
Span port on Nexus 5548

arman
Level 1

I have a pair of Nexus 5548s that handle traffic between UCS blades and a SAN cluster. It is a datacenter FCoE switch that handles traffic for a VMware hypervisor hosting Windows VMs. I also have some Catalyst switch stacks used for access layer traffic. I have been capturing traffic using a SPAN port on the Catalyst for some time now successfully and sending this traffic to an IDS. Now I am attempting to capture traffic from the Nexus switches by using a local individual SPAN port on each Nexus. I have a cable running from each Nexus to the IDS, where at this point I am using standard TCPDUMP on the IDS to monitor this traffic. The captures from the Catalyst switch are working correctly, with a ton of traffic showing source, destination, port, etc. when viewed in TCPDUMP. But with the Nexus switches, 99% of the traffic that I am seeing in TCPDUMP is DCE packets and a very small number of unicast packets.

Is there something in the SPAN configuration that I can change for this to work? Here is a sample of 2 frame captures in TCPDUMP on the Nexus. If I show the sample on the Catalyst it will display the source and destination IP/port, but the Catalyst is only showing this traffic with ethertype unknown (8903), which is DCE traffic. The other interesting thing is that when I run this capture from the Nexus to a laptop running Wireshark, I'm seeing the traffic. I want to make sure on the Cisco Nexus side everything is in order.

 

I have also toggled the SPAN port on the Nexus from Trunk to Access and filtered VLANs, but nothing yet.

Can you check my config?

Config:

 

interface Ethernet1/7
switchport mode trunk
switchport monitor
speed 1000

 

 

monitor session 1
description SPAN Monitoring VLANs for IDS
source vlan 100,200
destination interface Ethernet1/7
no shut

 

 

 

Frames from Nexus (I removed the payload part of the frames here to hide real data but in the payload you can see real data that is traveling across the switch, some in clear):

 

 

10:10:25.870970 02:0a:be:00:00:00 (oui Unknown) > 02:0a:bc:00:00:00 (oui Unknown), ethertype Unknown (0x8903), length 234:


10:10:25.871448 02:0a:be:00:00:00 (oui Unknown) > 02:0a:bc:00:00:00 (oui Unknown), ethertype Unknown (0x8903), length 234:
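
A way to quantify what the IDS capture interface is actually receiving, as an added example that is not part of the original post: it tallies the EtherType of every frame in `tcpdump -e` text output and reports the share carrying 0x8903. The first two sample lines are copied from the post; the other two are constructed, and all function names are hypothetical.

```python
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e`, for example:
#   "... ethertype Unknown (0x8903), length 234:"
ETHERTYPE_RE = re.compile(
    r"ethertype\s+(?P<name>[^()]+?)\s+\((?P<hex>0x[0-9a-fA-F]{4})\),"
    r"\s+length\s+(?P<len>\d+)"
)
DCE_ETHERTYPE = 0x8903  # value reported in the post

SAMPLE = """\
10:10:25.870970 02:0a:be:00:00:00 (oui Unknown) > 02:0a:bc:00:00:00 (oui Unknown), ethertype Unknown (0x8903), length 234:
10:10:25.871448 02:0a:be:00:00:00 (oui Unknown) > 02:0a:bc:00:00:00 (oui Unknown), ethertype Unknown (0x8903), length 234:
10:10:26.000001 00:00:5e:00:53:01 (oui Unknown) > 00:00:5e:00:53:02 (oui Unknown), ethertype IPv4 (0x0800), length 74: 192.0.2.10.51514 > 192.0.2.20.443: Flags [S], length 0
10:10:26.000002 00:00:5e:00:53:01 (oui Unknown) > 00:00:5e:00:53:02 (oui Unknown), ethertype 802.1Q (0x8100), length 78: vlan 100, p 0, ethertype IPv4, 192.0.2.10.51515 > 192.0.2.20.443: Flags [S], length 0
""".splitlines()  # lines 3 and 4 are constructed sample data


def summarize(lines):
    """Return (frames per EtherType, bytes per EtherType) for tcpdump -e lines."""
    frames, octets = Counter(), Counter()
    for line in lines:
        m = ETHERTYPE_RE.search(line)  # first match is the outer EtherType
        if m is None:
            continue  # continuation/hex-dump lines carry no link header
        ethertype = int(m.group("hex"), 16)
        frames[ethertype] += 1
        octets[ethertype] += int(m.group("len"))
    return frames, octets


def share(frames, ethertype=DCE_ETHERTYPE):
    """Fraction of captured frames whose outer EtherType is `ethertype`."""
    total = sum(frames.values())
    return frames[ethertype] / total if total else 0.0


def report(lines):
    """One text row per EtherType, most frequent first."""
    frames, octets = summarize(lines)
    return [f"0x{et:04x} frames={n} bytes={octets[et]}"
            for et, n in frames.most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print(f"0x8903 share: {share(summarize(SAMPLE)[0]):.0%}")
```

Running the same tally on the Catalyst-fed and Nexus-fed capture interfaces gives a like-for-like comparison of what each SPAN session delivers to the IDS.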

 

 

 

1 Reply 1

arman
Level 1

Any thoughts on this issue? The IDS vendor wants us to check if the Cisco config is correct. Is there anything in the below port config that does not look correct?
