
In the NX-OS 5.1(3)N1 release for the Nexus 5000 family of switches, Encapsulated Remote Switch Port Analyzer (ERSPAN) was finally added. This is a long-standing feature enhancement request that makes capturing traffic for monitoring and analysis easier: ERSPAN lets you place a network sniffer statically in the IP topology without having to relocate it to the local switch you want to monitor. ERSPAN copies the ingress/egress traffic of a given source on the switch and carries the copies in a GRE tunnel to an ERSPAN destination. This allows network operators to place their monitoring gear in a central location in the network, where they can collect historical traffic patterns in great detail. This is a Good Thing(c).

Now, you’re probably irritated that you need a second device to terminate the ERSPAN session (I know I am); however, let’s put this into perspective. You can only have 2 active source SPAN sessions per Nexus 7000 / Nexus 3000 or even Catalyst 6500 chassis. With the inclusion of ERSPAN support on the Nexus 5000 series, you now have more telemetry points within the network. Depending on your access layer deployment, you could actually have more points of visibility within your network than you previously did if you’re leveraging Nexus 5000 switches with Nexus 2000 fabric extenders for rackmount server deployments. Even with all of the VDC slicing and dicing you can do on a Nexus 7000, you’re only allowed 2 SPAN sources per chassis. Period. This became very troublesome in some early Nexus deployments where we were leveraging multiple VDCs. (I should point out that ACL captures are now supported on the Nexus 7000 as of NX-OS 5.2.) Now you can use the Nexus 7000 and Nexus 3000 (as of NX-OS 5.0(3)U2(2)) to support up to 23 ERSPAN destinations per chassis.

Side note: you should use 5.0(3)U2(2b) on the Nexus 3000 because of a nasty memory leak in the monitor process that would cause the switch to crash.

There are however some important caveats to pay attention to:

  • The Nexus 5500 / 5000 switches ONLY support ERSPAN source sessions. You can NOT terminate an ERSPAN session locally on a Nexus 5500/5000 chassis. The ERSPAN traffic must be sent to a switch that supports ERSPAN destination sessions, such as the Nexus 7000, Nexus 3000 or a Catalyst 6500.
  • The Nexus 5000 switches (1st generation) support only 2 ERSPAN source sessions, while the Nexus 5500 switches (2nd generation) support 4.
  • In Wireshark, the display filter erspan.spanid == # shows only the ERSPAN session you want to see; the session ID on the wire is the erspan-id you configure on both ends.
  • You can specify sources based on Ethernet interfaces, VLANs, FEX interfaces, and port-channels. With VLAN sources, both Tx and Rx traffic will be sent.
  • ERSPAN is plain GRE: the mirrored frames cross the IP network unencrypted, so every hop between the origin and the destination sees a full copy of the monitored traffic. Keep that path inside the network you trust, and keep the sniffer on a dedicated monitor port.

Example config below. In this topology, 10.1.1.2 is the N5K’s management SVI and 10.1.1.5 is the N3K’s management SVI. The erspan-id (10) must match on both ends, and the source ip on the destination session must be the origin ip-address configured on the N5K, otherwise the destination silently ignores the session. Afterwards, check the session state on each switch with show monitor session <id>.

N5K:

! ERSPAN source session: mirror FEX 100 port 1/3 and send the copies
! to the destination switch at 10.1.1.5 tagged with session ID 10
monitor session 1 type erspan-source
  erspan-id 10
  vrf default
  destination ip 10.1.1.5
  source interface ethernet100/1/3
  no shutdown

! Outer IP source address of the GRE packets; must match the
! "source ip" of the destination session
monitor erspan origin ip-address 10.1.1.2 global

N7K // N3K:

! Port facing the sniffer; switchport monitor turns it into a
! SPAN/ERSPAN destination port with no normal forwarding
interface Ethernet1/3
  switchport
  switchport monitor

! ERSPAN destination session: accept session ID 10 from origin
! 10.1.1.2 and replay the decapsulated frames out Ethernet1/3
monitor session 2 type erspan-destination
  erspan-id 10
  vrf default
  source ip 10.1.1.2
  destination interface ethernet1/3
  no shutdown
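As an added example (not part of the original post), here is a small Python decoder for what the destination switch and Wireshark see on the wire between the two configs above: an outer IPv4 header, a GRE header with protocol type 0x88BE, the 8-byte ERSPAN Type II header carrying the session ID (the erspan-id) and the VLAN, and then the mirrored Ethernet frame. It builds constructed sample packets from the addresses and erspan-id of the config above, so the packets, frames and helper names (build_erspan_ii, decode_erspan, filter_span) are assumptions, not captures from the author’s network; filter_span() makes the same selection as the Wireshark filter erspan.spanid == 10.

```python
import struct

IP_PROTO_GRE = 47              # IPv4 protocol number for GRE
GRE_PROTO_ERSPAN_II = 0x88BE   # GRE protocol type carrying ERSPAN Type II
GRE_FLAG_CSUM = 0x8000         # GRE header flag bits, in wire order
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000          # ERSPAN Type II sets the sequence-present bit


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split('.'))


def build_erspan_ii(origin_ip, dest_ip, span_id, vlan, seq, frame, cos=0, index=0):
    """Build IPv4 + GRE + ERSPAN Type II + mirrored frame. Constructed test data:
    the IPv4 checksum is left at 0, which a real switch would fill in."""
    # ERSPAN Type II header: ver(4) vlan(12) cos(3) en(2) t(1) session(10) | res(12) index(20)
    word1 = (1 << 28) | ((vlan & 0xFFF) << 16) | ((cos & 0x7) << 13) | (span_id & 0x3FF)
    erspan = struct.pack('!II', word1, index & 0xFFFFF)
    gre = struct.pack('!HHI', GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq)
    payload = gre + erspan + frame
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64,
                     IP_PROTO_GRE, 0, _ip_bytes(origin_ip), _ip_bytes(dest_ip))
    return ip + payload


def decode_erspan(pkt):
    """Return the ERSPAN Type II fields of one raw IPv4 packet, or None if it is
    not GRE/ERSPAN or is truncated (so other traffic on the link is skipped)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IP_PROTO_GRE:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    gre = pkt[ihl:]
    if len(gre) < 4:
        return None
    flags, proto = struct.unpack('!HH', gre[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        return None
    off = 4                      # skip optional GRE fields in their wire order
    if flags & GRE_FLAG_CSUM:
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack('!I', gre[off:off + 4])[0]
        off += 4
    if len(gre) < off + 8:
        return None
    word1, word2 = struct.unpack('!II', gre[off:off + 8])
    return {
        'origin': '.'.join(str(b) for b in pkt[12:16]),   # the N5K origin ip-address
        'dest': '.'.join(str(b) for b in pkt[16:20]),     # the erspan-destination switch
        'seq': seq,
        'version': word1 >> 28,                           # 1 = ERSPAN Type II
        'vlan': (word1 >> 16) & 0xFFF,
        'cos': (word1 >> 13) & 0x7,
        'span_id': word1 & 0x3FF,                         # the configured erspan-id
        'index': word2 & 0xFFFFF,
        'frame': gre[off + 8:],                           # the mirrored Ethernet frame
    }


def filter_span(pkts, span_id):
    """Same selection as the Wireshark display filter erspan.spanid == span_id."""
    decoded = (decode_erspan(p) for p in pkts)
    return [d for d in decoded if d is not None and d['span_id'] == span_id]


# Constructed sample traffic (not a capture): a broadcast ARP-sized frame mirrored
# from the N5K (origin 10.1.1.2) to the destination switch (10.1.1.5).
SAMPLE_FRAME = bytes.fromhex('ffffffffffff' '0050568a0001' '0806') + b'\x00' * 28
SAMPLE_PACKETS = [
    build_erspan_ii('10.1.1.2', '10.1.1.5', span_id=10, vlan=100, seq=1, frame=SAMPLE_FRAME),
    build_erspan_ii('10.1.1.2', '10.1.1.5', span_id=11, vlan=200, seq=1, frame=SAMPLE_FRAME),
    bytes.fromhex('4500001400000000400600000a0101020a010105'),  # plain TCP, not ERSPAN
]

if __name__ == '__main__':
    for d in filter_span(SAMPLE_PACKETS, 10):
        print(f"{d['origin']} -> {d['dest']} span {d['span_id']} vlan {d['vlan']} "
              f"seq {d['seq']} mirrored {len(d['frame'])} bytes")
```

To use it on a real capture, feed each IPv4 packet’s bytes (after the outer Ethernet header) to decode_erspan(); the returned 'frame' is exactly what the destination switch replays out its switchport monitor port, and the 'origin' field is the value that has to match the source ip of the destination session.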

Hope this helps!
