
ERSPAN from vDC on Nexus 7k

Hey All,

I'm trying to set up an ERSPAN on our Nexus 7010 and running into some trouble. I want to span the data from a VLAN in our DMZ vDC and have the source configuration set up correctly (I believe).

monitor session 1 type erspan-source
  erspan-id 22
  vrf default
  destination ip
  source vlan 129 both
  no shut

The problem is occurring when I try to set up the ERSPAN origin. Documentation states that "The global origin IP address can be configured only in the default VDC. The value that is configured in the default VDC is valid across all VDCs. Any change made in the default VDC is applied across all nondefault VDCs." And sure enough, if you try to configure the origin in the non-default vDC you get the following:

HZN-N7K-1-DMZ(config)# monitor erspan origin ip-address
ERROR: Per VDC origin IP not supported. Please use global mode
HZN-N7K-1-DMZ(config)# monitor erspan origin ip-address global
ERROR: This config allowed ONLY in default VDC

So I drop to the ADMIN vDC and can then set up my ERSPAN origin:

HZN-N7K-1-DMZ(config)# end
HZN-N7K-1-DMZ# exit
HZN-N7K-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
HZN-N7K-1(config)# monitor erspan origin ip-address
ERROR: Per VDC origin IP not supported. Please use global mode
HZN-N7K-1(config)# monitor erspan origin ip-address global

So that config takes and I guess everything looks correct. The ADMIN vDC shows no sessions running, as I would expect:

HZN-N7K-1# sh monitor

Note: No sessions configured


The DMZ vDC shows that it has an active session:

HZN-N7K-1-DMZ# sh monitor
Session  State        Reason                  Description
-------  -----------  ----------------------  --------------------------------
1        up           The session is up                                      
HZN-N7K-1-DMZ# sh monitor session 1
   session 1
type              : erspan-source
state             : up
erspan-id         : 22
vrf-name          : default
acl-name          : acl-name not specified
ip-ttl            : 255
ip-dscp           : 0
destination-ip    :
origin-ip         : (global)
source intf       :
    rx            :
    tx            :
    both          :
source VLANs      :
    rx            : 129
    tx            : 129
    both          : 129
filter VLANs      : filter not specified

Feature       Enabled   Value   Modules Supported       Modules Not-Supported
Rate-limiter  No
MTU-Trunc     No
Sampling      No
MCBE          No
L3-TX         -           -     1  2  5  10             - 
ERSPAN-ACL    -           -     1  2  10                5 
ERSPAN-V2     Yes       -       1  2  10                5 

  MCBE  = multicast best effort
  L3-TX = L3 Multicast Egress SPAN


Yet I am not seeing my ERSPAN data on my NAM (the listed as the ERSPAN destination).


Now I can get to the NAM from both the DMZ vDC and from the ADMIN vDC, so it's not a routing or firewall issue.

Anyone have any tips or ideas? Which vDC would this ERSPAN source the GRE tunnel from? Knowing what I do about vDCs, it amazes me that it would source from the ADMIN vDC, but if you configure the origin information from ADMIN and you need to specify a source IP that would live in the DMZ vDC, how would that work if you wanted to send ERSPAN data from a different, third vDC???


Ben Posner


Hi Ben,

Did you manage to get this working?

I am also facing this issue while trying to do an erspan from VDC.


Nope, still not working. I was able to get around my immediate problem by using an ERSPAN from another device, but I still cannot get one working from any non-admin vDC on my 7010s.

I'm curious to know what other device you used.  I bought two new 4551X and was/am a bit dismayed at the ERSPAN peer limitations. I do have 2 7010s and was planning to end-point the sessions there until I crossed this thread on the forum.

What do you have (or not) working?  I was able to get ERSPAN to work across my 4551Xs but that's only to prove the concept.  Going to production for my McAfee IDSs I was planning to connect them to the 7010s in a non-admin VDC.

Did anyone get a resolution to this?

The resolution for this issue is to enable the original IP under the main default VDC. Then all other VDCs will have the same original IP.
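
Added example, not part of the thread: to check at the ERSPAN destination whether mirrored traffic arrives and which origin IP and erspan-id it carries, the Python code below decodes the outer IPv4, GRE and ERSPAN headers of a captured packet. It assumes ERSPAN Type II encapsulation (GRE protocol type 0x88BE); `parse_erspan` and `build_sample` are names chosen for this example, and the sample packet uses placeholder addresses because the thread does not show the real ones.

```python
import socket
import struct

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type carried by ERSPAN Type II


def parse_erspan(ip_packet: bytes):
    """Return outer IPs, ERSPAN session ID and VLAN, or None if not ERSPAN II."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 47:
        return None  # not IPv4, or IP protocol is not GRE (47)
    ihl = (ip_packet[0] & 0x0F) * 4
    gre = ip_packet[ihl:]
    if len(gre) < 4:
        return None
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        return None
    # Optional GRE fields: checksum (C), key (K), sequence number (S), 4 bytes each.
    offset = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    if len(gre) < offset + 8:
        return None  # truncated ERSPAN header
    word1, _word2 = struct.unpack("!II", gre[offset:offset + 8])
    return {
        "origin_ip": socket.inet_ntoa(ip_packet[12:16]),
        "destination_ip": socket.inet_ntoa(ip_packet[16:20]),
        "version": word1 >> 28,          # 1 for ERSPAN Type II
        "vlan": (word1 >> 16) & 0x0FFF,  # VLAN of the mirrored frame
        "erspan_id": word1 & 0x03FF,     # 10-bit session ID
    }


def build_sample(origin_ip, dest_ip, erspan_id, vlan):
    """Constructed test packet: IPv4 + GRE (sequence bit set) + ERSPAN II header."""
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | erspan_id, 0)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 1)
    payload = gre + erspan + bytes(14)  # zeroed stand-in for the mirrored frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255, 47, 0,
                     socket.inet_aton(origin_ip), socket.inet_aton(dest_ip))
    return ip + payload


if __name__ == "__main__":
    # Placeholder addresses (RFC 5737); erspan-id 22 and VLAN 129 match the session above.
    print(parse_erspan(build_sample("192.0.2.10", "198.51.100.20", 22, 129)))
```

If no packet at the destination decodes with the expected erspan-id, the mirrored traffic is not reaching it; if one does, `origin_ip` shows which address the switch actually sourced the GRE tunnel from.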