Add support for port mirroring CLIs #936
Conversation
Signed-off-by: Rupesh Kumar <rupesh-k.kumar@broadcom.com>
|
Thanks @prsunny for adding reviewers to swss port-mirroring PR. |
doc/Command-Reference.md
Outdated
| While adding a new SPAN session, users need to configure the following fields that are used while forwarding the mirrored packets. | ||
| 1) destination port, | ||
| 2) optional - List of source ports- List of source ports which can have both Ethernet and LAG ports. | ||
| 3) optional - Direction - Mirror session direction when configured along with Source port. |
There was a problem hiding this comment.
Could you specify the default direction as this is optional?
There was a problem hiding this comment.
When source port is specified, we can make direction default as both. Let me push that change.
There was a problem hiding this comment.
Done. taken care of this. Thanks.
|
|
||
| While adding a new SPAN session, users need to configure the following fields that are used while forwarding the mirrored packets. | ||
| 1) destination port, | ||
| 2) optional - List of source ports- List of source ports which can have both Ethernet and LAG ports. |
There was a problem hiding this comment.
Can we add a note that atleast one port/LAG is required for local span?
There was a problem hiding this comment.
we can have local span session with only destination port, which can be used in ACL mirroring.
Direction is optional in this case. Based on ingress/egress ACL, the corresponding flow gets mirrored.
| if validate_mirror_session_config(config_db, session_name, None, src_port, direction) is False: | ||
| return | ||
| config_db.set_entry("MIRROR_SESSION", session_name, session_info) | ||
| else: |
There was a problem hiding this comment.
@abdosi could you take a quick look at the multi-NPU logic here and make sure it looks OK to you?
There was a problem hiding this comment.
Validation need to be updated so that src_port and dst_port are in same asic/namespace.
TO_DO item (not blocking for this PR)
There was a problem hiding this comment.
Ok. will take of this in next PR. How do I validate this ?
|
Thanks alot @daall . |
| click.echo("Error: Destination Interface {} is invalid".format(dst_port)) | ||
| return False | ||
|
|
||
| if interface_is_in_vlan(vlan_member_table, dst_port): |
There was a problem hiding this comment.
If the port is a routed port, SPAN session is supported?
There was a problem hiding this comment.
No. Not supported. Please check in latest patchset.
| click.echo("Error: Destination Interface {} has vlan config".format(dst_port)) | ||
| return False | ||
|
|
||
| if interface_has_mirror_config(mirror_table, dst_port): |
There was a problem hiding this comment.
Not sure if I understand this correctly, can a single dst port cannot be a monitor (mirror-to) port
for multiple mirror sessions?
For example
case 1: mirror rx from Ethernet0 to Etherent4
case 2: mirror rx&tx from Ethernet2 to Etherent4
with the above check, case 2 will fail?
There was a problem hiding this comment.
Yes. This is not supported. We allow only one mirror session per port, The session can have any number of ports.
config/main.py
Outdated
| session_info['direction'] = direction.upper() | ||
|
|
||
| if policer is not None: | ||
| session_info['policer'] = policer |
There was a problem hiding this comment.
What is the need for policer and queue for SPAN sessions?
There was a problem hiding this comment.
This is existing support in community. This is to police the mirrored traffic.
|
|
||
| print(tabulate.tabulate(data, headers=header, tablefmt="simple", missingval="")) | ||
| if val.get("type") == "SPAN": |
There was a problem hiding this comment.
What is the need for policer and queue for SPAN sessions?
There was a problem hiding this comment.
same as above. Extending it to SPAN also.
|
Thanks @daall for the review. I have taken care of the comments. Can you please review again. |
Yes. sorry. :) i figured once u started first comment, will push in some time now. Thanks for quickly checking. |
|
Thanks @daall . I have resolved all comments. Can u please review. |
|
@daall @kperumalbfn @dev-aviz , Just like the request in the related PR, and given the imminent cutting of 202006 branch, can this PR be merged and any further updates to be made in 202006 branch? Thanks! |
|
@daall found some other places where it can be fixed for simpler validation. Modified and pushed. :) thanks |
|
@abdosi , missed to add you to my request to review and approve. |
|
|
||
| - Usage: | ||
| ``` | ||
| config mirror_session span add <session_name> <dst_port> [source-port-list] [direction] [queue] [policer <policer_name>] |
There was a problem hiding this comment.
this need to be enhance for Multi-asic platforms. dst port need to be on same asic where mirror session binded.
we need to enhance to take option -n and all dest port should be on same ASIC/namespace
We have enhanced similar for other features and PR# #878 with details
This can be TO_DO item and need not be needed with this PR
There was a problem hiding this comment.
Ok. thanks for sharing PR. will take care in next PR. please suggest on how can we validate these.
| for front_asic_namespaces in namespaces['front_ns']: | ||
| per_npu_configdb[front_asic_namespaces] = ConfigDBConnector(use_unix_socket_path=True, namespace=front_asic_namespaces) | ||
| per_npu_configdb[front_asic_namespaces].connect() | ||
| if validate_mirror_session_config(per_npu_configdb[front_asic_namespaces], session_name, dst_port, src_port, direction) is False: |
There was a problem hiding this comment.
Validation need to be updated so that src_port and dst_port are in same asic/namespace.
TO_DO item (not blocking for this PR)
|
retest this please |
| This command supports configuring both SPAN/ERSPAN sessions. | ||
| In SPAN user can configure mirroring of list of source ports/LAG to destination port in ingress/egress/both directions. | ||
| In ERSPAN user can configure mirroring of list of source ports/LAG to a destination IP. | ||
| Both SPAN/ERSPAN support ACL based mirroring and can be used in ACL configurations. |
There was a problem hiding this comment.
can we have Everflow ACL table with everflow mirror session and Data ACL Table with port based mirror session ?
|
|
||
| - Usage: | ||
| ``` | ||
| config mirror_session span add <session_name> <dst_port> [source-port-list] [direction] [queue] [policer <policer_name>] |
There was a problem hiding this comment.
Does it uses ACL internally ? Can we specify queue and policer without using ACL ? Also if does not use ACL internally can we police with direction as tx ?
Have we verified this combination and what is the behaviour at Sonic level if SAI return error for any of unsupported combination
* Add support for port mirroring CLIs Signed-off-by: Rupesh Kumar <rupesh-k.kumar@broadcom.com>
Signed-off-by: Rupesh Kumar rupesh-k.kumar@broadcom.com
- What I did
Port mirroring CLI implementation
HLD @ sonic-net/SONiC#58
- How I did it
Enhance existing mirror_session command to support port mirroring.
- How to verify it
Create ERSPAN/SPAN mirror session and verify show mirror_session.
- Previous command output (if the output of a command-line utility has changed)
config mirror_session add everflow0 10.1.1.1 12.1.1.1 10 10
root@sonic:/home/admin# show mirror_session
Name Status SRC IP DST IP GRE DSCP TTL Queue Policer Monitor Port SRC Port Direction
everflow0 active 10.1.1.1 12.1.1.1 10 10
- New command output (if the output of a command-line utility has changed)
config mirror_session add span sess1 Ethernet44 Ethernet40 rx
root@sonic:/home/admin# show mirror_session
ERSPAN Sessions
Name Status SRC IP DST IP GRE DSCP TTL Queue Policer Monitor Port SRC Port Direction
everflow0 active 10.1.1.1 12.1.1.1 0 10 10
SPAN Sessions
Name Status DST Port SRC Port Direction Queue Policer
sess1 active Ethernet44 Ethernet40 rx