efa tenant epg update

Update an endpoint group.

Syntax

efa tenant epg update [--name epg-name | --tenant tenant-name | --operation { port-group-add | port-group-delete | ctag-range-add | ctag-range-delete | vrf-add | vrf-delete | local-ip-add | local-ip-delete | anycast-ip-add | anycast-ip-delete | port-property-add | port-property-delete | port-property-update | network-property-add | network-property-delete | network-property-update } | --port ip-ethport | --po po-name | --switchport-mode { access | trunk | trunk-no-default-native } | --switchport-native-vlan-tagging | --switchport-native-vlan value | --ctag-range range | --ctag-description desc | --vrf vrf-name | --l3-vni vni | --l2-vni vni | --anycast-ip ipv4 | --anycast-ipv6 ipv6 | --local-ip ipv4 | --bridge-domain bd-name | --single-homed-bfd-session-type { auto | software | hardware } | --ip-mtu mtu-value | --suppress-arp array | --suppress-nd array | --pp-mac-acl-in ext-mac-permit-any-mirror-acl | --pp-mac-acl-out ext-mac-permit-any-mirror-acl | --pp-ip-acl-in ext-ip-permit-any-mirror-acl | --pp-ip-acl-out ext-ip-permit-any-mirror-acl | --pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl | --np-mac-acl-in ctag:ext-mac-permit-any-mirror-acl | --np-mac-acl-out ctag:ext-mac-permit-any-mirror-acl | --np-ip-acl-in ctag:ext-ip-permit-any-mirror-acl | --np-ip-acl-out ctag:ext-ip-permit-any-mirror-acl | --np-ipv6-acl-in ctag:ext-ipv6-permit-any-mirror-acl | --dhcpv4-relay-address-ip ipv4 | --dhcpv6-relay-address-ip ipv6 | --dhcpv4-relay-gateway-ip ipv4 | --dhcpv4-relay-gateway-ip-interface ipv4 | --dhcpv6-relay-gateway-ip-interface ipv6 | --dhcpv4-relay-gateway-interface ipv4 | --dhcpv6-relay-gateway-interface ipv6 | --dhcpv6-relay-gateway-interface-ip ipv6 | --ip-icmp-redirect ctag:ip-icmp-redirect | --ipv6-icmp-redirect ctag:ipv6-icmp-redirect | --help ]

Parameters

--anycast-ip ipv4
Specifies the IPv4 anycast address in the following format: ctag:anycast-ip.
--anycast-ipv6 ipv6
Specifies the IPv6 local address in the following format: ctag,device-ip:local-ipv6.
--local-ip ipv4
Specifies the IPv4 local address in the following format: ctag,device-ip:local-ip.
--bridge-domain bd-name
Specifies the bridge domain name in the following format: ctag:bridge-domain.
--ctag-range range
Specifies the customer VLAN range in comma and hyphen separated format. Example: 2-20,30,40,50-55.
--ctag-description desc
Specifies a unique description of the ctag in the following format: ctag:l2-vni.
--dhcpv4-relay-address-ip ipv4
Specifies the DHCP server IPv4 address.
--dhcpv6-relay-address-ip ipv6
Specifies the DHCP server IPv6 address.
--dhcpv4-relay-gateway-ip ipv4
Specifies the DHCP IPv4 relay gateway.
--dhcpv4-relay-gateway-ip-interface ipv4
Specifies the DHCP IPv4 relay gateway IP interface.
--dhcpv6-relay-gateway-ip-interface ipv6
Specifies the DHCP IPv6 relay gateway interface.
--dhcpv4-relay-gateway-interface ipv4
Specifies the DHCP IPv4 relay gateway interface.
--dhcpv6-relay-gateway-interface ipv6
Specifies the DHCP IPv6 relay gateway interface.
--dhcpv6-relay-gateway-interface-ip ipv6
Specifies the DHCP IPv6 relay gateway interface IP.
--ip-icmp-redirect ctag:ip-icmp-redirect
Sets the IPv4 ICMP redirect flag in the format ctag:icmp-redirect. Example: 1002:true.
--ipv6-icmp-redirect ctag:ipv6-icmp-redirect
Sets the IPv6 ICMPv6 redirect flag in the format ctag:icmpv6-redirect. Example: 1002:true.
--ip-mtu mtu-value
Sets the IP maximum transmission unit (MTU) for the tenant network. Valid values range from 1280 through 9194. The format is ctag:ip-mtu.
--l3-vni vni
Specifies the Layer 3 VNI to be used for this VRF.
--l2-vni vni
Specifies the Layer 2 VNI to be used for this network in the following format: ctag:l2-vni.
--np-mac-acl-in ctag:ext-mac-permit-any-mirror-acl
Applies a MAC ACL for the mirror action in the ingress direction on a VLAN. The only supported ACL name is ext-mac-permit-any-mirror-acl and the only supported ACL type is extended. Format: --np-mac-acl-in <ctag:acl-name>. Example: --np-mac-acl-in 101:ext-mac-permit-any-mirror-acl.
--np-mac-acl-out ctag:ext-mac-permit-any-mirror-acl
Applies a MAC ACL for the mirror action in the egress direction on a VLAN. The only supported ACL name is ext-mac-permit-any-mirror-acl and the only supported ACL type is extended. Format: --np-mac-acl-out <ctag:acl-name>. Example: --np-mac-acl-out 101:ext-mac-permit-any-mirror-acl.
--np-ip-acl-in ctag:ext-ip-permit-any-mirror-acl
Applies an IP ACL for the mirror action in the ingress direction on a VE interface. The only supported ACL name is ext-ip-permit-any-mirror-acl and the only supported ACL type is extended. Format: --np-ip-acl-in <ctag:acl-name>. Example: --np-ip-acl-in 101:ext-ip-permit-any-mirror-acl.
--np-ip-acl-out ctag:ext-ip-permit-any-mirror-acl
Applies an IP ACL for the mirror action in the egress direction on a VE interface. The only supported ACL name is ext-ip-permit-any-mirror-acl and the only supported ACL type is extended. Format: --np-ip-acl-out <ctag:acl-name>. Example: --np-ip-acl-out 101:ext-ip-permit-any-mirror-acl.
--np-ipv6-acl-in ctag:ext-ipv6-permit-any-mirror-acl
Applies an IPv6 ACL for the mirror action in the ingress direction on a VE interface. The only supported ACL name is ext-ipv6-permit-any-mirror-acl and the only supported ACL type is extended. Format: --np-ipv6-acl-in <ctag:acl-name>. Example: --np-ipv6-acl-in 101:ext-ipv6-permit-any-mirror-acl.
--name epg-name
Specifies the name of the endpoint group.
--operation { port-group-add | port-group-delete | ctag-range-add | ctag-range-delete | vrf-add | vrf-delete | local-ip-add | local-ip-delete | anycast-ip-add | anycast-ip-delete | port-property-add | port-property-delete | port-property-update | network-property-add | network-property-delete | network-property-update }
Specifies the operation to be performed.
--port ip-ethport
Specifies the device IP address and Ethernet port details. Example: SW1_IP[0/1], SW2_IP[0/5,0/6], SW3_IP[0/7-10]
--po po-name
Lists port channels. Example: po1, po2.
--pp-mac-acl-in ext-mac-permit-any-mirror-acl
Applies a MAC ACL for the mirror action in the ingress direction on Ethernet and port channel interfaces. The only supported ACL name is ext-mac-permit-any-mirror-acl and the only supported ACL type is extended. Format: --pp-mac-acl-in <acl-name>. Example: --pp-mac-acl-in ext-mac-permit-any-mirror-acl.
--pp-mac-acl-out ext-mac-permit-any-mirror-acl
Applies a MAC ACL for the mirror action in the egress direction on Ethernet and port channel interfaces. The only supported ACL name is ext-mac-permit-any-mirror-acl and the only supported ACL type is extended. Format: --pp-mac-acl-out <acl-name>. Example: --pp-mac-acl-out ext-mac-permit-any-mirror-acl.
--pp-ip-acl-in ext-ip-permit-any-mirror-acl
Applies an IP ACL for the mirror action in the ingress direction on Ethernet and port channel interfaces. The only supported ACL name is ext-ip-permit-any-mirror-acl and the only supported ACL type is extended. Format: --pp-ip-acl-in <acl-name>. Example: --pp-ip-acl-in ext-ip-permit-any-mirror-acl.
--pp-ip-acl-out ext-ip-permit-any-mirror-acl
Applies an IP ACL for the mirror action in the egress direction on Ethernet and port channel interfaces. The only supported ACL name is ext-ip-permit-any-mirror-acl and the only supported ACL type is extended. Format: --pp-ip-acl-out <acl-name>. Example: --pp-ip-acl-out ext-ip-permit-any-mirror-acl.
--pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl
Applies an IPv6 ACL for the mirror action in the ingress direction on Ethernet and port channel interfaces. The only supported ACL name is ext-ipv6-permit-any-mirror-acl and the only supported ACL type is extended. Format: --pp-ipv6-acl-in <acl-name>. Example: --pp-ipv6-acl-in ext-ipv6-permit-any-mirror-acl.
--switchport-mode { access | trunk | trunk-no-default-native }
Configures switch port mode on the interfaces. The default is trunk.
--switchport-native-vlan-tagging
Enables the native VLAN characteristics on the ports of this endpoint group. Valid only if the switchport-mode flag is set to trunk.
--switchport-native-vlan value
Configures native VLAN on the interfaces. Valid values are 2 through 4090 corresponding to the value of the ctag-range parameter.
--single-homed-bfd-session-type { auto | software | hardware }
Specifies the BFD session type for the endpoint group. The default is auto, which means that the BFD session type is automatically determined based on the value of the --type parameter: extension or L3 hand-off.
--suppress-arp array
Sets the suppress-arp flag for this network. Format: ctag:suppress-arp. Example: --suppress-arp 1002:true --suppress-arp 1003:false.
--suppress-nd array
Sets the suppress-nd flag for this network. Format: ctag:suppress-nd. Example: --suppress-nd 1002:true --suppress-nd 1003:false.
--tenant tenant-name
Specifies the name of the associated tenant.
--vrf vrf-name
Specifies the VRF to which these networks are attached.

Usage Guidelines

An empty endpoint group has no network-policy, network-property, or port-property.

An endpoint group can be created with a port-property and without a port-group. But an endpoint group cannot be created with a port-group and without a port-property.

ARP suppression is enabled for all the possible broadcast domains (VLAN or BD) on the device.

CEP is handled by replicating all the tenant configuration on the MCT neighbor except for the endpoint configuration, since the endpoint does not exist on the MCT neighbor.

The update operation for a bridge domain-based endpoint group is similar to that of a VLAN-based endpoint group. During a port-group add or delete operation, the logical interface configurations will be created or deleted for the existing ctags, and the corresponding bridge-domains.

During a ctag-range-add or delete operation, the logical interface and bridge-domain configurations are updated on the endpoint group.

During vrf-add or delete operation, the corresponding Layer 3 configurations are added to or deleted from the endpoint group.

Event handling sets the corresponding tenant networks to the cfg-refreshed state. However, there is no way to re-push the refreshed configuration onto the devices.

The value of --single-homed-bfd-session-type is configured for one endpoint group and then propagated to all Ethernet and single-homed port channel interfaces defined for that endpoint group.

XCO does not distinguish between SRIOV (single-root input/output virtualization) and non-SRIOV connections. Therefore, it treats both connections the same way. If you want to use hardware-based BFD sessions for CEP non-SRIOV connections, then create an endpoint group that contains all the CEP non-SRIOV connections and set the --single-homed-bfd-session-type to hardware.

During vrf-add and ctag-range-add operations, you can use the --ip-mtu parameter to configure the MTU for the tenant network. This value is then configured on the interface VE on the SLX device. The output of the efa tenant epg show --detail command includes the configured --ip-mtu <mtu-value>.

Examples

The following example adds a port to the endpoint group.

$ efa tenant epg update --name epg1 \
--tenant tenant11 --operation port-group-add --port 10.20.216.15[0/20]

EndpointGroup updated successfully.

--- Time Elapsed: 32.208253521s ---

The following example adds a ctag with network properties to the endpoint group.

$ efa tenant epg update --name epg1 --tenant tenant11 \
--operation ctag-range-add --ctag-range 100 --anycast-ip 100:1.1.100.1/24 \
--local-ip 100,10.20.216.15:100.100.1.1/28

EndpointGroup updated successfully.

--- Time Elapsed: 37.428381252s ---

The following example adds an automatic BFD session type to an endpoint group.

$ efa tenant epg update --name epg5 --tenant tenant11 --operation port-group-add \
--port 10.20.216.15[0/11],10.20.216.16[0/11] --po po1 --switchport-mode trunk \
--single-homed-bfd-session-type auto

The following example configures the MTU during a vrf-add operation.

$ efa tenant epg update --name ten1epg1 --tenant ten1 --operation vrf-add \
--anycast-ip 11:10.0.11.1/24 --anycast-ipv6 11:11::1/127 --vrf ten1vrf1 --ip-mtu 11:5990

The following example configures the MTU during a ctag-range-add operation.

$ efa tenant epg update --name ten1epg1 --tenant ten1 --operation ctag-range-add \
--ctag-range 212 --anycast-ip 213:33.1.1.1/24 --anycast-ipv6 213:12::1/127 --ip-mtu 213:6990 \
--ip-icmp-redirect 213:true --ipv6-icmp-redirect 213:true
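
The ctag-keyed value formats described under Parameters can be checked before a command is pushed to the fabric. The following pre-change lint is an added example, not part of XCO or of the original page. The names lint_epg_update, parse_ctag_range, ip_version and SAMPLE are hypothetical, --anycast-ipv6 is treated as ctag:prefix as in the examples above, and flagging a ctag that is missing from --ctag-range is this example's own policy, not documented XCO behavior.

```python
import ipaddress
import shlex

MTU_MIN, MTU_MAX = 1280, 9194  # valid --ip-mtu values stated on this page
IP_FAMILY = {"--anycast-ip": 4, "--anycast-ipv6": 6}
CTAG_KEYED = set(IP_FAMILY) | {"--ip-mtu", "--l2-vni", "--suppress-arp", "--suppress-nd",
                               "--ip-icmp-redirect", "--ipv6-icmp-redirect"}

def parse_ctag_range(spec):
    """Expand a range such as '2-20,30,40,50-55' into a set of ctags."""
    ctags = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ctags.update(range(int(lo), int(hi or lo) + 1))
    return ctags

def ip_version(text):
    # 4 or 6 for an address/prefix, None when the text does not parse.
    try:
        return ipaddress.ip_interface(text).version
    except ValueError:
        return None

def lint_epg_update(command):
    """Return findings for one 'efa tenant epg update' command line."""
    argv = shlex.split(command)
    opts = [(f, v) for f, v in zip(argv, argv[1:])
            if f.startswith("--") and not v.startswith("--")]
    ctags = set().union(*(parse_ctag_range(v) for f, v in opts if f == "--ctag-range"))
    findings = []
    for flag, value in opts:
        if flag not in CTAG_KEYED:
            continue
        ctag, sep, payload = value.partition(":")  # first ':' ends the ctag
        if not sep or not ctag.isdigit():
            findings.append(f"{flag} {value}: expected ctag:value")
            continue
        if ctags and int(ctag) not in ctags:  # assumed lint policy, not XCO behavior
            findings.append(f"{flag} {value}: ctag {ctag} not in --ctag-range")
        if flag == "--ip-mtu" and not (
                payload.isdigit() and MTU_MIN <= int(payload) <= MTU_MAX):
            findings.append(f"{flag} {value}: MTU outside {MTU_MIN}-{MTU_MAX}")
        if flag in IP_FAMILY and ip_version(payload) != IP_FAMILY[flag]:
            findings.append(f"{flag} {value}: not an IPv{IP_FAMILY[flag]} prefix")
    return findings

# Constructed command line: the MTU is out of range and ctag 120 is not in the range.
SAMPLE = ("efa tenant epg update --name epg1 --tenant tenant11 --operation "
          "ctag-range-add --ctag-range 100-102,110 --anycast-ip 100:10.0.100.1/24 "
          "--anycast-ipv6 101:2001:db8::1/64 --ip-mtu 110:9500 --suppress-arp 120:true")
print("\n".join(lint_epg_update(SAMPLE)))
```

An empty result means only that the checked formats are well formed; the lint does not contact XCO or the devices.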