ACI and ERSPAN

Started by deanwebb, February 19, 2019, 08:49:52 AM


deanwebb

OK, this one is bugging me... ACI can send traffic to a network monitor, but its ERSPAN is sent in GRE encapsulation format. :doh:

If I had Wireshark reading this, the solution is easy: force decapsulation, read the traffic. But this is a network appliance that's basically expecting a SPAN of raw traffic - CounterACT NAC in this case, although the same situation would face an IDS or other such monitor.

So far, my research is pointing at a network packet broker (NPB) solution like Gigamon, Ixia, or Apcon. Those guys can decapsulate and then forward on to a network monitoring appliance. What I want to know is if there is a more direct way to force the ACI to not use GRE for its ERSPAN. The only other solution I can think of would be reaching back to my product guys to see if there was a way to have our port monitor force decapsulation.

Ideas?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
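What a packet broker's "decapsulate" stage (or Wireshark's decode-as) actually does to this traffic, as an added example that is not part of the original thread or of any product mentioned in it: strip the outer Ethernet/IPv4/GRE/ERSPAN headers and hand back the mirrored frame the way a raw SPAN port would deliver it. ERSPAN rides in GRE with protocol type 0x88BE (Type I has no ERSPAN header after GRE, Type II adds an 8-byte one; Type III uses 0x22EB and a 12-byte header), and the GRE sequence flag is what tells Type I from Type II. The script builds its own sample frames; the MACs, IP addresses, VLAN, session ID and sequence number are made up, not captured from a fabric.

```python
"""Strip ERSPAN-over-GRE encapsulation so the inner frame can be fed to a tool
that expects plain SPAN traffic. Added example; sample frames are constructed."""
import struct

ETH_P_IP = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_I_II = 0x88BE  # ERSPAN Type I and Type II share this GRE protocol type
GRE_PROTO_ERSPAN_III = 0x22EB
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # GRE checksum / key / sequence-present flags


class DecapError(ValueError):
    """Frame is not a well-formed Ethernet/IPv4/GRE/ERSPAN encapsulation."""


def decapsulate_erspan(frame: bytes) -> tuple[dict, bytes]:
    """Return (metadata, inner Ethernet frame) for an ERSPAN-encapsulated frame."""
    try:
        return _decap(frame)
    except struct.error as exc:  # unpack_from ran past the end of the buffer
        raise DecapError("truncated header") from exc


def _decap(frame: bytes) -> tuple[dict, bytes]:
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        raise DecapError("outer frame is not Ethernet/IPv4")
    off = 14
    ver_ihl, proto = frame[off], frame[off + 9]
    total_len = struct.unpack_from("!H", frame, off + 2)[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or off + total_len > len(frame):
        raise DecapError("bad outer IPv4 header")
    if proto != IPPROTO_GRE:
        raise DecapError(f"outer IP protocol {proto} is not GRE")
    end = off + total_len  # Ethernet padding after the IP datagram is not part of the inner frame
    meta = {"outer_src": ".".join(map(str, frame[off + 12:off + 16])),
            "outer_dst": ".".join(map(str, frame[off + 16:off + 20]))}
    off += ihl

    gre_flags, gre_proto = struct.unpack_from("!HH", frame, off)
    off += 4
    if gre_flags & GRE_C:
        off += 4
    if gre_flags & GRE_K:
        off += 4
    if gre_flags & GRE_S:
        meta["gre_seq"] = struct.unpack_from("!I", frame, off)[0]
        off += 4

    if gre_proto == GRE_PROTO_ERSPAN_I_II and not gre_flags & GRE_S:
        meta["erspan_type"] = "I"  # Type I: inner frame follows GRE directly
    elif gre_proto == GRE_PROTO_ERSPAN_I_II:
        w1, w2 = struct.unpack_from("!II", frame, off)  # Type II 8-byte header
        if w1 >> 28 != 1:
            raise DecapError("ERSPAN Type II header with unexpected version")
        meta.update(erspan_type="II", vlan=(w1 >> 16) & 0xFFF, cos=(w1 >> 13) & 0x7,
                    session_id=w1 & 0x3FF, index=w2 & 0xFFFFF)
        off += 8
    elif gre_proto == GRE_PROTO_ERSPAN_III:
        w1, ts, sgt, w4 = struct.unpack_from("!IIHH", frame, off)  # Type III 12-byte header
        if w1 >> 28 != 2:
            raise DecapError("ERSPAN Type III header with unexpected version")
        meta.update(erspan_type="III", vlan=(w1 >> 16) & 0xFFF, session_id=w1 & 0x3FF,
                    timestamp=ts, sgt=sgt)
        off += 12 + (8 if w4 & 0x1 else 0)  # O bit: optional platform-specific subheader
    else:
        raise DecapError(f"GRE protocol 0x{gre_proto:04x} is not ERSPAN")

    inner = frame[off:end]
    if len(inner) < 14:
        raise DecapError("no inner Ethernet frame after the ERSPAN header")
    return meta, inner


def _ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


# Constructed inner frame: an ARP request from 192.0.2.10 for 192.0.2.1 (sample data, not a capture).
INNER_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("005056abcdef") + b"\x08\x06"
               + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                             bytes.fromhex("005056abcdef"), bytes([192, 0, 2, 10]),
                             bytes(6), bytes([192, 0, 2, 1])))


def build_sample_frame(erspan_type: str) -> bytes:
    """Wrap INNER_FRAME in outer Ethernet/IPv4/GRE (+ ERSPAN II header). Addresses are made up."""
    if erspan_type == "II":
        gre = struct.pack("!HHI", GRE_S, GRE_PROTO_ERSPAN_I_II, 42)  # S bit set, sequence 42
        erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 7, 5)  # ver 1, VLAN 100, session 7, index 5
    elif erspan_type == "I":
        gre = struct.pack("!HH", 0, GRE_PROTO_ERSPAN_I_II)  # no flags, no ERSPAN header
        erspan = b""
    else:
        raise ValueError(erspan_type)
    payload = gre + erspan + INNER_FRAME
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, IPPROTO_GRE, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    outer_eth = bytes.fromhex("0011223344550050560a0b0c") + struct.pack("!H", ETH_P_IP)
    return outer_eth + ip + payload


if __name__ == "__main__":
    for kind in ("I", "II"):
        meta, inner = decapsulate_erspan(build_sample_frame(kind))
        print(kind, meta, "inner ethertype 0x%04x" % struct.unpack_from("!H", inner, 12)[0])
```

The same logic, fed from a pcap or a raw socket bound to the port the leaf sends ERSPAN to, is the whole job a broker does here; the metadata (session ID, VLAN, outer source) is what you would key on if several leaves point at one collector. Note the length check against the outer IP total length: without it, Ethernet padding on short mirrored frames would be handed to the monitor as if it were payload.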

LynK

Dean,

We were facing the same issue. We are using counterACT, as well as implementing VXLAN via DCNM right now. We were looking at simply using two counterACT devices, but we would not be able to do exactly as you mentioned over the fabric.

The solution I came up with?

Flexible licensing, and multiple virtual appliances with SPANs at each location to gather the SPAN traffic. We have not deployed VXLAN yet, but we are hoping it will work well.
Sys Admin: "You have a stuck route"
            Me: "You have an incorrect Default Gateway"

deanwebb

8.1 just released, I'll check to see if we have better ACI support in it...

Otanx

I have not done ERSPAN in a while, but if I remember right you can terminate it on another switch, and send it out a port un-encapsulated. You would need a 2960 or 9200/9300 switch, but those are cheaper than a Gigamon.

-Otanx

deanwebb

Quote from: Otanx on February 20, 2019, 07:09:48 PM
I have not done ERSPAN in a while, but if I remember right you can terminate it on another switch, and send it out a port un-encapsulated. You would need a 2960 or 9200/9300 switch, but those are cheaper than a Gigamon.

-Otanx

Thanks, I'll look at that!