cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6740
Views
0
Helpful
10
Replies

ACI SPAN Session

gilou_1973
Level 1
Level 1

Hello,

I'd like to create a span session in my ACI infrastructure, typically from my proxy appliance attached to physical port on a LEAF toward a remote VM acting as a sniffer receptor, running Wireshark.

I have tested few methods for configuring SPAN policies:

- from Fabric\Access Policies\Troubleshooting\SPAN

- from Fabric\Fabric Policies\Troubleshooting\SPAN

- from Tenant\Policies\Troubleshooting\SPAN

But I don't receive any packets.

Other relevant information:

 

The source SPAN is located from TENANT DMZ :

TENANT:DMZ

Application Profile: AP-LEGACY

epg-DMZ-APPLICATION.220

The remote SPAN port is located somewhere on a VM in another TENANT:

TENANT: RIZIV-INAMI

Application Profile: AP-ON-DCS

epg-ON-DCS-ADMIN.804

VM is running on a blade on a vPC....

 

I tried to apply configuration settings from, chapter 

Configuring SPAN for Traffic Monitoring

 https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/troubleshooting/b_APIC_Troubleshooting/b_APIC_Troubleshooting_chapter_0110.html?bookSearch=true#id_37668

but it doesn't work

The only relevant fault seen in the event is:

In the stats I can see traffic matching, but also a warning

code="F1559"

descr="Fault delegate: Failed to configure SPAN with destination SNIFFER of destination group SNIFFER on tenant DMZ due to Invalid Destination Epg"

Affected Object: topology/pod-1/node-102/local/svc-policyelem-id-0/uni/tn-DMZ/destgrp-SNIFFER/dest-SNIFFER]-fault-F1559"

 

Any idea about this? Did I missed a mandatory step(s) before setting SPAN session?  

 

 

Beforehand thanks for any help.

 

Here under a picture of the topology of my network:

Topology of my fabric.PNG

kind regards

 

2 Accepted Solutions

Accepted Solutions

By configuring the SPAN destination as an IP, what you actually configure is ERSPAN (Encapsulated Remote SPAN). This flavor of SPAN is encapsulating the mirrored traffic intro a GRE with destination IP configured by you. But since your BD is in L2, the fabric doesn;t know about that Endpoint (IP). You either configure a classic SPAN (where you select a destination interface) or you enable routing on your BD.

 

Stay safe,

Sergiu

View solution in original post

Your'e right, in fact I've mistaken with the source IP/prefix.

Since I've set the good prefix I can see the gre packets arriving on my sniffer.

Many thanks for the support.

Kind regards,

Gildas 

View solution in original post

10 Replies 10

Robert Burns
Cisco Employee
Cisco Employee

You're going to want a Tenant SPAN most likely.  This would allow you to specific the PRoxy EPG as a source group, and the Sniffer EPG as the destination group.   What does your SPAN policy look like?  That fault definitely points to some config issue.  

Robert

Hello Robert,

Thanks for your quick reaction, you can find here below further information about my policy.

Indeed, in source, I've selected the DMZ Tenant and did:

  1. A Span Source Group by selecting the egg from which the proxy belongs toSPAN Source Group.PNG
  2. A Span Destination Group guess the @ of the VM [10.180.4.14]where is located the snifferSPAN Destination Group.PNGAt my knowledge, source and destination BD are set in L2 because hosted behind a firewall.

Kind regards,

Gildas

Hello,

 

I did the change of the destination IP without prefix, but it doesn't fix the issue, no GRE traffic toward my destination sniffer.

Kind regards,

Gildas

Sergiu.Daniluk
VIP Alumni
VIP Alumni

if your destination VM is learned as an IP inside your EPG (so basically you have a L3 BD), you can use ERSPAN.

 

Stay safe,

Sergiu

Hello Sergiu,

Thanks for your quick reaction, you can find here below further information about my policy.

At my knowledge, source and destination BD are set in L2 because hosted behind a firewall.

Indeed, in source, I've selected the DMZ Tenant and did:

  1. A Span Source Group by selecting the egg from which the proxy belongs toSPAN Source Group.PNG
  2. A Span Destination GroupI guess the @ of the VM [10.180.4.14]where is located the snifferSPAN Destination Group.PNG

Kind regards,

Gildas

By configuring the SPAN destination as an IP, what you actually configure is ERSPAN (Encapsulated Remote SPAN). This flavor of SPAN is encapsulating the mirrored traffic intro a GRE with destination IP configured by you. But since your BD is in L2, the fabric doesn;t know about that Endpoint (IP). You either configure a classic SPAN (where you select a destination interface) or you enable routing on your BD.

 

Stay safe,

Sergiu

Hello,

Ok, so if I good understand I need to set my destination BD as L3.

I have few questions about it.

When I set the BD in L3, a pervasive gateway will be published. But now my Gateway is a firewall cluster and must remains the firewall, so I guess that I must set a different VIP for this.

So the question is, is it disruptive for the ongoing traffic? and is it possible to do it by this way?

 

Beforehand thanks

Gildas

Hello,

I've set a the destination BD as L3 but it doesn't work.

I can't see incoming packets and no GRE packets neither.

Do I also need to set the source BD as L3?

Did I forgot a step? At this point I can't see any fault  when applying the SPAN policy at the TENANT level.

Best regards,

Your'e right, in fact I've mistaken with the source IP/prefix.

Since I've set the good prefix I can see the gre packets arriving on my sniffer.

Many thanks for the support.

Kind regards,

Gildas 

Hi, if I want to configure erspan for l2 destination can I use a BD/EPG setup with a dummy ip and do a static binding for the l2 destination under EPG?

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License