We use ERSPAN a lot, sourcing from out PEs (6500 Sup720) and sending it to a CentOS 5 server with a 10G NIC. We're using a derivative of Phil Mayers' Python scripts[0] which can be found here[1]. I don't think the session destination is relevant though, just plugging our version. :-)
Just today one of our PEs (VS-SUP20-10G SXI1 AIS) started malfunctioning concerning ERSPAN. What I observe is this: - The ERSPAN destination see packets from one or more "other" interfaces, no matter what the monitor session definition says. - I only the control plane traffic, e.g. BPDUs, PIM packets, broadcasts et cetera. I don't see any "production" traffic. - All ERSPAN packets containing BPDUs have a GRE sequence number of 4294967295, which I don't see on other (working) devices. IP payloads have a "sane" sequence number. Removing the ERSPAN session and re-entering the definition does not change anything. Shutting the interface from where the traffic seen arrives makes the device choose another interface, but it still isn't choosing the right one and still only sending control plane traffic. It has worked fine until a few hours ago. A similar device (same H/W and S/W) next to this one works fine. The malfunctioning device should be upgraded soon and therefore rebooted, and this will probably clear the error, but I wouldn't mind having a work-around until then. :-) Anybody seen anything like this before? Are there any "secret" show commands to tell me something about SPAN sessions? [0]: http://cisco.cluepon.net/index.php/ERSPAN_to_PCAP_script [1]: http://ampere.rathlev.dk/erspan-capture.c http://ampere.rathlev.dk/remotedump -- Peter _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
