DNA Center - Traffic Copy Policy

scvvuuren
Level 1

I have been going through the documentation to create a traffic copy policy for ERSPAN with DNA Center.

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3/user_guide/b_cisco_dna_center_ug_1_3/b_cisco_dna_center_ug_1_3_chapter_01010.html#id_52684

 

The challenge I have is that the first step tells you to create a Traffic Copy Destination by selecting the switch and port. But on DNA Center I do not see any devices or interfaces.

I do have switches running in SD-Access and some Traditional switches as well, not

Accepted Solutions

jedolphi
Cisco Employee

Hi Devi. The traffic copy destination must be an ISR4K or ASR1K; a switch as the destination is not supported. Honestly I think Traffic Copy Policy in DNAC needs an overhaul and more functionality added (e.g. a switch can be a traffic copy destination, and the capture is bidirectional; currently traffic copy policy will only copy one direction of traffic into the ERSPAN, which typically is not what people want to accomplish). Please do "Make a Wish" in the DNAC GUI and explain what you are trying to achieve. In the meantime please share here what use case you are trying to solve by using Traffic Copy Policy and perhaps I can suggest an alternative. Best regards, Jerome

Thanks for the response @jedolphi

 

In conjunction with SD-Access we are in the process of deploying Stealthwatch Enterprise at a customer. We are already doing ETA/FNF from Catalyst 9300 switches at Edge. We also need to introduce a FlowSensor to add the RTT/SRT and payload information into Stealthwatch.

 

One of the ideas that came from the customer was to use the Copy Policy in DNAC to copy interesting traffic, like end users for example, to a port connected to the FlowSensor.

Hi scvvuuren, Devi. If you need bidirectional traffic copied into RSPAN then please consider using FRSPAN or ERSPAN on the SD-Access FE switch. You can push it via template from DNAC or put the commands directly into the CLI for the FE switch. Prior to IOS-XE 17.3.2 you should choose FRSPAN because of this one: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu65008 . Best regards, Jerome