Question regarding SPAN and vpc links

sdavids5670 · ‎05-22-2013

Please refer to the attached PDF for topology and configuration information.

I want to send tx/rx traffic in/out of interface Po21 on DC1-7K1-PROD to a laptop connected to eth1/24 on DC1-7K1-PROD. Since Po21 is a vpc my concern is that I'll only see traffic coming across eth1/5 and eth1/7 from both DC1-5548-P1 & P2 and will not see traffic that coming across eth1/6 and eth1/8 (inbound into DC1-7K2-PROD). Is that true or does everything get aggregated and sent to eth1/24? Here's my SPAN configuration:

monitor session 1

source interface port-channel21 both

destination interface Ethernet1/24

no shut

!

If I will miss traffic due to the vpc, is there a better way to setup SPAN (or ERSPAN) to capture traffic coming up to both DC1-7K1-PROD and DC1-7K2-PROD from the 5Ks?

Thanks,

Steven

Reza Sharifi · ‎05-22-2013

It depends on the version of Nexus-OS you are running:

From the eVPC documentation:

The vPC topology presents a challenge for traffic monitoring because each vPC device carries half of the traffic flow. Prior to ERSPAN, you had to configure local SPAN on both vPC devices to monitor all flows sent to and received from the vPC. The procedure required that you combined the packets trace from two SPAN destination ports to get a complete view.

From the Cisco NX-OS 5.1(3)N1(1) release and later releases, the Cisco Nexus 5000 Series devices support ERSPAN source session. With ERSPAN, you can monitor and capture all the flows for the same vPC from one sniffer. The following example shows how to capture all the traffic flows from a host behind an Enhanced vPC.

More info:

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/mkt_ops_guides/513_n1_1/n5k_enhanced_vpc.html

HTH