
Before enabling GRIP, verify the inline function of each HC2 on its own, with the other chassis forced into physical bypass, so that a fault in one node's inline configuration is not mistaken later for a GRIP failover problem.

https://gigamoncp.force.com/partnercommunity/s/article/HC2-GRIP-Configuration-example#loaded

A. Set up the primary without GRIP
a. Ensure the secondary is wire-only (physical-bypass enabled), so only the primary touches the inline traffic.
b. Take the primary out of bypass, configure all ports, and forward the inline traffic to the inline tool.

On secondary: inline-network alias default_inline_net_1_1_4 physical-bypass enable

On primary:
port 1/1/x23..x24 params admin enable
port 1/1/x8..x9 type inline-tool
port 1/1/x8..x9 params admin enable

inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool

inline-tool alias IT-01 pair tool-a 1/1/x8 and tool-b 1/1/x9
inline-tool alias IT-01 failover-action tool-bypass
inline-tool alias IT-01 enable
c. Forward traffic to the inline tool for inspection:
map-passall alias IL-to-tool-Grip
from default_inline_net_1_1_4
to IT-01
exit

inline-network alias default_inline_net_1_1_4 physical-bypass disable

Confirm the setup on the primary with show port params (all four ports up) and show port stats (counters incrementing on the inline tool ports).

B. Set up the secondary without GRIP
a. Set the primary to wire-only (physical-bypass enabled).
On primary: inline-network alias default_inline_net_1_1_4 physical-bypass enable

On secondary:
port 1/1/x23..x24 params admin enable
inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool

port 1/1/x2..x3 type inline-tool
port 1/1/x2..x3 params admin enable
inline-tool alias IT-02 pair tool-a 1/1/x2 and tool-b 1/1/x3
inline-tool alias IT-02 failover-action tool-bypass
inline-tool alias IT-02 enable

map-passall alias IL-to-tool-GripSecondary
from default_inline_net_1_1_4
to IT-02
exit

inline-network alias default_inline_net_1_1_4 physical-bypass disable

Again, confirm the configuration with show port params and show port stats.

C. Configure redundancy profiles and signal links.

i. Enable physical bypass on both chassis (neither node should be inspecting while the profiles are created)
[primary] inline-network alias default_inline_net_1_1_4 physical-bypass enable
[secondary] inline-network alias default_inline_net_1_1_4 physical-bypass enable

ii. Configure the GRIP redundancy profiles and check the signaling link
Note: in this example the signaling port is 1/1/x7 on the primary and 1/1/x4 on the secondary; both are configured as stack ports and must be cabled to each other.

Primary:
port 1/1/x7 type stack
port 1/1/x7 params admin en

redundancy-profile alias RP-01
protection-role primary
signaling-port 1/1/x7
exit

Secondary:
port 1/1/x4 type stack
port 1/1/x4 params admin en

redundancy-profile alias RP-02
protection-role secondary
signaling-port 1/1/x4
exit

D. Turn off LFP, take both inline networks out of physical bypass, and assign the redundancy profile (RP) to the inline network on both chassis
[primary]
no inline-network alias default_inline_net_1_1_4 lfp enable
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-01
[secondary]
no inline-network alias default_inline_net_1_1_4 lfp enable
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-02
ADDITIONAL NOTES
Once the redundancy profile has been applied, the physical-bypass state is no longer set by hand: the GRIP software controls it according to the node's role and the state of the signaling link.

Commands for checking status:
[Primary]
show inline-network alias default_inline_net_1_1_4
show port stats port-list 1/1/x23,1/1/x8,1/1/x9,1/1/x24
show port params port-list 1/1/x23,1/1/x8,1/1/x9,1/1/x24

[Secondary]
show inline-network alias default_inline_net_1_1_4
show port params port-list 1/1/x23,1/1/x2,1/1/x3,1/1/x24
show port stats port-list 1/1/x23,1/1/x2,1/1/x3,1/1/x24

Note that in this example, link fail propagation (LFP) is disabled to reduce inline network recovery time after failover.
When GRIP is deployed with high-availability networks where a second path is present, it is a best practice to leave LFP enabled so that the neighbouring devices see the failure and move to the other path.


ASF (Buffered) Email Attachment Content-Disposition 1000byte & (Unbuffered) Yahoo MSG

Note: the dump below is a complete running configuration and includes the admin account's password hash (username admin password 7 $1$...). "password 7" only means the value is stored hashed; an MD5-crypt ($1$) hash can be cracked offline, so treat it, the SNMP community string and the notification credentials as secrets and scrub them before sharing a show run.

hc2-1 (config) # show run
##
## Running database "initial"
## Generated at 2019/06/19 05:51:13 +0900
## Software version on which this output was taken: GigaVUE-OS 5.4.00 98411 2018-07-24 02:03:59
## Hostname: hc2-1
##
## Note: If you are not an admin user some command invocations may be omitted
## because you do not have permissions to see them.
##

##
## Network interface configuration
##
interface eth0
create
no dhcp
ip address 192.168.44.71 /24
no shutdown
no zeroconf
exit

##
## Routing configuration
##
ip default-gateway 192.168.44.1 eth0

##
## Other IP configuration
##
hostname hc2-1
ip domain-list learn.local
ip name-server 192.168.44.4

##
## Other IPv6 configuration
##
no ipv6 enable

##
## Logging configuration
##
logging 192.168.44.60
logging 192.168.44.60 trap warning

##
## Local user account configuration
##
username admin password 7 $1$o0F.tl2T$BR6jW4rLWr1rN/oJ7kkb1.

##
## AAA remote server configuration
##
ldap bind-password ****
radius-server key ****
tacacs-server key ****

##
## Chassis level configurations
##
chassis box-id 1 serial-num CD607 type hc2 gdp disable

##
## Card level configurations
##
card slot 1/1 product-code 132-00BD
card slot 1/2 product-code 132-00B3
card slot 1/3 product-code 132-00BE
card slot 1/4 product-code 132-00BQ
card slot 1/5 product-code 132-00AT
card slot 1/cc1 product-code 132-00AN

##
## Port level configurations
##
port 1/1/x1 type network
port 1/1/x1 params admin enable
port 1/1/x2 type network
port 1/1/x2 params admin enable
port 1/1/x3 type network
port 1/1/x3 params admin enable
port 1/1/x4 type network
port 1/1/x4 params admin enable
port 1/1/x5 type tool
port 1/1/x5 params admin enable
port 1/1/x6 type tool
port 1/1/x6 params admin enable
port 1/1/x7 type tool
port 1/1/x7 params admin enable
port 1/1/x8 type tool
port 1/1/x8 params admin enable
port 1/1/x9 type tool
port 1/1/x9 params admin enable
port 1/1/x10 type network
port 1/1/x10 params admin enable
port 1/1/x11 type network
port 1/1/x11 params admin enable
port 1/1/x12 type network
port 1/1/x12 params admin enable
port 1/1/x13 type network
port 1/1/x13 params admin enable discovery all gdp enable
port 1/1/x14 type network
port 1/1/x14 params admin enable discovery all gdp enable
port 1/1/x15 type tool
port 1/1/x15 alias CEM-WebTool
port 1/1/x15 params admin enable
port 1/1/x16 type tool
port 1/1/x16 params admin enable
port 1/1/x17 type tool
port 1/1/x17 params admin enable
port 1/1/x18 type tool
port 1/1/x18 params admin enable
port 1/1/x19 type tool
port 1/1/x19 params admin enable
port 1/1/x20 type network
port 1/1/x20 params admin enable
port 1/1/x21 type network
port 1/1/x21 params admin enable
port 1/1/x22 type network
port 1/1/x22 params admin enable
port 1/1/x23 type network
port 1/1/x23 params admin enable
port 1/1/x24 type network
port 1/1/x24 params admin enable
port 1/2/g1 type network
port 1/2/g1 params taptx passive
port 1/2/g2 type network
port 1/2/g2 params taptx passive
port 1/2/g3 type network
port 1/2/g3 params taptx passive
port 1/2/g4 type network
port 1/2/g4 params taptx passive
port 1/2/g5 type network
port 1/2/g5 params taptx passive
port 1/2/g6 type network
port 1/2/g6 params taptx passive
port 1/2/g7 type network
port 1/2/g7 params taptx passive
port 1/2/g8 type network
port 1/2/g8 params taptx passive
port 1/2/g9 type network
port 1/2/g9 params taptx passive
port 1/2/g10 type network
port 1/2/g10 params taptx passive
port 1/2/g11 type network
port 1/2/g11 params taptx passive
port 1/2/g12 type network
port 1/2/g12 params taptx passive
port 1/2/g13 type network
port 1/2/g13 params taptx passive
port 1/2/g14 type network
port 1/2/g14 params taptx passive
port 1/2/g15 type network
port 1/2/g15 params taptx passive
port 1/2/g16 type network
port 1/2/g16 params taptx passive
port 1/2/g17 type network
port 1/2/g17 params taptx passive
port 1/2/g18 type network
port 1/2/g18 params taptx passive
port 1/2/g19 type network
port 1/2/g19 params taptx passive
port 1/2/g20 type network
port 1/2/g20 params taptx passive
port 1/2/g21 type network
port 1/2/g21 params taptx passive
port 1/2/g22 type network
port 1/2/g22 params taptx passive
port 1/2/g23 type network
port 1/2/g23 params taptx passive
port 1/2/g24 type network
port 1/2/g24 params taptx passive
port 1/3/q1 type network
port 1/3/q2 type network
port 1/3/q3 type network
port 1/3/q4 type network
port 1/3/q5 type network
port 1/3/q6 type network
port 1/4/x1 type network
port 1/4/x2 type network
port 1/4/x3 type network
port 1/4/x4 type network
port 1/4/x5 type network
port 1/4/x6 type network
port 1/4/x7 type network
port 1/4/x8 type network
port 1/4/x9 type network
port 1/4/x10 type network
port 1/4/x11 type network
port 1/4/x12 type network
port 1/4/x13 type network
port 1/4/x14 type network
port 1/4/x15 type network
port 1/4/x16 type network
port 1/4/x17 type inline-net
port 1/4/x18 type inline-net
port 1/4/x19 type inline-net
port 1/4/x20 type inline-net
port 1/4/x21 type inline-net
port 1/4/x22 type inline-net
port 1/4/x23 type inline-net
port 1/4/x24 type inline-net

##
## Gigastream hash configurations
##
gigastream advanced-hash slot 1/cc1 default

##
## SAPF configurations
##
apps asf alias sessions-20p-2
bi-directional enable
buffer enable
buffer-count-before-match 20
packet-count disable
protocol tcp
sess-field add ipv4-5tuple outer
timeout 15
exit
apps asf alias sessions-unbuffered-2
bi-directional enable
buffer disable
buffer-count-before-match 3
packet-count disable
protocol tcp
sess-field add ipv4-protocol outer
sess-field add ipv4-src outer
timeout 15
exit

##
## Gsgroup configurations
##
gsgroup alias GS51 port-list 1/5/e1

##
## Gs params configurations
##
gsparams gsgroup GS51
cpu utilization type total rising 80
dedup-action drop
dedup-ip-tclass include
dedup-ip-tos include
dedup-tcp-seq include
dedup-timer 50000
dedup-vlan ignore
eng-watchdog-timer 60
erspan3-timestamp format none
flow-mask disable
flow-sampling-rate 5
flow-sampling-timeout 1
flow-sampling-type device-ip
generic-session-timeout 5
gtp-control-sample enable
gtp-flow timeout 48
gtp-persistence disable
gtp-persistence file-age-timeout 30
gtp-persistence interval 10
gtp-persistence restart-age-time 30
ip-frag forward enable
ip-frag frag-timeout 10
ip-frag head-session-timeout 30
lb failover disable
lb failover-thres lt-bw 80
lb failover-thres lt-pkt-rate 1000
lb replicate-gtp-c disable
lb use-link-spd-wt disable
resource buffer-asf 2
resource cpu overload-threshold 90
resource hsm-ssl buffer disable
resource hsm-ssl packet-buffer 1000
resource packet-buffer overload-threshold 80
resource xpkt-pmatch num-flows 0
sip-media timeout 30
sip-session timeout 30
sip-tcp-idle-timeout 20
ssl-decrypt decrypt-fail-action drop
ssl-decrypt enable
ssl-decrypt hsm-pkcs11 dynamic-object enable
ssl-decrypt hsm-pkcs11 load-sharing enable
ssl-decrypt hsm-timeout 1000
ssl-decrypt key-cache-timeout 10800
ssl-decrypt non-ssl-traffic drop
ssl-decrypt pending-session-timeout 60
ssl-decrypt session-timeout 300
ssl-decrypt tcp-syn-timeout 20
ssl-decrypt ticket-cache-timeout 10800
tunnel-arp-timeout 600
tunnel-health-check action pass
tunnel-health-check disable
tunnel-health-check dstport 54321
tunnel-health-check interval 600
tunnel-health-check protocol icmp
tunnel-health-check rcvport 54321
tunnel-health-check retries 5
tunnel-health-check roundtriptime 1
tunnel-health-check srcport 54321
tunnel-ndp-timeout 600
xpkt-pmatch disable
exit

##
## Gsop configurations
##
gsop alias ASF-buffered-2 apf set asf sessions-20p-2 port-list GS51
gsop alias ASF-unbuffered-2 apf set asf sessions-unbuffered-2 port-list GS51

##
## Vport configurations
##
vport alias vp51-2 gsgroup GS51
vport alias vp51-2 failover-action vport-bypass

##
## Inline-network configurations
##
inline-network alias default_inline_net_1_4_1
pair net-a 1/4/x17 and net-b 1/4/x18
physical-bypass enable
traffic-path bypass
exit
inline-network alias default_inline_net_1_4_2
pair net-a 1/4/x19 and net-b 1/4/x20
physical-bypass enable
traffic-path bypass
exit
inline-network alias default_inline_net_1_4_3
pair net-a 1/4/x21 and net-b 1/4/x22
physical-bypass enable
traffic-path bypass
exit
inline-network alias default_inline_net_1_4_4
pair net-a 1/4/x23 and net-b 1/4/x24
physical-bypass enable
traffic-path bypass
exit

##
## Traffic map connection configurations
##
map alias map-email-2
type firstLevel byRule
roles replace admin to owner_roles
rule add pass portdst 25 bidir
to vp51-2
from 1/1/x11
exit
map alias map-IPv4-2
type firstLevel byRule
roles replace admin to owner_roles
rule add pass ipver 4
to vp51-2
from 1/1/x11
exit
map alias email-attachments-2
type secondLevel byRule
roles replace admin to owner_roles
use gsop ASF-buffered-2
gsrule add pass pmatch string Content-Disposition 0..1000
to 1/1/x15
from vp51-2
exit
map alias yahooMsg-2
type secondLevel byRule
roles replace admin to owner_roles
use gsop ASF-unbuffered-2
gsrule add pass pmatch string ymsg}ypns}yahoo 34..1000
to 1/1/x17
from vp51-2
exit
map-scollector alias vp51-collector-2
roles replace admin to owner_roles
from vp51-2
collector 1/1/x16
exit

##
## Notifications
##
notifications target ip 192.168.44.60 port 5672 non-secure username admin password **

##
## SNMP configuration
##
no snmp-server host 192.168.44.60 disable
snmp-server host 192.168.44.60 traps port 162 version 2c public

##
## X.509 certificates configuration
##
# Certificate name system-self-signed, ID 16a1327fbd87a1006edb042febc21e03f011810a
# (public-cert config omitted since private-key config is hidden)

##
## Web configuration
##
web proxy auth basic password ****

##
## Time/NTP configuration
##
clock timezone Asia Southeast Seoul

##
## Flat Panel Display configuration
##
lcd password ****

##
## E-mail configuration
##
email auth password ****
email autosupport auth password ****

##
## Miscellaneous other settings
##
internal set modify - /gv/notf/config/chassis/C7823 value string C7823
internal set modify - /gv/notf/config/chassis/C8B76 value string C8B76
hc2-1 (config) #
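What the two ASF profiles above (sessions-20p-2 with buffering, sessions-unbuffered-2 without) do to a session is easier to see in a simulation. The following is an added example, not Gigamon code and not part of this post: it models a buffered and an unbuffered session filter with the page's pmatch strings and offset windows over a constructed SMTP exchange and a constructed messenger session, and shows which packets reach the tool in each mode. Assumptions: offsets count from the start of the TCP payload, the page's "ymsg}ypns}yahoo" is read as a list of alternatives, a full buffer without a match is discarded, and the 15-second session timeout is not modelled.

```python
"""Application Session Filtering (ASF) in buffered and unbuffered mode (added
example, not Gigamon code). Models what the two 'apps asf' profiles and the
'gsrule add pass pmatch string PATTERN lo..hi' rules on this page do to a TCP
session: nothing reaches the tool until one packet's payload contains the
pattern inside the byte window, then the rest of the session does. With
'buffer enable' the first 'buffer-count-before-match' packets are held and
released with the matching packet; with 'buffer disable' they are gone.
Assumptions: offsets count from the start of the TCP payload, 'ymsg}ypns}yahoo'
is a list of alternatives, a full buffer with no match is discarded, and the
session timeout is not modelled. All packets below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class AsfProfile:
    patterns: list        # any alternative matching counts
    offset: tuple         # (lo, hi) byte window of the payload, like '0..1000'
    buffer: bool          # 'buffer enable' / 'buffer disable'
    buffer_count: int     # 'buffer-count-before-match'


def session_key(pkt):
    """'bi-directional enable' + ipv4-5tuple: both directions share one session."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return ("tcp", ends[0], ends[1])


def matches(prof, payload):
    lo, hi = prof.offset
    return any(p in payload[lo:hi] for p in prof.patterns)


class AsfFilter:
    def __init__(self, prof):
        self.prof = prof
        self.sessions = defaultdict(lambda: {"fwd": False, "seen": 0, "held": []})

    def process(self, pkt):
        """Return the packets released to the tool because of this packet."""
        s = self.sessions[session_key(pkt)]
        if s["fwd"]:                          # session already matched: pass everything
            return [pkt]
        s["seen"] += 1
        if matches(self.prof, pkt.payload):
            s["fwd"] = True
            released, s["held"] = s["held"] + [pkt], []
            return released
        if self.prof.buffer:
            if s["seen"] <= self.prof.buffer_count:
                s["held"].append(pkt)
            else:                             # buffer exhausted without a match
                s["held"] = []
        return []


def run(prof, packets):
    """Feed packets through a fresh filter and return what reaches the tool."""
    flt, out = AsfFilter(prof), []
    for pkt in packets:
        out.extend(flt.process(pkt))
    return out


# Profiles mirroring sessions-20p-2 / sessions-unbuffered-2 and the two gsrules.
EMAIL_BUFFERED = AsfProfile([b"Content-Disposition"], (0, 1000), True, 20)
EMAIL_UNBUFFERED = AsfProfile([b"Content-Disposition"], (0, 1000), False, 0)
YAHOO = AsfProfile([b"ymsg", b"ypns", b"yahoo"], (34, 1000), False, 3)

C, S = ("10.0.0.5", 40000), ("10.0.0.25", 25)          # constructed client, SMTP server
def c2s(payload): return Packet(*C, *S, payload)
def s2c(payload): return Packet(*S, *C, payload)

SMTP = [                                                 # constructed exchange
    c2s(b"EHLO client.example\r\n"),
    s2c(b"250 mail.example Hello\r\n"),
    c2s(b"MAIL FROM:<a@example>\r\n"),
    c2s(b"DATA\r\n"),
    s2c(b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    c2s(b"Content-Type: multipart/mixed; boundary=b\r\n\r\n--b\r\n"
        b"Content-Disposition: attachment; filename=\"q4.xlsx\"\r\n"),
    c2s(b"UEsDBBQABgAIAAAAIQ... (attachment body)\r\n"),
]
HTTP = [c2s(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"), s2c(b"HTTP/1.1 200 OK\r\n\r\n")]
YM = [c2s(b"ymsg at offset 0 is ignored"),              # before byte 34: outside the window
      c2s(b"x" * 40 + b"ymsg"), c2s(b"follow-up data")]
```

With the buffered profile the tool receives the whole SMTP session (the EHLO, MAIL FROM and DATA exchange as well as the attachment), because the Content-Disposition header arrives within the first 20 packets; with the unbuffered profile only the header packet and what follows it are forwarded, and a session that never matches forwards nothing in either mode. The offset window matters for the Yahoo rule: a pattern sitting before byte 34 of the payload is not a match.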


Gigamon Policy (Active Visibility)

gigamon-0200fd (config policy alias test3) # condition add ?
< condition > Add a condition to the policy
GsCpuUtilHigh
GsCpuUtilLow
GsHbStatusDown
GsHbStatusUp
GsPktBufThHigh
GsPktBufThLow
GsPktDropRateHigh
GsPktDropRateLow
GsRxPktErrorHigh
GsRxPktErrorLow
GsRxPktRateHigh
GsRxPktRateLow
InlineToolDown
InlineToolReady
InlineToolUp
PortDown
PortRxBufferHigh
PortRxBufferLow
PortRxDiscardsHigh
PortRxDiscardsLow
PortRxDropsHigh
PortRxDropsLow
PortRxErrorsHigh
PortRxErrorsLow
PortRxUtilHigh
PortRxUtilLow
PortTxBufferHigh
PortTxBufferLow
PortTxDiscardsHigh
PortTxDiscardsLow
PortTxDropsHigh
PortTxDropsLow
PortTxErrorsHigh
PortTxErrorsLow
PortTxUtilHigh
PortTxUtilLow
PortUp
TimeFriday
TimeMonday
TimeOfDay
TimeSaturday
TimeSunday
TimeThursday
TimeTuesday
TimeWednesday
TimeWeekday
TimeWeekend

gigamon-0200fd (config policy alias test3) # action add ?
< action > Add an action to the policy.
FlexInlineOOBAdd
FlexInlineOOBDelete
InlineNetTrafficPath
InlineToolDisable
InlineToolEnable
InlineToolRecover
MapDisable
MapEnable
MapGsRuleAdd
MapGsRuleDelete
MapRuleAdd
MapRuleDelete
PhysicalByPassDisable
PhysicalByPassEnable
PolicyDisable
PolicyEnable
PortDisable
PortEnable
PortFilterAdd
PortFilterDelete
PortFilterDeleteAll
WriteMemory


Controlled GigaStream Configuration

To configure a controlled tool GigaStream, specify the hash size and the hash bucket IDs, using the prefix mode. Refer to the following example:

Step | Description | Command

1. Configure ports using type tool for the controlled GigaStream.

(config) # port 1/3/q4..q6 type tool

2. Configure a controlled GigaStream. This uses the prefix mode to configure all parameters.

(config) # gigastream alias stream2
(config gigastream alias stream2) # hash-size 12
(config gigastream alias stream2) # hash-bucket-id 1..3 port 1/3/q4..q6
(config gigastream alias stream2) # comment "controlled gigastream"
(config gigastream alias stream2) # exit
(config) #

3. Display the configuration for this example and confirm the bucket-to-port assignment: only buckets 1..3 of the 12 are mapped to ports here, so check how the remaining buckets are handled before sending production traffic.

(config) # show gigastream


IP Tunnel Receiving End Configuration

port 1/1/x1 type network
port 1/1/x5 type tool
gsgroup alias GS51 port-list 1/5/e1
tunneled-port 1/1/x1 ip 192.168.51.80/24 gateway 192.168.51.1 mtu 9600 port-list GS51
gsop alias Remote2HQtunnel tunnel-decap type gmip portdst 8001 port-list GS51
map alias FieldCallCtrDB
comment "Field Call Center database traffic received at HQ"
use gsop Remote2HQtunnel
rule add pass ipsrc 172.16.10.88
from 1/1/x1
to 1/1/x5
exit


IP Tunnel Sending End Configuration

port 1/1/x1 type network
port 1/1/x5 type tool
gsgroup alias GS51 port-list 1/5/e1
tunneled-port 1/1/x5 ip 172.16.10.88/24 gateway 172.16.10.1 mtu 9600 port-list GS51
gsop alias Chicago2HQ tunnel-encap type gmip portsrc 8000 portdst 8001 ipdst 192.168.51.80 port-list GS51
map alias ChicagoDBtoHQ
comment "Chicago Call Center Database traffic sent to HQ"
use gsop Chicago2HQ
rule add pass portsrc 1521 bidir
from 1/1/x1
to 1/1/x5
exit
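A check that the two tunnel ends agree, added here as an example (not Gigamon code): it reads the tunneled-port, gsop and map lines of the sending and receiving ends in the form shown above and reports the mismatches that leave a tunnel silently empty: an encap ipdst that is not the receiver's tunneled-port address, a portdst with no tunnel-decap on the receiver, a map that refers to a gsop alias that is not defined (aliases are case-sensitive, so a mistyped alias fails quietly), a gsop placed on a different GigaSMART group than its tunneled port, and unequal MTUs. Both configuration strings are constructed from the examples on this page.

```python
"""Cross-check the sending and receiving ends of a GigaVUE IP tunnel (added
example, not Gigamon code). Reads the 'tunneled-port', 'gsop ... tunnel-encap /
tunnel-decap' and 'map ... use gsop' lines of both ends as written on this page
and reports what leaves a tunnel silently empty: an encap ipdst that is not the
receiver's tunneled-port address, a portdst with no tunnel-decap listening, a
map that references an undefined gsop alias (aliases are case-sensitive), a
gsop on a GigaSMART group other than the tunneled port's, and unequal MTUs.
Both snippets are constructed from the page's examples."""


def parse_end(text):
    """Return {'tunneled': {port: params}, 'gsop': {alias: params}, 'maps': {alias: gsop}}."""
    end = {"tunneled": {}, "gsop": {}, "maps": {}}
    current = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "tunneled-port":
            end["tunneled"][t[1]] = dict(zip(t[2::2], t[3::2]))
        elif t[:2] == ["gsop", "alias"]:
            end["gsop"][t[2]] = {"op": t[3], **dict(zip(t[4::2], t[5::2]))}
        elif t[:2] == ["map", "alias"]:
            current = t[2]
            end["maps"][current] = None
        elif t[0] == "exit":
            current = None
        elif current and t[:2] == ["use", "gsop"]:
            end["maps"][current] = t[2]
    return end


def check_tunnel(sender_text, receiver_text):
    """Return findings for the pair; an empty list means the two ends agree."""
    snd, rcv = parse_end(sender_text), parse_end(receiver_text)
    out = []
    for side, end in (("sender", snd), ("receiver", rcv)):
        groups = {p.get("port-list") for p in end["tunneled"].values()}
        for alias, gsop in end["maps"].items():
            if gsop not in end["gsop"]:
                out.append(f"{side}: map {alias} uses undefined gsop {gsop!r}")
        for alias, g in end["gsop"].items():
            if g.get("port-list") not in groups:
                out.append(f"{side}: gsop {alias} is not on a tunneled-port's GigaSMART group")
    rcv_ips = {p["ip"].split("/")[0] for p in rcv["tunneled"].values()}
    rcv_ports = {g.get("portdst") for g in rcv["gsop"].values() if g["op"] == "tunnel-decap"}
    for alias, g in snd["gsop"].items():
        if g["op"] != "tunnel-encap":
            continue
        if g.get("ipdst") not in rcv_ips:
            out.append(f"sender: {alias} ipdst {g.get('ipdst')} is no receiver tunneled-port address")
        if g.get("portdst") not in rcv_ports:
            out.append(f"sender: {alias} portdst {g.get('portdst')} has no tunnel-decap on the receiver")
    mtus = {p.get("mtu") for end in (snd, rcv) for p in end["tunneled"].values()}
    if len(mtus) > 1:
        out.append(f"mtu differs across tunneled ports: {sorted(mtus)}")
    return out


# Constructed from the page's sending-end and receiving-end examples.
SENDER = """
port 1/1/x1 type network
port 1/1/x5 type tool
gsgroup alias GS51 port-list 1/5/e1
tunneled-port 1/1/x5 ip 172.16.10.88/24 gateway 172.16.10.1 mtu 9600 port-list GS51
gsop alias Chicago2HQ tunnel-encap type gmip portsrc 8000 portdst 8001 ipdst 192.168.51.80 port-list GS51
map alias ChicagoDBtoHQ
use gsop Chicago2HQ
rule add pass portsrc 1521 bidir
from 1/1/x1
to 1/1/x5
exit
"""
RECEIVER = """
port 1/1/x1 type network
port 1/1/x5 type tool
gsgroup alias GS51 port-list 1/5/e1
tunneled-port 1/1/x1 ip 192.168.51.80/24 gateway 192.168.51.1 mtu 9600 port-list GS51
gsop alias Remote2HQtunnel tunnel-decap type gmip portdst 8001 port-list GS51
map alias FieldCallCtrDB
use gsop Remote2HQtunnel
rule add pass ipsrc 172.16.10.88
from 1/1/x1
to 1/1/x5
exit
"""

if __name__ == "__main__":
    print(check_tunnel(SENDER, RECEIVER) or "tunnel ends agree")
    # A mistyped alias in the map (wrong case) is reported as an undefined gsop:
    print(check_tunnel(SENDER, RECEIVER.replace("use gsop Remote2HQtunnel", "use gsop Remote2HQTunnel")))
```

Run it against the two ends before the first packet is expected: the decap side says nothing when the encapsulated traffic never arrives, so these are exactly the mismatches that otherwise surface as an empty tool port at HQ.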


You can configure Gigamon Resiliency for inline protection on H Series nodes (GigaVUE-HC1, GigaVUE-HC2, and GigaVUE-HC3). Example 18 is an inline bypass solution for GRIP using TAP-HC1-G10040 modules on GigaVUE-HC1 with copper ports. The same instructions apply to GigaVUE-HC2 and GigaVUE-HC3.

Note: On the GigaVUE-HC2, the configuration steps will be the same as in this example, but the network ports and the TAP module will be different.

First, configure the GigaVUE-HC1 with the primary role, then configure the GigaVUE-HC1 with the secondary role. The configuration is the same (is synchronized) on both nodes, except for step 3, in which the protection role (primary or secondary) is specified.

Note that in this example, link fail propagation (LFP) is disabled to reduce inline network recovery time after failover. When a primary-to-secondary failover occurs with LFP enabled on copper inline bypass links, network service recovery may take several seconds because of Ethernet link renegotiation. Optical links fail over faster and typically recover service much sooner. For inline networks where only one path is available, this is a consideration. When GRIP is deployed with high-availability networks where a second path is present, it is a best practice to leave LFP enabled, so that the neighbouring devices see the link failure and move to the other path.

Configuring Primary Role GigaVUE-HC1

Step | Description | Command

1. Configure ports on the TAP-HC1-G10040 module as passive (in passive mode, the relays are closed) and set the port type (inline-network).

(config) # port 1/3/g1..g8 params taptx passive
(config) # port 1/3/g1..g8 type inline-network

2. Configure the stack port (for the signaling port/link) and enable it.

(config) # port 1/1/x1 type stack
(config) # port 1/1/x1 params admin enable

3. Create the redundancy profile by giving it a name and configuring its parameters, such as the signaling port and the protection role (primary).

(config) # redundancy-profile alias RP_001
(config redundancy-profile alias RP_001) # signaling-port 1/1/x1
(config redundancy-profile alias RP_001) # protection-role primary
(config redundancy-profile alias RP_001) # exit
(config) #

4. Configure the inline network.

(config) # inline-network alias IN_001 pair net-a 1/3/g1 and net-b 1/3/g2

5. Associate the redundancy profile with the inline network, and disable link fail propagation on the inline network.

(config) # inline-network alias IN_001 redundancy-profile RP_001
(config) # no inline-network alias IN_001 lfp enable

6. Configure the inline tool ports: port type (inline-tool), then administratively enable them.

(config) # port 1/1/x11 type inline-tool
(config) # port 1/1/x11 params admin enable

(config) # port 1/1/x12 type inline-tool
(config) # port 1/1/x12 params admin enable

7. Configure the inline tool and its failover action, then enable the inline tool.

(config) # inline-tool alias IT_001 pair tool-a 1/1/x11 and tool-b 1/1/x12
(config) # inline-tool alias IT_001 failover-action network-bypass
(config) # inline-tool alias IT_001 enable

8. Configure a map passall from the inline network to the inline tool.

(config) # map-passall alias INtoIT
(config map-passall alias INtoIT) # from IN_001
(config map-passall alias INtoIT) # to IT_001
(config map-passall alias INtoIT) # exit
(config) #

9. Configure the path of the traffic to the inline tool.

(config) # inline-network alias IN_001 traffic-path to-inline-tool
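A consistency check for the two-node configuration, added here as an example and not taken from Gigamon or from this page's author. It applies to the two-chassis HC2 procedure earlier on this page as well as to this HC1 example: it flattens the CLI forms shown on the page into plain dicts and reports the mistakes that make a GRIP pair misbehave (two primaries, a signaling port that is not an enabled stack port, an inline network not bound to the profile, not set to-inline-tool or not fed by a map-passall, an inline tool without a failover-action, LFP set differently on the two nodes). The two config strings are constructed from the page's commands, and the rule that LFP is enabled unless explicitly turned off is an assumption.

```python
"""GRIP pair consistency check over two GigaVUE-OS config snippets (added example,
not Gigamon code). It flattens the CLI forms used on this page, 'X alias NAME key
value' one-liners and 'X alias NAME ... exit' blocks, into dicts and checks what a
GRIP pair needs. Sample configs are constructed from the page's commands; that LFP
is enabled unless explicitly turned off is an assumption; ranges are not expanded."""
from collections import defaultdict

BLOCK_OPENERS = ("redundancy-profile alias", "inline-network alias",
                 "inline-tool alias", "map-passall alias")


def flatten(text):
    """'X alias NAME' + sub-commands + 'exit' -> 'X alias NAME sub' one-liners."""
    flat, header = [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if header is None and line.startswith(BLOCK_OPENERS) and len(line.split()) == 3:
            header = line
        elif header is None:
            flat.append(line)
        elif line == "exit":
            header = None
        else:
            flat.append(f"{header} {line}")
    return flat


def parse(text):
    cfg = {k: defaultdict(dict) for k in ("ports", "rp", "inet", "itool", "passall")}
    for line in flatten(text):
        neg = line.startswith("no ")
        t = (line[3:] if neg else line).split()
        if t[0] == "port" and t[2] == "type":
            cfg["ports"][t[1]]["type"] = t[3]
        elif t[0] == "port" and t[2:4] == ["params", "admin"]:
            cfg["ports"][t[1]]["admin"] = t[4].startswith("en")
        elif t[0] == "redundancy-profile":
            cfg["rp"][t[2]][t[3]] = t[4]
        elif t[0] == "inline-network":   # 'no ... lfp enable' turns LFP off
            cfg["inet"][t[2]][t[3]] = (not neg) if t[3] == "lfp" else " ".join(t[4:])
        elif t[0] == "inline-tool":
            cfg["itool"][t[2]][t[3]] = " ".join(t[4:]) or "yes"
        elif t[0] == "map-passall":
            cfg["passall"][t[2]][t[3]] = t[4]
    return cfg


def check_grip(primary_text, secondary_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    cfgs = {"primary": parse(primary_text), "secondary": parse(secondary_text)}
    out = []
    def need(ok, msg):
        if not ok:
            out.append(msg)
        return ok
    for role, cfg in cfgs.items():
        if not need(len(cfg["rp"]) == 1, f"{role}: expected exactly one redundancy-profile"):
            continue
        rp_name, rp = next(iter(cfg["rp"].items()))
        need(rp.get("protection-role") == role, f"{role}: {rp_name} protection-role is not {role}")
        sig = cfg["ports"].get(rp.get("signaling-port"), {})
        need(sig.get("type") == "stack" and sig.get("admin"),
             f"{role}: signaling port {rp.get('signaling-port')} must be an admin-enabled stack port")
        fed = {m.get("from") for m in cfg["passall"].values()}
        for name, a in cfg["inet"].items():
            need(a.get("redundancy-profile") == rp_name, f"{role}: {name} is not bound to {rp_name}")
            need(a.get("traffic-path") == "to-inline-tool", f"{role}: {name} is not set to-inline-tool")
            need(name in fed, f"{role}: no map-passall from {name}")
        for name, a in cfg["itool"].items():
            need("failover-action" in a and a.get("enable") == "yes",
                 f"{role}: inline tool {name} needs a failover-action and enable")
    p, s = cfgs["primary"]["inet"], cfgs["secondary"]["inet"]
    for name in sorted(set(p) | set(s)):   # assumption: LFP defaults to enabled
        need(p.get(name, {}).get("lfp", True) == s.get(name, {}).get("lfp", True),
             f"{name}: lfp differs between primary and secondary")
    return out


# Constructed from the page's primary/secondary HC2 commands (not a real dump).
PRIMARY = """
port 1/1/x7 type stack
port 1/1/x7 params admin enable
redundancy-profile alias RP-01
  protection-role primary
  signaling-port 1/1/x7
exit
inline-tool alias IT-01 pair tool-a 1/1/x8 and tool-b 1/1/x9
inline-tool alias IT-01 failover-action tool-bypass
inline-tool alias IT-01 enable
map-passall alias IL-to-tool-Grip from default_inline_net_1_1_4
map-passall alias IL-to-tool-Grip to IT-01
inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool
no inline-network alias default_inline_net_1_1_4 lfp enable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-01
"""
SECONDARY = (PRIMARY.replace("1/1/x8", "1/1/x2").replace("1/1/x9", "1/1/x3")
             .replace("1/1/x7", "1/1/x4").replace("RP-01", "RP-02").replace("IT-01", "IT-02")
             .replace("protection-role primary", "protection-role secondary"))
```

Paste the relevant part of each node's show running-config into the two strings; check_grip(PRIMARY, SECONDARY) returns an empty list for the pair above and, for example, reports "protection-role is not secondary" if the same profile was copied to both nodes, which is the quickest way to end up with two nodes that both believe they own the traffic.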


Example 17 is an inline bypass solution on GigaVUE-HC2 for an inline tool group with four tools. It is similar to Example 16: Asymmetrical Hashing in Inline Tool Group, but has four rule-based inline maps, one to each individual member of the inline tool group. In Example 17, asymmetrical hashing is used, but the hashing could also be symmetrical. The hashing only applies to the traffic sent to the shared collector.

Example 17 is different from Example 5: Inline Tool Group (N+1) Redundancy. In Example 5, all the traffic was sent to the inline tool group as a whole, using a map passall. Hashing distributed the traffic across the group.

With the multiple rule-based maps in Example 17, specific traffic is sent to specific tools in the inline tool group according to the rules. Each of the four inline maps directs traffic from one source IP address to a specific inline tool in the group.

A shared collector is configured from the inline network to the inline tool group. Traffic that does not match any of the map rules is sent to the shared collector and will be distributed according to the hashing value specified for the group.

Step | Description | Command

1. Configure inline network port aliases, port type (inline-network), and administratively enable the inline network ports.

(config) # port 1/2/x1 alias iN1
(config) # port iN1 type inline-network
(config) # port iN1 params admin enable

(config) # port 1/2/x2 alias iN2
(config) # port iN2 type inline-network
(config) # port iN2 params admin enable

2. Configure the inline network.

(config) # inline-network alias inNet pair net-a iN1 and net-b iN2

3. Configure inline tool port aliases, port type (inline-tool), and administratively enable the inline tool ports.

(config) # port 1/2/x15 alias iT1
(config) # port iT1 type inline-tool
(config) # port iT1 params admin enable

(config) # port 1/2/x16 alias iT2
(config) # port iT2 type inline-tool
(config) # port iT2 params admin enable

(config) # port 1/2/x19 alias iT3
(config) # port iT3 type inline-tool
(config) # port iT3 params admin enable

(config) # port 1/2/x20 alias iT4
(config) # port iT4 type inline-tool
(config) # port iT4 params admin enable

(config) # port 1/2/x21 alias iT5
(config) # port iT5 type inline-tool
(config) # port iT5 params admin enable

(config) # port 1/2/x22 alias iT6
(config) # port iT6 type inline-tool
(config) # port iT6 params admin enable

(config) # port 1/2/x23 alias iT7
(config) # port iT7 type inline-tool
(config) # port iT7 params admin enable

(config) # port 1/2/x24 alias iT8
(config) # port iT8 type inline-tool
(config) # port iT8 params admin enable

4. Configure the inline tools and enable them.

(config) # inline-tool alias inTool1 pair tool-a iT1 and tool-b iT2
(config) # inline-tool alias inTool2 pair tool-a iT3 and tool-b iT4
(config) # inline-tool alias inTool3 pair tool-a iT5 and tool-b iT6
(config) # inline-tool alias inTool4 pair tool-a iT7 and tool-b iT8

(config) # inline-tool alias inTool1 enable
(config) # inline-tool alias inTool2 enable
(config) # inline-tool alias inTool3 enable
(config) # inline-tool alias inTool4 enable

5. Configure the inline tool group and its parameters, enable it, then configure the failover action. With minimum-group-healthy-size set to 4 for a four-member group, the loss of any single tool makes the group unhealthy and triggers the failover action (network-bypass); choose a smaller value if the remaining tools should keep inspecting.

(config) # inline-tool-group alias inToolGroup
(config inline-tool-group alias inToolGroup) # tool-list inTool1,inTool2,inTool3,inTool4
(config inline-tool-group alias inToolGroup) # hash a-srcip-b-dstip
(config inline-tool-group alias inToolGroup) # minimum-group-healthy-size 4
(config inline-tool-group alias inToolGroup) # enable
(config inline-tool-group alias inToolGroup) # failover-action network-bypass
(config inline-tool-group alias inToolGroup) # exit
(config) #

6. Configure a rule-based map from the inline network to the first tool in the inline tool group, from the same source, inNet.

(config) # map alias inNet-to-inTool1
(config map alias inNet-to-inTool1) # type inline byRule
(config map alias inNet-to-inTool1) # from inNet
(config map alias inNet-to-inTool1) # to inTool1
(config map alias inNet-to-inTool1) # rule add pass ipsrc 10.10.10.101 /32
(config map alias inNet-to-inTool1) # exit
(config) #

7. Configure a rule-based map from the inline network to the second tool in the inline tool group, from the same source, inNet.

(config) # map alias inNet-to-inTool2
(config map alias inNet-to-inTool2) # type inline byRule
(config map alias inNet-to-inTool2) # from inNet
(config map alias inNet-to-inTool2) # to inTool2
(config map alias inNet-to-inTool2) # rule add pass ipsrc 20.10.20.102 /32
(config map alias inNet-to-inTool2) # exit
(config) #

8. Configure a rule-based map from the inline network to the third tool in the inline tool group, from the same source, inNet.

(config) # map alias inNet-to-inTool3
(config map alias inNet-to-inTool3) # type inline byRule
(config map alias inNet-to-inTool3) # from inNet
(config map alias inNet-to-inTool3) # to inTool3
(config map alias inNet-to-inTool3) # rule add pass ipsrc 31.11.31.103 /32
(config map alias inNet-to-inTool3) # exit
(config) #

9. Configure a rule-based map from the inline network to the fourth tool in the inline tool group, from the same source, inNet.

(config) # map alias inNet-to-inTool4
(config map alias inNet-to-inTool4) # type inline byRule
(config map alias inNet-to-inTool4) # from inNet
(config map alias inNet-to-inTool4) # to inTool4
(config map alias inNet-to-inTool4) # rule add pass ipsrc 41.11.41.104 /32
(config map alias inNet-to-inTool4) # exit
(config) #

10. Add a shared collector for any unmatched traffic and send it to the inline tool group. Again, the source is the same, inNet.

(config) # map-scollector alias inNet-to-ITG
(config map-scollector alias inNet-to-ITG) # from inNet
(config map-scollector alias inNet-to-ITG) # collector inToolGroup
(config map-scollector alias inNet-to-ITG) # exit
(config) #

11. Configure the path of the traffic to the inline tool.

(config) # inline-network alias inNet traffic-path to-inline-tool

12. Display the configuration for this example.

(config) # show inline-tool-group
(config) # show map
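The steering decisions of Example 17, as an added simulation (not Gigamon code): the rule-based maps claim their source IPs first, the shared collector distributes the rest across the group, the a-srcip-b-dstip hash keys on the client address from either side so that request and reply reach the same tool, and a group that drops below minimum-group-healthy-size falls to its failover-action. The hash function is a stand-in, not Gigamon's; rule maps are exercised only for packets arriving on net-a, the direction the page's rules describe; and a rule-mapped flow whose own tool is down is reported rather than modelled, since the page sets no per-tool failover-action. The client addresses other than the page's four are made up.

```python
"""Traffic steering for the Example 17 inline tool group (added simulation, not
Gigamon code). The four rule-based inline maps claim one source IP each, the
shared collector spreads the rest over the group with the a-srcip-b-dstip hash,
and a group below minimum-group-healthy-size falls to its failover-action.
The hash is a stand-in, not Gigamon's; rule maps are exercised only for packets
arriving on net-a (the direction the page's rules describe); a rule-mapped flow
whose own tool is down is reported, not modelled, because the page sets no
per-tool failover-action. Client addresses beyond the page's four are made up."""
from dataclasses import dataclass, field

RULE_MAPS = [                       # the page's maps, in order: (alias, ipsrc, inline tool)
    ("inNet-to-inTool1", "10.10.10.101", "inTool1"),
    ("inNet-to-inTool2", "20.10.20.102", "inTool2"),
    ("inNet-to-inTool3", "31.11.31.103", "inTool3"),
    ("inNet-to-inTool4", "41.11.41.104", "inTool4"),
]


def stand_in_hash(key):
    """Deterministic toy hash of a string (NOT Gigamon's algorithm)."""
    h = 0
    for b in key.encode():
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


@dataclass
class InlineToolGroup:
    tools: list
    hash_mode: str = "a-srcip-b-dstip"
    min_healthy: int = 4                   # minimum-group-healthy-size
    failover_action: str = "network-bypass"
    down: set = field(default_factory=set)

    def healthy(self):
        return len(self.tools) - len(self.down) >= self.min_healthy

    def member_for(self, src, dst, side):
        """Pick the member; the hashed field depends on the side so that a flow's
        request (side a) and reply (side b) hash on the same address."""
        if self.hash_mode == "a-srcip-b-dstip":
            key = src if side == "a" else dst
        elif self.hash_mode == "a-dstip-b-srcip":
            key = dst if side == "a" else src
        else:                                # 'advanced': symmetric on the pair
            key = "|".join(sorted([src, dst]))
        alive = [t for t in self.tools if t not in self.down]
        return alive[stand_in_hash(key) % len(alive)]


def steer(group, src, dst, side="a"):
    """Return the inline tool that sees the packet, or what happens instead."""
    if side == "a":
        for _, ipsrc, tool in RULE_MAPS:         # rule maps win over the collector
            if src == ipsrc:
                return tool if tool not in group.down else f"{tool}: inline-tool failover-action"
    if not group.healthy():                      # collector traffic: group-level failover
        return group.failover_action
    return group.member_for(src, dst, side)      # map-scollector inNet-to-ITG


def flow_is_pinned(group, client, server):
    """True when the request on side a and the reply on side b hit the same tool."""
    return steer(group, client, server, "a") == steer(group, server, client, "b")


GROUP = InlineToolGroup(["inTool1", "inTool2", "inTool3", "inTool4"])

if __name__ == "__main__":
    print(steer(GROUP, "10.10.10.101", "192.0.2.10"))            # rule map: inTool1
    print(steer(GROUP, "198.51.100.7", "192.0.2.10"))            # collector: hashed member
    print(flow_is_pinned(GROUP, "198.51.100.7", "192.0.2.10"))   # True
    degraded = InlineToolGroup(GROUP.tools, down={"inTool3"})
    print(steer(degraded, "198.51.100.7", "192.0.2.10"))         # network-bypass
```

The a-srcip-b-dstip choice is what keeps both directions of a collector flow on one tool: the client's address is the source on net-a and the destination on net-b, so the same key is hashed on both sides. The degraded case shows the consequence of minimum-group-healthy-size 4 on a four-tool group: one tool down and all collector traffic goes to network-bypass, uninspected.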
