Hi All, Anyone configured a VM and a dedicated Ethernet NIC to be used as a SPAN solution? The VM is defined and looks OK I am just having problems getting the physical NIC connected to the softswitch within VMware.
Sorry if its a dumb simple answer but its a production system so needs to get it right 1st time.
The only real solution would involve ERspan, where the target guestVM would own the ERSPAN destination IP, and application would have to know how to strip off the GRE encapsulation from ERSPAN.
The reason you can't do a regular span session into the UCSM/FI ports, is that the UCSM (In End Host Mode) does not forward unknown unicast traffic (RPF check), which is essentially what span traffic would be.
Unfortunately, it is very hard to find an actual 'solution' that is a guestVM ERSPAN TARGET.
Seems like everyone is happy to be an ERSPAN source, but none with targets (i.e. N1k, vmware DVS)
Wireshark has the ability to strip the GRE encapsulation if you run it in a guestVM with the IP address that you have specified elsewhere on your network as an ERSPAN target.
In your wireshark session, you would want to setup a capture filter with 'ip proto 0x2f', which is GRE.
To strip the GRE header, run ..\program files\wireshark>editcap.exe -C 38 <sourcepath-file> <destinationpath-file> where the -C 38 strips the first 38 bytes from the header and saves out to new file.
If you have a UCSM integrated C series rack server, it is possible to install an un-managed add-in physical PCI-E NIC, and wire that directly to an upstream switch (bypassing UCSM/FIs) that has a defined span monitor pointed to that port. Definitely not ideal, but would still allow you to stick with the UCSM service profiles and use traditional SPAN.
Would be awesome to see :