Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1804
Views
0
Helpful
3
Replies

ERSPAN configuration

Christopher Liesfield
Level 1
Level 1

‎02-12-2013 08:20 PM - edited ‎03-07-2019 11:40 AM

Hi All. We've deployed a pair of Nexus 5596UP switches at our HQ site and I'm trying to get ERSPAN to work.

My understanding is that ERSPAN is simply a SPAN session encapsulated in GRE?

We are running Wildpackets Omnipeek as our sniffer - is there a way to configure this product to receive ERSPAN sessions, decapsulate them and perform a conventional packet capture?

This is sending me batty.

Thanks in advance.

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Cedric DELAUNAY
Level 1
Level 1

‎10-15-2015 07:37 AM

I

Same problem here. 3 years after, did you find the solution ?

Thanks

0 Helpful

Steve Fuller
Level 9
Level 9
In response to Cedric DELAUNAY

‎10-15-2015 03:44 PM

Hi,

There are the documented limitations, but ERSPAN works fine on the Nexus 5500.

An ERSPAN session is exactly as described in the original post i.e., the original frame encapsulated in a GRE packet. The following is an example of what a PIM Hello packet looks like.

 

In most documentation I’ve seen the focus for ERSPAN is typically on sending the ERPSAN packet to another switch as the ERSPAN destination, and it’s here that the GRE and outer IP header is removed and the original frame forwarded to the probe.

What I’ve started to do more and more, especially in a lab where the traffic volumes are low, is configure the ERPSAN source to send the ERSPAN packets to a destination IP address that is a Linux host for example. On this host I then run tcpdump with a GRE capture filter to capture the packet, ERSPAN header and all. Sometimes this is far quicker than getting capture probes connected.

So here's an example where I have a Nexus 5500 with a Loopback0 IP address of 192.168.2.133 as my ERSPAN source and a SPAN configuration as follows:

 

monitor session 1 type-erspan-source
  erspan-id 11
  vrf default
  destination ip 192.168.15.133
  source interface Ethernet1/31 both
  no shut
monitor erspan origin ip-address 192.168.2.133 global

 

On my destination switch, a Catalyst 6500 in this case with a Loopback 0 IP address of 192.168.15.133, I have my probe connected to Gi4/6 and the following configuration:

monitor session 1 type erspan-destination
 destination interface Gi4/6
 source
  erspan-id 11
  ip address 192.168.15.133

 

The piece that wasn’t obvious to me was that on the ERSPAN destination Catalyst 6500 switch, the IP address configured under monitor session -> source is the IP address of the Catalyst 6500 Loopback interface i.e., the destination IP address configured on the ERSPAN source switch. Go figure the logic of the guy who coded that!!!

Don't be misled by the title, but you might also take a read of the post ERSPAN on Catalyst 6500 which was what brought me to these forums three years ago, and give koudos to branfarm1 who gave me the answer I was looking for.

Regards

0 Helpful

Cedric DELAUNAY
Level 1
Level 1
In response to Steve Fuller

‎11-17-2015 06:41 AM

Hi,

Thanks a lot for your answer full of details.

But my question was about decode erspan with omnipeek.

Sorry if I was not enough precise.

I succeed configuring erspan source on nexus but I'll shut down my 6500 in a few month and I will no more have any switch erspan destination capable's.

Cédric

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card