Cisco – VMware VDS ERSPAN decapsulation on Cisco Nexus 7k and mirrored to local port

Tags: cisco, microsoft-ata, networking, vds, vmware-esxi

We are setting up a mirror/span/rspan/erspan to get traffic (DCs live as VMs in an ESX cluster) to our Microsoft ATA server. The problem that we are running into is that a traditional RSPAN is not working because all unicast messages are getting blocked in the Fabric Interconnects of the UCS chassis (where VMware lives). Some searching indicates that there is really no way to run an L2 RSPAN through a Fabric Interconnect, only local mirror sessions to/from the FIs.

So enter ERSPAN, basically encapsulating the packets in GRE and sending them to a layer 3 destination. This works fantastically with Wireshark as the destination, because it is smart enough to strip off the GRE and present the packet. Microsoft ATA however 'does not currently support ERSPAN' and requires the GRE be decapsulated by a switch/router.

What we are now trying to do is set up the ERSPAN destination on a Nexus 7k, then monitor the session to a physical interface and hand that off to ATA as raw packets. Has anyone worked with this sort of configuration before? I found an example configuration from Cisco, but I am not sure what to put for the ERSPAN session-id, or if it has to match anything.

Short of setting up a Linux host to terminate GRE then mirror, does anyone have any ideas?

(Rough physical network: clustered FIs, clustered 4500X, 1 Nexus 7k, 2 linecards.)

DC --- VMware --- VDS (ERSPAN source) --- Fabric Interconnect --- Cisco 4500X --- Nexus 7k (ERSPAN destination) --- Microsoft ATA

Best Answer

Do you really want all that superfluous traffic to and from your domain controllers going through all that network equipment? All the encapsulation, decapsulation and circuitous routing is really going to limit your throughput and leave less bandwidth available for all of the other devices that need to share that network.

I'd think long and hard about some way you can just get the ATA Gateways in on the same VLAN as the domain controllers. It doesn't have to be a 1:1 ratio of ATA Gateways to domain controllers, but then again, it certainly can be.

You are correct that Microsoft ATA does not currently support receiving ERSPAN traffic directly. It must be decapsulated first. To support this type of network setup, you would just simply have to set up some sort of device (Linux host, a switch, a router, anything that was capable of decapsulating the ERSPAN traffic) before forwarding it to the ATA Gateway.

Sorry, I know that's the one thing you said you didn't want to do, but I don't see any other options.
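The decapsulation step both the question and the answer refer to (stripping the outer IP/GRE/ERSPAN wrapper so the monitoring tool sees the original mirrored frame) is small enough to show end to end. The following is an added example, not code from the original thread, Cisco, Microsoft or VMware: it parses a captured ERSPAN frame, recovers the session metadata (including the 10-bit Session ID field, which is where the source session's ERSPAN ID travels and why the decapsulating destination is configured with the same number), and returns the inner frame. The function names, the MAC/IP addresses and the sample capture are all constructed here; the `encap_erspan` helper exists only to build that sample offline. It handles ERSPAN Type II (GRE with a sequence number followed by the 8-byte ERSPAN header) and Type I (GRE with no ERSPAN header), which share the GRE protocol type 0x88BE.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE      # ERSPAN Type I and Type II both use this GRE protocol type
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


def decap_erspan(frame):
    """Strip the outer Ethernet/IPv4/GRE/ERSPAN headers from one captured frame.

    Returns a dict with the ERSPAN session metadata and the inner (mirrored) frame,
    which is what a tool that cannot read ERSPAN itself expects to be handed.
    """
    if len(frame) < 14 + 20 + 4:
        raise ValueError("frame too short for Ethernet/IPv4/GRE")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    off = 14
    ver_ihl = frame[off]
    total_len = struct.unpack("!H", frame[off + 2:off + 4])[0]
    if ver_ihl >> 4 != 4 or frame[off + 9] != IPPROTO_GRE:
        raise ValueError("outer packet is not IPv4 carrying GRE")
    ip_end = off + total_len                 # ignore any Ethernet padding after the IP payload
    off += (ver_ihl & 0x0F) * 4              # IHL is in 32-bit words
    flags, gre_proto = struct.unpack("!HH", frame[off:off + 4])
    off += 4
    if gre_proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN" % gre_proto)
    if flags & GRE_FLAG_CHECKSUM:            # optional GRE fields, each 4 bytes
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    meta = {"erspan_type": 1, "session_id": None, "vlan": None, "gre_seq": None}
    if flags & GRE_FLAG_SEQUENCE:
        # A GRE sequence number marks Type II; Type I has neither it nor an ERSPAN header
        meta["gre_seq"] = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
        # ERSPAN II header: Ver(4) VLAN(12) COS(3) En(2) T(1) SessionID(10) | Reserved(12) Index(20)
        w0, w1 = struct.unpack("!II", frame[off:off + 8])
        off += 8
        if w0 >> 28 != 1:
            raise ValueError("unsupported ERSPAN header version %d" % (w0 >> 28))
        meta.update(erspan_type=2, vlan=(w0 >> 16) & 0xFFF, cos=(w0 >> 13) & 0x7,
                    session_id=w0 & 0x3FF, index=w1 & 0xFFFFF)
    meta["inner_frame"] = frame[off:ip_end]
    return meta


def _ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encap_erspan(inner_frame, session_id, vlan, seq, src_ip, dst_ip, erspan_type=2):
    """Build the outer wrapper the way a source switch would; used here only to
    construct sample input offline (constructed, not a real capture)."""
    if erspan_type == 2:
        gre = struct.pack("!HHI", GRE_FLAG_SEQUENCE, GRE_PROTO_ERSPAN, seq)
        erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 0)
    else:
        gre = struct.pack("!HH", 0, GRE_PROTO_ERSPAN)
        erspan = b""
    payload = gre + erspan + inner_frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                     IPPROTO_GRE, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    outer_eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + ip + payload


# Constructed sample: a tiny inner frame (dummy MACs, IPv4 ethertype, dummy payload)
# mirrored in ERSPAN session 10 from VLAN 100 to a constructed destination address.
SAMPLE_INNER = (bytes.fromhex("0a0000000001" "0a0000000002")
                + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 27)
SAMPLE_FRAME = encap_erspan(SAMPLE_INNER, session_id=10, vlan=100, seq=7,
                            src_ip="10.0.0.10", dst_ip="10.0.0.20")

if __name__ == "__main__":
    result = decap_erspan(SAMPLE_FRAME)
    print("ERSPAN type %d, session %s, VLAN %s, seq %s, inner frame %d bytes" % (
        result["erspan_type"], result["session_id"], result["vlan"],
        result["gre_seq"], len(result["inner_frame"])))
```

Fed with frames read from a capture on the ERSPAN destination host, `decap_erspan` gives the bytes that would be re-emitted on the interface facing the monitoring tool; the `session_id` it recovers is the value to compare against the ID configured on the destination session when frames are unexpectedly dropped.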
