400
switch(config-if-Et41)#show interface ethernet 41-43 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et41taptap40010---
Et42taptap110---
Et43taptap110---
switch(config-if-Et41)#

TAP Port Packet Truncation

TAP ports can be configured to truncate inbound packets. The switchport tap truncation command configures the configuration-mode interface, as a TAP port, to truncate inbound packets to the specified packet size. By default, TAP ports do not truncate packets.

Examples

These commands configure Ethernet interface 41 to truncate packets to 150 bytes.

switch(config)#interface ethernet 41
switch(config-if-Et41)#switchport tap truncation 150
switch(config-if-Et41)#show interface ethernet 41-43 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et41taptap4001150---
Et42taptap110---
Et43taptap110---
switch(config-if-Et41)#

These commands configure Ethernet interface 41 to send complete packets for replication.

switch(config-if-Et41)#no switchport tap truncation
switch(config-if-Et41)#show interface ethernet 41 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et41taptap40010---
switch(config-if-Et41)#

Tool Port Configuration

Tool ports replicate traffic received by TAP ports. Tool ports are mapped to the TAP ports through TAP aggregation groups. A tool port may belong to multiple aggregation groups and an aggregation group may contain multiple tool ports.

Tool ports function when the switch is in TAP aggregation mode. In this switch mode, tool ports are in STP forwarding state and ingress traffic is prohibited. MAC learning, control plane interaction, and traps for inbound traffic are disabled. All control plane interaction is prevented and L2 agents do not send PDUs to tool-mode interfaces. When the switch is in switching mode, tool ports are error-disabled.

Tool-mode ports are configured through switchport commands. Tool-mode command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP aggregation mode.

This section describes the following tool port configuration steps.

Configuring an Interface as a Tool-mode Port

Ethernet and port channel interfaces are configured as tool ports with the switchport mode command.

Example

These commands configure port-channel interfaces 101 through 103 as tool-mode ports and display the result.

switch(config)#interface port-channel 101-103
switch(config-if-Po101-103)#switchport mode tool
switch(config-if-Po101-103)#show interface port-channel 101-103 tool
PortConfigured Status Allowed Id Timestamp
ModeVlans TagMode
-----------------------------------------------------------------------
Po101 tool tool All Off---
Po102 tool tool All Off---
Po103 tool tool All Off---
switch(config-if-Po101-103)#

Tool Port Allowed VLAN List Configuration

By default, tool mode interfaces handle tagged traffic for all VLANs. The switchport tool allowed vlan command creates or modifies the set of VLANs for which a tool port handles tagged traffic.

Example

These commands create tool mode allowed VLAN lists for port-channel interfaces 101 through 103.

switch(config)#interface port-channel 101-103
switch(config-if-Po101-103)#switchport tool allowed vlan 1010-1020
switch(config-if-Po101-103)#interface port-channel 101
switch(config-if-Po101)#switchport tool allowed vlan add 1001-1009
switch(config-if-Po103)#interface port-channel 102
switch(config-if-Po102)#switchport tool allowed vlan remove 1016-1020
switch(config-if-Po102)#interface port-channel 103
switch(config-if-Po103)#switchport tool allowed vlan add 1021-1030
switch(config-if-Po103)#show interface port-channel 101-103 tool
PortConfigured Status Allowed Id Timestamp
ModeVlans TagMode
-----------------------------------------------------------------------
Po101 tool tool 1001-1020 Off---
Po102 tool tool 1010-1015 Off---
Po103 tool tool 1010-1030 Off---
switch(config-if-Po103)#

Tool Port Packet Truncation

Tool ports can be configured to truncate outbound packets. The switchport tool truncation command configures the configuration-mode interface, as a tool port, to truncate outbound packets to 160 bytes. By default, tool ports do not truncate packets.

Tool port packet truncation is supported only on the 7150 series platform.

Examples

These commands configure Ethernet interface 41, as a tool port, to truncate packets on egress to 160 bytes.

switch(config)#interface ethernet 41
switch(config-if-Et41)#switchport mode tool
switch(config-if-Et41)#switchport tool truncation 160
switch(config-if-Et41)#

These commands configure Ethernet interface 41 to send complete packets.

switch(config-if-Et41)#no switchport tool truncation
switch(config-if-Et41)#

Per-linecard TCAM Profile Configuration

This feature gives the ability to specify different profiles for different linecards in mixed mode. The following platforms support per-linecard TCAM profile configuration:

DCS-7500
DCS-7500R
DCS-7500R2

To enable the TAP aggregation mode and configure a TCAM profile for a linecard set, complete the following steps:

Enable the switch for configuration.
```
switch>configure terminal
```
Enable TAP aggregation mode.
```
switch(config)#tap aggregation
```

Configure the TCAM profile for a linecard set.

switch(config-tap-agg)#mode mixed module linecard 3,4 profile tap-aggregation-default
switch(config-tap-agg)#mode mixed module linecard 5,6 profile tap-aggregation-extended
switch(config-tap-agg)#

To disable TAP aggregation on a linecard set, complete the following steps:

Enable the switch for configuration.
```
switch>configure terminal
```
Enable TAP aggregation mode.
```
switch(config)#tap aggregation
```

Disable TAP aggregation for a linecard set.

switch(config-tap-agg)#no mode mixed module linecard 3,4
switch(config-tap-agg)#

Note: If a TAP is a port-channel, its members must all come from linecards using the same profile.

Two-Way Ports for TAP Aggregation

While in TAP aggregation mode, there is support for traffic only in one direction through either TAP ports that receive packets from mirroring, or through optical TAP or tool ports that send out packets to customer devices. Two-way ports for TAP aggregation allow bidirectional transmit and receive capability on a single port in TAP aggregation mode. Using the TAP-tool switchport mode enables both TAP and tool configurations simultaneously on an interface.

Two-Way Ports Platform Compatibility

The following platforms support two-way ports for TAP aggregation.

DCS-7280R
DCS-7280R2
DCS-7500R
DCS-7500R2

Two-Way Ports Configuration

To enable a two-way port, use the tap-tool option of the switchport mode command.

Example

The following commands configure Ethernet interface 4/1 as a two-way port, allowing it to function as both a TAP and a tool port.

switch(config)#interface ethernet 4/1
switch(config-if-Et4/1)#switchport mode tap-tool
switch(config-if-Et4/1)#

Additional configurations for TAP and tool functionality on the interface remain the same. Once the user enables the TAP-tool switchport mode on the interface, they can use the existing TAP and tool mode commands to enable their respective configurations.

Arista recommends using this feature with unidirectional send-receive enabled on the interface, which allows the receiver and transmitter for the interface to operate independently. If one goes down, the other remains active. To enable unidirectional send-receive on an interface, use the unidirectional send-receive command.

Example

These commands enable unidirectional send-receive on Ethernet interface 4/1.

switch(config)#interface ethernet 4/1
switch(config-if-Et4/1)#unidirectional send-receive
switch(config-if-Et4/1)#

TAP Aggregation QoS Handling on TAP Ports

Before eos 4.20.5F, QoS behavior was not enforced for TAP aggregation ports, meaning that QoS behavior for packets passing through the device was not changed.

QoS Handling Platform Compatibility

The following platforms support QoS handling on TAP ports.

DCS-7280E
DCS-7280R
DCS-7500E
DCS-7500R
DCS-7280R2

Note: QoS is not available on TAP aggregation ports on the DCS-7150.

QoS Handling Configuration

Trust Mode of TAP Ports

TAP ports are in QoS untrusted mode by default. This means that the QoS marking of an incoming packet is not trusted when determining the QoS attributes of the packet. Therefore, the default QoS handling takes place. Consider the default CoS to traffic class mapping in the following example.

switch(config)#show qos maps
[...]
 Cos-tc map:
 cos:01234567
 ----------------------------
 tc: 10234567
[...]

The Class of Service (CoS) field of incoming packets is ignored and is assumed to be zero. In this example, all packets are assigned to traffic class 1 when using the above mapping.

To override the default trust mode behavior on a TAP port, use the qos trust command.

Example

The following commands override the default trust mode behavior on Ethernet port 1, configuring it to use Class of Service (CoS) trust mode instead so that incoming packets will be placed in their CoS-marked classes.

switch(config-if-Et1)#qos trust cos
switch(config-if-Et1)#

Class of Service Rewrite of TAP Ports

By default, TAP ports do not override the existing Class of Service (CoS) field of incoming packets. In other words, the CoS marking of steered packets is not changed in any way.

However, the CoS field of added tags may change according to the traffic class to CoS mapping. For example, the identity tag added by TAP ports may have the CoS value from the global traffic class to CoS mapping. Consider the following mapping:

switch(config)#show qos maps
[...]
 Tc-cos map:
 tc: 01234567
 ----------------------------
 cos:17234560
[...]

Using this mapping, the added tag CoS field of packets assigned to traffic class 1 may be set to 7.

Displaying QoS Handling Status

Use the Displaying QoS Handling Status to see the active QoS mappings.

Example

This command displays the QoS maps that are configured on the switch.

switch#show qos maps
Number of Traffic Classes supported: 8
 Number of Transmit Queues supported: 8
 Cos Rewrite:Disabled
 Dscp Rewrite:Disabled

 Cos-tc map:
 cos:01234567
 ----------------------------
 tc: 10234567

 Dscp-tc map:
 d1 :d2 0123456789
 --------------------------------------
0 : 1111111100
1 : 0000002222
2 : 2222333333
3 : 3344444444
4 : 5555555566
5 : 6666667777
6 : 7777

 Tc-cos map:
 tc: 01234567
 ----------------------------
 cos:10234567

 Tc-dscp map:
 tc:01234567
 -----------------------------
 dscp:80 16 24 32 40 48 56

 Tc - tx-queue map:
 tc:01234567
 ---------------------------------
 tx-queue:01234567

switch#

Identity VLAN Tagging

By default, tool port output packets are identical to the replicated packets they receive from the tap ports to which they are associated. Identity tagging modifies packets sent by tool ports by adding a dot1q VLAN tag that identifies the originating TAP port. Each TAP port is associated with an identity number. Tool ports that are configured to add an identity tag append the originating TAP port’s identity number in the outer layer (or s-VLAN) tag.

