Hello, I recently was asked the following question by my customer:
"What is Cisco best practice for SPAN ports on VMware environments? As you know, we are running Nexus 1000v that allows for SPAN sessions. However, my concern is that we will saturate our uplinks for the ESX hosts if there is a lot of SPAN traffic. One of the options is to dedicate a NIC on the ESX hosts for SPAN. But I wanted to see what Cisco has done."
Is there a best practice for how to SPAN traffic for VM guests on the N1Kv? Is the customer's assumption correct that the SPAN traffic would be duplicated across the VM hosts' uplinks?
Since they are using the 1000v vs the 1010 appliance, how would this be different if they were using the 1010 appliance with or without the NAM module?
With the 1000v, the intention is that you SPAN/ERSPAN traffic to your own sniffing device: either another switch (Cat6500), a Wireshark host/VM or another traffic capturing device.
The SPAN is mirroring source traffic on a single VEM host. SPAN does not utilize the uplinks for traffic in this regard. The amount of extra traffic in a SPAN/ERSPAN session is dictated by the source (vEth, Eth, Port Channel, Port Profile, entire VLAN etc.). The destination for a SPAN session can be another vEthernet, Ethernet or Port Channel interface on that host. Most customers set up a Wireshark VM, migrate it to whichever VEM host they want to run a SPAN on, and then just set their SPAN destination to the vEth port of the Wireshark VM. Simple and free way to capture traffic.
If you're looking at ERSPAN, then you will need to create a new VMKnic for sending the traffic to the remote destination IP. Again, depending on whether the source is a single vEth or entire VLAN, you may wish to allocate a dedicated NIC for this purpose. In a 10G environment you can likely get away with ERSPAN for entire VLANs without saturating the link. Each environment is different so you should monitor bandwidth accordingly.
Using the 1010, you can utilize the NAM. With the NAM your SPAN destination becomes the NAM so traffic can be sniffed and analyzed accordingly. The NAM is a neat & efficient way to analyze traffic behavior and patterns.
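The two setups described in the reply above, sketched as Nexus 1000V VSM configuration. This is an added example, not configuration posted by anyone in the thread; the session numbers, vEthernet numbers, VLAN IDs, the port-profile name and the 192.0.2.10 collector address are all assumed placeholders.

```text
! Constructed example: every number, name and address below is a placeholder.

! Local SPAN: source and destination sit on the same VEM host, so the
! mirrored copy is delivered locally to the capture VM's vEth port.
monitor session 1
  description Mirror one guest vEth to the Wireshark VM on the same VEM
  source interface vethernet 3 both
  destination interface vethernet 10
  no shut

! ERSPAN needs a VMkernel NIC on the host to carry the encapsulated copy.
! Port profile for that VMKnic (assumed name erspan-vmk, assumed VLAN 50).
port-profile type vethernet erspan-vmk
  capability l3control
  vmware port-group
  switchport mode access
  switchport access vlan 50
  system vlan 50
  no shutdown
  state enabled

! ERSPAN source session: a whole VLAN mirrored to a remote collector.
! Only the rx direction is mirrored here to limit the mirrored volume.
monitor session 2 type erspan-source
  description Mirror VLAN 100 to a remote capture device
  source vlan 100 rx
  destination ip 192.0.2.10
  erspan-id 100
  ip ttl 64
  no shut

! Confirm that each session is up and lists the expected source/destination.
show monitor session 1
show monitor session 2
```

Session 2 is the one that puts mirrored traffic on a physical NIC, so the VLAN 50 VMKnic is the interface to watch, or to pin to a dedicated uplink, when sizing bandwidth.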