SPAN and Hyper-V virtual machines

gtlalpachicatl · ‎12-06-2016

Hello team,

I´ve posted this to the Networking forum too.

Customer is running Hyper-V on top of UCS (actually, UCS is part of a Vblock, but VCE/EMC don't support Hyper-V).

Everything runs just fine but they are having some issues with some VMs and need to monitor the traffic between them. They have setup SPAN on the N5K switches that carry the traffic from/to the Vblock (standard in the Vblock architecture), but they are unable to see any traffic from the affected VMs. The VMs are located in different UCS chassis so they expected the traffic to flow all the way to the switches so they can capture and analyze such traffic. They are wondering if they need to enabled something at the VM level or at the Fabric Interconnect level to allow the 5K to see the traffic between the VMs.

Has anyone tried this before? Any advice we can share with the customer?

Thanks in advance for any input.

Gabriel Tlalpachicatl

Dell EMC Customer Advocate

Kirk J · ‎12-08-2016

Greetings.

In End Host mode (the default, and recommended 'switching' mode), the UCSM will drop unknown unicast traffic by design. You would need to have some sort of ERspan source encapsulating the spanned traffic, and targeting an ERspan IP destination that is at the guestVM OS level.

The nature of the captured traffic being unknown (MACs don't match any of the learned address of devices living in UCSM domain) is what causes the span traffic being sent to FI uplink port to be dropped.

Thanks,

Kirk...