SPAN Session - Source IP
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 05:54 AM
Hello,
I need to configure a SPAN Session.
What should be configured in the Source IP / Prefix field? On some ACI deployment I saw arbitrary IPs like 3.3.3.3 or anything like this.
Any suggestion?
Kind regards
Udo
- Labels:
-
APIC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 06:05 AM - edited 06-29-2022 06:06 AM
its been long i touched ACI : check below document help you :
https://aciandme.wordpress.com/2016/06/07/span/
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 07:45 AM
I believe you are referring to an ERSPAN session. If so, that value represents the source IP used for the SPANed packets sent to the ERSPAN collector. Can be basically any value, but myself I prefer using the IP address of the BD where the destination resides (basically it's gateway). Just to avoid any unexpected filters/firewall rules etc.
Stay safe,
Sergiu
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 07:51 AM
This can used to identify the source leaf of the SPAN traffic. If you configure a dummy prefix (ie. 192.168.1.0/24) then ACI will append the Node ID as the last octet of the source address. This way you can distinguish when traffic comes from a particular leaf.
Hostname: NodeID
Leaf1 = 101
Leaf2 = 102
...
Would result in a source IP of:
192.168.1.101
192.168.1.102
...
Robert
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 10:05 AM
This is definitely a much better approach
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 11:07 PM
That's cool @Robert Burns ! This is definitive a great approach. Thanks for that.
Also thanks to @balaji.bandi , @Sergiu.Daniluk and @RedNectar.
From my perspective I didn't found any explanation in the ACI documentation.
Kind Regards
Udo
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 02:15 PM - edited 06-29-2022 11:57 PM
HI @udo.konstantin ,
@Robert Burns & @Sergiu.Daniluk have nailed it - the Source IP helps identify WHICH Leaf/Spine sent which packets, which is especially useful if you have an ERSPAN set up span traffic from more than one Leaf.
In the sample capture I've attached (sorry - you'll have to unzip it first because this stupid site won't allow uploads of .pcappng) you can see that the first packet has an outer source IP of 1.18.8.154
- this is because I specified the source IP range as 1.18.0.0/16
- which explains the 1.18
part. The 8.154
is bit trickier - it identifies that the packet was sourced from Node 2202.
2202 you ask? Let me leave you with this
(8 x 256) + 154 = 2202
I'll assume you know enough about IP addressing to join the dots!
Now - there are a few things you need to do with in Wireshark Analyse settings (Wireshark Analyse > Decode as) capture to get it looking like mine:
- UDP Port 48879 decode as VXLAN
- Ethertype 0x8988 decode as Cisco ttag
And finally, don't forget that the EASIEST way to do a packet capture in ACI is via the Operations > Visibility & Troubleshooting page - where you can send the packets to the APIC and simply download then later (which is how the above was captured)
Oh - and if your output doesn't look like mine - i.e. the ARP gleaning packets are not identified - it's time to upgrade your Wireshark.
Also check out: https://community.cisco.com/t5/application-centric/aci-span-configuration-detailed-explanation-needed/m-p/4562875/highlight/true#M11920
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 11:16 PM
Hi @RedNectar
I just want to confirm I understand you
Assume I would like to send packets sourced from leaf 1117. The Source IP ca be:
192.16.4.93
192.16.(256*4).(+93)
And for leaf IDs which has only 3 digits, only the last octet is affected?!
Thanks
Udo
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-29-2022 11:44 PM
Hi @udo.konstantin ,
Assume I would like to send packets sourced from leaf 1117. The Source IP ca be:
192.16.4.93
192.16.(256*4).(+93)
Correct - to achieve this, specify the source IP as 192.16.0.0/16 - I tend to use something totally unlike anything in the actual network - like 1.1.0.0/16
And for leaf IDs which has only 3 digits, only the last octet is affected?!
Again - absolutely correct
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
