Configure ICL Port Mirroring in a Multi-Tenant Architecture

  1. Run the following command to apply access control lists (ACLs) to Ethernet or port channel interfaces and to VLAN or virtual Ethernet interfaces:
    efa tenant epg create --name <epg-name> --tenant <tenant-name>
    
            --type port-profile
            --po <mirror-source-po-list>
            
            --pp-ipv6-acl-in <acl-name>
            --pp-ip-acl-in <acl-name> --pp-ip-acl-out <acl-name>
    
  2. Run the following commands to configure a mirror session:
    efa tenant service mirror session create --name <session-name> --tenant <tenant-name>
        --source {<device-ip>,<eth | po | vlan>,<if-name>}
        --type {<source-device-ip>,<eth | po | vlan>,<source-if-name>:<port-based | flow-based>}
    
        --destination-type {<source-device-ip>,<eth | po | vlan>,<source-if-name>:<span>}
        --destination {<source-device-ip>,<eth | po | vlan>,<source-if-name> :
                        <destination-device-ip>,<eth | po | vlan>,<destination-if-name>}
        --direction {<source-device-ip>,<eth | po | vlan>,<source-if-name> : <tx | rx | both>}
    
    
    (efa:root)root@node-2:~# efa tenant show
    +--------+--------+-------+-------+-------+-------+--------+-----------------------------+--------------------+
    | Name   |  Type  | VLAN  | L2VNI | L3VNI | VRF   | Enable |            Ports            |   Mirroring Ports  |
    |        |        | Range | Range | Range | Count | BD     |                             |                    |
    +--------+--------+-------+-------+-------+-------+--------+-----------------------------+--------------------+
    | shared | Shared |       |       |       |   0   | false  | 10.20.246.15[0/46-47]       | 10.20.246.15[0/31] |
    | Tenant |        |       |       |       |       |        | 10.20.246.16[0/46-47]       | 10.20.246.16[0/31] |
    |        |        |       |       |       |       |        | 10.20.246.21[0/9-10,0/46-48]| 10.20.246.21[0/31] |
    |        |        |       |       |       |       |        | 10.20.246.22[0/9-10,0/46-48]| 10.20.246.22[0/31] |
    |        |        |       |       |       |       |        |                             | 10.20.246.25[0/31] |
    |        |        |       |       |       |       |        |                             | 10.20.246.26[0/31] |
    +--------+--------+-------+-------+-------+-------+--------+-----------------------------+--------------------+
    
    
    (efa:root)root@node-2:~# efa tenant po show
    +---------+--------+----+--------+-----+-------------+----------+---------+-----------------------------+------------+-------------+-------------+
    |   Name  | Tenant | ID | Speed  | MTU | Negotiation | Min Link |  Lacp   |          Ports              |    State   |  Dev State  |  App State  |
    |         |        |    |        |     |             |   Count  | Timeout |                             |            |             |             |
    +---------+--------+----+--------+-----+-------------+----------+---------+-----------------------------+------------+-------------+-------------+
    | ten1po1 | ten1   | 64 | 10Gbps |     |    active   |    1     |   long  | 10.20.246.15[0/46-47]       | po-created | provisioned | cfg-in-sync |
    |         |        |    |        |     |             |          |         | 10.20.246.16[0/46-47]       |            |             |             |
    +---------+--------+----+--------+-----+-------------+----------+---------+-----------------------------+------------+-------------+-------------+
    | ten2po1 | ten2   | 64 | 10Gbps |     |    active   |    1     |   long  | 10.20.246.21[0/9-10,0/46-48]| po-created | provisioned | cfg-in-sync |
    |         |        |    |        |     |             |          |         | 10.20.246.22[0/9-10,0/46-48]|            |             |             |
    +---------+--------+----+--------+-----+-------------+----------+---------+-----------------------------+------------+-------------+-------------+
    Example
    efa tenant epg create --name ten1epg1 --tenant ten1 --type port-profile
             --po ten1po1
             --pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl
    efa tenant service mirror session create --name mirrorsession1 --tenant ten1
                  --source 10.20.246.15,po,ten1po1
                  --type 10.20.246.15,po,ten1po1:port-based
                  --destination 10.20.246.15,po,ten1po1:10.20.246.15,eth,0/31
                  --destination-type 10.20.246.15,po,ten1po1:span
                  --direction 10.20.246.15,po,ten1po1:tx
    efa tenant service mirror session create --name mirrorsession2 --tenant ten1
                  --source 10.20.246.15,po,ten1po1
                  --type 10.20.246.15,po,ten1po1:flow-based
                  --destination 10.20.246.15,po,ten1po1:10.20.246.15,eth,0/31
                  --destination-type 10.20.246.15,po,ten1po1:span
                  --direction 10.20.246.15,po,ten1po1:rx
    
    efa tenant epg create --name ten1epg2 --tenant ten1 --type port-profile
                  --po ten1po2
                  --pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl
    efa tenant service mirror session create --name mirrorsession3 --tenant ten1
                   --source 10.20.246.21,po,ten1po2
                   --type 10.20.246.21,po,ten1po2:port-based 
                   --destination 10.20.246.21,po,ten1po2:10.20.246.21,eth,0/31
                   --destination-type 10.20.246.21,po,ten1po2:span
                   --direction 10.20.246.21,po,ten1po2:tx
    efa tenant service mirror session create --name mirrorsession4 --tenant ten1
                  --source 10.20.246.21,po,ten1po2
                  --type 10.20.246.21,po,ten1po2:flow-based
                  --destination 10.20.246.21,po,ten1po2:10.20.246.21,eth,0/31
                  --destination-type 10.20.246.21,po,ten1po2:span
                  --direction 10.20.246.21,po,ten1po2:rx
    
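  3. Verify the switch configuration on each SLX device: confirm that the mirror ACL exists and is applied inbound on the port channel, that each monitor session shows the source, destination, direction, and type you configured, and that the destination interface is up (in the sample output below, Eth 0/31 is shown as Down). Because the example ACL (permit ipv6 any any mirror) matches all IPv6 traffic, every IPv6 packet arriving on the port channel is eligible to be copied to the mirror destination, so connect that port only to a trusted analyzer.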
    10.20.246.15
    SLX# show running-config ipv6 access-list
    ipv6 access-list extended ext-ipv6-permit-any-mirror-acl
     seq 10 permit ipv6 any any mirror
    !
    SLX#
    
    SLX# show running-config int po 64
    interface Port-channel 64
     mtu 9216
     description MCTPeerInterface
     ip address 10.20.20.3/31
     ipv6 access-group ext-ipv6-permit-any-mirror-acl in
     no shutdown
    !
    SLX#
    10.20.246.16
    SLX# show running-config ipv6 access-list
    ipv6 access-list extended ext-ipv6-permit-any-mirror-acl
     seq 10 permit ipv6 any any mirror
    !
    SLX#
    
    SLX# show running-config int po 64
    interface Port-channel 64
     mtu 9216
     description MCTPeerInterface
     ip address 10.20.20.2/31
     ipv6 access-group ext-ipv6-permit-any-mirror-acl in
     no shutdown
    !
    SLX#
    10.20.246.21
    SLX# show running-config ipv6 access-list
    ipv6 access-list extended ext-ipv6-permit-any-mirror-acl
     seq 10 permit ipv6 any any mirror
    !
    SLX#
    
    SLX# show running-config int po 64
    interface Port-channel 64
     mtu 9216
     description MCTPeerInterface
     ip address 10.20.20.3/31
     ipv6 access-group ext-ipv6-permit-any-mirror-acl in
     no shutdown
    !
    SLX#
    10.20.246.22
    SLX# show running-config ipv6 access-list
    ipv6 access-list extended ext-ipv6-permit-any-mirror-acl
     seq 10 permit ipv6 any any mirror
    !
    SLX#
    
    SLX# show running-config int po 64
    interface Port-channel 64
     mtu 9216
     description MCTPeerInterface
     ip address 10.20.20.2/31
     ipv6 access-group ext-ipv6-permit-any-mirror-acl in
     no shutdown
    !
    SLX#
    10.20.246.15
    SLX# show running-config monitor session
    monitor session 1
     source port-channel 64 destination ethernet 0/31 direction tx
    !
    monitor session 2
     source port-channel 64 destination ethernet 0/31 direction rx flow-based
    !
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 64 (Up)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Tx
    Type                   : port-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 64 (Up)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Rx
    Type                   : flow-based
    10.20.246.21
    SLX# show running-config monitor session
    monitor session 1
     source port-channel 64 destination ethernet 0/31 direction tx
    !
    monitor session 2
     source port-channel 64 destination ethernet 0/31 direction rx flow-based
    !
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 64 (Up)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Tx
    Type                   : port-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 64 (Up)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Rx
    Type                   : flow-based