{"id":784,"date":"2013-09-19T18:23:14","date_gmt":"2013-09-20T00:23:14","guid":{"rendered":"http:\/\/benincosa.com\/blog\/?p=784"},"modified":"2014-11-19T11:23:55","modified_gmt":"2014-11-19T17:23:55","slug":"quick-span-with-the-nexus-1000v","status":"publish","type":"post","link":"https:\/\/benincosa.com\/?p=784","title":{"rendered":"Quick SPAN with the Nexus 1000v"},"content":{"rendered":"<p>Today I thought I&#8217;d take a look at creating a SPAN session on the 1000v to monitor traffic. \u00a0I found it really easy to do! \u00a0SPAN is one of those things that takes you longer to read and understand than to actually configure. \u00a0I find that true with a lot of Cisco products: \u00a0Fabric Path, OTV, LISP, etc.<\/p>\n<p>SPAN is &#8220;Switched Port Analyzer&#8221;. \u00a0It&#8217;s basically port monitoring. \u00a0You capture the traffic going through one port and then mirror it on another. \u00a0This is one of the benefits you get out of the box with the 1000v: the network administrator no longer has to treat the VMs as a big black box.<\/p>\n<p>To follow the <a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/switches\/datacenter\/nexus1000\/sw\/4_0_4_s_v_1_3\/system_management\/configuration\/guide\/n1000v_system_9span.html\">guide<\/a>, I installed 3 VMs: iperf1, iperf2, and xcat. \u00a0The idea was to monitor traffic between iperf1 and iperf2 from the xcat virtual machine.<\/p>\n<p>On the xcat virtual machine I created a new interface and put it in the same VLAN as the other VMs. \u00a0These were all on my port-profile called &#8220;VM Network&#8221;. \u00a0I created it like this:<\/p>\n<blockquote><p>conf<br \/>\nvlan 5<br \/>\nport-profile type vethernet &#8220;VM Network&#8221;<br \/>\nvmware port-group<br \/>\nswitchport mode access<br \/>\nswitchport access vlan 510<br \/>\nno shutdown<br \/>\nstate enabled<\/p><\/blockquote>\n<p>Then, using vCenter, I edited the VMs to assign them to that port group.  
(Remember:  VMware Port-Group = Nexus 1000 Port-Profile)<\/p>\n<p>On the Nexus 1000v, running the command:<\/p>\n<blockquote><p># sh interface virtual<\/p>\n<p>-------------------------------------------------------------------------------<br \/>\nPort        Adapter        Owner                    Mod Host<br \/>\n-------------------------------------------------------------------------------<br \/>\nVeth1       vmk3           VMware VMkernel          4   192.168.40.101<br \/>\nVeth2       vmk3           VMware VMkernel          3   192.168.40.102<br \/>\nVeth3       Net Adapter 1  xCAT2                    3   192.168.40.102<br \/>\nVeth4       Net Adapter 2  iPerf2                   3   192.168.40.102<br \/>\nVeth5       Net Adapter 3  xCAT                     3   192.168.40.102<br \/>\nVeth6       Net Adapter 2  iPerf1                   3   192.168.40.102<\/p><\/blockquote>\n<p>allows me to see which vethernet is assigned to which VM.  In this SPAN session, I decided I wanted to monitor the traffic coming out of iPerf1 (Veth6) on the xCAT VM (Veth5).<br \/>\nNo problem:<\/p>\n<p><strong>Create The SPAN session<\/strong><\/p>\n<p>To do this, we just configure a SPAN session:<\/p>\n<blockquote><p>n1kv221(config)# monitor session 1<br \/>\nn1kv221(config-monitor)# source interface vethernet 6 both<br \/>\nn1kv221(config-monitor)# destination interface vethernet 5<br \/>\nn1kv221(config-monitor)# no shutdown<\/p><\/blockquote>\n<p>As you can see from above, I&#8217;m monitoring both received and transmitted packets on vethernet 6 (iPerf1).  Those packets are then mirrored to vethernet 5 (xCAT).  If you have an IP address on xCAT (vethernet 5) you&#8217;ll find you can no longer ping it.  The port is in SPAN mode. Notice also that by default the monitoring session is off.  
