01-11-2019 02:03 AM - edited 03-08-2019 05:00 PM
Hi all
I configured an erspan session running on a Nexus 3k with 2 sources:
Config is as below:
monitor session 10 type erspan-source
erspan-id 10
vrf default
destination ip 10.1.1.1
source interface Ethernet1/18 both
source vlan 3-5,10
no shut
monitor erspan origin ip-address 10.1.1.100 global
In the config above, 10.1.1.1 is the station running tcpdump
10.1.1.100 is the IP of the switch itself
To add some complexity to the set up:
The 1st source is a switchport that has been sub-divided into 2 sub-interfaces i.e. eth1/1.1 and eth1/1.2
and
the capture station's interface is also subdivided into several VLANs
The capture has ran for a few days and I am not capturing what I am intending to capture.
I am seeing traffic that isn't meant to traverse those 2 sources.
Is it due to the fact that the capture is going to a sub-int or because i am using vrf default or a combination? :)
Would appreciate it if someone could send some pointers my way.
01-11-2019 03:51 AM
Hello,
looking at the guidelines for ERSPAN on the Nexus 3K, the problem appears to be indeed that you have subinterfaces as source:
• A single ERSPAN session can include mixed sources in any combination of the following:
◦ Ethernet ports or port channels but not subinterfaces.
01-13-2019 04:33 PM
Thank you Georg.
Is there any way around this if i still needed to capture traffic on that interface?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide