I configured an ERSPAN session running on a Nexus 3k with 2 sources:
Config is as below:
monitor session 10 type erspan-source
  destination ip 10.1.1.1
  source interface Ethernet1/18 both
  source vlan 3-5,10
monitor erspan origin ip-address 10.1.1.100 global
In the config above, 10.1.1.1 is the station running tcpdump.
10.1.1.100 is the IP of the switch itself.
To add some complexity to the setup:
The 1st source is a switchport that has been sub-divided into 2 sub-interfaces, i.e. eth1/1.1 and eth1/1.2.
The capture station's interface is also subdivided into several VLANs.
The capture has run for a few days and I am not capturing what I am intending to capture.
I am seeing traffic that isn't meant to traverse those 2 sources.
Is it due to the fact that the capture is going to a sub-int or because I am using vrf default or a combination? :)
Would appreciate it if someone could send some pointers my way.
Looking at the guidelines for ERSPAN on the Nexus 3K, the problem does indeed appear to be that you have subinterfaces as source:
• A single ERSPAN session can include mixed sources in any combination of the following:
◦ Ethernet ports or port channels but not subinterfaces.
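
A check for the guideline quoted above, as an added example that is not part of the original thread or of any Cisco tooling: it scans saved configuration text for ERSPAN source sessions and reports source interfaces that are subinterfaces, or that are parent ports with subinterfaces defined on them (the situation the question describes). The sample configuration is constructed for illustration, and the function name and finding labels are hypothetical.

```python
import re

# Constructed sample config for illustration (not the poster's device config).
SAMPLE_CONFIG = """\
interface Ethernet1/1.1
  encapsulation dot1q 3
interface Ethernet1/1.2
  encapsulation dot1q 4
monitor session 10 type erspan-source
  destination ip 10.1.1.1
  source interface Ethernet1/1.1 both
  source interface Ethernet1/18 both
  source interface Ethernet1/1 rx
  source vlan 3-5,10
monitor erspan origin ip-address 10.1.1.100 global
"""

SESSION_RE = re.compile(r"^monitor session (\d+) type erspan-source\s*$")
SOURCE_RE = re.compile(r"^\s+source interface (\S+)")
INTF_RE = re.compile(r"^interface (\S+)\s*$")


def audit_erspan_sources(config):
    """Return (session, interface, finding) tuples for sources worth reviewing."""
    lines = config.splitlines()
    # Parent ports that carry subinterfaces, e.g. Ethernet1/1.1 -> ethernet1/1
    parents = set()
    for line in lines:
        m = INTF_RE.match(line)
        if m and "." in m.group(1):
            parents.add(m.group(1).split(".")[0].lower())

    findings, session = [], None
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            session = m.group(1)      # entering an erspan-source session block
            continue
        if not line.startswith((" ", "\t")):
            session = None            # any other top-level line ends the block
            continue
        m = SOURCE_RE.match(line)
        if session and m:
            name = m.group(1)
            if "." in name:           # the guideline excludes subinterfaces
                findings.append((session, name, "subinterface-source"))
            elif name.lower() in parents:
                findings.append((session, name, "parent-of-subinterfaces"))
    return findings
```

A "parent-of-subinterfaces" finding is a prompt to review what the mirrored port actually carries, not a statement that the configuration is invalid.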