Packet mirroring model
New model for configuring packet mirroring
```
module: openconfig-mirror
  +--rw mirroring
     +--rw sessions
        +--rw session* [name]
           +--rw name      -> ../config/name
           +--rw config
           |  +--rw name?                  string
           |  +--rw mirror-action?         mirror-action
           |  +--rw enabled?               boolean
           |  +--rw interfaces*            -> /oc-if:interfaces/interface/name
           |  +--rw direction?             enumeration
           |  +--rw acl?                   -> /oc-acl:acl/acl-sets/acl-set/name
           |  +--rw source-address?        oc-inet:ip-address
           |  +--rw destination-address?   oc-inet:ip-address
           |  +--rw network-instance?      oc-ni:network-instance-ref
           |  +--rw max-capture-size?      uint32
           |  +--rw max-size?              uint32
           +--ro state
              +--ro name?                  string
              +--ro mirror-action?         mirror-action
              +--ro enabled?               boolean
              +--ro interfaces*            -> /oc-if:interfaces/interface/name
              +--ro direction?             enumeration
              +--ro acl?                   -> /oc-acl:acl/acl-sets/acl-set/name
              +--ro source-address?        oc-inet:ip-address
              +--ro destination-address?   oc-inet:ip-address
              +--ro network-instance?      oc-ni:network-instance-ref
              +--ro max-capture-size?      uint32
              +--ro max-size?              uint32
```
Implementations
References for packet mirroring with filtering to remote destination
Cisco IOS XR: https://www.cisco.com/c/en/us/td/docs/iosxr/cisco8000/Interfaces/73x/configuration/guide/b-interfaces-config-guide-cisco8k-r73x/configuring-traffic-mirroring.html#Cisco_Concept.dita_aef1adcd-7dd5-44f2-9f60-10fc37a99b05
Juniper JunOS: https://kb.juniper.net/InfoCenter/index?page=content&id=KB35163&actp=METADATA
Arista EOS: https://eos.arista.com/eos-4-15-3f/gre-filtered-mirroring/
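As an added example (not part of the PR or the OpenConfig project's code), a Python check of one session list entry, written as JSON-style data, against the config container in the tree above. The interface, ACL and address values are constructed; mirror-action and direction are left unchecked because the page lists no values for them.

```python
import ipaddress

UINT32_MAX = 2**32 - 1
# Leaf names and types copied from the config container of the tree above.
# "opaque" marks mirror-action and direction: the page lists no values for them.
CONFIG_LEAVES = {
    "name": "string", "mirror-action": "opaque", "enabled": "boolean",
    "interfaces": "leaf-list", "direction": "opaque", "acl": "string",
    "source-address": "ip", "destination-address": "ip",
    "network-instance": "string", "max-capture-size": "uint32", "max-size": "uint32",
}

def _type_ok(kind, value):
    if kind == "string":
        return isinstance(value, str)
    if kind == "boolean":
        return isinstance(value, bool)
    if kind == "uint32":  # bool is an int subclass in Python, so exclude it
        return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= UINT32_MAX
    if kind == "leaf-list":  # configuration leaf-list values must be unique (RFC 7950)
        return (isinstance(value, list) and all(isinstance(v, str) for v in value)
                and len(set(value)) == len(value))
    if kind == "ip":
        try:
            return isinstance(value, str) and ipaddress.ip_address(value) is not None
        except ValueError:
            return False
    return True  # opaque: not checked

def validate_session(entry):
    """Return the problems found in one mirroring/sessions/session list entry."""
    config = entry.get("config", {})
    problems = []
    for leaf, value in config.items():
        if leaf not in CONFIG_LEAVES:
            problems.append(f"{leaf}: not in the config container")
        elif not _type_ok(CONFIG_LEAVES[leaf], value):
            problems.append(f"{leaf}: invalid value {value!r}")
    # The list key "name" is a leafref to ../config/name, so both must agree.
    if "name" not in config or entry.get("name") != config["name"]:
        problems.append("name: list key must equal config/name")
    return problems

# Constructed sample (interface, ACL and address values are made up).
SAMPLE = {"name": "mirror-1", "config": {
    "name": "mirror-1", "enabled": True, "interfaces": ["Ethernet1", "Ethernet2"],
    "acl": "MIRROR-FILTER", "source-address": "192.0.2.1",
    "destination-address": "198.51.100.10", "max-capture-size": 128}}
```

`validate_session(SAMPLE)` returns an empty list; an entry whose key differs from `config/name`, or whose `destination-address` is not a valid IP address, comes back with one message per problem.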
Compatibility Report for commit 7f5919b3f52d1908eafc3367763acbaa87ece7a3: ⛔ yanglint@SO 1.10.17
Some initial comments/feedback:
- Various implementations do not implement port-mirroring in this fashion thus this caters closer to 1 specifically. Implementation differences can vary greatly here much like is seen in various other domains.
- For remote mirroring, there are generally 2 methods to implement encap:
  - Inline encap defining the tunnel attributes directly within the domain (as is this PR)
  - Tunnel interfaces where policies are defined separately (e.g. ACL) with specific actions to direct mirrored traffic
- In addition, this specifies the mirror source (or ACL defining interesting traffic) directly within a domain. An alternative is to leverage ACLs applied to interfaces that co-exist for alternate purposes to set an action of 'mirror' for a given ACE.
If an implementation supports the inverse as described above, then not only would this present various constructs unaccounted for (e.g. tunnel interface creation, ACL definition) but also issues with co-existence of any other domains that translate to an underlying ACL applied to an interface.
No major YANG version changes in commit 57df349553008d50d059e6f59765af7987bd1689
Open question: should enable/disable be defined as a gNOI rather than configuration? If the intent is that an enabled mirror session is ephemeral and should not be persisted across reboots, then the mirror enable/disable should be moved into a gNOI action instead of config. I appreciate any feedback on this.