The following sections describe identity VLAN tagging on TAP and tool ports.

Tap Port Identity Value Configuration

The switchport tap identity command configures the TAP port identity value for the configuration-mode interface. The default identity value for all TAP ports is 1.

Example

These commands configure 1042 as the identity value for Ethernet interface 42 and display the result.

switch(config)#interface ethernet 42
switch(config-if-Et42)#switchport tap identity 1042
switch(config-if-Et42)#show interface ethernet 41-43 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et41taptap40010---
Et42taptap11042 0---
Et43taptap110---
switch(config-if-Et42)#

Tool Port Identity Tag Configuration

The switchport tool identity command configures the configuration-mode interface to include a tier-1 VLAN tag (dot1q) in packets it transmits. The VLAN number on the dot1q tag is the identity value configured for the TAP port that supplies the packets. By default, tool ports do not encapsulate packets with the tier-1 VLAN tag.

Example

These commands configure port channel 102 to include the identity tag in packets it transmits.

switch(config)#interface port-channel 102
switch(config-if-Po102)#switchport tool identity dot1q
switch(config-if-Po102)#show interface port-channel 101-103 tool
PortConfigured Status Allowed Id Timestamp
ModeVlans TagMode
-----------------------------------------------------------------------
Po101 tool tool 1001-1020 Off---
Po102 tool tool 1010-1015 On ---
Po103 tool tool 1010-1030 Off---
switch(config-if-Po102)#

TAP Aggregation Group Configuration

TAP aggregation groups associate a set of TAP ports with a set of tool ports. A tool port replicates packets it receives from TAP ports that are in the aggregation groups to which it belongs. A TAP port can be configured to send data to multiple TAP aggregation groups. Tool ports may belong to multiple TAP aggregation groups. TAP aggregation groups may contain multiple TAP ports and multiple tool ports.

The following sections describe the configuration of TAP aggregation groups:

Assigning a Tool Port to a TAP Aggregation Group

Tool ports are assigned to a TAP aggregation group through the switchport tool group command. Each command either creates a list or alters the existing list of groups to which a tool port belongs.

Examples

These commands create the list of TAP aggregation groups for port-channel interface 101.

switch(config)#interface port-channel 101
switch(config-if-Po101)#switchport tool group set analyze1 analyze2 analyze3
switch(config-if-Po101)#show active
interface Port-Channel101
 switchport mode tool
 switchport tap identity 2101
 switchport tool allowed vlan 1001-1020
 switchport tap default group tag-9
 switchport tool group set analyze3 analyze1 analyze2
switch(config-if-Po101)#

These commands remove “analyze-1” from port channel 101’s TAP aggregation group list.

switch(config-if-Po101)#switchport tool group remove analyze1
switch(config-if-Po101)#show active
interface Port-Channel101
 switchport mode tool
 switchport tap identity 2101
 switchport tool allowed vlan 1001-1020
 switchport tap default group tag-9
 switchport tool group set analyze3 analyze2
switch(config-if-Po101)#

Assigning TAP Ports to a TAP Aggregation Group

TAP ports are assigned to a TAP aggregation group using the switchport tap default group command. Multiple ports are added to a group by entering the command in interface configuration mode for each port.

Example

These commands assign Ethernet interfaces 41 through 43 to TAP aggregation groups “analyze2” (41 and 42) and “analyze3” (43).

switch(config)#interface ethernet 41-42
switch(config-if-Et41-42)#switchport tap default group analyze2
switch(config-if-Et41-42)#interface ethernet 43
switch(config-if-Et43)#switchport tap default group analyze3
switch(config-if-Et43)#show interface ethernet 41-43 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et41taptap40010analyze2
Et42taptap11042 0analyze2
Et43taptap110analyze3
switch(config-if-Et43)#

Viewing TAP Aggregation Group Assignments

TAP aggregation group membership is displayed by show tap aggregation groups. Options allow the display of individual groups or of all configured groups. The command displays active tool and TAP ports by default, and provides an option to display configured ports that are not active.

Example

This command displays the contents of all configured TAP aggregation groups.

switch#show tap aggregation groups
Group NameTool Members
---------------------------------------------------------
analyze2Po101, Po102
analyze3Po101, Po103

Group NameTap Members
---------------------------------------------------------
analyze2Et41, Et42
analyze3Et43
switch#

LAGs in Tool Groups

Link Aggregation Groups (LAGs) can be included in tool groups for load balancing. A tool group can contain both LAGs and regular ports. Each member of a tool group receives one copy of the traffic destined to the group. Traffic is replicated to tool group members using multicast replication. The traffic replicated to LAGs is then load balanced to their members as per load-balance policies configured on the system.

If a tool group has no more than 60 members with at least one hardware LAG, then the replication mode of the tool group is set to ingress-only. Otherwise, the replication mode of the tool group is set to the configured system default multicast replication mode. See platform sand multicast replication default for more information on configuration of the system default replication mode.

Example

The following command changes the system-wide default multicast replication mode to ingress.

switch(config)#platform sand multicast replication default ingress
switch(config)#

TAP Aggregation Traffic Steering

Traffic steering is a TAP aggregation process that uses class maps and policy maps to direct data streams at tool ports that are not otherwise associated to the ingress TAP port. A policy map is a data structure that filters data streams upon which identity VLAN tagging or TAP aggregation group assignment is implemented.

TAP-aggregation class maps and policy maps are similar to QoS and control-plane maps. However, policy maps and their components are not interchangeable among function types.

TAP Aggregation Policies

A policy map filters data packets by using classes and match rules. Each class contains an eponymous class map and a traffic resolution command. Each match rule contains packet content descriptors and a traffic resolution parameter.

A class map uses ACLs that identify packets that comprise a specified data stream
Packet content descriptors specify packet field values that are compared to inbound packets.
A traffic resolution command or parameter specifies data handling methods for filtered traffic.

Each data packet entering an entity to which a policy map is assigned is managed as defined by the traffic resolution command of the highest priority class or rule that matches the packet.

Class maps are user-created and can be edited or deleted. They filter traffic with IPv4 ACLs and are listed in running-config. TAP aggregation traffic resolution commands do one the following:

specify a TAP aggregation group to direct the packet.
specify a VLAN number for identity tagging the packet.

TAP aggregation policy maps do not define an implicit deny statement. Packets that do not match a policy map class or rule are replicated and sent out tool ports specified by the default aggregation group assigned to the ingress TAP port. If no default group is selected, these packets are dropped.

Configuring TAP Aggregation Traffic Policies

TAP aggregation traffic policies are implemented by creating class maps and policy maps, then applying the policy maps to Ethernet and port-channel interfaces.

Creating Class Maps

A class map is an ordered list of IPv4 access control lists (ACLs). Each ACL is assigned a sequence number that specifies its priority in the class map. TAP aggregation class maps utilize ACL permit rules to pass packets and deny rules to drop packets.

Class maps are created and modified in class-map configuration mode, which is entered using the class-map type tapagg. The match (class-map (tapagg)) command inserts a specified ACL into the class map, assigning it a sequence number that denotes its placement.

Class-map configuration mode is a group-change mode. Changes made in a group-change mode are saved by exiting the mode. The show active command displays the saved version of class map. The exit command returns the switch to global configuration mode and saves pending class-map changes. The abort command returns the switch to global configuration mode and discards pending changes.

Examples

This command creates a TAP aggregation class map named t-class_1 and places the switch in class-map configuration mode.
```
switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#
```
These commands add two IPv4 ACLs (tacl-1 and tacl-2) to the t-class_1 class map. The commands use the default method of assigning sequence numbers to the ACLs.
```
switch(config-cmap-t-class_1)#match ip access-group tacl-1
switch(config-cmap-t-class_1)#match ip access-group tacl-2
switch(config-cmap-t-class_1)#
```

These commands exit class-map configuration mode, store pending changes to running-config, then display the class map.

switch(config-cmap-t-class_1)#exit
switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#show active
class-map type tapagg match-any t-class_1
10 match ip access-group tacl-1
20 match ip access-group tacl-2
switch(config-cmap-t-class_1)#

Creating Policy Maps

Policy maps are created and modified in policy-map configuration mode. A policy map is an ordered list of classes and match rules. Policy maps are edited by adding or removing map elements. Data packets are managed by commands of the highest priority class or rule that matches the packet.

Classes

Each class contains a class map, a set command, and a sequence number:

The class map identifies a data stream by using an ordered list of ACLs. Class maps are configured in class-map (tapagg) configuration mode.
The set command specifies the replication method for filtered data packets, either through an associated aggregation group or identity VLAN tagging.
The sequence number specifies the class’s priority within the policy map. Lower sequence numbers denote higher priority.

Matching Rules

Each rule contains a filter list, an action, and a sequence number:

The filter list identifies a data stream by using a set of packet field values.
The action, (SET_VALUE parameter) specifies the replication method of filtered data packets, either through an associated aggregation group or identity VLAN tagging.
The sequence number specifies the rule’s priority within the policy map. Lower sequence numbers denote higher priority.

Policy-map and policy-map-class configuration modes are group-change modes. Changes are saved with the exit command or discarded with the abort command. The show active and show pending commands display the saved and modified policy map versions respectively.

The class (policy-map (tapagg)) command enters policy-map configuration mode.

