Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Silver

VSG overloaded with extra-tenant traffic

We have a VMware - Nexus 1000V environment with VSG but no ASA 1000V. All VM vNICs have VSG-enabled port-profiles. We noticed intermittent network problems and found heavy loaded periods on VSG CPU and VSG's network traffic graphs. I've managed to SPAN the VSG-Data0 traffic and found huge amount of extra-tenant traffic encapsulated and sent to VSG by VEM. These are not flow initialization traffic at all, but 1500 byte data packets, clearly not TCP SYNs.

We have an UAG VM with vNIC to an external VLAN. (VLAN hosts are outside the vSphere environment.) It seems the problematic traffic is that traverses the UAG towards external hosts. That is, a tenant member VM talks to an extra-tenant server via (tenant member) UAG.

As the original packets are encapsulated I've found the respective MAC and IP addresses in hexa output so I've managed to determine what packets got forwarded to VSG. And this raises the questions:

  • How does VSG decide if a flow is intra-tenant or not? (VSG should control only intra-tenant flows). Does it decide based on L2 addresses or L3 addresses? Both an internal server and UAG have intra-tenant L2 address but one of the IP addresses (the external server) is extra-tenant.
  • How should VSG handle such connections?
  • How does vPath handle such connections?

It seems all packets of the flow is sent to VSG (by VEM) but no flow is created on VSG and Deny Hits are increasing in show vservice statistics.

Everyone's tags (3)
250
Views
0
Helpful
0
Replies