Wired Intelligent Edge

Hello ,

I have two 8360 Switches working as Core and in VSX .

I have a Asset visibility/NAC appliance connected to one of the Switches for port mirroring sensing SPAN traffic , Do i need another cable to between NAC appliance and 2nd core .

I have been reading some stuff online and having NAC connected to both core switches is best pratice to have full visibility .

Can some one confirm this ?

Also , the ISL is on a Port channel , so is there any sense to monitor ISL Port channel also as source in the port mirroring config .

If you use ERSPAN (destination GRE), then no need for another cable, but pay attention of BW, you should avoid overloaded ISL; if mirror destination is a physical interface, then I would suggest to connect a second cable to the other VSX node and have similar config on both VSX node for mirror session.

Monitoring ISL does not bring value as you already monitor what is ingressing the switch from the user-ports. You will also get some ISL protocol communication that will pop up in your analyzer tool that is not really worth considering/collecting as this is pure internal sauce of VSX cluster.

Hello ,

I have two 8360 Switches working as Core and in VSX .

I have a Asset visibility/NAC appliance connected to one of the Switches for port mirroring sensing SPAN traffic , Do i need another cable to between NAC appliance and 2nd core .

I have been reading some stuff online and having NAC connected to both core switches is best pratice to have full visibility .

Can some one confirm this ?

Also , the ISL is on a Port channel , so is there any sense to monitor ISL Port channel also as source in the port mirroring config .

Hi Vincent ,

Thanks for your response , There is no ERSPAN .

Indeed monitoring ISL is not a good option .

I will proceed by connecting the NAC with Second node of VSX and do the same configuration .

Thanks again for this , is there any official documentation related to this ?

If you use ERSPAN (destination GRE), then no need for another cable, but pay attention of BW, you should avoid overloaded ISL; if mirror destination is a physical interface, then I would suggest to connect a second cable to the other VSX node and have similar config on both VSX node for mirror session.

Monitoring ISL does not bring value as you already monitor what is ingressing the switch from the user-ports. You will also get some ISL protocol communication that will pop up in your analyzer tool that is not really worth considering/collecting as this is pure internal sauce of VSX cluster.

Hello ,

I have two 8360 Switches working as Core and in VSX .

I have a Asset visibility/NAC appliance connected to one of the Switches for port mirroring sensing SPAN traffic , Do i need another cable to between NAC appliance and 2nd core .

I have been reading some stuff online and having NAC connected to both core switches is best pratice to have full visibility .

Can some one confirm this ?

Also , the ISL is on a Port channel , so is there any sense to monitor ISL Port channel also as source in the port mirroring config .