Example

This command creates the TAP aggregation policy map named t-policy_1 and places the switch in policy-map configuration mode.

switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#

The class (policy-map (tapagg)) command adds a class to the configuration mode policy map and places the switch in policy-map-class configuration mode for adding a traffic resolution command to the class. The set (policy-map-class (tapagg)) command specifies the data replication method for traffic filtered by the associated class map in the configuration-mode policy map. The set command performs one of the following replication actions for filtered data packets.

specifies an aggregation group.
specifies a VLAN identity tag for replicated packets.
specifies an aggregation group and a VLAN identity tag.

Examples

These commands add the t-class_1 class map to the t-policy_1 policy map, associate a set statement with the class, then save the policy map by exiting the modes. Packets filtered by the class map are identity tagged with VLAN 444 and replicated as specified by the t-grp aggregation group.

switch(config-pmap-t-policy_1)#class t-class_1
switch(config-pmap-c-t-policy_1-t-class_1)#set aggregation-group
t-grp id-tag 444
switch(config-pmap-c-t-policy_1-t-class_1)#exit
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
10 class t-class_1
set aggregation-group t-group id-tag 444
switch(config-pmap-t-policy_1)#

The match (policy-map (tapagg)) command adds a match rule to the configuration-mode TAP aggregation policy map.

This command enters policy-map configuration mode for t-policy_1, then creates a match rule for the policy map that filters OSPF packets and replicates them as specified by t-grp TAP aggregation group.
```
switch(config-pmap-t-policy_1)#match ip ospf any any set
aggregation-group t-grp
switch(config-pmap-t-policy_1)#
```

Applying Policy Maps to an Interface

The service-policy type tapagg (Interface mode) command applies a specified policy map to the configuration-mode interface.

Example

These commands apply the t-policy_1 policy map to interface ethernet 17.

switch(config)#interface ethernet 17
switch(config-if-Et17)#service-policy type tapagg input tpolicy_1
switch(config-if-Et17)#

TAP Aggregation GUI

The switch provides a graphical user interface (GUI) for creating and viewing a TAP aggregation configuration and displaying LANZ traffic statistics.

All commands available on the GUI are accessible through the CLI. The TAP aggregation configuration created through either the CLI or the GUI can be viewed and modified through either medium.

This section provides a brief description of the TAP aggregation GUI.

Accessing the TAP Aggregation GUI

The URL for the TAP aggregation GUI is: https://hostname/apps/TapAgg/index.html where the hostname is the switch’s configured hostname. The “TAP Aggregation GUI Initial Panel” displays the initial TAP aggregation GUI panel for the switch with the hostname “ro402.”

The TAP aggregation panel contains two sections:

The configuration section displays the TAP aggregation configuration, including the TAP interfaces, tool interfaces, and aggregation groups. Links are displayed to indicate interface group membership.
The component section displays information and control buttons for the active configuration entity. When an entity is not selected, the section displays information for the switch (device).

The configuration section displays TAP aggregation components only when the switch is in TAP aggregation mode. To enter TAP aggregation mode, click the TAP Aggregation icon in the component section for the device. The icon is a toggle mechanism; clicking it again disables TAP aggregation mode.

Figure 1. TAP Aggregation GUI Initial Panel

Viewing TAP Aggregation Component Details

“TAP Aggregation GUI Panel with TAP Aggregation Mode Enabled” displays the TAP aggregation panel when the switch is in TAP aggregation mode. The configuration section indicates that the TAP aggregation configuration consists of three tool interfaces, one TAP interface, and four aggregation groups. Ethernet port 10 is the active component; configuration control and traffic information for this interface is available in the component section.

The active component is changed by clicking on the desired component in the configuration section. To display device (switch) information, click on any configuration section outside of any component.

Modifying a TAP Aggregation Configuration

The TAP aggregation configuration can be modified only when the switch is in TAP aggregation mode, (see Accessing the TAP Aggregation GUI). The following is a partial list of configuration tasks that are available from the GUI:

adding a TAP or tool interface: begin typing the interface name in the desired add-interface data entry area to access a drop-down list of available interfaces. Select the desired interface and press the Add button.
removing an interface from the configuration: select the desired interface in the configuration section and click the deconfigure button in that interface’s component section.
adding an aggregation group: type the desired name of the new group in the data entry area and press the Add button. The TAP aggregation group name can consist of alphanumeric characters and specific special characters (- _ [ ] { } :) only.
adding an interface to an aggregation group: select the desired interface in the configuration section, then press the icon of the group in the group membership area of the interface’s component section.

Group icons are toggle buttons; clicking the icon of a group to which the interface belongs removes that interface from the group.

Figure 2. TAP Aggregation GUI Panel with TAP Aggregation Mode Enabled

TAP Aggregation Keyframe and Timestamp Configuration

This section contains the following topics:

TAP Aggregation Keyframe Generation

Keyframes contain routable IP packets that provide information to relate timestamps with the complete ASIC counter and absolute UTC time. The switch supports a maximum of ten keyframes, which are distinguished by their name label. Each keyframe can egress from every Ethernet port.

Keyframe generation is enabled by the platform fm6000 keyframe command. Command options specify ports that transmit keyframes along with the destination MAC address and IP address in the keyframe’s header. Other keyframe commands specify the transmission rate and the frame’s source:

the platform fm6000 keyframe rate command configures the keyframe’s transmission rate.
the platform fm6000 keyframe source command configures the source IP address that is placed in each keyframe’s header. The management interface IP address is the default source address.
The source MAC address is the MAC address of the egress interface transmitting the keyframe.
the platform fm6000 keyframe device command configures the 16-bit number that keyframes list as the device ID in their payload.
the platform fm6000 keyframe fields skew command enables the inclusion of clock skew fields in the keyframe.
the show platform fm6000 keyframe command displays keyframe configuration information.

Examples

This command enables the generation of a keyframe named “key-1” and configures it to egress from Ethernet interfaces 11 through 15 with a source IP address of 10.21.1.4 and a MAC address of 10.4E21.9F11.
```
switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#
```
This command configures the generation rate for the keyframe of 10 frames per second on each of the five interfaces that it is configured to egress.
```
switch(config)#platform fm6000 keyframe key-1 rate 10
switch(config)#
```
This command enables the generation of a keyframe named “key-1” and configures 100 as the value that is placed in the keyframe’s device ID field.
```
switch(config)#platform fm6000 keyframe key-1 device 100
switch(config)#
```
This command enables the inclusion of clock skew fields in the keyframe named “key-1.”
```
switch(config)#platform fm6000 keyframe key-1 fields skew
switch(config)#
```

This command displays configuration information for keyframe “key-1.”

switch(config)#show platform fm6000 keyframe

Keyframe key-1
------------------------
Egress Interface(s): Ethernet11, Ethernet12, Ethernet13, Ethernet14, Ethernet15
Source IP: 172.22.30.142
Destination IP: 10.21.1.4
Destination MAC: 00:10:4e:21:9f:11
Device ID: 100
Rate: 10 packet(s) per second

switch(config)#

Enabling Timestamp Insertion on an Interface

Timestamps are based on a frame’s ingress time and applied to frames sent on egress ports, ensuring that timestamps on monitored traffic reflect ingress timing of the original frames. Time-stamping is configured on the egress port where the timestamp is applied to the frame.

When timestamping is enabled on an egress interface, packets leave the interface with timestamps that were applied in hardware when the packet arrived at the switch. This is facilitated by applying a hardware timestamp to all frames arriving on all interfaces when timestamping is enabled on any interface, then removing timestamps on packets egressing interfaces where timestamping is not enabled.

The mac timestamp command enables time-stamping on the configuration-mode interface. The switch supports two timestamp modes, which differ in managing the egress frame’s 32-bit frame check sequence (FCS):

before-fcs: the switch discards the original FCS, appends the ingress timestamp at the end of the frame data, recalculates a new FCS based on the appended timestamp, then appends the new FCS to the end of the frame. This creates a valid Ethernet frame but does not update headers of any nested protocols.
replace-fcs: the switch replaces the original FCS with the timestamp. This mode maintains the size of the original frame without any latency impact, but the FCS is not valid.

Examples

These commands enable timestamping in before-fcs mode on Ethernet interface 44.

switch(config)#interface ethernet 44
switch(config-if-Et44)#mac timestamp before-fcs
switch(config-if-Et44)#show active
interface Ethernet44
 mac timestamp before-fcs
switch(config-if-Et44)#

These commands disable timestamping on Ethernet interface 44.

switch(config-if-Et44)#no mac timestamp
switch(config-if-Et44)#show active
interface Ethernet44
switch(config-if-Et44)#

TAP Aggregation Commands

Global Configuration Commands

Interface Configuration Commands

Tap Aggregation Configuration Mode

Tap Aggregation Traffic Steering

Display Commands EXEC Mode

class (policy-map (tapagg))

The class (policy-map (tapagg)) command places the switch in policy-map-class (TAPagg) configuration mode, which is a group-change mode that defines a TAP aggregation class by associating the class’s eponymous class-map to a set statement. Upon exiting the policy-map-class mode, the class is placed in the policy-map as specified by an assigned sequence number.

A policy map is an ordered list of classes and match rules. Each class contains a class map, a set command, and a sequence number:

The class map identifies a data stream by using an ordered list of ACLs. Class maps are configured in class-map (tapagg) configuration mode. Data packets are managed by commands of the highest priority class or rule that matches the packet.
set commands specify the replication method of filtered data packets, either through an associated aggregation group or identity VLAN tagging.
Sequence numbers specify the class’s priority within the policy map. Lower sequence numbers denote higher priority.

The exit command returns the switch to policy-map configuration mode. However, saving policymap-class changes also requires an exit from policy-map mode. This saves all pending policy map and policy-map-class changes to running-config and returns the switch to global configuration mode. The abort command discards pending changes and returns the switch to global configuration mode.

The no class and default class commands remove the class assignment from the configuration mode policy map by deleting the corresponding class configuration from running-config.

