Configure ICL Port Mirroring in a Multi-Tenant Architecture

Procedure

  1. Run the following commands to configure access control list applications on Ethernet or Port channel and VLAN or Virtual Ethernet:
    efa tenant epg create --name <epg-name> --tenant <tenant-name>
    
        --type port-profile
        --po <mirror-source-po-list>
            
        --pp-ipv6-acl-in <acl-name>
        --pp-ip-acl-in <acl-name> --pp-ip-acl-out <acl-name>
    
  2. Run the following commands to configure a mirror session:
    efa tenant service mirror session create –name <session-name> --tenant <tenant-name>
        --source {<device-ip>,<eth | po | vlan>,<if-name>}
        --type {<source-device-ip>,<eth | po | vlan>,<source-if-name>:<port-based | flow-based>}
    
        --destination-type {<source-device-ip>,< eth | po | vlan>,<source-if-name>:<span>}
        --destination {<source-device-ip>,<eth | po | vlan>,<source-if-name> : 
    			<destination-device-ip>,<eth | po | vlan>,<destination-if-name}
        --direction {<source-device-ip>,< eth | po | vlan>,<source-if-name> : <tx | rx | both>}
    
    
    (efa:root)root@node-2:~# efa tenant show
    +-------+------+------+------+------+------+-------+----------------------------+-------------------+
    |Name   | Type | VLAN | L2VNI|L3VNI | VRF  |Enable |           Ports            |  Mirroring Ports  |
    |       |      | Range| Range|Range | Count|BD     |                            |                   |
    +-------+------+------+------+------+------+-------+----------------------------+-------------------+
    |shared |Shared|      |      |      |   0  |false  |10.20.246.15[0/46-47]       |10.20.246.15[0/31] |
    |Tenant |      |      |      |      |      |       |10.20.246.16[0/46-47]       |10.20.246.16[0/31] |
    |       |      |      |      |      |      |       |10.20.246.21[0/9-10,0/46-48]|10.20.246.21[0/31] |
    |       |      |      |      |      |      |       |10.20.246.22[0/9-10,0/46-48]|10.20.246.22[0/31] |
    |       |      |      |      |      |      |       |                            |10.20.246.25[0/31] |
    |       |      |      |      |      |      |       |                            |10.20.246.26[0/31] |
    +-------+------+------+------+------+------+-------+----------------------------+-------------------+
    
    
    (efa:root)root@node 2:~# efa tenant po show
    +-------+------+--+------+---+-----------+--------+-------+----------------+-----------+------------+-----------+
    |  Name |Tenant|ID|Speed |MTU|Negotiation|Min Link| Lacp  |     Ports      |   State   | Dev State  | App State |
    |       |      |  |      |   |           |Count   |Timeout|                |           |            |           |
    +-------+------+--+------+---+-----------+--------+-------+----------------+-----------+------------+-----------+
    |ten1po1|ten1  |64|10Gbps|   |   active  |   1    |  long |10.20.246.15    |po-created |provisioned |cfg-in-sync|
    |       |      |  |      |   |           |        |       |[0/46-47]       |           |            |           |
    |       |      |  |      |   |           |        |       |10.20.246.16    |           |            |           |
    |       |      |  |      |   |           |        |       |[0/46-47]       |           |            |           |
    +-------+------+--+------+---+-----------+--------+-------+----------------+-----------+------------+-----------+
    |ten2po1|ten2  |64|10Gbps|   |   active  |   1    |  long |10.20.246.21    |po-created |provisioned |cfg-in-sync|
    |       |      |  |      |   |           |        |       |0/9-10,0/46-48] |           |            |           |
    |       |      |  |      |   |           |        |       |10.20.246.22|   |           |            |           |
    |       |      |  |      |   |           |        |       |[0/9-10,0/46-48]|           |            |           |
    +-------+------+--+------+---+-----------+--------+-------+----------------+-----------+------------+-----------+
    Example
    efa tenant epg create –name ten1epg1 –tenant ten1 --type port-profile
      --po ten1po1
      --pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl
    efa tenant service mirror session create –name mirrorsession1 --tenant ten1
      --source 10.20.246.15,po,ten1po1
      --type 10.20.246.15,po,ten1po1:port-based
      --destination 10.20.246.15,po,ten1po1:10.20.246.15,eth,0/31
      --destination-type 10.20.246.15,po,ten1po1:span
      --direction 10.20.246.15,po,ten1po1:tx
    efa tenant service mirror session create –name mirrorsession2 --tenant ten1
      --source 10.20.246.15,po,ten1po1
      --type 10.20.246.15,po,ten1po1:flow-based
      --destination 10.20.246.15,po,ten1po1:10.20.246.15,eth,0/31
      --destination-type 10.20.246.15,po,ten1po1:span
      --direction 10.20.246.15,po,ten1po1:rx
    efa tenant epg create –name ten1epg2 –tenant ten1 --type port-profile
      --po ten1po2
      --pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl
    efa tenant service mirror session create –name mirrorsession3 --tenant ten1
      --source 10.20.246.21,po,ten1po2
      --type 10.20.246.21,po,ten1po2:port-based 
      --destination 10.20.246.21,po,ten1po2:10.20.246.21,eth,0/31
      --destination-type 10.20.246.21,po,ten1po2:span
      --direction 10.20.246.21,po,ten1po2:tx
    efa tenant service mirror session create –name mirrorsession4 --tenant ten1
      --source 10.20.246.21,po,ten1po2
      --type 10.20.246.21,po,ten1po2:flow-based
      --destination 10.20.246.21,po,ten1po2:10.20.246.21,eth,0/31
      --destination-type 10.20.246.21,po,ten1po2:span
      --direction 10.20.246.21,po,ten1po2:rx
  3. Verify the switch configuration on the SLX device.
    10.20.246.15
    SLX# show running-config ipv6 access-list
    ipv6 access-list extended ext-ipv6-permit-any-mirror-acl
     seq 10 permit ipv6 any any mirror
    !
    SLX#
    
