Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1029
Views
2
Helpful
4
Replies

Cisco SD-WAN : Packet Capturing/Traffic Mirroring

RS19
Level 4
Level 4

‎09-04-2024 02:21 AM

I have the attached high level SD-WAN network.

There are 3 locations. Location A,B & C . All are interconnected using SD-WAN.

In location 3, I have connected L3 switch behind the SD-WAN device. To this switch packet capturing server is connected.

My requirement is that I want to capture all the traffic flowing between Location C -> Location A & B and vice versa.

I want to know what is the best way to achieve this. 
I can think of 2 solutions.
1. Via SD-WAN mirroring policy
2. Configuring SPAN port in SD-WAN (Not sure , if is supported or not)

Need suggestions and the best and recommended solutions for this.

Preview file
45 KB
0 Helpful
4 Replies 4

ericgar
Cisco Employee
Cisco Employee

‎09-04-2024 01:04 PM

Hi RS19,

This is Eric from SD-WAN Team.

1.- Mirroring Policy can impact the network performance and overwhelm routers forwarding processor by duplicating the traffic. So it's only suggested on certain flows that requires the packet duplication.
2.- IOS-XE SDWAN and vEdge routers don't support SPAN. Even if its configurable via CLI. Only EPC and Packet Trace are supported.

To continuously capture all traffic from point C to A/B, it's suggested to use another alternative such as a Switch behind the routers.

Hope this helps.

Eric.

RS19
Level 4
Level 4
In response to ericgar

‎09-04-2024 05:18 PM

@ericgar 
Thanks for your reply. 

Regarding point no 1, I understood.  Even my thought was the same it could lead to performance impact.
Regarding point no 2, is there any official document in which these are captured. If so could you please share the same ?
Regarding EPC let me know if this is same like capturing the packets using SPAN port ? Is it same or different ?
If there is difference what is the difference ?

0 Helpful

RS19
Level 4
Level 4
In response to RS19

‎09-05-2024 08:12 PM

Any inputs pls

0 Helpful

Kanan Huseynli
VIP
VIP

‎09-09-2024 03:06 PM

EPC is Embedded Packet Capture (using monitor capture commands), packet trace not direct way of capturing.

https://www.cisco.com/c/en/us/support/docs/routers/xe-sd-wan-routers/215119-example-of-ios-xe-sd-wan-issues-troubles.html

Btw, in vManage GUI for devices > troubleshooting there is possibility of capturing using vmanage GUI (although this feature is not supported for all).

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/221085-perform-a-packet-capture-on-sd-wan-vmana.html

Use, EPC - monitor capture on LAN facing (service side) interface.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Customers Also Viewed These Support Documents