Cisco Support Community
New Member

ERSPAN from vDC on Nexus 7k

Hey All,

I'm trying to set up an ERSPAN on our Nexus 7010 and am running into some trouble. I want to span the data from a VLAN in our DMZ vDC and have the source configuration set up correctly (I believe).

monitor session 1 type erspan-source
  erspan-id 22
  vrf default
  destination ip 10.5.10.198
  source vlan 129 both
  no shut

The problem is occurring when I try to set up the ERSPAN origin. Documentation states that "The global origin IP address can be configured only in the default VDC. The value that is configured in the default VDC is valid across all VDCs. Any change made in the default VDC is applied across all nondefault VDCs." And sure enough, if you try to configure the origin in the non-default vDC you get the following:

HZN-N7K-1-DMZ(config)# monitor erspan origin ip-address 10.12.1.231
ERROR: Per VDC origin IP not supported. Please use global mode
HZN-N7K-1-DMZ(config)# monitor erspan origin ip-address 10.12.1.231 global
ERROR: This config allowed ONLY in default VDC

So I drop to the ADMIN vDC and can then set up my ERSPAN origin:

HZN-N7K-1-DMZ(config)# end
HZN-N7K-1-DMZ# exit
HZN-N7K-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HZN-N7K-1(config)# monitor erspan origin ip-address 10.5.11.41
ERROR: Per VDC origin IP not supported. Please use global mode
HZN-N7K-1(config)# monitor erspan origin ip-address 10.5.11.41 global
HZN-N7K-1(config)#

So that config takes and I guess everything looks correct. The ADMIN vDC shows no sessions running, as I would expect:

HZN-N7K-1# sh monitor
Note: No sessions configured
HZN-N7K-1#

The DMZ vDC shows that it has an active session:

HZN-N7K-1-DMZ# sh monitor
Session  State        Reason                  Description
-------  -----------  ----------------------  --------------------------------
1        up           The session is up                                      
HZN-N7K-1-DMZ# sh monitor session 1
   session 1
---------------
type              : erspan-source
state             : up
erspan-id         : 22
vrf-name          : default
acl-name          : acl-name not specified
ip-ttl            : 255
ip-dscp           : 0
destination-ip    : 10.5.10.198
origin-ip         : 10.5.11.41 (global)
source intf       :
    rx            :
    tx            :
    both          :
source VLANs      :
    rx            : 129
    tx            : 129
    both          : 129
filter VLANs      : filter not specified


Feature       Enabled   Value   Modules Supported       Modules Not-Supported
-----------------------------------------------------------------------------
Rate-limiter  No
MTU-Trunc     No
Sampling      No
MCBE          No
L3-TX         -           -     1  2  5  10             - 
ERSPAN-ACL    -           -     1  2  10                5 
ERSPAN-V2     Yes       -       1  2  10                5 


Legend:
  MCBE  = multicast best effort
  L3-TX = L3 Multicast Egress SPAN

HZN-N7K-1-DMZ#

Yet I am not seeing my ERSPAN data on my NAM (the 10.5.10.198 listed as the ERSPAN destination).

NAM-erspans.jpg

Now I can get to the NAM from both the DMZ vDC and from the ADMIN vDC, so it's not a routing or firewall issue.

Anyone have any tips or ideas? Which vDC would this ERSPAN source the GRE tunnel from? Knowing what I do about vDCs, it amazes me that it would source from the ADMIN vDC, but if you configure the origin information from ADMIN and you need to specify a source IP that would live in the DMZ vDC, how would that work if you wanted to send ERSPAN data from a different, third vDC???

Thanks,

Ben Posner
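
A destination-side check for the question raised in the post above (which source address and ERSPAN ID actually arrive), added here as an example that is not part of the original thread or any Cisco tool: it decodes the outer IPv4/GRE headers and the ERSPAN session ID of a raw IPv4 packet and compares them with the values from `sh monitor session 1`. The function names and the sample packet are constructed for illustration, the input is assumed to be a raw IPv4 packet captured at the destination, and the decoder also accepts the Type III GRE protocol type, which goes beyond what the post shows.

```python
import ipaddress
import struct

ERSPAN_TYPES = {0x88BE: "II", 0x22EB: "III"}  # GRE protocol types carrying ERSPAN

def parse_erspan(pkt: bytes):
    """Decode outer IPv4 + GRE + first ERSPAN word; None if not ERSPAN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 47 or len(pkt) < ihl + 4:  # IP protocol 47 = GRE
        return None
    flags, proto = struct.unpack_from("!HH", pkt, ihl)
    if proto not in ERSPAN_TYPES:
        return None
    # Skip optional GRE checksum (C), key (K) and sequence (S) fields, 4 bytes each.
    off = ihl + 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if len(pkt) < off + 4:
        return None
    (word,) = struct.unpack_from("!I", pkt, off)
    return {
        "outer_src": str(ipaddress.IPv4Address(bytes(pkt[12:16]))),
        "outer_dst": str(ipaddress.IPv4Address(bytes(pkt[16:20]))),
        "type": ERSPAN_TYPES[proto],
        "vlan": (word >> 16) & 0x0FFF,   # 12-bit VLAN of the mirrored frame
        "session_id": word & 0x03FF,     # 10-bit ERSPAN ID (erspan-id on the switch)
    }

def check_erspan(pkt, origin, dest, erspan_id):
    """Return a list of mismatches against the values from 'sh monitor session'."""
    info = parse_erspan(pkt)
    if info is None:
        return ["not ERSPAN-in-GRE"]
    want = {"outer_src": origin, "outer_dst": dest, "session_id": erspan_id}
    return [f"{k}: got {info[k]}, expected {v}" for k, v in want.items() if info[k] != v]

def build_sample(src, dst, erspan_id, vlan):
    """Constructed Type II packet (headers only, IP checksum left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 255, 47, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    gre = struct.pack("!HHI", 0x1000, 0x88BE, 1)  # S bit set, sequence number 1
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | erspan_id, 0)
    return ip + gre + erspan

if __name__ == "__main__":
    sample = build_sample("10.5.11.41", "10.5.10.198", 22, 129)
    print(parse_erspan(sample))
    print(check_erspan(sample, "10.5.11.41", "10.5.10.198", 22))
```

An empty list from `check_erspan` means the packet's outer source, outer destination and ERSPAN ID match the session; a mismatch on `outer_src` shows which address the switch really sourced the GRE traffic from.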

4 REPLIES
Bronze

ERSPAN from vDC on Nexus 7k

Hi Ben,

Did you manage to get this working?

I am also facing this issue while trying to do an erspan from VDC.

BR

New Member

ERSPAN from vDC on Nexus 7k

Nope, still not working. I was able to get around my immediate problem by using an ERSPAN from another device, but I still cannot get one working from any non-admin vDC on my 7010s.

New Member

I'm curious to know what

I'm curious to know what other device you used.  I bought two new 4551X and was/am a bit dismayed at the ERSPAN peer limitations. I do have 2 7010s and was planning to end-point the sessions there until I crossed this thread on the forum.

What do you have (or not) working?  I was able to get ERSPAN to work across my 4551Xs but that's only to prove the concept.  Going to production for my McAfee IDSs, I was planning to connect them to the 7010s in a non-admin VDC.

New Member

Did anyone get a resolution

Did anyone get a resolution to this?
