Hello, I was recently asked the following question by my customer:
"What is Cisco best practice for SPAN ports on VMware environments? As you know, we are running Nexus 1000v that allows for SPAN sessions. However, my concern is that we will saturate our uplinks for the ESX hosts if there is a lot of SPAN traffic. One of the options is to dedicate a NIC on the ESX hosts for SPAN. But I wanted to see what Cisco has done."
Is there a best practice for how to SPAN traffic for VM guests on the N1Kv? Is the customer's assumption correct that the SPAN traffic would be duplicated across the VM hosts' uplinks?
Since they are using the 1000v vs the 1010 appliance, how would this be different if they were using the 1010 appliance with or without the NAM module?
With the 1000v, the intention is that you SPAN/ERSPAN traffic to your own sniffing device: either another switch (Cat6500), a Wireshark host/VM or another traffic-capturing device.
The SPAN is mirroring source traffic on a single VEM host. SPAN does not utilize the uplinks for traffic in this regard. The amount of extra traffic in a SPAN/ERSPAN session is dictated by the source (vEth, Eth, Port Channel, Port Profile, entire VLAN etc.). The destination for a SPAN session can be another vEthernet, Ethernet or Port Channel interface on that host. Most customers set up a Wireshark VM, migrate it to whichever VEM host they want to run a SPAN on, and then just set their SPAN destination to the vEth port of the Wireshark VM. It's a simple and free way to capture traffic.
If you're looking at ERSPAN, then you will need to create a new VMKnic for sending the traffic to the remote destination IP. Again, depending on whether the source is a single vEth or entire VLAN, you may wish to allocate a dedicated NIC for this purpose. In a 10G environment you can likely get away with ERSPAN for entire VLANs without saturating the link. Each environment is different, so you should monitor bandwidth accordingly.
Using the 1010, you can utilize the NAM. With the NAM, your SPAN destination becomes the NAM so traffic can be sniffed and analyzed accordingly. The NAM is a neat and efficient way to analyze traffic behavior and patterns.
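A Nexus 1000V configuration sketch for the two cases described in the reply above (local SPAN to a Wireshark VM, and ERSPAN through a dedicated VMKnic), as an added example that is not part of the original thread. The interface numbers, VLAN IDs, names and collector address are constructed placeholders.

```text
! Constructed values: vethernet 3 = monitored VM, vethernet 7 = Wireshark VM
! on the same VEM, VLAN 100 = mirrored VLAN, VLAN 50 = ERSPAN transport VLAN,
! 192.0.2.10 = remote collector (documentation address).

! Local SPAN: source and destination are on the same VEM host, so the
! mirrored copy stays on that host.
monitor session 1
  description local-span-to-wireshark-vm
  source interface vethernet 3 both
  destination interface vethernet 7
  no shut

! ERSPAN: port profile for the VMKnic that sends the encapsulated copy.
! Binding this VMKnic to a dedicated NIC keeps mirrored traffic off the
! production uplinks.
port-profile type vethernet erspan-vmk
  capability l3control
  vmware port-group
  switchport mode access
  switchport access vlan 50
  no shutdown
  system vlan 50
  state enabled

! ERSPAN source session. "rx" limits the copy to received traffic, which
! reduces the mirrored volume when an entire VLAN is the source.
monitor session 2 type erspan-source
  description erspan-vlan100
  source vlan 100 rx
  destination ip 192.0.2.10
  erspan-id 100
  no shut

! Exec mode: confirm both sessions are up and check source/destination.
show monitor session 1
show monitor session 2
```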