Command Mode

Policy-Map (tapagg) Configuration accessed through class (policy-map (tapagg))

Command Syntax

[SEQ_NUM] class class_name

default [SEQ_NUM] class class_name

no [SEQ_NUM] class class_name

Parameters

SEQ_NUM priority of the class within the policy map. Lower numbers denote higher priority.
- <no parameter> number is derived by adding 10 to number of the map’s last class or rule.
- 1 to 4294967295 number assigned to class.
class_name name of the class.

Guidelines

When a class is not associated with a set (policy-map-class (tapagg)) command, the filtered traffic is managed as specified by the TAP port’s default aggregation group.

Commands Available in Policy-map-class (tapagg) Configuration Mode

set (policy-map-class (tapagg)) assigns VLAN identity tag or tap aggregation group to class.
exit returns the switch to parent policy map configuration mode.
abort discards pending class map changes, then returns the switch to global configuration mode.

Related Commands

class (policy-map (tapagg)) places the switch in policy-map (tapagg) configuration mode.
match (policy-map (tapagg)) assigns a match rule to a TAP aggregation policy map.

Example

These commands place the switch in policy-map-class and add the t-class_1 class map to the tpolicy_1 policy map. Packets filtered by the class map are identity tagged with VLAN 444.

switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#class t-class_1
switch(config-pmap-c-t-policy_1-t-class_1)#set id-tag 444
switch(config-pmap-c-t-policy_1-t-class_1)#exit
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
policy-map type tapagg t-policy_1
10 class t-class_1
set id-tag 444
switch(config-pmap-t-policy_1)#

class-map type tapagg

The class-map type tapagg command places the switch in class-map (tapagg) configuration mode, which is a group change mode that modifies a tapagg class map. A tapagg class map is a data structure that uses access control lists (ACLs) to define a data stream by specifying characteristics of data packets that comprise the stream. Tapagg policy maps use class maps to specify traffic that is managed by policy map criteria.

The exit command saves pending class map changes to running-config, then returns the switch to global configuration mode. Class map changes are also saved by entering a different configuration mode. The abort command discards pending changes and returns the switch to global configuration mode.

The no class-map type tapagg and default class-map type tapagg commands delete the specified class map by removing the corresponding class-map type qos command and its associated configuration.

Command Mode

Global Configuration

Command Syntax

class-map type tapagg match-any class_name

no class-map type tapagg match-any class_name

default class-map type tapagg match-any class_name

Parameters

class_name name of class map.

Commands Available in Class-Map (tapagg) Configuration Mode

Related Commands

class (policy-map (tapagg))

Example

This command creates a TAP aggregation class map named t-class_1 and places the switch in class-map configuration mode.

switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#

mac timestamp

The mac timestamp command enables timestamping on the configuration mode interface.

When timestamping is enabled on an egress interface, packets leave the interface with timestamps that were applied in hardware upon arriving at the switch. This is facilitated by applying a hardware timestamp to all frames arriving on all interfaces when timestamping is enabled on any interface, then removing timestamps on packets egressing interfaces where timestamping is not enabled.

The switch supports two timestamp modes, which differ in managing the egress frame’s 32-bit frame check sequence (FCS):

before-fcs: the switch discards the original FCS, appends the ingress timestamp at the end of the frame data, recalculates a new FCS based on the appended timestamp, then appends the new FCS to the end of the frame. This creates a valid Ethernet frame but does not update headers of any nested protocols.
replace-fcs: the switch replaces the original FCS with the timestamp. This mode maintains the size of the original frame without any latency impact, but the FCS is not valid.

The no mac timestamp and default mac timestamp commands restore the default behavior of disabling timestamping on the configuration mode interface by removing the corresponding mac timestamp command from running-config.

Command Mode

Interface-Ethernet Configuration

Command Syntax

mac timestamp TS_PROPERTY

Parameters

TS_PROPERTY specifies the timestamp insertion mode. Options include:
- before-fcs the ingress timestamp is appended to the frame and the FCS is recalculated.
- replace-fcs the ingress timestamp replaces the original FCS.

Examples

These commands enable timestamping in before-fcs mode on Ethernet interface 44.

switch(config)#interface ethernet 44
switch(config-if-Et44)#mac timestamp before-fcs
switch(config-if-Et44)#show active
interface Ethernet44
 mac timestamp before-fcs
switch(config-if-Et44)#

These commands disable timestamping on Ethernet interface 44.

switch(config-if-Et44)#no mac timestamp
switch(config-if-Et44)#show active
interface Ethernet44
switch(config-if-Et44)#

match (class-map (tapagg))

The match command adds an ACL to the configuration-mode class map and associates a sequence number to the ACL. A class map is an ordered list of ACLs that define a data stream; the sequence number specifies an ACL’s priority within the list. A class map is used by policy maps to filter data packets. Tapagg class maps utilize ACL permit rules to pass packets and deny rules to drop packets.

Class map (tapagg) configuration mode is a group change mode. Match statements are not saved to running-config until the edit session is completed by exiting the mode.

The no match and default match commands remove the specified match statement from the configuration-mode class map by deleting the corresponding match command from running-config.

Command Mode

Class-map (tagagg) Configuration accessed through class-map type tapagg command.

Command Syntax

[SEQ_NUM] match ip access-group list_name

no SEQ_NUM] match ip access-group list_name

default SEQ_NUM] match ip access-group list_name

Parameters

SEQ_NUM sequence number assigned to the ACL. Options include:
- <no parameter> number is derived by adding 10 to the number of the map’s last ACL.
- 1 to 4294967295 number assigned to ACL.
list_name name of ACL assigned to class map.

Guidelines

match statements accept IPv4 ACLs.

Related Commands

class-map type tapagg places the switch in Class-Map configuration mode.
exit saves pending class map changes, then returns the switch to global configuration mode.
abort discards pending class map changes, then returns the switch to global configuration mode.
class (policy-map (tapagg)) assigns a class map to a policy map.

Example

These commands add two IPv4 ACLs (“tacl-1” and “tacl-2”) to the “t-class_1” class map, save the command by exiting class-map mode, and re-enter the mode to display the added ACLs.

switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#match ip access-group tacl-1
switch(config-cmap-t-class_1)#match ip access-group tacl-2
switch(config-cmap-t-class_1)#exit
switch(config)#class-map type tapagg match-any t-class_1
switch(config-cmap-t-class_1)#show active
 class-map type tapagg match-any t-class_1
10 match ip access-group tacl-1
20 match ip access-group tacl-2
switch(config-cmap-t-class_1)#

match (policy-map (tapagg))

The match command adds a rule to the configuration-mode TAP aggregation policy map. A policy map is an ordered list of classes and rules. Each rule contains a filter list, an action, and a sequence number:

The filter list identifies a data stream through a set of packet field values.
The action, (SET_VALUE parameter) specifies the replication method of filtered data packets, either through an associated aggregation group or identity VLAN tagging.
The sequence number specifies the rule’s priority within the policy map.

The no match and default match commands remove the match rule from the configuration-mode policy by deleting the corresponding statement from running-config.

Command Mode

Policy-Map (tapagg) Configuration accessed through class (policy-map (tapagg)).

Command Syntax

[SEQ_NUM] match [VLAN_TAG] SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT] [PROTOCOL] [FLAGS] [MESSAGE] [fragments] [tracked] [DSCP_FILTER] [TTL_FILTER] [log] SET_VALUE

no match [VLAN_TAG] SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT] [PROTOCOL] [FLAGS] [MESSAGE] [fragments] [tracked] [DSCP_FILTER] [TTL_FILTER] [log] SET_VALUE

default match [VLAN_TAG] SOURCE_ADDR [SOURCE_PORT] DEST_ADDR [DEST_PORT] [PROTOCOL] [FLAGS] [MESSAGE] [fragments] [tracked] [DSCP_FILTER] [TTL_FILTER] [log] SET_VALUE

Note: Commands use a subset of the listed fields. Available parameters depend on specified protocol. Use CLI syntax assistance to view options for specific protocols when creating a permit rule.

Parameters

SEQ_NUM priority of the rule within the policy map. Lower numbers denote higher priority.
- <no parameter> number derived by adding 10 to number of the map’s last class or rule.
- <1 to 4294967295> number assigned to class.
VLAN_TAG VLAN field filter. Options include:
- <no parameter> packets are not filtered by VLAN field.
- vlan <1 to 4094> <0 to 4095> VLAN ID and mask.
- vlan inner <1 to 4094> <0 to 4095> VLAN ID and mask.
- vlan <1 to 4094> <0 to 4095> inner <1 to 4094> <0 to 4095> VLAN ID and mask.
PROTOCOL protocol field filter. Values include:
- <no parameter> packets are not filtered by host name.
- ahp authentication header protocol (51).
- icmp internet control message protocol (1).
- igmp internet group management protocol (2).
- ip internet protocol IPv4 (4).
- ospf open shortest path first (89).
- pim protocol independent multicast (103).
- tcp transmission control protocol (6).
- udp user datagram protocol (17).
- vrrp virtual router redundancy protocol (112).
- protocol_num integer corresponding to an IP protocol. Values range from 0 to 255.
SOURCE_ADDR and DEST_ADDR source and destination address filters. Options include:
- network_addr subnet address (CIDR or address-mask).
- any packets from all addresses are filtered.
- host ip_addr IP address (dotted decimal notation).
  Source and destination subnet addresses support discontiguous masks.
SOURCE_PORT and DEST_PORT source and destination port filters. Options include:
- any all ports.
- eq port-1 port-2 ... port-n a list of ports. Maximum list size is 10 ports.
- neq port-1 port-2 ... port-n the set of all ports not listed. Maximum list size is 10 ports.
- gt port the set of ports with larger numbers than the listed port.
- lt port the set of ports with smaller numbers than the listed port.
- range port_1 port_2 the set of ports whose numbers are between the range.
fragments filters packets with FO bit set (indicates a non-initial fragment packet).
FLAGS flag bit filters (TCP packets). Use CLI syntax assistance (?) to display options.
MESSAGE message type filters (ICMP packets). Use CLI syntax assistance (?) to display options.
tracked rule filters packets in existing ICMP, UDP, or TCP connections.
- Valid in ACLs applied to the control plane.
- Validity in ACLs applied to data plane varies by switch platform.
DSCP_FILTER rule filters packet by its DSCP value. Values include:
- <no parameter> rule does not use DSCP to filter packets.
- dscp dscp_value packets match if DSCP field in packet is equal to dscp_value.
TTL_FILTER rule filters packet by its TTL (time-to-live) value. Values include:
- <no parameter> rule does not use TTL field to filter packets.
- ttl eq ttl_value packets match if ttle in packet is equal to ttl_value.
- ttl gt ttl_value packets match if ttl in packet is greater than ttl_value.
- ttl lt ttl_value packets match if ttl in packet is less than ttl_value.
- ttl neq ttl_value packets match if ttl in packet is not equal to ttl_value.
log triggers an informational log message to the console about the matching packet.
- Valid in ACLs applied to the control plane.
- Validity in ACLs applied to data plane varies by switch platform.
SET_VALUE specifies the replication method for filtered packets.
- set aggregation group agg_group peplication specified by aggregation group.
- set id-tag <1 to 4094> packet is identity tagged with specified VLAN number.
- set aggregation group agg_group id-tag <1 to 4094> assigns agg group and identity tag.

