cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1348
Views
10
Helpful
3
Replies

Difference between Destination Type: EPG/Access Interface on Span Configuration

Hello guys.

I was wondering if someone could help me to understand better what is the use case for the EPG Destination Type when you are configuring an Span Destination Group on ACI.
I dont have it clear and also the source IP/Prefix should it be any addressing or must be one IP from Fabric?

 

I appreciate your help.

1 Accepted Solution

Accepted Solutions

Robert Burns
Cisco Employee
Cisco Employee

Hi Fernando,

One of the destination options for SPAN traffic within ACI is an EPG.  This means whatever source traffic is matched gets sent to all endpoints within the target EPG (Dest. Group).  In most cases I use a single Packet Sniffer endpoint (Wireshark) in my "Sniffer_epg" to grab SPAN traffic, but this gives you the flexibility to have multiple sniffer devices.

As for the Source IP/Prefix, this address is used as the SRC IP in the IP header of the ERSPAN packet.  You can either hard code a single explicit IP (any IP will work) which will apply to all captured traffic regardless of which leaf it was captured on, or you can use the prefix (recommended) which will assign a different IP from your defined prefix to uniquely identify source switches.  Another benefit of using the prefix is ACI will try to assign the Switch node ID in the host portion of the IP, if the nodeID is >255, it'll assign one randomly. 

Ex. Let's say my Dest Group SPAN Source IP/Prefix = 1.1.1.0/24
My Switch NodeIDs are 101-199
In the SPAN'd IP Packet, traffic from Node-101 would be assigned a Src IP of 1.1.1.101
Robert 

View solution in original post

3 Replies 3

Robert Burns
Cisco Employee
Cisco Employee

Hi Fernando,

One of the destination options for SPAN traffic within ACI is an EPG.  This means whatever source traffic is matched gets sent to all endpoints within the target EPG (Dest. Group).  In most cases I use a single Packet Sniffer endpoint (Wireshark) in my "Sniffer_epg" to grab SPAN traffic, but this gives you the flexibility to have multiple sniffer devices.

As for the Source IP/Prefix, this address is used as the SRC IP in the IP header of the ERSPAN packet.  You can either hard code a single explicit IP (any IP will work) which will apply to all captured traffic regardless of which leaf it was captured on, or you can use the prefix (recommended) which will assign a different IP from your defined prefix to uniquely identify source switches.  Another benefit of using the prefix is ACI will try to assign the Switch node ID in the host portion of the IP, if the nodeID is >255, it'll assign one randomly. 

Ex. Let's say my Dest Group SPAN Source IP/Prefix = 1.1.1.0/24
My Switch NodeIDs are 101-199
In the SPAN'd IP Packet, traffic from Node-101 would be assigned a Src IP of 1.1.1.101
Robert 

Excellent answer Robert.
Now I understand it much better. In this case, I could create an EPG just for Span and put all my sniffers inside it to send my span traffic to them.
The Src IP/Prefix is just used to identify much better the traffic source Leaf.

Great. Thank you so much for your answer!

You got it.  Once setup, you can leave your SPAN destination group alone.  Then as you find the need, create Source Groups to grab traffic and easily & quickly send it to your Sniffer EPG.  Just like NXOS, you can enable/disable a SPAN Session (source group) so if you have a source EPG you want to occasionally capture, you can leave the configuration in place, then just enable/disable the Source Group if/when needed.  Much easier than trying to scramble and set this all up when you hit an issue and need it immediately.

Regards,

Robert

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Save 25% on Day-2 Operations Add-On License