For more information, see Configuring the OpFlex support for ERSPAN with OVS on OpenStack setups.

For more information, see Configuring the OpFlex support for ERSPAN with OVS on OpenStack setups.

For more information, see Verify the OpFlex support for ERSPAN with OVS.

This release introduces support for ERSPAN sessions on OpenStack ports. ERSPAN sessions are configured using the --apic-erspan-config option in the OpenStack python client/CLI. This option is supprted both when creating and updating a port in OpenStack.

# openstack port create --apic-erspan-config <apic_erspan_config> --network <network> <name>
# openstack port set --apic-erspan-config <apic_erspan_config> <port>

The <apic_erspan_config> field consists of the following comma-separated parameters:

• 'dest-ip': the ERSPAN destination IP address

• 'flow-id': the flow ID to use for the session (1-1023)

• 'direction': 'in', 'out', or 'both' (port-centric)

The dest-ip and flow-id fields are mandatory, while the direction is optional (default value is "both"). The OpenStack port UUID plus direction define a unique ERSPAN source, while the destination IP and flow ID define a unique ERSPAN destination. ERSPAN sessions can only be active when the port is bound to an opflex type segment. This means that hierarchical port binding (HPB) and 'vlan' type segments are not supported, nor are SVI networks. Ports must also have a vnic_type of "normal", and have a device_owner prefix of "compute:". Multiple ERSPAN sessions can be applied to a single OpenStack port, simply by adding additional --apic-erspan-config options.

The status of the ERSPAN session can be examined through the apic:synchronization_state property of the port. Run the following command to see the state:

# openstack port show UUID or name-of-port

The aggregate state of the ERSPAN configuration is reflected in the port's apic_synchronization_state. This field can have the following values:

• N/A: Either:

  • The state has not yet been synced with ACI; or

  • There either is no ERSPAN state, or the port is not bound

• build: ERSPAN state is being synchronized with ACI

• error: ERSPAN state could not be synchronized with ACI

• synced: All ERSPAN state is synchronized with ACI. ERSPAN sessions should now be active

ERSPAN traffic is sent from the local vSwitch to the host, and the host's IP stack forwards the encapsulated packet. ERSPAN sessions may experience some drop-out when live-migrating the ports with ERSPAN configuration, due to port rebinding.

You can confirm the ERSPAN sessions on host vSwitches using the "ovs-vsctl show" command:

[root@overcloud-novacompute-0 heat-admin]# ovs-vsctl show
021cf127-1978-4096-9897-a5d0e0b20b23
    Manager "ptcp:6640:127.0.0.1"
        is_connected: true
....
    Bridge br-int
        fail_mode: secure
        Port "172.28.184.58-2"
            Interface "172.28.184.58-2"
                type: erspan
                options: {erspan_dir="1", erspan_hwid="4", erspan_ver="2", key="2", remote_ip="172.28.184.58"}
        Port "172.28.184.58-3"
            Interface "172.28.184.58-3"

When the port is unbound, the ERSPAN session is terminated. However, the ERSPAN configuration is still present in the port, and if the port is bound again, then the ERSPAN session will be resumed. The ERSPAN configuration state can only be removed explicitly or when the port is deleted. To remove all the ERSPAN configuration from the port, enter the following command:

# openstack port set --no-apic-erspan-config <port>

$ kubectl get crd
$ kubectl describe crd erspanpolicies.aci.erspan

A sample CRD yaml file is shown below:

apiVersion: aci.erspan/v1alpha
kind: ErspanPolicy
metadata:
  name: erspan-policy
  namespace: default
spec:
  selector:
    labels:
      app: consul
    namespace: default
  source:
    adminState: "start"
    direction: "both"
  destination:
    destIP: "1.1.1.1"
    flowID: 1

# gbp_inspect -prq SpanSession

$ ovs-vsctl list mirror