Example 2 adds the default heartbeat profile to the unprotected inline bypass solution on GigaVUE-HC2 in Example 1.

1. Configure inline network aliases, port type (inline-network), and administratively enable inline network ports.

(config) # port 3/1/x1 alias iN1
(config) # port iN1 type inline-network
(config) # port iN1 params admin enable

(config) # port 3/1/x2 alias iN2
(config) # port iN2 type inline-network
(config) # port iN2 params admin enable

2. Configure inline network.

(config) # inline-network alias inNet pair net-a iN1 and net-b iN2

3. Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 3/1/x3 alias iT1
(config) # port iT1 type inline-tool
(config) # port iT1 params admin enable

(config) # port 3/1/x4 alias iT2
(config) # port iT2 type inline-tool
(config) # port iT2 params admin enable

4. Configure default heartbeat profile.

(config) # hb-profile alias hb1
(config hb-profile alias hb1) # exit
(config) #

5. Configure inline tool and enable it.

(config) # inline-tool alias inTool pair tool-a iT1 and tool-b iT2
(config) # inline-tool alias inTool enable

6. Specify heartbeat profile and enable heartbeat.

(config) # inline-tool alias inTool hb-profile hb1
(config) # inline-tool alias inTool heart-beat

7. Configure map passall, from inline network to inline tool.

(config) # map-passall alias inMap
(config map-passall alias inMap) # from inNet
(config map-passall alias inMap) # to inTool
(config map-passall alias inMap) # exit
(config) #

8. Configure the path of the traffic to inline tool.

(config) # inline-network alias inNet traffic-path to-inline-tool

9. Display the configuration for this example.

(config) # show hb-profile
(config) # show inline-tool

Example 1: Unprotected Inline Bypass

On GigaVUE-HC1, an unprotected inline bypass solution can be configured on the base module, with the inline networks and inline tools on ports 1/1/x1..x12 and 1/1/g1..g4, or on the bypass combo module on ports x1..x4.

1. Configure inline network aliases, port type (inline-network), and administratively enable inline network ports.

(config) # port 3/1/x1 alias iN1
(config) # port iN1 type inline-network
(config) # port iN1 params admin enable

(config) # port 3/1/x2 alias iN2
(config) # port iN2 type inline-network
(config) # port iN2 params admin enable

2. Configure inline network.

(config) # inline-network alias inNet pair net-a iN1 and net-b iN2

3. Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 3/1/x3 alias iT1
(config) # port iT1 type inline-tool
(config) # port iT1 params admin enable

(config) # port 3/1/x4 alias iT2
(config) # port iT2 type inline-tool
(config) # port iT2 params admin enable

4. Configure inline tool and enable it.

(config) # inline-tool alias inTool pair tool-a iT1 and tool-b iT2
(config) # inline-tool alias inTool enable

5. Configure map passall, from inline network to inline tool.

(config) # map-passall alias inMap
(config map-passall alias inMap) # from inNet
(config map-passall alias inMap) # to inTool
(config map-passall alias inMap) # exit

6. Configure the path of the traffic to inline tool.

(config) # inline-network alias inNet traffic-path to-inline-tool

7. Display the configuration for this example.

(config) # show port
(config) # show inline-network
(config) # show inline-tool
(config) # show map

AFP, ASF Sample

gigamon-2c013c (config) # sh running-config
##
## Running database "initial"
## Generated at 2019/12/23 05:23:44 +0000
## Software version on which this output was taken: GigaVUE-OS 5.7.01 142718 2019-09-23 23:20:06
##

##
## Port level configurations
##
port 1/1/g1 type network
port 1/1/g2 type network
port 1/1/g3 type network
port 1/1/g4 type network
port 1/1/x1 type hybrid
port 1/1/x1 params admin enable
port 1/1/x2 type network
port 1/1/x2 params admin enable
port 1/1/x3 type tool
port 1/1/x3 params admin enable
port 1/1/x4 type network
port 1/1/x4 params admin enable
port 1/1/x5 type network
port 1/1/x6 type tool
port 1/1/x6 params admin enable
port 1/1/x7 type tool
port 1/1/x7 params admin enable
port 1/1/x8 type tool
port 1/1/x8 params admin enable
port 1/1/x9 type network
port 1/1/x10 type tool
port 1/1/x10 params admin enable
port 1/1/x11 type network
port 1/1/x12 type tool
port 1/1/x12 params admin enable
port 1/2/x1 type network
port 1/2/x2 type network
port 1/2/x3 type network
port 1/2/x4 type network
port 1/2/x5 type inline-net
port 1/2/x5 params admin enable speed 1000
port 1/2/x6 type inline-net
port 1/2/x6 params admin enable speed 1000
port 1/2/x7 type inline-net
port 1/2/x8 type inline-net
port 1/3/g1 type network
port 1/3/g1 params taptx passive
port 1/3/g2 type network
port 1/3/g2 params taptx passive
port 1/3/g3 type network
port 1/3/g3 params taptx passive
port 1/3/g4 type network
port 1/3/g4 params taptx passive
port 1/3/g5 type network
port 1/3/g5 params taptx passive
port 1/3/g6 type network
port 1/3/g6 params taptx passive
port 1/3/g7 type network
port 1/3/g7 params taptx passive
port 1/3/g8 type network
port 1/3/g8 params taptx passive

##
## Gigastream hash configurations
##
gigastream advanced-hash slot 1/cc1 default

##
## Gigastream configurations
##
gigastream alias T-LB-1
port-list 1/1/x6,1/1/x8 params hash advanced
exit
gigastream alias T-LB-2
port-list 1/1/x10,1/1/x12 params hash advanced
exit

##
## SAPF configurations
##
apps asf alias youtube-asf
bi-directional enable
buffer enable
buffer-count-before-match 6
packet-count disable
protocol tcp-udp
sess-field add ipv4-5tuple outer
timeout 15
exit

##
## Gsgroup configurations
##
gsgroup alias GS1 port-list 1/1/e1

##
## Gs params configurations
##
gsparams gsgroup GS1
cpu utilization type total rising 80
dedup-action drop
dedup-ip-tclass include
dedup-ip-tos include
dedup-tcp-seq include
dedup-timer 50000
dedup-vlan ignore
diameter-packet timeout 2
diameter-s6a-session limit 10000
diameter-s6a-session timeout 30
eng-watchdog-timer 60
erspan3-timestamp format none
flow-mask disable
flow-sampling-rate 5
flow-sampling-timeout 1
flow-sampling-type device-ip
generic-session-timeout 5
gtp-control-sample enable
gtp-flow timeout 48
gtp-persistence disable
gtp-persistence file-age-timeout 30
gtp-persistence interval 10
gtp-persistence restart-age-time 30
gtp-randomsample disable
gtp-randomsample interval 12
ip-frag forward enable
ip-frag frag-timeout 10
ip-frag head-session-timeout 30
lb failover disable
lb failover-thres lt-bw 80
lb failover-thres lt-pkt-rate 1000
lb replicate-gtp-c disable
lb use-link-spd-wt disable
node-role disable
resource buffer-asf 2
resource cpu overload-threshold 90
resource hsm-ssl buffer disable
resource hsm-ssl packet-buffer 1000
resource inline-ssl standalone enable
resource metadata disable
resource packet-buffer overload-threshold 80
resource xpkt-pmatch num-flows 0
session logging level none
sip-media timeout 30
sip-nat disable
sip-session timeout 30
sip-tcp-idle-timeout 20
ssl-decrypt decrypt-fail-action drop
ssl-decrypt enable
ssl-decrypt hsm-pkcs11 dynamic-object enable
ssl-decrypt hsm-pkcs11 load-sharing enable
ssl-decrypt hsm-timeout 1000
ssl-decrypt key-cache-timeout 10800
ssl-decrypt non-ssl-traffic drop
ssl-decrypt pending-session-timeout 60
ssl-decrypt session-timeout 300
ssl-decrypt tcp-syn-timeout 20
ssl-decrypt ticket-cache-timeout 10800
tunnel-health-check action pass
tunnel-health-check disable
tunnel-health-check dstport 54321
tunnel-health-check interval 600
tunnel-health-check protocol icmp
tunnel-health-check rcvport 54321
tunnel-health-check retries 5
tunnel-health-check roundtriptime 1
tunnel-health-check srcport 54321
xpkt-pmatch disable
exit

##
## Gsop configurations
##
gsop alias youtube-gsop apf set asf set port-list GS1

##
## Vport configurations
##
vport alias vp1 gsgroup GS1
vport alias vp1 failover-action vport-bypass
vport alias vp1 outer-traffic-path to-inline-tool
vport alias vp1 inner-traffic-path to-inline-tool
vport alias vp1 deferred-binding disable
vport alias vp1 asf profile youtube-asf
vport alias vp1 mmon disable

##
## Inline-network configurations
##
inline-network alias default_inline_net_1_2_1
pair net-a 1/2/x5 and net-b 1/2/x6
physical-bypass disable
traffic-path bypass
exit

##
## Traffic map connection configurations
##

Forward mirrored packets from the inline network to a specific port (all packets, rx)

map-passall alias N1-map-source-packet-rx
roles replace admin to owner_roles
to 1/1/x1
from 1/2/x5
exit

Forward mirrored packets from the inline network to a specific port (all packets, tx)

map-passall alias N1-map-source-packet-tx
roles replace admin to owner_roles
to 1/1/x1
from 1/2/x6
exit

Forward the mirrored packets received from the inline network to a virtual port

map alias All-traffic
type firstLevel byRule
roles replace admin to owner_roles
comment " "
rule add pass macsrc 00:00:00:00:00:00 00:00:00:00:00:00 bidir
to vp1
from 1/1/x1
exit

Detects when a video is played on the YouTube site.

map alias traffic-sapf-youtube
type secondLevel byRule
roles replace admin to owner_roles
use gsop youtube-gsop
gsrule add pass pmatch RegEx youtube|ytimg|yt3.ggpht|tubeMogul|tmogul|googlevideo|tmogulyoutu 0..1460
to 1/1/x3
from vp1
exit

Detects when a PC exchanges client or pattern updates with the Symantec server.

map alias traffic-sapf-symatec
type secondLevel byRule
roles replace admin to owner_roles
use gsop youtube-gsop
gsrule add pass pmatch RegEx symantec|syma|sep|livet|symant 0..1460
to 1/1/x3
from vp1
exit

Extra: detect only a specific hex code value

map alias traffic-sapf-hex
type secondLevel byRule
roles replace admin to owner_roles
comment hex-.ama
use gsop youtube-gsop
gsrule add pass pmatch protocol ipv4 pos 1 RegEx [\x2e\x61\x6d\x61] 0..80
to 1/1/x7
from vp1
exit

The RegEx expression identifies the SSL handshake type Client Hello patterns and all buffered packets (TCP).

pos -> number representing the occurrence (specifies the occurrence number to match)

Detects access to an HTTPS site

map alias traffic-sapf-https
type secondLevel byRule
roles replace admin to owner_roles
use gsop youtube-gsop
gsrule add pass pmatch protocol tcp pos 1 RegEx \x16\x03.{3}\x01 0..6
to 1/1/x7
from vp1
exit

Detects packets other than the specifically designated ones (HTTPS, YouTube, Symantec, etc.)

map-scollector alias traffice-non-asf
roles replace admin to owner_roles
from vp1
collector T-LB-1
exit
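To check what the gsrule RegEx patterns in the running-config above actually match, here is an added Python example (not from the original post or from Gigamon) that replays the four patterns against constructed payloads. It assumes case-sensitive raw-byte matching and that "0..N" is a payload offset window; the page does not state either.

```python
import re

# Added example, not from the page or from Gigamon: the four gsrule RegEx
# patterns in the running-config above, replayed with Python bytes regexes.
# Assumptions (not confirmed by the page): GigaSMART pmatch compares raw
# bytes case-sensitively, and "0..N" limits the match to payload offsets
# 0..N. re.DOTALL makes "." match 0x0a too, which a TLS length byte may be.
GSRULES = [
    # (map alias from the page, RegEx from the page, offset window)
    ("traffic-sapf-youtube",
     rb"youtube|ytimg|yt3.ggpht|tubeMogul|tmogul|googlevideo|tmogulyoutu",
     (0, 1460)),
    # "sep" and "syma" are short substrings; anything containing them
    # (e.g. "separate") also matches, so expect false positives here.
    ("traffic-sapf-symatec", rb"symantec|syma|sep|livet|symant", (0, 1460)),
    # As configured, this is a character class: ONE byte that is '.', 'a'
    # or 'm', not the four-byte string ".ama" the comment "hex-.ama" implies.
    ("traffic-sapf-hex", rb"[\x2e\x61\x6d\x61]", (0, 80)),
    # TLS record header: type 0x16 (handshake), version 0x03 xx, two length
    # bytes, then handshake type 0x01 = ClientHello. Six bytes, hence 0..6.
    ("traffic-sapf-https", rb"\x16\x03.{3}\x01", (0, 6)),
]
COMPILED = [(alias, re.compile(rx, re.DOTALL), win) for alias, rx, win in GSRULES]

# The sequence form of the hex rule, kept separately for comparison.
HEX_SEQUENCE = re.compile(rb"\x2e\x61\x6d\x61")


def pmatch(pattern, payload, window):
    """True if pattern matches within payload[start:end], the pmatch window."""
    start, end = window
    return pattern.search(payload[start:end]) is not None


def matching_maps(payload):
    """Aliases of the second-level maps whose gsrule matches this payload.

    In the page's configuration a payload matching none of them is left for
    the map-scollector (traffice-non-asf) to pick up.
    """
    return [alias for alias, pat, win in COMPILED if pmatch(pat, payload, win)]


# Constructed sample payloads, not captured traffic.
CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32
SERVER_HELLO = b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46\x03\x03" + b"\x00" * 32
APP_DATA = b"\x17\x03\x03\x00\x20" + b"\x00" * 32
HTTP_YOUTUBE = b"GET /watch HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"
HTTP_PLAIN = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
HTTP_SEP = b"GET /separate-report HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
HTTP_AMA = b"GET /clip.ama HTTP/1.1\r\nHost: files.example\r\n\r\n"

if __name__ == "__main__":
    samples = [("CLIENT_HELLO", CLIENT_HELLO), ("SERVER_HELLO", SERVER_HELLO),
               ("APP_DATA", APP_DATA), ("HTTP_YOUTUBE", HTTP_YOUTUBE),
               ("HTTP_PLAIN", HTTP_PLAIN), ("HTTP_SEP", HTTP_SEP),
               ("HTTP_AMA", HTTP_AMA)]
    for name, payload in samples:
        print(f"{name:13s} -> {matching_maps(payload)}")
    # The class form fires on nearly any text payload; the sequence form only
    # on payloads that really contain ".ama".
    for name, payload in [("HTTP_PLAIN", HTTP_PLAIN), ("HTTP_AMA", HTTP_AMA)]:
        print(f"{name:13s} '.ama' sequence -> {pmatch(HEX_SEQUENCE, payload, (0, 80))}")
    # A ClientHello that does not start at offset 0 is outside the 0..6 window.
    print("shifted ClientHello ->", matching_maps(b"\x00" * 8 + CLIENT_HELLO))
```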

 


How To: Configure Out of band clustering on H series

Objective
How to get going with Out of Band Clustering: In OOB clustering, all cluster control traffic uses the eth0 or eth2 interface, depending on the type of node.
If you have HD & HC devices, you can use either eth0 or eth2 as your cluster control interface (where the control traffic will be exchanged between the nodes).
If you have low-end devices like HB & TAxx, you have to use eth0 as your cluster control interface; eth2 is not supported on these platforms.

Environment
H series of nodes
Procedure
Planning
Assign a dedicated IP for the new cluster.
NB: this must be unique and is different from the two mgmt IPs if you are using the eth2 interface as your cluster interface.

Cluster Details
Name = any cluster name; it can be a combination of letters and numbers (e.g. 1007)
ID = any cluster ID; it can be a combination of letters and numbers (e.g. 1007)
Mgmt IP = x.x.x.x/x (e.g. 10.150.56.71/24)

Device A (Master node)
Stack ports = 1/1/x1..x2
Mgmt IP =
Cluster mgmt port = eth2 (for HD & HC devices)
Chassis Serial Number =
Box id = 1

Device B (standby node)
Stack ports = 2/1/x1..x2
Mgmt IP =
Cluster mgmt Port = eth2
Chassis Serial Number
New box id = 2

First, set up the cluster so each box communicates

On device A:
Re-run the Jump-Start script
(config) # config jump-start
...
Step 12: Cluster enable? [no] yes
Step 13: Cluster interface? [eth2]
Step 14: Cluster id (Back-end may take time to proceed)? [default-cluster] 1007
Step 15: Cluster name? [default-cluster] 1007
Step 16: Cluster mgmt IP address and masklen? [0.0.0.0/0] 10.150.56.71/24

On device B:
Change the chassis ID. Please note that this removes any existing configuration, so take a backup first.
no chassis box-id 1
chassis box-id 2 serial-num <>

Re-run the Jump-Start script
(config) # config jump-start
...
Step 12: Cluster enable? [no] yes
Step 13: Cluster interface? [eth2]
Step 14: Cluster id (Back-end may take time to proceed)? [default-cluster] 1007
Step 15: Cluster name? [default-cluster] 1007
Step 16: Cluster mgmt IP address and masklen? [0.0.0.0/0] 10.150.56.71/24

Log into VIP Address, the cluster mgmt IP set above.
chassis box-id 1 serial
card all box-id 1

chassis box-id 2 serial
card all box-id 2

Set up cluster stack-links (a stack-link is used to send the data traffic between Gigamon nodes)
port 1/1/x1..x2 type stack
gigaStream alias box1-GSstack port 1/1/x1..x2

port 2/1/x1..x2 type stack
gigaStream alias box2-GSstack port 2/1/x1..x2

stack-link alias hc2-hc2 between gigastreams box1-GSstack and box2-GSstack

Additional Notes
Please make sure that, in order to form the out-of-band cluster, the cluster name, cluster ID, cluster interface and software version match those of the other nodes.
Please also do not leave the cluster master preference at its default. For the master node, set the cluster master preference higher (100 preferred); for the other nodes you can pick another number between 50 and 99.
Verify all of this by using the commands below on each node:
show version
show cluster config
show cluster global brief

We recommend a clean node before joining an existing cluster (reset factory only-traffic).

 


GigaVUE H Series nodes support Secure Sockets Layer (SSL) decryption. SSL is a cryptographic protocol that adds security to TCP/IP communications such as Web browsing and email. The protocol allows the transmission of secure data between a server and client who both have the keys to decode the transmission and the certificates to verify trust between them. Out-of-band SSL decryption delivers decrypted traffic to out-of-band tools that can then detect threats entering the network.

SSL decryption is a pillar of the GigaSECURE Security Delivery Platform. For an overview of GigaSECURE, refer to the “GigaSECURE Security Delivery Platform” section in the GigaVUE-FM User’s Guide.

Configure Out-of-Band SSL Decryption Examples
The following sections provide examples of out-of-band SSL decryption. Refer to the following:

• Example 1: Out-of-Band SSL Decryption with a Regular Map
• Example 2: Out-of-Band SSL Decryption with De-Duplication
• Other Usage Examples
For details on the CLI commands used in the following sections, refer to apps ssl, gsparams, and gsop in the reference section.

Example 1: Out-of-Band SSL Decryption with a Regular Map
In Example 1, a regular map is configured to use with out-of-band SSL decryption.

1. Upload a key and create a service. Refer to Working with Keys and Services on page 732.

(config) # apps ssl key alias key1 download type private-key url https://keyserver.domain.com/path/keyfile.pem
(config) # apps ssl service alias service1 server-ip 192.168.1.1 server-port 443

2. Configure a GigaSMART group.

(config) # gsgroup alias gsgrp1 port-list 1/1/e1

3. Specify the GigaSMART group alias.

(config) # gsparams gsgroup gsgrp1

4. Specify a failover action.

(config gsparams gsgroup gsgrp1) # ssl-decrypt decrypt-fail-action drop

5. Configure session timeouts, in seconds.

(config gsparams gsgroup gsgrp1) # ssl-decrypt pending-session-timeout 60
(config gsparams gsgroup gsgrp1) # ssl-decrypt session-timeout 300
(config gsparams gsgroup gsgrp1) # ssl-decrypt tcp-syn-timeout 20

6. Configure cache timeouts, in seconds.

(config gsparams gsgroup gsgrp1) # ssl-decrypt key-cache-timeout 9000
(config gsparams gsgroup gsgrp1) # ssl-decrypt ticket-cache-timeout 9000

7. Configure a key/service mapping that maps how a key is assigned to an IP address of a server.

(config gsparams gsgroup gsgrp1) # ssl-decrypt key-map add service service1 key key1

8. Enable out-of-band SSL decryption.

(config gsparams gsgroup gsgrp1) # ssl-decrypt enable

9. Exit the GigaSMART group configuration mode.

(config gsparams gsgroup gsgrp1) # exit
(config) #

10. Configure a GigaSMART operation for out-of-band SSL decryption.

(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto port-list gsgrp1

In the previous step, gdssl1 is the alias for a GigaSMART operation, in-port specifies the destination port on which to listen, out-port specifies the destination port on which to send decrypted traffic, and port-list is set to the GigaSMART group alias previously configured. The in-port and out-port arguments can also be a port number between 1 and 65535.

Next, configure a traffic map, as follows:

1. Specify a map alias (m1) and specify the map type and subtype.

(config) # map alias m1
(config map alias m1) # type regular byRule

2. Specify the GigaSMART operation alias (gdssl1) as part of the map. This applies the associated GigaSMART functionality to packets matching a rule in the map.

(config map alias m1) # use gsop gdssl1

3. Specify a map rule.

(config map alias m1) # rule add pass ipver 4

4. Specify the destination for packets matching this map.

(config map alias m1) # to 1/1/g2

5. Specify the source port(s) for this map.

(config map alias m1) # from 1/1/g1

6. Exit the map prefix mode.

(config map alias m1) # exit
(config) #

7. Display the configuration.

(config) # show gsop
(config) # show map
(config) # show gsparams

Example 2: Out-of-Band SSL Decryption with De-Duplication
In Example 2, the configuration steps are the same except when you configure a GigaSMART operation you send the decrypted traffic to de-duplication for additional filtering, as follows:

(config) # gsop alias gdssl1 ssl-decrypt in-port any out-port auto dedup set port-list gsgrp1

Other Usage Examples
Two typical usage examples are as follows:

• Use map rules to filter on the IP address of the server and send everything to GigaSMART. Configure a GigaSMART operation to listen on the in-port used by the server. The GigaSMART will drop other traffic.
• Use map rules to filter on the IP address of the server and in-port and send specific port traffic to the GigaSMART. Configure a GigaSMART operation to listen on in-port any.

 


Example 8—Flexible Inline Single Tag Configuration

When you configure inline maps with a single VLAN tag, the map rules must carry the same VLAN tag as the one configured in the from parameter.

The following is an example of a flexible inline single tag configuration.

map alias map1_in1_100_11
  type flexinline byRule
  rule add pass ipver 4 vlan 100
  from in1 vlan 100
  a-to-b it1_extTool,itg1
  b-to-a reverse
  tag 11
  oob-copy from in1 to 1/2/x1 tag original
  oob-copy from it1_extTool to 1/2/x1 tag original
  exit
 


Example 7—Protected Flexible Inline, Out-of-Band Copy

Example 7 demonstrates a flexible inline map with OOB copy configuration as follows:

• an example of the source as a protected inline network and the destination as a hybrid port
• an example of the source as a tool member in the a-to-b list and the destination as a regular tool port
• an example of the source as a tool member in the a-to-b list and the destination as a GigaStream
Use the following steps to configure Example 7:

1. Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 1/3/x1..x4 type inline-tool
(config) # port 1/3/x1..x4 params admin enable

2. Configure inline tools, specify that the inline tool is going to be shared by different sources, specify heart-beat, and enable inline tools.

(config) # inline-tool alias it1 pair tool-a 1/3/x1 and tool-b 1/3/x2
(config) # inline-tool alias it1 shared true
(config) # inline-tool alias it1 heart-beat
(config) # inline-tool alias it1 enable

(config) # inline-tool alias it2 pair tool-a 1/3/x3 and tool-b 1/3/x4
(config) # inline-tool alias it2 shared true
(config) # inline-tool alias it2 heart-beat
(config) # inline-tool alias it2 enable

3. Configure hybrid port, port type (hybrid), and administratively enable hybrid port. The flexible inline map will configure out-of-band (OOB) traffic to this hybrid port.

(config) # port 1/3/x19 type hybrid
(config) # port 1/3/x19 params admin enable

4. Configure regular tool ports, port type (tool), and administratively enable tool ports. The flexible inline map will configure out-of-band (OOB) traffic to a regular tool port. Two other tool ports will be used in a GigaStream.

(config) # port 1/3/x20..x22 type tool
(config) # port 1/3/x20..x22 params admin enable

5. Create a GigaStream using two of the regular tool ports.

(config) # gigastream alias gs1 port-list 1/3/x21,1/3/x22

6. Configure the flexible inline map from the default inline network to inline tools in both directions, specify a rule, and a user-defined tag. Then configure out-of-band traffic as follows:

• from a protected inline network to a hybrid port using the same VLAN tag as the flexible inline map
• from the first tool member in the a-to-b list to a regular tool port without a VLAN tag. The tag can be configured to none, because traffic goes to a different destination, it1.
• from the second tool member in the a-to-b list to a GigaStream using the same VLAN tag as the flexible inline map

Finally, enable the map.

(config) # map alias FLEX1
(config map alias FLEX1) # type flexInline byRule
(config map alias FLEX1) # from default_inline_net_1_4_1
(config map alias FLEX1) # rule add pass vlan 500
(config map alias FLEX1) # a-to-b it1,it2
(config map alias FLEX1) # b-to-a same
(config map alias FLEX1) # tag 11
(config map alias FLEX1) # oob-copy from default_inline_net_1_4_1 to 1/3/x19 tag as-inline
(config map alias FLEX1) # oob-copy from it1 to 1/3/x20 tag none
(config map alias FLEX1) # oob-copy from it2 to gs1 tag as-inline
(config map alias FLEX1) # enable
(config map alias FLEX1) # exit
(config) #

7. Configure the path of the traffic to inline tools.

(config) # inline-network alias default_inline_net_1_4_1 traffic-path to-inline-tool

8. Disable physical bypass on the default inline network.

(config) # inline-network alias default_inline_net_1_4_1 physical-bypass disable

 


Example 6—Unprotected Flexible Inline, Monitoring Mode

Example 6 adds a traffic path of monitoring for one inline tool to Example 4. It has the same two inline networks, the same five inline tools, and the same maps, but the flexible traffic path on the second inline tool is set to monitoring.

The monitoring mode is similar to bypass, but at the tool level. In a sequence of tools, you can select a separate tool to put into monitoring mode; in this case it is the second tool, t0910.

Refer to Figure 1423: Example 6 Inline Tool Sharing by Multiple Inline Flows. All the flows going through a tool in monitoring mode absorb the traffic. The traffic to t0910 is absorbed; however, a copy of the traffic goes to the next tool, which in this case is t1314. Although the B-to-A traffic is not shown in Figure 1423: Example 6 Inline Tool Sharing by Multiple Inline Flows, the traffic returned from the B side of the network to t0910 will also be absorbed.

Figure 1423: Example 6 Inline Tool Sharing by Multiple Inline Flows illustrates Example 6. Traffic is only shown in one direction.

Figure 1423: Example 6 Inline Tool Sharing by Multiple Inline Flows

Use the following steps to configure Example 6:

1. Configure inline network ports, port type (inline-network), and administratively enable inline network ports.

(config) # port 1/3/x1..x4 type inline-network
(config) # port 1/3/x1..x4 params admin enable

2. Configure inline networks.

(config) # inline-network alias n0102 pair net-a 1/3/x1 and net-b 1/3/x2
(config) # inline-network alias n0304 pair net-a 1/3/x3 and net-b 1/3/x4

3. Configure inline tool ports, port type (inline-tool), and administratively enable inline tool ports.

(config) # port 1/3/x7..x16 type inline-tool
(config) # port 1/3/x7..x16 params admin enable

4. Configure inline tools, specify that the inline tool is going to be shared by different sources, and enable them. On the second inline tool, specify a traffic path of monitoring.

(config) # inline-tool alias t0708 pair tool-a 1/3/x7 and tool-b 1/3/x8
(config) # inline-tool alias t0708 shared true
(config) # inline-tool alias t0708 enable

(config) # inline-tool alias t0910 pair tool-a 1/3/x9 and tool-b 1/3/x10
(config) # inline-tool alias t0910 flex-traffic-path monitoring
(config) # inline-tool alias t0910 shared true
(config) # inline-tool alias t0910 enable

(config) # inline-tool alias t1112 pair tool-a 1/3/x11 and tool-b 1/3/x12
(config) # inline-tool alias t1112 shared true
(config) # inline-tool alias t1112 enable

(config) # inline-tool alias t1314 pair tool-a 1/3/x13 and tool-b 1/3/x14
(config) # inline-tool alias t1314 shared true
(config) # inline-tool alias t1314 enable

(config) # inline-tool alias t1516 pair tool-a 1/3/x15 and tool-b 1/3/x16
(config) # inline-tool alias t1516 shared true
(config) # inline-tool alias t1516 enable

5. Configure maps from inline networks to inline tools in both directions, add user-defined tags, and enable maps.

For the rule-based map, configure a rule (one rule only) to direct traffic to the tools. The rule can be based on any map rule criteria such as TCP port, IP subnet, or VLAN.

Note: The tag is optional. The default is auto, which automatically assigns tags.

(config) # map alias FLEX1
(config map alias FLEX1) # type flexInline collector
(config map alias FLEX1) # from n0102
(config map alias FLEX1) # a-to-b t0708,t0910,t1112,t1314,t1516
(config map alias FLEX1) # b-to-a reverse
(config map alias FLEX1) # tag 100
(config map alias FLEX1) # enable
(config map alias FLEX1) # exit
(config) #

(config) # map alias FLEX2
(config map alias FLEX2) # type flexInline collector
(config map alias FLEX2) # from n0304
(config map alias FLEX2) # a-to-b t0708,t1112
(config map alias FLEX2) # b-to-a reverse
(config map alias FLEX2) # tag 200
(config map alias FLEX2) # enable
(config map alias FLEX2) # exit
(config) #

(config) # map alias FLEX3
(config map alias FLEX3) # type flexInline byRule
(config map alias FLEX3) # from n0102
(config map alias FLEX3) # a-to-b t0910,t1314
(config map alias FLEX3) # b-to-a reverse
(config map alias FLEX3) # rule add pass ipver 4
(config map alias FLEX3) # tag 300
(config map alias FLEX3) # enable
(config map alias FLEX3) # exit
(config) #

6. Configure the path of the traffic to inline tools.

(config) # inline-network alias n0102 traffic-path to-inline-tool
(config) # inline-network alias n0304 traffic-path to-inline-tool

 
