[c-nsp] ERSPAN strangeness (C6k Sup720)
Peter Rathlev
peter at rathlev.dk
Wed Oct 19 10:38:40 EDT 2011
We use ERSPAN a lot, sourcing from out PEs (6500 Sup720) and sending it
to a CentOS 5 server with a 10G NIC. We're using a derivative of Phil
Mayers' Python scripts[0] which can be found here[1]. I don't think the
session destination is relevant though, just plugging our version. :-)
Just today one of our PEs (VS-SUP20-10G SXI1 AIS) started malfunctioning
concerning ERSPAN. What I observe is this:
- The ERSPAN destination see packets from one or more "other"
interfaces, no matter what the monitor session definition says.
- I only the control plane traffic, e.g. BPDUs, PIM packets, broadcasts
et cetera. I don't see any "production" traffic.
- All ERSPAN packets containing BPDUs have a GRE sequence number
of 4294967295, which I don't see on other (working) devices. IP
payloads have a "sane" sequence number.
Removing the ERSPAN session and re-entering the definition does not
change anything. Shutting the interface from where the traffic seen
arrives makes the device choose another interface, but it still isn't
choosing the right one and still only sending control plane traffic.
It has worked fine until a few hours ago. A similar device (same H/W and
S/W) next to this one works fine. The malfunctioning device should be
upgraded soon and therefore rebooted, and this will probably clear the
error, but I wouldn't mind having a work-around until then. :-)
Anybody seen anything like this before? Are there any "secret" show
commands to tell me something about SPAN sessions?
[0]: http://cisco.cluepon.net/index.php/ERSPAN_to_PCAP_script
[1]: http://ampere.rathlev.dk/erspan-capture.c
http://ampere.rathlev.dk/remotedump
--
Peter
More information about the cisco-nsp
mailing list