01-27-2014 09:30 AM - edited 03-07-2019 05:49 PM
Hey All,
I'm trying to set up an ERSPAN on our Nexus 7010 and running into some trouble. I want to span the data from a VLAN in our DMZ vDC and have the source configuration set up correctly (I believe).
monitor session 1 type erspan-source
erspan-id 22
vrf default
destination ip 10.5.10.198
source vlan 129 both
no shut
The problem is occurring when I try to set up the ERSPAN origin. Documentation states that "The global origin IP address can be configured only in the default VDC. The value that is configured in the default VDC is valid across all VDCs. Any change made in the default VDC is applied across all nondefault VDCs." And sure enough, if you try to configure the origin in the non-default vDC you get the following:
HZN-N7K-1-DMZ(config)# monitor erspan origin ip-address 10.12.1.231
ERROR: Per VDC origin IP not supported. Please use global mode
HZN-N7K-1-DMZ(config)# monitor erspan origin ip-address 10.12.1.231 global
ERROR: This config allowed ONLY in default VDC
So I drop to the ADMIN vDC and can then set up my erspan origin:
HZN-N7K-1-DMZ(config)# end
HZN-N7K-1-DMZ# exit
HZN-N7K-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
HZN-N7K-1(config)# monitor erspan origin ip-address 10.5.11.41
ERROR: Per VDC origin IP not supported. Please use global mode
HZN-N7K-1(config)# monitor erspan origin ip-address 10.5.11.41 global
HZN-N7K-1(config)#
So that config takes and I guess everything looks correct. The ADMIN vDC shows no sessions running, as I would expect:
HZN-N7K-1# sh monitor
Note: No sessions configured
HZN-N7K-1#
The DMZ vDC shows that it has an active session:
HZN-N7K-1-DMZ# sh monitor
Session State Reason Description
------- ----------- ---------------------- --------------------------------
1 up The session is up
HZN-N7K-1-DMZ# sh monitor session 1
session 1
---------------
type : erspan-source
state : up
erspan-id : 22
vrf-name : default
acl-name : acl-name not specified
ip-ttl : 255
ip-dscp : 0
destination-ip : 10.5.10.198
origin-ip : 10.5.11.41 (global)
source intf :
rx :
tx :
both :
source VLANs :
rx : 129
tx : 129
both : 129
filter VLANs : filter not specified
Feature Enabled Value Modules Supported Modules Not-Supported
-----------------------------------------------------------------------------
Rate-limiter No
MTU-Trunc No
Sampling No
MCBE No
L3-TX - - 1 2 5 10 -
ERSPAN-ACL - - 1 2 10 5
ERSPAN-V2 Yes - 1 2 10 5
Legend:
MCBE = multicast best effort
L3-TX = L3 Multicast Egress SPAN
HZN-N7K-1-DMZ#
Yet I am not seeing my erspan data on my NAM (the 10.5.10.198 listed as the erspan destination).
Now I can get to the NAM from both the DMZ vDC and from the ADMIN vDC so it's not a routing or firewall issue.
Anyone have any tips or ideas? Which vDC would this ERSPAN source the GRE tunnel from? Knowing what I do about vDCs it amazes me that it would source from the ADMIN vDC, but if you configure the origin information from ADMIN and you need to specify a source IP that would live in the DMZ vDC, how would that work if you wanted to send ERSPAN data from a different, third vDC???
Thanks,
Ben Posner
02-23-2014 02:31 AM
Hi Ben,
Did you manage to get this working?
I am also facing this issue while trying to do an erspan from VDC.
BR
02-24-2014 06:30 AM
Nope, still not working. I was able to get around my immediate problem by using an erspan from another device, but I still cannot get one working from any non-admin vDC on my 7010s.
04-11-2014 05:25 PM
I'm curious to know what other device you used. I bought two new 4551X and was/am a bit dismayed at the ERSPAN peer limitations. I do have 2 7010s and was planning to end-point the sessions there until I crossed this thread on the forum.
What do you have (or not) working? I was able to get ERSPAN to work across my 4551Xs but that's only to prove the concept. Going to production for my McAfee IDSs I was planning to connect them to the 7010s in a non-admin VDC.
01-27-2016 03:12 PM
Did anyone get a resolution to this?
07-04-2018 12:23 PM
The resolution for this issue is to enable the original IP under the main default VDC. Then all other VDCs will have the same original IP.
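A receiver-side check for the question this thread leaves open (is ERSPAN traffic reaching the destination, and with which outer source IP), as an added example that is not part of any poster's message or Cisco's tooling: it decodes one captured IPv4 packet as GRE/ERSPAN and compares it with the session values shown in the first post. The function names and the sample packet are constructed for illustration, and the sample assumes a Type II header (GRE protocol 0x88BE) with no inner frame.

```python
import socket
import struct

GRE_PROTO = {0x88BE: "ERSPAN Type II", 0x22EB: "ERSPAN Type III"}

def parse_erspan(packet: bytes):
    """Decode a raw IPv4 packet; return ERSPAN fields, or None if it is not ERSPAN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 47 or len(packet) < ihl + 4:  # IP protocol 47 = GRE
        return None
    flags, proto = struct.unpack_from("!HH", packet, ihl)
    if proto not in GRE_PROTO:
        return None
    off = ihl + 4
    # Optional GRE fields: checksum (C), key (K), sequence number (S), 4 bytes each
    for bit in (0x8000, 0x2000, 0x1000):
        if flags & bit:
            off += 4
    if len(packet) < off + 4:
        return None
    word1, word2 = struct.unpack_from("!HH", packet, off)
    return {
        "type": GRE_PROTO[proto],
        "outer_src": socket.inet_ntoa(packet[12:16]),  # should equal the origin IP
        "outer_dst": socket.inet_ntoa(packet[16:20]),  # should equal the destination IP
        "vlan": word1 & 0x0FFF,         # low 12 bits of the first ERSPAN word
        "session_id": word2 & 0x03FF,   # low 10 bits: the configured erspan-id
    }

def matches_session(info, origin, destination, erspan_id):
    """True when the decoded packet carries the expected origin, destination and erspan-id."""
    return bool(info) and (info["outer_src"], info["outer_dst"],
                           info["session_id"]) == (origin, destination, erspan_id)

def build_sample():
    """Constructed test packet, not a capture: values taken from the session in this thread."""
    erspan = struct.pack("!HHI", (1 << 12) | 129, 22, 0)  # ver=1, VLAN 129, session 22
    gre = struct.pack("!HHI", 0x1000, 0x88BE, 1)          # S bit set, sequence number 1
    total = 20 + len(gre) + len(erspan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 255, 47, 0,
                     socket.inet_aton("10.5.11.41"), socket.inet_aton("10.5.10.198"))
    return ip + gre + erspan

if __name__ == "__main__":
    info = parse_erspan(build_sample())
    print(info, matches_session(info, "10.5.11.41", "10.5.10.198", 22))
```

Fed packets captured on the destination's interface, a `None` result for everything means no ERSPAN is arriving at all, while a decoded packet with an unexpected `outer_src` shows which address the switch is actually sourcing the tunnel from.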