[Oisf-users] Monitoring a VPC

MILESTONE Kerry Kerry.Milestone at ed.ac.uk
Thu Jun 15 14:57:53 UTC 2017


You may wish to check that the frame size on the VPC matches what the NIC is configured for.

Run ethtool on the Intel server to set, see how large it'll go. Also, there are guides around for other settings to set/unset for capturing only.

Sh hardware internal naxos port n# state | grep MTU

MRU/MTU: 9284 bytes,   Rx-CRC-Mode: 4 bytes, Tx-CRC-Mode: 4 bytes

Sh running-config all | grep jumbo
system jumbomtu 9216


On Nexus to see what it's doing.

You may (guessing) need to reduce jumbo size to support the maximum size of the capture NIC, including the VPC overhead.
________________________________
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of Charles Devoe <Charles.Devoe at cisecurity.org>
Sent: 15 June 2017 15:05:04
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Monitoring a VPC

I have a system where we have tapped into 4 10gig uplinks in a VPC port-channel trunk.  We are using Intel X520 cards to get the traffic from the taps.  These cards are showing a lot of CRC errors, frame errors, and rxerrors.  Has anyone had experience tapping a VPC connection, and is there anything special I need to do?


Charles DeVoe Jr.
Manager of Engineering
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

charles.devoe at cisecurity.org
(518) 266-3494
7x24 Security Operations Center
SOC at cisecurity.org - 1-866-787-4722
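
A sensor-side version of the check suggested in the reply, as an added example that is not part of the thread: it reads the capture port's MTU and error counters and compares the MTU with the switch's `system jumbomtu` value. The interface name `eth2`, the sample output and the verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample data (not from the thread): one `ip -o link show` line
# and `ethtool -S` counters as an ixgbe (X520) port might report them.
SAMPLE_LINK='4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000'
SAMPLE_STATS='NIC statistics:
     rx_packets: 918273645
     rx_crc_errors: 48211
     rx_length_errors: 1730
     rx_long_length_errors: 1730
     rx_missed_errors: 0'

# Extract the interface MTU from one `ip -o link show` line.
link_mtu() {
    printf '%s\n' "$1" | sed -n 's/.* mtu \([0-9][0-9]*\) .*/\1/p'
}

# Extract one named counter from `ethtool -S` output (exact name match).
stat_value() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# Compare the sensor MTU with the switch frame size and print a verdict.
# $1 = switch MTU (the thread shows "system jumbomtu 9216"),
# $2 = `ip -o link show` line, $3 = `ethtool -S` text.
assess_port() {
    sw=$1
    mtu=$(link_mtu "$2")
    long=$(stat_value "$3" rx_long_length_errors)
    crc=$(stat_value "$3" rx_crc_errors)
    [ -n "$mtu" ] || { echo "UNKNOWN could not parse NIC MTU"; return 1; }
    if [ "$mtu" -lt "$sw" ]; then
        echo "MISMATCH nic_mtu=$mtu switch_mtu=$sw rx_long_length_errors=${long:-0} rx_crc_errors=${crc:-0}"
    elif [ "${crc:-0}" -gt 0 ]; then
        echo "ERRORS_PERSIST nic_mtu=$mtu switch_mtu=$sw rx_crc_errors=$crc"
    else
        echo "OK nic_mtu=$mtu switch_mtu=$sw"
    fi
}

# On a live sensor (assumed interface name eth2):
#   assess_port 9216 "$(ip -o link show dev eth2)" "$(ethtool -S eth2)"
assess_port 9216 "$SAMPLE_LINK" "$SAMPLE_STATS"
```

The Linux MTU counts the payload without the Ethernet header or VLAN tags, so leave headroom for that overhead when picking the NIC value.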