You have to turn it on.<\/p>\n<p>Now we want to check things out:<\/p>\n<blockquote><p>n1kv221(config-monitor)# sh monitor<br \/>\nSession  State        Reason                  Description<br \/>\n-------  -----------  ----------------------  --------------------------------<br \/>\n1        up           The session is up<br \/>\nn1kv221(config-monitor)# sh monitor session 1<br \/>\nsession 1<br \/>\n---------------<br \/>\ntype              : local<br \/>\nstate             : up<br \/>\nsource intf       :<br \/>\nrx            : Veth6<br \/>\ntx            : Veth6<br \/>\nboth          : Veth6<br \/>\nsource VLANs      :<br \/>\nrx            :<br \/>\ntx            :<br \/>\nboth          :<br \/>\nsource port-profile :<br \/>\nrx            :<br \/>\ntx            :<br \/>\nboth          :<br \/>\nfilter VLANs      : filter not specified<br \/>\ndestination ports : Veth5<br \/>\ndestination port-profile :<\/p><\/blockquote>\n<p>Now, you&#8217;ll probably want to monitor the port, right?  I just installed <a href=\"http:\/\/www.wireshark.org\">Wireshark<\/a> on my xcat VM.  (It&#8217;s Linux: yum -y install wireshark and ride.)  To watch from the command line I just ran the command:<\/p>\n<blockquote><p>[root@xcat ~]# tshark -D<br \/>\n1. eth0<br \/>\n2. eth1<br \/>\n3. eth2<br \/>\n4. eth3<br \/>\n5. any (Pseudo-device that captures on all interfaces)<br \/>\n6. lo<\/p><\/blockquote>\n<p>This gives me the interfaces.  
By matching the MAC addresses, I can see that eth2 (device 3 in the tshark output) is the one that I have on the Nexus 1000v.<\/p>\n<p>From here I run:<\/p>\n<blockquote><p>[root@xcat ~]# tshark -i 3 -R &quot;eth.dst eq 00:50:56:9C:3B:13&quot;<br \/>\n0.000151 192.168.50.151 -&gt; 192.168.50.152 ICMP Echo (ping) reply<br \/>\n1.000210 192.168.50.151 -&gt; 192.168.50.152 ICMP Echo (ping) reply<br \/>\n2.000100 192.168.50.151 -&gt; 192.168.50.152 ICMP Echo (ping) reply<br \/>\n..<\/p><\/blockquote>\n<p>Then I get a long list of fun stuff to monitor.  (Newer tshark releases, 1.10 and later, take this display filter with -Y instead of -R.)  By pinging between iperf1 and iperf2 I can see all the traffic that goes on.  Since there was nothing else on this VLAN it was pretty easy to see.  Hopefully this helps me or you troubleshoot down the road.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I thought I&#8217;d take a look at creating a SPAN session on the 1000v to monitor traffic. \u00a0I found it really easy to do! \u00a0SPAN is one of those things that takes you longer to read and understand than to actually configure. 
\u00a0I find that true with a lot of Cisco products: \u00a0Fabric Path,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[147],"tags":[206,207,205,208],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/benincosa.com\/index.php?rest_route=\/wp\/v2\/posts\/784"}],"collection":[{"href":"https:\/\/benincosa.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/benincosa.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/benincosa.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/benincosa.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=784"}],"version-history":[{"count":1,"href":"https:\/\/benincosa.com\/index.php?rest_route=\/wp\/v2\/posts\/784\/revisions"}],"predecessor-version":[{"id":785,"href":"https:\/\/benincosa.com\/index.php?rest_route=\/wp\/v2\/posts\/784\/revisions\/785"}],"wp:attachment":[{"href":"https:\/\/benincosa.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/benincosa.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/benincosa.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}