06-08-2014 06:59 AM - edited 03-01-2019 07:35 AM
I currently have ERSPAN configured between our DC 5548s and 7010s. We are spanning our server VLAN bidirectionally. For most IPs on this subnet I see bidirectional traffic (using ping for this example) without any issues in Wireshark. My issue is that I am only getting ingress (ICMP replies) for particular IPs on the server subnet (no firewall is in between these IPs or on the device performing the capture).
Capture to .55 see ping request and reply:
1 0.000000000 x.48.163.13 20.133.72.55 ICMP 98 Echo (ping) request id=0x9415, seq=4/1024, ttl=59 (reply in 2)
2 0.000093000 20.133.72.55 x.48.163.13 ICMP 98 Echo (ping) reply id=0x9415, seq=4/1024, ttl=255 (request in 1)
Capture to .92 only sees reply:
16 21.002586000 20.133.72.92 x.48.163.13 ICMP 98 Echo (ping) reply id=0x1f19, seq=81/20736, ttl=128
According to the Doc CD, the 5000s can only see ingress traffic when the source is a VLAN:
"On Cisco Nexus 5000 Series switches, ERSPAN can monitor ingress, egress, or both ingress and egress traffic on a source port and only ingress traffic on source VLANs or source VSANs as long as the VLAN is not mapped to a VSAN."
However, we are running 5500s and we are seeing some IPs with bidirectional captures.
ERSPAN config:
5548s:
interface Vlan642
  no shutdown
  description Net-Monitoring-ERSPAN
  ip address 20.133.65.140/25
monitor session 10 type erspan-source
  erspan-id 20
  vrf default
  destination ip 20.133.65.130
  ip ttl 2
  source vlan 644,2851
  no shut
monitor erspan origin ip-address 20.133.65.140 global
7Ks:
monitor session 20 type erspan-destination
  erspan-id 20
  vrf default
  source ip 20.133.65.130
  destination interface port-channel20
  no shut
interface Vlan642
  ip address 20.133.65.130/25
  no shutdown
interface port-channel20
  switchport
  switchport monitor
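Added example, not part of the original post: a Python sketch that pairs ICMP echo requests and replies in Wireshark summary lines of the layout quoted above and lists the pinged hosts that were captured in one direction only, which makes it quick to see which server IPs the ERSPAN session covers one way. The function name and the sample lines (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Wireshark summary-line layout as quoted in the post:
# No. Time Source Destination ICMP Length Echo (ping) request|reply id=0x..., seq=N/M, ...
LINE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ICMP\s+\d+\s+"
    r"Echo \(ping\) (?P<kind>request|reply)\s+"
    r"id=(?P<id>0x[0-9a-fA-F]+), seq=(?P<seq>\d+)/"
)

def one_sided_hosts(lines):
    """Map each pinged host to the echo direction missing from the capture."""
    seen = defaultdict(lambda: {"request": set(), "reply": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an ICMP echo summary line
        # The pinged host is the destination of a request and the source of a reply.
        host = m["dst"] if m["kind"] == "request" else m["src"]
        seen[host][m["kind"]].add((m["id"], int(m["seq"])))
    missing = {}
    for host, echo in seen.items():
        if echo["reply"] - echo["request"]:
            # Replies whose request never reached the capture: the direction
            # toward the host is not being mirrored.
            missing[host] = "request"
        elif echo["request"] - echo["reply"]:
            # Could be an unmirrored direction, or simply a host that did not answer.
            missing[host] = "reply"
    return missing

# Constructed sample lines in the same layout as the captures in the post.
SAMPLE = """\
1 0.000000000 192.0.2.13 198.51.100.55 ICMP 98 Echo (ping) request id=0x9415, seq=4/1024, ttl=59 (reply in 2)
2 0.000093000 198.51.100.55 192.0.2.13 ICMP 98 Echo (ping) reply id=0x9415, seq=4/1024, ttl=255 (request in 1)
16 21.002586000 198.51.100.92 192.0.2.13 ICMP 98 Echo (ping) reply id=0x1f19, seq=81/20736, ttl=128
""".splitlines()

if __name__ == "__main__":
    for host, direction in sorted(one_sided_hosts(SAMPLE).items()):
        print(f"{host}: no echo {direction} captured")
```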
08-11-2014 04:54 AM
On the 5548, is it only a single N5K or is it using enhanced VPC, etc.?