Related Commands

policy-map type tapagg places the switch in policy-map (tapagg) configuration mode.
class (policy-map (tapagg)) assigns a class to the configuration-mode policy map.

Example

This command creates a match rule for the “t-policy_1” policy map that filters OSPF packets and replicates them as specified by the “t-group” tap aggregation group.

switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#match ip ospf any any set aggregation-group t-group
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
 policy-map type tapagg t-policy_1
 10 match ip ospf any any set aggregation-group t-group
switch(config-pmap-t-policy_1)#

mode (tap-agg configuration mode)

The mode command configures the switch’s TAP aggregation mode. The mode exclusive command enables TAP aggregation. When TAP aggregation is enabled, TAP and tool ports are enabled, switching mode is disabled, and switching ports are errdisabled. TAP aggregation is disabled by default.

The no mode and default mode commands disable TAP aggregation mode and enable switching mode by removing the mode command from running-config.

Command Mode

TAP Aggregation Configuration

Command Syntax

mode exclusive

no mode exclusive

default mode exclusive

Parameters

exclusive TAP aggregation is enabled.

Related Command

tap aggregation places the switch in TAP-aggregation configuration mode.

Examples

These commands place the switch in TAP-aggregation configuration mode, enable TAP aggregation mode, and display the results.

switch(config)#tap aggregation
switch(config-tap-agg)#mode exclusive
switch(config-tap-agg)#show active
tap aggregation
 mode exclusive
switch(config-tap-agg)#

These commands disable TAP-aggregation mode by removing the mode command from running-config, then display the results.

switch(config)#tap aggregation
switch(config-tap-agg)#no mode
switch(config-tap-agg)#show active
switch(config-tap-agg)#

mode exclusive no-errdisable (tap-agg configuration mode)

The mode exclusive no-errdisable command configures the specified interface to remain enabled, regardless of its switchport mode, when TAP aggregation is enabled. This command is used primarily to configure a port to support PTP functions while the switch operates as a TAP aggregator.

Each command configures one Ethernet or port-channel interface. Subsequent mode exclusive no-errdisable commands add to the list of ports that remain enabled when TAP aggregation is enabled.

The no mode exclusive no-errdisable and default mode exclusive no-errdisable commands configure the specified interface to be error-disabled when programmed in access, trunk, or dot1q-tunnel switching mode (when TAP aggregation is enabled) by removing the corresponding mode exclusive no-errdisable command from running-config.

Command Mode

TAP Aggregation Configuration

Command Syntax

mode exclusive no-errdisable INT_NAME

Parameters

INT_NAME interface type and number. Options include:
- ethernet e_num Ethernet interface specified by e_num.
- port-channel p_num port-channel interface specified by p_num.

Related Commands

tap aggregation places the switch in TAP-aggregation configuration mode.
mode (tap-agg configuration mode) configures the switch’s TAP-aggregation mode.

Guidelines

In order for a TAP-aggregation switch to receive PTP traffic, the upstream device to which it is connected should be set to statically send PTP multicast traffic to the connected port on the switch.

Since IGMP snooping is disabled on TAP-aggregation switches and with no configuration to support sending upstream join messages in such a state, the messages are transmitted statically from the upstream device. Once the upstream messages are received, the port will move to the slave state and follow the standard PTP mechanism.

Example

These commands place the switch in TAP-aggregation configuration mode and place Ethernet interface 21/3 in no-errdisable mode.

switch(config)#tap aggregation
switch(config-tap-agg)#mode exclusive
switch(config-tap-agg)#mode exclusive no-errdisable ethernet 21/4
switch(config-tap-agg)#

platform fm6000 keyframe device

The platform fm6000 keyframe device command configures the 16-bit number that the specified keyframe lists as the device ID in its payload. By default, the device value placed in the specified keyframes is 0.

The no platform fm6000 keyframe device and default platform fm6000 keyframe device commands restore the default device ID insertion value of 0 for the specified keyframe by removing the corresponding platform fm6000 keyframe device command from running-config. The no platform fm6000 keyframe and default platform fm6000 keyframe command also removes the corresponding platform fm6000 keyframe device command from running-config.

Command Mode

Global Configuration

Command Syntax

platform fm6000 keyframe kf_name device device_id

no platform fm6000 keyframe kf_name device

default platform fm6000 keyframe kf_name device

Parameters

kf_name keyframe name.
device_id value inserted in keyframe’s device ID field. Values range from 0 to 65535. Default is 0.

Example

These commands enable the generation of a keyframe named “key-1,” then configure 100 as the value that is placed in the keyframe’s device ID field.

switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#platform fm6000 keyframe key-1 device 100
switch(config)#

platform fm6000 keyframe fields skew

Keyframes may optionally include skew numerator and skew denominator fields. These skew fields form a ratio indicating the ASIC clock skew. If the ratio is greater than 1, the clock is skewed fast; if the ratio is less than 1, the clock is skewed slow. Clock skew fields are omitted by default.

The platform fm6000 keyframe fields skew command enables the inclusion of clock skew fields in the keyframe.

The no platform fm6000 keyframe fields skew and default platform fm6000 keyframe fields skew commands remove the clock skew fields from the keyframe.

Command Mode

Global Configuration

Command Syntax

platform fm6000 keyframe kf_name fields skew

Parameters

kf_name keyframe name.

Example

This command enables the inclusion of clock skew fields in the keyframe named “key-1.”

switch(config)#platform fm6000 keyframe key-1 fields skew
switch(config)#

platform fm6000 keyframe rate

The platform fm6000 keyframe rate command specifies the transmission rate for the specified keyframe from each interface from which it is configured to egress. By default, one keyframe is sent per second.

The no platform fm6000 keyframe rate and default platform fm6000 keyframe rate commands restore the default transmission rate for the specified keyframe of one per second by removing the corresponding platform fm6000 keyframe rate command from running-config. The no platform fm6000 keyframe and default platform fm6000 keyframe command also removes the corresponding platform fm6000 keyframe rate command from running-config.

Command Mode

Global Configuration

Command Syntax

platform fm6000 keyframe kf_name rate tx_rate

Parameters

kf_name the keyframe’s name.
tx_rate keyframe transmission rate (frames per second). Values range from 1 to 100. Default value is 1.

Example

These commands enable the generation of a keyframe named “key-1,” then configure the generation rate for the keyframe of 10 frames per second on each of the five interfaces that it is configured to egress.

switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 
10.4E21.9F11
switch(config)#platform fm6000 keyframe key-1 rate 10
switch(config)#

platform fm6000 keyframe source

The platform fm6000 keyframe source command configures the source IP address that the specified keyframe lists in its IP header. By default, keyframes use the IP address of the management interface as their source address.

The no platform fm6000 keyframe source and default platform fm6000 keyframe source commands restore the management interface IP address as the specified keyframe’s source IP address by removing the corresponding platform fm6000 keyframe source command from running-config. The no platform fm6000 keyframe and default platform fm6000 keyframe command also removes the corresponding platform fm6000 keyframe source command from running-config.

Command Mode

Global Configuration

Command Syntax

platform fm6000 keyframe kf_name source ip ipv4_addr

no platform fm6000 keyframe

kf_name source ip

default platform fm6000 keyframe kf_name source ip

Parameters

kf_name keyframe’s name.
ipv4_addr keyframe’s source IPv4 address (dotted decimal notation).

Example

These commands enable the generation of a keyframe named “key-1,” then sets the keyframe source IP address to 10.1.1.101.

switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#platform fm6000 keyframe key-1 source 10.1.1.101
switch(config)#

platform fm6000 keyframe

The platform fm6000 keyframe command enables keyframe generation for data streams transmitted from specified ethernet interfaces. Keyframes are routable IP packets that the switch inserts into a data stream to provide contextual information that correlate timestamps inserted into data packets with absolute UTC time and the switch’s complete ASIC time counter.

The switch supports a maximum of ten keyframes. The keyframe name is the label that distinguishes different keyframes. Each keyframe can egress from every ethernet port. Command options specify the destination MAC address and IP address in the keyframe’s header. Other keyframe commands specify the transmission rate and the frame’s source.

The no platform fm6000 keyframe and default platform fm6000 keyframe commands disable generation of the specified keyframe by deleting the corresponding platform fm6000 keyframe command from running-config. These command also remove all supporting platform fm6000 keyframe commands for the specified keyframe.

