Paul Austin
Enthusiast

Understanding and Deploying UCS B-Series LAN Networking for span

Hi All, Anyone configured a VM and a dedicated Ethernet NIC to be used as a SPAN solution? The VM is defined and looks OK; I am just having problems getting the physical NIC connected to the softswitch within VMware.

Sorry if it's a dumb simple answer, but it's a production system so need to get it right 1st time.

Many Thanks

Paul

3 REPLIES
Kirk J
Cisco Employee

Greetings.

The only real solution would involve ERSPAN, where the target guestVM would own the ERSPAN destination IP, and the application would have to know how to strip off the GRE encapsulation from ERSPAN.

The reason you can't do a regular SPAN session into the UCSM/FI ports is that the UCSM (in End Host Mode) does not forward unknown unicast traffic (RPF check), which is essentially what SPAN traffic would be.

Thanks,

Kirk...

Hi Kirk, That sounds fantastic. Will need to investigate the span hosts settings.

Unfortunately, it is very hard to find an actual 'solution' that is a guestVM ERSPAN TARGET.

Seems like everyone is happy to be an ERSPAN source, but none with targets (i.e. N1k, VMware DVS)

Wireshark has the ability to strip the GRE encapsulation if you run it in a guestVM with the IP address that you have specified elsewhere on your network as an ERSPAN target.

In your Wireshark session, you would want to set up a capture filter with 'ip proto 0x2f', which is GRE.

To strip the GRE header, run ..\program files\wireshark>editcap.exe -C 38 <sourcepath-file> <destinationpath-file> where the -C 38 strips the first 38 bytes from the header and saves out to a new file.

If you have a UCSM integrated C series rack server, it is possible to install an un-managed add-in physical PCI-E NIC, and wire that directly to an upstream switch (bypassing UCSM/FIs) that has a defined span monitor pointed to that port. Definitely not ideal, but would still allow you to stick with the UCSM service profiles and use traditional SPAN.

Would be awesome to see:

  • New guestVM NIC type (i.e. VMXNET3-ERSPAN) where the VMXNET3 virtual NIC allowed you to define the ERSPAN target IP that would strip the GRE header, allowing guestVM OS to effectively see remote spanned traffic
  • VMware DVS option that allowed for defining a "local" ERSPAN target, that would also strip the GRE headers before handing off traffic to DVS port.
  • UCSM port mirroring option that included defining an ERSPAN target that pointed to a VNIC, auto stripping the GRE headers off on delivery to the UCSM VNIC.

Kirk...
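Added example, not part of the thread: a sketch of what an application on the ERSPAN destination VM has to do to recover the mirrored frame, computing the encapsulation length from the GRE flags instead of chopping a fixed byte count. It assumes an IPv4 outer packet and ERSPAN Type I or II (GRE protocol type 0x88BE); the function names and the sample packets are constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE   # GRE protocol type used by ERSPAN Type I and II

def _walk(frame: bytes) -> int:
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    while ethertype == 0x8100:                 # 802.1Q tag on the outer frame
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype != 0x0800 or frame[off + 9] != 47:
        raise ValueError("not IPv4 carrying GRE (IP protocol 0x2f)")
    off += (frame[off] & 0x0F) * 4             # IPv4 header length incl. options
    flags, proto = struct.unpack_from("!HH", frame, off)
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE payload is not ERSPAN Type I/II")
    off += 4                                   # base GRE header
    off += 4 if flags & 0x8000 else 0          # optional checksum + reserved
    off += 4 if flags & 0x2000 else 0          # optional key
    if flags & 0x1000:                         # sequence number present: Type II
        off += 4 + 8                           # sequence + 8-byte ERSPAN header
    if len(frame) < off + 14:
        raise ValueError("truncated inner frame")
    return off

def erspan_payload_offset(frame: bytes) -> int:
    """Byte offset of the mirrored inner frame in one captured ERSPAN packet."""
    try:
        return _walk(frame)
    except (struct.error, IndexError):
        raise ValueError("truncated packet") from None

def strip_erspan(frame: bytes) -> bytes:
    """Return the mirrored Ethernet frame without the outer headers."""
    return frame[erspan_payload_offset(frame):]

# Constructed sample data (not from a real capture): a 42-byte inner frame
# wrapped in a minimal outer Ethernet + IPv4 header, once per ERSPAN type.
INNER = bytes.fromhex("ffffffffffff 020000000001 0806") + bytes(28)
_OUTER = bytes(12) + b"\x08\x00" + bytes([0x45]) + bytes(8) + bytes([47]) + bytes(10)
TYPE_I = _OUTER + struct.pack("!HH", 0, GRE_PROTO_ERSPAN) + INNER
TYPE_II = (_OUTER + struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)
           + bytes([0x10]) + bytes(7) + INNER)

if __name__ == "__main__":
    for name, pkt in (("Type I", TYPE_I), ("Type II", TYPE_II)):
        print(name, erspan_payload_offset(pkt), strip_erspan(pkt) == INNER)
```

On the constructed packets the offset is 38 bytes for the Type I layout and 50 bytes for Type II, so a fixed chop length fits only one encapsulation layout.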
