Posts Tagged ‘nxos’

In the NX-OS 5.1(3)N1 release for the Nexus 5000 family of switches, Encapsulated Remote Switch Port Analyzer (ERSPAN) was finally added. This is a long standing feature enhancement request to allow for easier capturing of traffic for monitoring and analysis as ERSPAN allows you to statically place a network sniffer in the IP topology without having to relocate the sniffer to the local switch you want to monitor. ERSPAN copies the ingress/egress of a given switch source and creates a GRE tunnel back to a ERSPAN destination. This allows network operators to strategically place their network monitoring gear in a central location of their network as they then can collect historical traffic patterns in great detail. This is a Good Thing(c).

Now, you’re probably irritated that you need a second device to terminate the ERSPAN session (I know I am); however, let’s put this into perspective. You can only have 2 active source SPAN sessions per Nexus 7000 / Nexus 3000 or even Catalyst 6500 chassis. With the inclusion of the Nexus 5000 series for ERSPAN support, you now have more telemetry points within the network. Depending on your access layer deployment, you could actually more points of visibility within your network than you previously did if you’re leveraging the Nexus 5000 switches with Nexus 2000 fabric extenders for rackmount server deployments. Even with all of the VDC slicing and dicing you can do on a Nexus 7000, you’re only allowed 2 SPAN sources per chassis. Period. This got to be very troublesome in some early Nexus deployments as we were leveraging multiple VDC’s. ( I should point out that ACL captures are now supported on the Nexus 7000 as of NX-OS 5.2 ). Now, you can use the Nexus 7000 and Nexus 3000 ( as of  NX-OS 5.0(3) U2(2) )  to support up to 23 ERSPAN destinations per chassis.

Side Note:  you should use 5.0(3)U2(2b) on the Nexus 3000 because of a nasty memory leak with the monitor process that would cause the switch to crash.

There are however some important caveats to pay attention to:

  • The Nexus 5500 / 5000 switches ONLY support ERSPAN sources. You can NOT locally terminate an ERSPAN to a Nexus 5500/5000 chassis. The ERSPAN traffic must be sent to a switch capable of supporting ERSPAN sources like the Nexus 7000, 3000 or a Catalyst 6500.
  • The Nexus 5000 switches (1st generation ) support only 2 ERSPAN sources while the Nexus 5500 switches (2nd generation) support 4 ERSPAN sources.
  • With wireshark – if you specify “erspan.spanid == #”, you can filter on the specific ERSPAN you want to see.
  • You can specify sources based on ethernet interfaces, VLANs, FEX interfaces, and port-channels. With VLAN sources, both Tx and Rx information will be sent.

Example config below – in this topology: is the N5K’s management SVI; is the N3K management SVI.


monitor session 1 type erspan-source
erspan-id 10
vrf default
destination ip
source interface ethernet100/1/3
no shutdown

monitor erspan origin ip-address global

N7K // N3K:

interface Ethernet1/3
switchport monitor

monitor session 2 type erspan-destination
erspan-id 10
vrf default
source ip
destination interface ethernet1/3
no shutdown

Hope this helps!


Read Full Post »

Nexus 7000 5.2.3 Deferral Notice

A couple of weeks back, NX-OS 5.2.3 was released for the Nexus 7000 platform. This was the first maintenance release for the long running train of the NXOS 5.2 software train. Unfortunately, almost as soon as it was posted to CCO customers started to incur issues with the upgrade from 5.2.1 to 5.23.  One of the scenarios that produced the bug conditions was mentioned on the Cisco Network Service Provider Mailing List (cisco-nsp) – see here for the start of the thread. Cisco TAC quickly responded and has since deferred the 5.2.3 release for 5.2.3a.

Also should be noted that NX-OS 6.0(2) is now available for the Nexus 7000 which is a short runnig train that introduced hardware support for the Fabric 2 modules and F248XP-25 on the Nexus 7010 and Nexus 7018 chassis ( the Nexus 7009 had FAB2 / F248XP-25 support at its FCS on 5.2 ).

What does this all mean? Well, it means you should always be judicious when introducing new software to your production infrastructure as while hardware and software manufacturers will do whats possible for quality assurance, they don’t always take into account all of the variables that can occur in a given customer network. See some of the case examples in this book written by a friend of mine..

Read Full Post »