[c-nsp] erspan for just one IP
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jan 12 05:34:55 EST 2012
On 01/12/2012 02:44 AM, Robert Hass wrote:
> Hi
>
> Is there any way to have ERSPAN (on Cat6500) where traffic is copied only
> for one IP within a VLAN?
> E.g. VLAN400, IP 2.2.2.2 (where the VLAN consists of a /16 subnet and 2k active hosts)

Sadly not, on sup720.

Nexus 7k has this, and since it's using EARL8 as well I assume it's
possible in hardware on sup2T, but as I recall no sign of the feature in
software.

If it suits your needs, the "capture" SPAN type can apply an IP ACL in
hardware:

  mon sess X capture
   filter access-group ...

...but since it captures to a memory buffer, and you have to TFTP the
packets off for any detailed analysis, this only works for relatively
low-bandwidth captures.

No IPv6 either :o(

Also: beware of "capture" SPAN sessions. We've seen some bugs, which
seem to have reared their head again in the SXJ train, where enabling a
"capture" SPAN causes all existing and future ERSPAN sessions to
malfunction - specifically, ERSPAN packet generation no longer obeys the
routing table, and packets always flow to 0.0.0.0/0. This usually
results in a routing loop...