Tuesday, September 13, 2011

ERSPAN with Nexus 1000v in a Virtualized Data Center


Encapsulated remote SPAN, or ERSPAN, is used to monitor traffic remotely. In a Nexus 1000v environment it is not feasible to attach a probe directly to the virtual switch, so ERSPAN is particularly valuable for monitoring host traffic: the mirrored traffic is routed across the IP network to a designated network analyzer.

A functioning ERSPAN system consists of these components working together:
· Nexus 1000v with a specific port profile and SPAN session
· Host configured to support the monitoring interface
· Destination switch to forward the monitoring traffic to the probe

A sample reference model is provided here, using a probe attached to a Nexus 7000 as a common example.
(Figure: ERSPAN - Cisco Networks)

Nexus 1000v
First, choose a routed VLAN (2000) to carry the ERSPAN traffic. Choose a subnet size that will accommodate growth in the number of hosts (each host uses one IP address). To illustrate, 10.1.0.0/24 is used for VLAN 2000.

Create a port profile for this VLAN on the Nexus 1000v; note that this VLAN must be a system VLAN.

port-profile type vethernet ERSPAN_2000
  capability l3control
  vmware port-group
  vmware max-ports 64
  switchport mode access
  switchport access vlan 2000
  no shutdown
  system vlan 2000
  state enabled


Next, create a test ERSPAN session; for example, monitor the VM on Veth88 and send the monitored traffic to destination 10.2.0.88. See the Nexus 7000 section for the destination configuration.

monitor session 1 type erspan-source
  source interface Vethernet88 both
  destination ip 10.2.0.88
  erspan-id 51
  ip ttl 64
  ip prec 0
  ip dscp 0
  mtu 1500
  header-type 2
  no shut
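The session above sets header-type 2, erspan-id 51 and a TTL of 64, which is what the probe sees on the wire as outer IPv4, then GRE, then an 8-byte ERSPAN Type II header, then the mirrored Ethernet frame. The following decoder is an added example (not code from the original post or from Cisco) that parses such a packet and checks that it carries the expected session ID and destination, the first thing to verify when the probe shows nothing. The packet it decodes is constructed inline (source address 10.1.0.11 and the inner MAC addresses are assumptions; the IP checksum is left as zero and is not validated).

```python
import struct
import ipaddress

IP_PROTO_GRE = 47
ETHERTYPE_ERSPAN_II = 0x88BE   # GRE protocol type carrying ERSPAN Type II
ENCAP_OVERHEAD = 20 + 8 + 8    # outer IPv4 + GRE (with sequence) + ERSPAN Type II


def parse_ipv4(buf):
    """Parse the outer IPv4 header; return (fields, remaining bytes)."""
    ver_ihl, tos, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", buf[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    fields = {
        "src": str(ipaddress.IPv4Address(buf[12:16])),
        "dst": str(ipaddress.IPv4Address(buf[16:20])),
        "ttl": ttl,
        "dscp": tos >> 2,           # matches "ip dscp" in the session
        "precedence": tos >> 5,     # matches "ip prec" in the session
        "proto": proto,
        "total_len": total_len,
    }
    return fields, buf[ihl:]


def parse_gre(buf):
    """Parse a GRE header, honouring the C/K/S option flags; return (fields, payload)."""
    flags, proto = struct.unpack("!HH", buf[:4])
    offset = 4
    if flags & 0x8000:           # C bit: checksum + reserved1 present
        offset += 4
    if flags & 0x2000:           # K bit: key present
        offset += 4
    seq = None
    if flags & 0x1000:           # S bit: sequence number (set for ERSPAN Type II)
        seq = struct.unpack("!I", buf[offset:offset + 4])[0]
        offset += 4
    return {"proto": proto, "seq": seq}, buf[offset:]


def parse_erspan2(buf):
    """Parse the 8-byte ERSPAN Type II header; return (fields, mirrored frame)."""
    word1, word2 = struct.unpack("!II", buf[:8])
    fields = {
        "version": word1 >> 28,                     # 1 == Type II
        "vlan": (word1 >> 16) & 0x0FFF,             # VLAN of the mirrored frame
        "cos": (word1 >> 13) & 0x07,
        "en": (word1 >> 11) & 0x03,                 # encapsulation of the original frame
        "truncated": bool((word1 >> 10) & 0x01),    # T bit: frame exceeded the session MTU
        "session_id": word1 & 0x03FF,               # the erspan-id configured at the source
        "index": word2 & 0x000FFFFF,
    }
    return fields, buf[8:]


def decode_erspan(packet):
    """Decode outer IP + GRE + ERSPAN Type II and summarise the mirrored frame."""
    ip, rest = parse_ipv4(packet)
    if ip["proto"] != IP_PROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    gre, rest = parse_gre(rest)
    if gre["proto"] != ETHERTYPE_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN Type II")
    erspan, frame = parse_erspan2(rest)
    if erspan["version"] != 1:
        raise ValueError("unexpected ERSPAN header version")
    return {
        "outer": ip, "gre": gre, "erspan": erspan,
        "inner_dst_mac": frame[0:6].hex(":"),
        "inner_src_mac": frame[6:12].hex(":"),
        "inner_ethertype": struct.unpack("!H", frame[12:14])[0],
        "inner_len": len(frame),
    }


def matches_session(decoded, expected_id=51, expected_dst="10.2.0.88"):
    """True when the packet belongs to the expected session and was sent to the expected probe address."""
    return decoded["erspan"]["session_id"] == expected_id and decoded["outer"]["dst"] == expected_dst


def build_sample_packet(session_id=51, src="10.1.0.11", dst="10.2.0.88", ttl=64, vlan=100):
    """Constructed sample of what the probe receives; the host address and inner MACs are made up."""
    inner = (bytes.fromhex("005056aa0001") + bytes.fromhex("005056aa0002")
             + struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 26)       # 42-byte mirrored frame
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 0)
    gre = struct.pack("!HHI", 0x1000, ETHERTYPE_ERSPAN_II, 1)                # S bit set, seq 1
    total_len = 20 + len(gre) + len(erspan) + len(inner)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, total_len, 0, 0, ttl, IP_PROTO_GRE, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return outer + gre + erspan + inner


if __name__ == "__main__":
    decoded = decode_erspan(build_sample_packet())
    print("session", decoded["erspan"]["session_id"], "from", decoded["outer"]["src"],
          "to", decoded["outer"]["dst"], "ok" if matches_session(decoded) else "MISMATCH")
```

The `truncated` flag is worth watching on the probe: with `mtu 1500` on the session, the 36 bytes of encapsulation overhead mean a full-size mirrored frame does not fit and is cut, so a capture that appears to lose payload bytes is often the session MTU rather than a network fault.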

Add a VMKNIC for each host
This must be done from vCenter, for each host. An IP address in VLAN 2000 (10.1.0.0/24) is required for each host.
Refer to the VMware configuration guide for details.

Nexus 7000
The destination probe is connected to the Nexus 7000. We want the monitored traffic originating from the Nexus 1000v to be forwarded to the probe.

The destination 10.2.0.88 specified by the ERSPAN session (on the N1kv) has a static ARP entry in VLAN 3000. There is also a corresponding static MAC address entry pointing to the port to which the probe is connected. As a result, ERSPAN traffic destined for 10.2.0.88 is forwarded to the probe.

interface Vlan2000
  …
  ip address 10.1.0.2/24
  hsrp 2000
    ip 10.1.0.1

! SVI for the probe VLAN; must be the same VLAN as the probe port and the static MAC entry
interface Vlan3000
  …
  ip address 10.2.0.1/24
  ip arp 10.2.0.88 00AA.BBCC.DD66

interface Ethernet2/2
  switchport
  switchport access vlan 3000
  no shutdown

mac address-table static 00AA.BBCC.DD66 vlan 3000 interface Ethernet2/2
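The forwarding path only works when four pieces agree: the session's destination IP, the static ARP entry for it, the static MAC entry for that MAC, and the access VLAN of the probe port. The script below is an added example (not from the original post or from Cisco) that parses the two snippets above and reports any mismatch, e.g. an SVI created on the wrong VLAN number. The configuration text is embedded as a constructed sample modelled on this post, and a second copy with the SVI deliberately moved to Vlan3001 shows the kind of slip the check catches.

```python
import re

# Constructed sample modelled on the snippets in this post (not captured from a device).
N1KV_SESSION = """\
monitor session 1 type erspan-source
  source interface Vethernet88 both
  destination ip 10.2.0.88
  erspan-id 51
  header-type 2
  no shut
"""

N7K_CONFIG = """\
interface Vlan3000
  ip address 10.2.0.1/24
  ip arp 10.2.0.88 00AA.BBCC.DD66

interface Ethernet2/2
  switchport
  switchport access vlan 3000
  no shutdown

mac address-table static 00AA.BBCC.DD66 vlan 3000 interface Ethernet2/2
"""

# Same config with the SVI on the wrong VLAN, the slip this check is meant to catch.
N7K_CONFIG_MISMATCH = N7K_CONFIG.replace("interface Vlan3000", "interface Vlan3001")


def norm_mac(mac):
    """Normalise Cisco dotted (00AA.BBCC.DD66) or colon form to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def session_destination(text):
    """Return the destination IP of the first erspan-source session, or None."""
    m = re.search(r"^\s*destination ip (\S+)", text, re.M)
    return m.group(1) if m else None


def parse_n7k(text):
    """Collect static ARP entries (per SVI), static MAC entries and access-port VLANs."""
    ctx = None
    arps, static_macs, access_vlans = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            ctx = m.group(1)          # remember which interface we are inside
            continue
        m = re.match(r"ip arp (\S+) (\S+)$", line)
        if m and ctx and ctx.lower().startswith("vlan"):
            arps[m.group(1)] = (int(ctx[4:]), norm_mac(m.group(2)))
            continue
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m and ctx:
            access_vlans[ctx] = int(m.group(1))
            continue
        m = re.match(r"mac address-table static (\S+) vlan (\d+) interface (\S+)$", line)
        if m:
            static_macs[norm_mac(m.group(1))] = (int(m.group(2)), m.group(3))
    return arps, static_macs, access_vlans


def check_erspan_path(session_text, n7k_text):
    """Return a list of findings; an empty list means the forwarding path is consistent."""
    findings = []
    dest = session_destination(session_text)
    if dest is None:
        return ["session has no destination ip"]
    arps, static_macs, access_vlans = parse_n7k(n7k_text)
    if dest not in arps:
        return [f"no static ARP entry for ERSPAN destination {dest}"]
    arp_vlan, mac = arps[dest]
    if mac not in static_macs:
        return [f"no static MAC entry for {mac} (ARP target of {dest})"]
    mac_vlan, port = static_macs[mac]
    if mac_vlan != arp_vlan:
        findings.append(f"static MAC {mac} is in VLAN {mac_vlan} but the ARP entry for {dest} is on SVI Vlan{arp_vlan}")
    port_vlan = access_vlans.get(port)
    if port_vlan is None:
        findings.append(f"probe port {port} has no access VLAN")
    elif port_vlan != mac_vlan:
        findings.append(f"probe port {port} is in VLAN {port_vlan} but the static MAC entry is in VLAN {mac_vlan}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("consistent", N7K_CONFIG), ("mismatch", N7K_CONFIG_MISMATCH)):
        print(name, check_erspan_path(N1KV_SESSION, cfg) or ["OK"])
```

Running it on a `show running-config` saved to a file is a quick pre-change check before touching the probe, and the same parser can be pointed at the N1kv session to confirm the destination address did not drift when the session was copied between hosts.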
