ERSPAN assistance

smyap333 · ‎01-11-2019

Hi all

I configured an erspan session running on a Nexus 3k with 2 sources:

1st source is an interface on the same switch
2nd source is a set of vlans which go through a trunk port which already has a span session running

Config is as below:

monitor session 10 type erspan-source
erspan-id 10
vrf default
destination ip 10.1.1.1
source interface Ethernet1/18 both
source vlan 3-5,10
no shut

monitor erspan origin ip-address 10.1.1.100 global

In the config above, 10.1.1.1 is the station running tcpdump

10.1.1.100 is the IP of the switch itself

To add some complexity to the set up:
The 1st source is a switchport that has been sub-divided into 2 sub-interfaces i.e. eth1/1.1 and eth1/1.2
and
the capture station's interface is also subdivided into several VLANs

The capture has ran for a few days and I am not capturing what I am intending to capture.
I am seeing traffic that isn't meant to traverse those 2 sources.

Is it due to the fact that the capture is going to a sub-int or because i am using vrf default or a combination? :)

Would appreciate it if someone could send some pointers my way.

Georg Pauwen · ‎01-11-2019

Hello,

looking at the guidelines for ERSPAN on the Nexus 3K, the problem appears to be indeed that you have subinterfaces as source:

• A single ERSPAN session can include mixed sources in any combination of the following:
◦ Ethernet ports or port channels but not subinterfaces.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/system_mgmt/503_u2_2/Cisco_Nexus_3000_system_mgmt_config_gd_503_U2_2_chapter14.pdf

smyap333 · ‎01-13-2019

Thank you Georg.

Is there any way around this if i still needed to capture traffic on that interface?