Command Mode

Global Configuration

Command Syntax

platform fm6000 keyframe kf_name interface ethernet e_range ipv4_addr mac_addr

no platform fm6000 keyframe kf_name

default platform fm6000 keyframe kf_name

Parameters

kf_name the keyframe’s name.
e_range Ethernet interface range over which the keyframe egresses. Valid formats include number, range, or comma-delimited list of numbers and ranges.
ipv4_addr destination IPv4 address inserted into keyframes (dotted decimal notation).
mac_addr destination MAC address inserted into keyframes (48-bit dotted hex notation).

Guidelines

Subsequent issuance of this command for a specified keyframe replaces the existing command in running-config. Ethernet interfaces are inserted into an existing keyframe only by issuing the complete command that identifies all interfaces through which the keyframe is transmitted.

Example

This command enables the generation of a keyframe named “key-1.” This keyframe egresses from Ethernet interfaces 11 through 15 and specifies a source IP address of 10.21.1.4 and a MAC address of 10.4E21.9F11.

switch(config)#platform fm6000 keyframe key-1 interface ethernet 11-15 10.21.1.4 10.4E21.9F11
switch(config)#

platform sand multicast replication default

The platform sand multicast replication default command configures the default replication mode on Sand platform switches. The factory default replication mode differs in various scenarios as follows:

The default replication mode on switches with fabric is fabric-egress mode.
The default replication mode on switches with single Fabric Access Processor (FAP) systems is ingress mode.
The default replication mode on switches without fabric barring single FAP systems is ingress-egress mode.
If a tool group with less than 60 LAGs has at least one hardware LAG, then the default replication mode of the tool group is ingress-only mode. Else the default replication mode of the tool group is the one configured across all LAGs in the tool group.

The default platform sand multicast replication default and no platform sand multicast replication default commands revert the current state to the factory default behavior.

Command Mode

Global Configuration

Command Syntax

platform sand multicast replication default {fabric-egress | ingress}

no platform sand multicast replication default

default platform sand multicast replication default

Parameters

fabric-egress configures the replication mode to use fabric-egress VoQ buffers.
ingress configures the replication mode to use ingress VoQ buffers.

Guidelines

This command is supported on Sand platforms only.

Related Commands

Example

This command configures the default replication mode to ingress.

switch(config)#platform sand multicast replication default ingress
switch(config)#

platform sand multicast replication ingress maximum

The platform sand multicast replication ingress maximum command configures maximum members for ingress-only replication.

The default platform sand multicast replication ingress maximum command reverts the maximum members for ingress-only replication to the default value.

The no platform sand multicast replication ingress maximum command deletes the maximum member value for ingress-only replication.

Command Mode

Global Configuration

Command Syntax

platform sand multicast replication ingress maximum max_value

no platform sand multicast replication ingress maximum

default platform sand multicast replication ingress maximum

Parameters

max_value specifies the maximum number of members for ingress-only replication. Values range from 1 to 64. The default value is 64.

Note: max_value for a single FAP Jericho system ranges from 1 to 4096.

Guidelines

This command is supported on Sand platforms only.

Related Commands

Example

This command specifies a maximum of sixty-three members for ingress-only replication.

switch(config)#platform sand multicast replication ingress maximum 63
switch(config)#

policy-map type tapagg

The policy-map type tapagg command places the switch in policy-map (tapagg) configuration mode, which is a group-change mode that modifies a TAP-aggregation policy map. A TAP-aggregation policy map is a data structure that consists of class maps and match statements that filter a specific data stream. Packets in that data stream are either managed as specified by a TAP aggregation group or modified to add a VLAN identity tag. Policy maps manage traffic when applied to an Ethernet or port-channel interface.

The exit command saves pending policy map changes to running-config and returns the switch to global configuration mode. Policy map changes are also saved by entering a different configuration mode. The abort command discards pending changes, returning the switch to global configuration mode.

The no policy-map type tapagg and default policy-map type tapagg commands delete the specified policy map by removing the corresponding policy-map type tapagg command and the associated policy map statements from running-config.

Command Mode

Global Configuration

Command Syntax

policy-map type tapagg map_name

no policy-map type tapagg map_name

default policy-map type tapagg map_name

Parameters

map_name name of policy map.

Commands Available in Policy-Map Configuration Mode

Related Commands

Example

This command creates the TAP-aggregation policy map named “t-policy_1” and places the switch in policy-map configuration mode.

switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#

resequence (class-map (tapagg))

The resequence command assigns sequence numbers to access control lists (ACLs) in the configuration mode TAP-aggregation class map. Sequence numbers denote an ACL’s priority within the class map. Command parameters specify the number of the first ACL and the numeric interval between consecutive ACLs.

Maximum rule sequence number is 4294967295.

Command Mode

Class-map (tagagg) Configuration

accessed with the class-map type tapagg command

Command Syntax

resequence [start_num [inc_num]]

Parameters

start_num sequence number assigned to the first rule. Default is 10.
inc_num numeric interval between consecutive rules. Default is 10.

Example

These commands display a policy map whose entities were entered with default sequence numbers, then renumber the contents.

switch(config-pmap-t-policy_1)#show active
 policy-map type tapagg t-policy_1
 10 match ip ospf any any set aggregation-group t-group
 20 class fred
set aggregation-group t-group id-tag 444
 30 class t-class_2
set id-tag 500
 40 class t-class_3
set id-tag 600
 50 class t-class_4
set id-tag 700
switch(config-pmap-t-policy_1)#resequence 100 20
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
 policy-map type tapagg t-policy_1
 100 match ip ospf any any set aggregation-group t-group
 120 class fred
set aggregation-group t-group id-tag 444
 140 class t-class_2
set id-tag 500
 160 class t-class_3
set id-tag 600
 180 class t-class_4
set id-tag 700
switch(config-pmap-t-policy_1)#

resequence (policy-map (tapagg))

The resequence command assigns sequence numbers to classes and rules in the configuration mode TAP-aggregation policy map. Sequence numbers denote the priority of a class or rule within the policy map. Command parameters specify the number of the first policy map entity and the numeric interval between consecutive entities.

Maximum rule sequence number is 4294967295.

Command Mode

Policy-Map (tapagg) Configuration

accessed with the class (policy-map (tapagg)) command

Command Syntax

resequence [start_num [inc_num]]

Parameters

start_num sequence number assigned to the first rule. Default is 10.
inc_num numeric interval between consecutive rules. Default is 10.

Example

These commands display a policy map whose entities were entered with default sequence numbers, then use the resequence command to renumber the contents.

switch(config-pmap-t-policy_1)#show active
 policy-map type tapagg t-policy_1
 10 match ip ospf any any set aggregation-group t-group
 20 class fred
set aggregation-group t-group id-tag 444
 30 class t-class_2
set id-tag 500
 40 class t-class_3
set id-tag 600
 50 class t-class_4
set id-tag 700
switch(config-pmap-t-policy_1)#resequence 100 20
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
 policy-map type tapagg t-policy_1
 100 match ip ospf any any set aggregation-group t-group
 120 class fred
set aggregation-group t-group id-tag 444
 140 class t-class_2
set id-tag 500
 160 class t-class_3
set id-tag 600
 180 class t-class_4
set id-tag 700
switch(config-pmap-t-policy_1)#

service-policy type tapagg (Interface mode)

The service-policy type tapagg command applies a specified TAP-aggregation policy map to the configuration-mode interface. A policy map is a data structure that identifies data traffic through class maps and match rules, then specifies the method of replicating the traffic. This command is active only when TAP aggregation mode is enabled on the switch.

The no service-policy type tapagg and default service-policy type tapagg commands remove the policy map assignment from the configuration mode interface by deleting the corresponding service-policy tapagg command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port-Channel Configuration

Command Syntax

service-policy type tapagg input policymap_name

Parameters

inputpolicy map applies to inbound packet streams.This is the only option.
map_name mame of policy map.

Guidelines

A policy map that is attached to a port-channel interface takes precedence for member interfaces of the port channel over their individual Ethernet interface configuration. Members that are removed from a port channel revert to the policy-map implementation specified by its Ethernet interface configuration.

Related Commands

class (policy-map (tapagg)) places the switch in policy-map configuration mode to create a policy map.

Example

These commands apply the “t-policy_1” policy map to Ethernet interface 17.

switch(config)#interface ethernet 17
switch(config-if-Et17)#service-policy type tapagg input t-policy_1
switch(config-if-Et17)#

set (policy-map-class (tapagg))

The set command specifies the data replication method for traffic filtered by the associated class map in the configuration-mode policy map. The set command specifies one of these replication actions for filtered data packets:

specifies an aggregation group.
specifies a VLAN identity tag for replicated packets.
specifies an aggregation group and a VLAN identity tag.

The no set and default set commands remove the specified set command data action from the configuration-mode class by deleting the associated set command from running-config.

Command Mode

Policy-map-class (tapagg) Configuration

accessed using the class (policy-map (tapagg)) command

Command Syntax

set SET_VALUE

no set SET_VALUE

default set SET_VALUE

Parameters

SET_VALUE specifies the replication method for filtered packets. Options include:
- aggregation group agg_group replication specified by aggregation group.
- id-tag VLAN_number packet is identity tagged with specified VLAN number. VLAN numbers range from 1 to 4094.
- aggregation group agg_group id-tag VLAN_number assigns aggregation group and identity tag (VLAN number). VLAN numbers range from 1 to 4094.

Related Commands

policy-map type tapagg places the switch in policy-map (tapagg) configuration mode.
class (policy-map (tapagg)) assigns a class to the policy-map configuration mode.
match (policy-map (tapagg)) assigns a rule to the policy-map configuration mode.

Guidelines

When a class is not associated with a set command, the filtered traffic is managed as specified by the TAP port’s default aggregation group.