    SLX# show running-config int po 64
    interface Port-channel 64
     mtu 9216
     description MCTPeerInterface
     ip address 10.20.20.3/31
     ipv6 access-group ext-ipv6-permit-any-mirror-acl in
     no shutdown
    !
    SLX#
    10.20.246.16
    SLX# show running-config ipv6 access-list
    ipv6 access-list extended ext-ipv6-permit-any-mirror-acl
     seq 10 permit ipv6 any any mirror
    !
    SLX#
    
    SLX# show running-config int po 64
    interface Port-channel 64
     mtu 9216
     description MCTPeerInterface
     ip address 10.20.20.2/31
     ipv6 access-group ext-ipv6-permit-any-mirror-acl in
     no shutdown
    !
    SLX#
    10.20.246.21
    SLX# show running-config ipv6 access-list
    ipv6 access-list extended ext-ipv6-permit-any-mirror-acl
     seq 10 permit ipv6 any any mirror
    !
    SLX#
    
    SLX# show running-config int po 64
    interface Port-channel 64
     mtu 9216
     description MCTPeerInterface
     ip address 10.20.20.3/31
     ipv6 access-group ext-ipv6-permit-any-mirror-acl in
     no shutdown
    !
    SLX#
    10.20.246.22
    SLX# show running-config ipv6 access-list
    ipv6 access-list extended ext-ipv6-permit-any-mirror-acl
     seq 10 permit ipv6 any any mirror
    !
    SLX#
    
    SLX# show running-config int po 64
    interface Port-channel 64
     mtu 9216
     description MCTPeerInterface
     ip address 10.20.20.2/31
     ipv6 access-group ext-ipv6-permit-any-mirror-acl in
     no shutdown
    !
    SLX#
    10.20.246.15
    SLX# show running-config monitor session
    monitor session 1
     source port-channel 64 destination ethernet 0/31 direction tx
    !
    monitor session 2
     source port-channel 64 destination ethernet 0/31 direction rx flow-based
    !
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 64 (Up)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Tx
    Type                   : port-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 64 (Up)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Rx
    Type                   : flow-based
    10.20.246.21
    SLX# show running-config monitor session
    monitor session 1
     source port-channel 64 destination ethernet 0/31 direction tx
    !
    monitor session 2
     source port-channel 64 destination ethernet 0/31 direction rx flow-based
    !
    SLX# show monitor session 1
    Session                : 1
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 64 (Up)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Tx
    Type                   : port-based
    
    SLX# show monitor session 2
    Session                : 2
    Type                   : SPAN
    Description            : [None]
    State                  : Enabled
    Source Interface       : Po 64 (Up)
    Destination Interface  : Eth 0/31 (Down)
    Direction              : Rx
    Type                   : flow-based