Networking-Forums.com

Professional Discussions => Routing and Switching => Topic started by: deanwebb on February 19, 2019, 08:49:52 AM

Title: ACI and ERSPAN
Post by: deanwebb on February 19, 2019, 08:49:52 AM
OK, this one is bugging me... ACI can send traffic to a network monitor, but its ERSPAN is sent in GRE encapsulation format. :doh:

If I had Wireshark reading this, the solution is easy: force decapsulation, read the traffic. But this is a network appliance that's basically expecting a SPAN of raw traffic - CounterACT NAC in this case, although the same situation would face an IDS or other such monitor.

So far, my research is pointing at a network packet broker (NPB) solution like Gigamon, Ixia, or Apcon. Those guys can decapsulate and then forward on to a network monitoring appliance. What I want to know is if there is a more direct way to force the ACI to not use GRE for its ERSPAN. The only other solution I can think of would be reaching back to my product guys to see if there was a way to have our port monitor force decapsulation.

Ideas?
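The decapsulation the first post describes forcing in Wireshark, as an added Python example that is not from the thread, from Cisco or from CounterACT: it strips the outer Ethernet / IPv4 / GRE / ERSPAN Type II headers and returns the inner frame with its ERSPAN session ID, so a monitor that only understands raw SPAN could be fed the inner traffic. The `wrap_erspan` helper builds a constructed sample packet (placeholder addresses, zero IP checksum) so the parser can be run offline; the header layout follows the ERSPAN Type II draft.

```python
import struct

GRE_PROTO = 47       # IPv4 protocol number for GRE
ERSPAN_II = 0x88BE   # GRE protocol type used by ERSPAN Type I/II

def decap_erspan(frame: bytes):
    """Return (session_id, inner_frame) for an ERSPAN-over-GRE frame, or None.
    session_id is None for ERSPAN Type I (no ERSPAN header after GRE)."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if ethertype == 0x8100 and len(frame) >= 18:   # outer 802.1Q tag
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20 or frame[off + 9] != GRE_PROTO:    # not GRE: hand back nothing
        return None
    off += ihl
    if len(frame) < off + 4:
        return None
    flags, gre_proto = struct.unpack_from("!HH", frame, off)
    off += 4
    if flags & 0x8000: off += 4   # C bit: checksum + reserved
    if flags & 0x2000: off += 4   # K bit: key
    if flags & 0x1000: off += 4   # S bit: sequence number (set by Type II)
    if gre_proto != ERSPAN_II:
        return None
    session = None
    if flags & 0x1000:            # Type II: 8-byte ERSPAN header follows GRE
        if len(frame) < off + 8:
            return None
        word1 = struct.unpack_from("!I", frame, off)[0]
        session = word1 & 0x3FF   # low 10 bits = ERSPAN session ID
        off += 8
    return session, frame[off:]  # what a SPAN-only monitor actually wants

def wrap_erspan(inner: bytes, session_id: int = 7, seq: int = 1) -> bytes:
    """Constructed sample only: wrap a frame as ERSPAN Type II / GRE / IPv4 / Ethernet."""
    erspan = struct.pack("!II", (1 << 28) | (session_id & 0x3FF), 0)  # ver 1 = Type II
    gre = struct.pack("!HHI", 0x1000, ERSPAN_II, seq)                 # S bit set
    payload = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     GRE_PROTO, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes(6) + bytes(6) + b"\x08\x00"   # placeholder outer MACs
    return eth + ip + payload
```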
Title: Re: ACI and ERSPAN
Post by: LynK on February 19, 2019, 02:07:15 PM
Dean,

We were facing the same issue. We are using counterACT, as well as implementing VXLAN via DCNM right now. We were looking at simply using two counteract devices, but we would not be able to do exactly as you mentioned over the fabric.

The solution I came up with?

Flexible licensing, and multiple virtual appliances with SPANs at each location to gather the SPAN traffic. We have not deployed VXLAN yet, but we are hoping it will work well.
Title: Re: ACI and ERSPAN
Post by: deanwebb on February 20, 2019, 01:08:24 PM
8.1 just released, I'll check to see if we have better ACI support in it...
Title: Re: ACI and ERSPAN
Post by: Otanx on February 20, 2019, 07:09:48 PM
I have not done ERSPAN in a while, but if I remember right you can terminate it on another switch, and send it out a port un-encapsulated. You would need a 2960 or 9200/9300 switch, but those are cheaper than a Gigamon.

-Otanx
Title: Re: ACI and ERSPAN
Post by: deanwebb on February 21, 2019, 08:57:12 AM
Quote from: Otanx on February 20, 2019, 07:09:48 PM
I have not done ERSPAN in a while, but if I remember right you can terminate it on another switch, and send it out a port un-encapsulated. You would need a 2960 or 9200/9300 switch, but those are cheaper than a Gigamon.

-Otanx

Thanks, I'll look at that!
Title: Re: ACI and ERSPAN
Post by: Otanx on February 21, 2019, 09:27:15 AM
Here you go.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-3s/lanswitch-xe-3s-book/lnsw-conf-erspan.html#GUID-06C9B800-C881-45EE-82C0-28321550017B

-Otanx