Example

These commands place the switch in policy-map-class to add the “t-class_1” class map to the “t-policy_1” policy map. Packets filtered by the class map are identity tagged with VLAN 444 and replicated as specified through the “t-group” aggregation group.

switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#class t-class_1
switch(config-pmap-c-t-policy_1-t-class_1)#set aggregation-group t-group id-tag 
444
switch(config-pmap-c-t-policy_1-t-class_1)#exit
switch(config-pmap-t-policy_1)#exit
switch(config)#policy-map type tapagg t-policy_1
switch(config-pmap-t-policy_1)#show active
 policy-map type tapagg t-policy_1
 10 class t-class_1
set aggregation-group t-group id-tag 444
switch(config-pmap-t-policy_1)#

show interfaces tap

The show interfaces tap command displays TAP-port configuration information for the specified interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] tap [INFO_LEVEL]

Parameters

INTERFACE interface type and numbers. Options include:
- <no parameter> all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- management m_range management interface range specified by m_range.
- port-channel p_range port-channel interface range specified by p_range.
  Valid e_range, m_range, and p_range formats include number, number range, or comma-delimited list of numbers and ranges.
INFO_LEVEL amount of information that is displayed. Options include:
- <no parameter> command displays table that summarizes TAP data.
- detail command displays TAP data summary table and a list of ACLS applied to TAP ports.

Examples

This command displays TAP-port configuration information for Ethernet interfaces 36 through 40.

switch#show interface ethernet 31-35 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et31taptap30131 0tag_1
Et32taptap11320tag_1
Et33taptap3032330tag_1
Et34taptap13340tag_3
Et35taptap13450tag_3
switch#

This command displays detailed TAP-port configuration information for Ethernet interface 31.

switch#show interface ethernet 31 tap detail
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et31taptap30131 0tag_1



PortACLs Applied
-------------------------------------------------------------------
switch#

show interfaces tool

The show interfaces tool command displays tool port configuration information for the specified interfaces.

Command Mode

EXEC

Command Syntax

show interfaces [INTERFACE] tool

Parameters

INTERFACE interface type and numbers. Options include:
- <no parameter> all interfaces.
- ethernet e_range Ethernet interface range specified by e_range.
- management m_range management interface range specified by m_range.
- port-channel p_range port-channel interface range specified by p_range.
  Valid e_range, m_range, and p_range formats include number, number range, or comma-delimited list of numbers and ranges.

Example

This command displays tool port configuration information for Ethernet interfaces 36 through 40.

switch#show interface ethernet 36-40 tool
PortConfigured Status Allowed Id Timestamp
ModeVlans TagMode
-----------------------------------------------------------------------
Et36tool tool 201-205 OffNone
Et37tool tool 201-205 OffNone
Et38tool tool 201-205 OffNone
Et39access errdisabledAll OffNone
Et40tool tool All On None

switch#

show platform fm6000 keyframe

The show platform fm6000 keyframe command displays configured information for the specified keyframes. Keyframes are routable IP packets that the switch inserts into a data stream to provide contextual information that correlate timestamps inserted into data packets with the absolute UTC time and the switch’s complete ASIC time counter.

Command Mode

Privileged EXEC

Command Syntax

show platform fm6000 keyframe [KEYFRAME_ID]

Parameters

KEYFRAME_ID specifies keyframes that the command displays. Options include:
- <no parameter> command displays all configured keyframes.
- kf_name specifies a single keyframe to display information for.

Example

This command displays information concerning the three keyframes that the switch sends.

switch#show platform fm6000 keyframe
Keyframe key-2
------------------------
Egress Interface(s): Ethernet17, Ethernet18, Ethernet19, Ethernet20, Ethernet21
Source IP: 10.22.30.144
Destination IP: 10.21.1.14
Destination MAC: 00:09:00:09:00:09
Device ID: 0
Rate: 5 packet(s) per second

Keyframe key-1
------------------------
Egress Interface(s): Ethernet11, Ethernet12, Ethernet13, Ethernet14, Ethernet15
Source IP: 10.22.30.146
Destination IP: 10.21.1.4
Destination MAC: 00:10:4e:21:9f:11
Device ID: 0
Rate: 2 packet(s) per second

switch#

show platform sand mcast capacity

The show platform sand mcast capacity command displays the usage details of hardware resources on Sand platform switches.

Command Mode

EXEC

Command Syntax

show platform sand mcast capacity [threshold threshold_value]

Parameters

threshold threshold_value displays the list of resources whose usage percentage is greater than or equal to the specified threshold value. Values range from 0 to 100. The default value is 100.

Guidelines

This command is supported on Sand platforms only.

Examples

This command displays the usage details of hardware resources on a Sand platform switch.

switch#show platform sand mcast capacity

Multicast Resources
-------------------
'*' - Applies to all Modules
'-' - Not applicable
 TCAM Resources
--------------------------------------------------------------------------
ResourceModuleTotal Used Used%

 v4 MC TCAM Linecard3-Jericho3/0 40962 0.0
 v4 MC TCAM Linecard5-Jericho5/0 409650612.4

 Replication Table Resources
--------------------------------------------------------------------------
ResourceModuleTotal Used Used%

Multicast Table Row
Linecard3-Jericho3/0.026214310586 4.0
Linecard3-Jericho3/1.026214310576 4.0
Linecard3-Jericho3/0.126214310586 4.0
Linecard3-Jericho3/1.126214310576 4.0
Linecard6-Jericho6/2.026214310576 4.0

switch#

show tap aggregation groups

The show tap aggregation groups command displays the TAP and tool port members of the specified TAP aggregation groups.

Command Mode

EXEC

Command Syntax

show tap aggregation groups [INFO_LEVEL] [GROUP_NAMES]

Parameters

INFO_LEVEL port information to display. Options include:
- <no parameter> displays active TAP and tool ports.
- detail displays all configured TAP and tool ports, including inactive ports.
GROUP_NAMES TAP aggregation groups. Options include:
- <no parameter> displays information for all TAP aggregation groups.
- group_list displays information for the specified TAP aggregation group list.
Valid group_list format is a space-delimited list of one or more TAP aggregation group names.

Example

This command displays the contents of all configured TAP aggregation groups.

switch#show tap aggregation groups
Group NameTool Members
---------------------------------------------------------
analyze2Po101, Po102
analyze3Po101, Po103

Group NameTap Members
---------------------------------------------------------
analyze2Et41, Et42
analyze3Et43
switch#

switchport tap allowed vlan

The switchport tap allowed vlan command creates or modifies the list of VLANs for which the configuration mode interface, in TAP mode, handles tagged traffic. By default, interfaces handle tagged traffic for all VLANs. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP aggregation mode.

The no switchport tap allowed vlan and default switchport tap allowed vlan commands restore the TAP mode default allowed VLAN setting of all by removing the corresponding switchport tap allowed vlan statement from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port Channel Configuration

Command Syntax

switchport tap allowed vlan EDIT_ACTION

Parameters

EDIT_ACTION modifications to the VLAN list. Options include:
- v_range creates VLAN list from range of VLANs specified by v_range.
- add v_range adds specified VLANs to current list.
- all VLAN list contains all VLANs.
- except v_range VLAN list contains all VLANs except those specified by v_range.
- none VLAN list is empty (no VLANs).
- remove v_range removes VLANs specified by v_range from current list.
Valid v_range formats include number (1 to 4094), range, or comma-delimited list of numbers and ranges.

Example

These commands create the TAP mode allowed VLAN list of 26-30 for Ethernet interface 20.

switch(config)#interface ethernet 20
switch(config-if-Et20)#switchport tap allowed vlan 26-30
eswitch(config-if-Et20)#show active
interface Ethernet20
 switchport mode tap
 switchport tap allowed vlan 26-30
switch(config-if-Et20)#

switchport tap default group

The switchport tap default group command assigns the configuration-mode interface to the specified tool group as a TAP port member. TAP aggregation groups associate a set of TAP ports with a set of tool ports. Both TAP ports and tool ports may belong to multiple TAP aggregation groups.

The no switchport tap default group and default switchport tap default group commands remove the configuration-mode interface from the TAP aggregation group to which it is assigned by deleting the corresponding switchport tap default group statement from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-port Channel Configuration

Command Syntax

switchport tap default group group_name

no switchport tap default group

default switchport tap default group

Parameters

group_name tool group name.

Restriction

This command is only available on FM6000 platform switches.

Example

These commands assign port channel 101 to TAPs aggregation group “tag-1.”

switch(config)#interface port-channel 101
switch(config-if-Po101)#switchport tap default group tag-1
switch(config-if-Po101)#show interfaces port-channel 101 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Po101 access notconnect 110tag-1
switch(config)#

switchport tap identity

The switchport tap identity command associates a VLAN number to the configuration mode TAP interface. Tool ports that are configured to encapsulate packets with an dot1q-style tag enter the number specified by this command as the s-VLAN (tier 1) for packets received from this TAPs port. The default identity value is 1.

The no switchport tap identity and default switchport tap identity commands restore VLAN 1 as the configuration-mode ports’s identity VLAN by removing the corresponding switchport tap identity command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port Channel Configuration

Command Syntax

switchport tap identity port_id

no switchport tap identity

default switchport tap identity

Parameters

port_id port’s identity VLAN. Values range from 1 to 4094. Default is 1.

Related Commands

switchport tool identity configures a tool port to encapsulate packets received from TAP ports.

Restriction

This command is available only on FM6000 platform switches.

Example

These commands 171 as the identity value for Ethernet interface 17.

switch(config)#interface ethernet 17
switch(config-if-Et17)#switchport tap identity 171
switch(config-if-Et17)#show active
interface Ethernet17
 switchport tap identity 171
switch(config-if-Et17)#show interfaces ethernet 17 tap

PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et17access connected1171 0
switch(config-if-Et17)#

switchport tap native vlan

The switchport tap native vlan command specifies the TAP-mode native VLAN for the configuration-mode interface. Interfaces in TAP mode associate untagged frames with the native VLAN. The default native VLAN for all interfaces is VLAN 1. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP mode.

The no switchport tap native vlan and default switchport tap native vlan commands restore VLAN 1 as the TAP-mode native VLAN to the configuration-mode interface by removing the corresponding switchport tap native vlan command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port Channel Configuration

Command Syntax

switchport tap native vlan v_num

no switchport tap native vlan

default switchport tap native vlan

Parameters

v_num TAP-mode native VLAN ID. Values range from 1 to 4094. Default is 1.

Restriction

This command is available only on FM6000 platform switches.

Example

These commands assign VLAN 25 as the TAP-mode native VLAN for Ethernet interface 7.

switch(config)#interface ethernet 7
switch(config-if-Et7)#switchport tap native vlan 25
switch(config-if-Et7)#show interface ethernet 7 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et7 tool connected25 1 0---
switch(config-if-Et7)#

switchport tap truncation

The switchport tap truncation command configures the configuration-mode interface, as a TAP port, to truncate inbound packets to the specified packet size. This command is in effect when the port is in TAP mode and the switch is in TAP aggregation mode. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP mode. By default, TAP ports do not truncate inbound packets.

The no switchport tap truncation and default switchport tap truncation commands restore the default behavior of not truncating packets received by the configuration-mode interface by removing the corresponding switchport tap truncation command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port Channel Configuration

Command Syntax

switchport tap truncation packet_size

no switchport tap truncation

default switchport tap truncation

Parameters

packet_size size of truncated packets (bytes). Values range from 100 to 9236. Default value of 0 corresponds to not truncating packets.

Restriction

This command is available only on FM6000 platform switches.

Examples

These commands configure Ethernet interface 38 to truncate packets to 150 bytes.

switch(config)#interface ethernet 38
switch(config-if-Et38)#switchport tap truncation 150
switch(config-if-Et38)#show interface ethernet 38 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et38access notconnect 11 150---
switch(config-if-Et38)#

These commands configure Ethernet interface 38 to send complete packets to tool ports in its TAP aggregation group.

switch(config-if-Et38)#no switchport tap truncation
switch(config-if-Et38)#show interface ethernet 38 tap
PortConfigured Status Native Id Truncation Default
ModeVlan VlanGroup
-----------------------------------------------------------------------
Et38access notconnect 11 0---
switch(config-if-Et38)#

switchport tool allowed vlan

The switchport tool allowed vlan command creates or modifies the list of VLANs for which the configuration-mode interface, in tool mode, handles tagged traffic. By default, interfaces handle tagged traffic for all VLANs. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in TAP aggregation mode.

The no switchport tool allowed vlan and default switchport tool allowed vlan commands restore the tool mode default allowed VLAN setting of all by removing the corresponding switchport tool allowed vlan statement from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port Channel Configuration

Command Syntax

switchport tool allowed vlan EDIT_ACTION

Parameters

EDIT_ACTION modifications to the VLAN list. Options include:
- v_range creates VLAN list from v_range.
- add v_range adds specified VLANs to current list.
- all VLAN list contains all VLANs.
- except v_range VLAN list contains all VLANs except those specified.
- none VLAN list is empty (no VLANs).
- remove v_range removes specified VLANs from current list.

Valid v_range formats include number, range, or comma-delimited list of numbers and ranges.

Example

These commands create the tool mode allowed VLAN list of 16-20 for Ethernet interface 38.

switch(config)#interface ethernet 38
switch(config-if-Et38)#switchport tool allowed vlan 16-20
switch(config-if-Et38)#show interfaces ethernet 38 tool
PortConfigured Status Allowed Id Timestamp
ModeVlans TagMode
-----------------------------------------------------------------------
Et38access notconnect 16-20 OffNone
switch(config-if-Et38)#

switchport tool group

The switchport tool group command modifies the configuration-mode interface’s tool port membership in the specified TAP aggregation groups. Tool ports may belong to multiple TAP aggregation groups. Command options for configuring a port’s TAP aggregation group membership include:

specifying the groups to which the port belongs (supersedes the port’s previous group memberships).
adding to the list of groups to which the port belongs.
deleting from the list of groups to which the port belongs.

TAP aggregation groups associate a set of TAP ports with a set of tool ports. A TAP port can belong to a maximum of one default TAP aggregation group.

The no switchport tool default group and default switchport tool default group commands remove the configuration-mode interface from all TAP aggregation groups to which it is assigned as a tool port by modifying the corresponding statements in running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port Channel Configuration

Command Syntax

switchport tool group EDIT_ACTION

Parameters

EDIT_ACTION specifies changes to the list of groups to which the port belongs
- add group_list specifies additional groups to which the port belongs.
- remove group_list removes interface as a tool port member from specified groups.
- set group_list specifies groups to which interface belongs as a tool port.

Valid group_list format is a space-delimited list of one or more TAP aggregation group names.

Restriction

This command is available only on FM6000 platform switches.

Examples

These commands associate interface Ethernet 40 with three TAP aggregation groups.

switch(config)#interface ethernet 40
switch(config-if-Et40)#switchport tool group set tag-1 tag-2 tag-3
switch(config-if-Et40)#show active
interface Ethernet40
 switchport tool group set tag-3 tag-2 tag-1
switch(config-if-Et40)#

These commands add tag-7 to the tap aggregation groups to which Ethernet interface 40 belongs.

switch(config-if-Et40)#switchport tool group add tag-7
switch(config-if-Et40)#show active
interface Ethernet40
 switchport tool group set tag-3 tag-7 tag-2 tag-1
switch(config-if-Et40)#

These commands specify “tag-9” as the only group to which Ethernet interface 40 belongs.

switch(config-if-Et40)#switchport tool group set tag-9
switch(config-if-Et40)#show active
interface Ethernet40
 switchport tool group set tag-9
switch(config-if-Et40)#

switchport tool identity

The switchport tool identity command configures the configuration-mode interface to add a tier-1 VLAN tag (dot1q) to packets it receives from TAP ports. The VLAN number on the dot1q tag is specified by the switchport tap identity command configured for the TAP port that supplies the packets. By default, tool ports do not encapsulate packets with the tier-1 VLAN tag.

The no switchport tool identity and default switchport tool identity commands restore the default VLAN handling method for the configuration-mode interface by removing the corresponding switchport tool identity statement from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port Channel Configuration

Command Syntax

switchport tool identity dot1q

no switchport tool identity dot1q

default switchport tool identity dot1q

Restriction

This command is available only on FM6000 platform switches.

Example

These commands configure Ethernet interface 40 to include a dot1q tag on egress packets.

switch(config)#interface ethernet 40
switch(config-if-Et40)#switchport tool identity dot1q
switch(config-if-Et40)#show active
interface Ethernet40
 switchport mode tool
 switchport tool identity dot1q
 switchport tool group set tag-9
switch(config-if-Et40)#

switchport tool truncation

The switchport tool truncation command configures the configuration-mode interface, as a tool port, to truncate outbound packets to 160 bytes. This command is in effect when the port is in tool mode and the switch is in TAP aggregation mode. Command settings persist in running-config without taking effect when the switch is not in TAP aggregation mode or the interface is not in tool mode. By default, tool ports do not truncate outbound packets.

The no switchport tool truncation and default switchport tool truncation commands restore the default behavior (not truncating packets that exit the configuration mode interface) by removing the corresponding switchport tool truncation command from running-config.

Command Mode

Interface-Ethernet Configuration

Interface-Port Channel Configuration

Command Syntax

switchport tool truncation packet_size

no switchport tool truncation

default switchport tool truncation

Parameters

packet_size size of truncated packets in bytes. The only permitted value is 160.

Examples

These commands configure Ethernet interface 38, as a tool port, to truncate packets on egress to 160 bytes.

switch(config)#interface ethernet 38
switch(config-if-Et38)#switchport mode tool
switch(config-if-Et38)#switchport tool truncation 160
switch(config-if-Et38)#

These commands configure Ethernet interface 38 to send complete packets.

switch(config)#interface ethernet 38
switch(config-if-Et38)#no switchport tool truncation
switch(config-if-Et38)#

tap aggregation

The tap aggregation command places the switch in TAP-aggregation configuration mode. The switch’s TAP aggregation mode is enabled or disabled by the mode command in TAP-aggregation configuration mode.

When TAP aggregation mode is enabled, normal switching and routing operations are disabled. A port’s switchport status depends on the switch’s TAP aggregation mode and the port’s switchport mode:

TAP aggregation mode enabled: TAP and tool ports are enabled. Switching ports are errdisabled.
TAP aggregation mode disabled: TAP and tool ports are errdisabled. Switching ports are enabled.

The no tap aggregation and default tap aggregation commands disable tap aggregation mode on the switch by removing all TAP-aggregation configuration mode commands from running-config.

TAP-aggregation configuration mode is not a group-change mode; running-config is changed immediately upon entering commands. Exiting TAP-aggregation configuration mode does not affect running-config. The exit command returns the switch to global configuration mode.

Command Mode

Global Configuration

Command Syntax

tap aggregation

no tap aggregation

default tap aggregation

Commands Available in TAP-aggregation Configuration Mode

mode (tap-agg configuration mode)

Related Commands

switchport mode

Example

These commands place the switch in TAP-aggregation configuration mode and enable TAP aggregation.

switch(config)#tap aggregation
switch(config-tap-agg)#mode exclusive
switch(config-tap-agg)#show active
tap aggregation
 mode exclusive
switch(config-tap-agg)#

This command disables TAP aggregation and removes all TAP-aggregation configuration mode commands from running-config.
```
switch(config)#no tap aggregation
switch(config)#
```