SPAN Features

About SPAN Feature Configuration

The Cisco ACI Virtual Edge supports Switched Port Analyzer (SPAN) features, including local SPAN and Encapsulated remote SPAN (ERSPAN).

You cannot use the Cisco ACI Virtual Edge inside or outside interface uplinks as the source or destination of a SPAN session. The Cisco ACI Virtual Edge supports 64 SPAN sessions per DVS (local SPAN and ERSPAN). A source can be a member of a maximum of four SPAN sessions.

Guidelines for Configuring SPAN

Follow these guidelines when you configure local SPAN sessions on the Cisco ACI Virtual Edge:

  • You can have only a single vLeaf per session.

  • Sessions are defined by a client end point (CEP). EPG as a destination is not supported.

  • Sessions are deployed on the vLeaf when a destination CEP is defined.

  • No regular traffic is allowed from or to the destination CEP.

  • A separate EPG with promiscuous mode enabled must be created for the LSPAN destination CEP.

Guidelines for Configuring ERSPAN

Follow these guidelines when you configure ERSPAN sessions on the Cisco ACI Virtual Edge:

  • Sessions are defined based on an IP address with other optional parameters.

  • Sessions can be deployed on multiple vLeafs.

  • Sessions are deployed to a vLeaf when a source CEP or endpoint group (EPG) is defined.

  • The destination for an ERSPAN session should always be in overlay-1 (infraVRF [virtual routing and forwarding]). If the destination is a VM behind the Cisco ACI Virtual Edge, bring it up in the infra EPG.

    The ERSPAN destination should always be remote. ERSPAN from a Cisco ACI Virtual Edge to a destination hosted behind the same Cisco ACI Virtual Edge is not supported.

  • If the ERSPAN destination is a VM, make sure that vMotion is disabled on it. If the ERSPAN destination VM is moved to another host for any reason, make sure that the static CEP is configured accordingly. See Step 21 through Step 24 in the section Configure SPAN Features Using the GUI.

  • The IP address for the destination can be obtained using DHCP (Option 61 is needed during DHCP) or static configuration. Make sure that the IP address is in the same subnet as the other VTEPs in overlay-1 (infra VRF).


    Note


    Not all operating systems for VMs and devices support Option 61 for DHCP. In those cases, use a static IP address on infra VLAN. Choose a static IP address for ERSPAN carefully because it might lead to an IP conflict with the leased DHCP IPs on infra VLAN.
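
The limits in About SPAN Feature Configuration and the two guideline lists above can be checked against a planned set of sessions before anything is configured. The following Python sketch is an added example, not Cisco code: the session dictionary keys, host names, subnet, and lease list are hypothetical, constructed inputs that you would fill in from your own inventory.

```python
import ipaddress
from collections import Counter

MAX_PER_DVS = 64      # page: 64 SPAN sessions per DVS (local SPAN and ERSPAN)
MAX_PER_SOURCE = 4    # page: a source can be a member of at most four sessions

def lint_span_plan(sessions, infra_subnet, leased_ips):
    """Return sorted (session, problem) pairs. Hypothetical session keys: name, dvs,
    type, sources, vleafs (AVE hosts the session deploys to), dest_host (AVE host
    in front of the destination, or None), dest_ip (ERSPAN only, static)."""
    net = ipaddress.ip_network(infra_subnet)
    leased = {ipaddress.ip_address(a) for a in leased_ips}  # leases held by others
    per_dvs = Counter(s["dvs"] for s in sessions)
    per_src = Counter(src for s in sessions for src in set(s["sources"]))
    out = []
    for s in sessions:
        n = s["name"]
        if per_dvs[s["dvs"]] > MAX_PER_DVS:
            out.append((n, "more than 64 sessions on this DVS"))
        for src in sorted(set(s["sources"])):
            if per_src[src] > MAX_PER_SOURCE:
                out.append((n, f"source {src} is in more than 4 sessions"))
        if s["type"] == "LSPAN":
            if len(set(s["vleafs"])) != 1:
                out.append((n, "local SPAN needs exactly one vLeaf"))
            continue
        # ERSPAN: destination must be remote and sit in the overlay-1 subnet.
        if s.get("dest_host") in s["vleafs"]:
            out.append((n, "ERSPAN destination is behind a source vLeaf"))
        ip = ipaddress.ip_address(s["dest_ip"])
        if ip not in net:
            out.append((n, "destination IP is outside the overlay-1 subnet"))
        elif ip in leased:
            out.append((n, "static destination IP collides with a DHCP lease"))
    return sorted(out)

# Constructed sample data: subnet, leases, hosts and names are all made up.
INFRA_SUBNET = "10.0.0.0/16"
LEASED = ["10.0.64.64", "10.0.64.65"]
PLAN = [
    {"name": "erspan-ok", "dvs": "dvs1", "type": "ERSPAN", "sources": ["web-epg"],
     "vleafs": ["ave-1", "ave-2"], "dest_host": "ave-3", "dest_ip": "10.0.64.200"},
    {"name": "erspan-bad", "dvs": "dvs1", "type": "ERSPAN", "sources": ["vm-a"],
     "vleafs": ["ave-1"], "dest_host": "ave-1", "dest_ip": "10.0.64.65"},
    {"name": "lspan-bad", "dvs": "dvs1", "type": "LSPAN", "sources": ["vm-b"],
     "vleafs": ["ave-1", "ave-2"], "dest_host": "ave-1"},
]

if __name__ == "__main__":
    for name, problem in lint_span_plan(PLAN, INFRA_SUBNET, LEASED):
        print(f"{name}: {problem}")
```

The lease check only sees addresses that are leased at the time you run it, so rerun it against a fresh lease list before committing a static address.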

Guidelines for Configuring SPAN or ERSPAN with a UCS B Series Server

If you want to configure SPAN or ERSPAN on Cisco ACI Virtual Edge, and the Cisco ACI Virtual Edge hosts are running on a UCS B Series server, you must configure a port channel (PC) interface policy group with MAC pinning for the interfaces connecting to the fabric interconnects. This is because the virtual source (vsource) and virtual destination (vdestination) groups are specified only on PC policy groups.

Configure SPAN Features Using the GUI

Before you begin

If you are configuring LSPAN, you must have a new EPG configured with Promiscuous mode to capture local traffic on the same host. This EPG should be used on the VM that captures the traffic. Complete the following steps:

  1. Create a new EPG and associate it to the VMM domain, choosing AVE as the switching mode and Auto as the encapsulation mode.

  2. Enable Promiscuous mode on the EPG.

    In Cisco APIC, expand the EPG, click Domains (VMs and Bare-metals), right-click the VMM already associated with the EPG, and then click Edit VMM Domain association. Set Allow Promiscuous to Accept, and then click OK.

Procedure


Step 1

Log in to the Cisco APIC.

Step 2

On the menu bar, choose Fabric > Access Policies.

Step 3

In the Policies navigation pane, open the Policies and the Troubleshooting folders.

Step 4

Expand the VSPAN folder.

Step 5

Right-click the VSPAN Destinations Groups folder and choose Create VSPAN Destination Group.

Step 6

In the Create VSPAN Destination Group dialog box, complete the following steps:

  1. In the Name field, enter a name.

  2. In the Create Destinations area, click the + icon.

Step 7

In the Create VSPAN VDestination dialog box, complete the following steps:

  1. In the Destination Type field, choose ERSPAN or LSPAN (for local SPAN).

  2. Complete one of the following series of steps, depending on what you chose in Step 7 a:

    If you chose ERSPAN, enter the following values:

    • Name—Enter a name for the VSPAN destination (Destination1).

    • Description—(Optional) Enter a description for the VSPAN destination.

    • Destination Type—Choose ERSPAN.

    • Destination IP—Specify a destination IP address.

    • Flow ID—Specify a flow ID value.

    • TTL—Specify a TTL value (64).

    • MTU—Specify an MTU value (1510).

    • DSCP—Enter a QoS DSCP value.

    If you chose LSPAN, enter the following values:

    • Name—Enter a name for the VSPAN destination (Destination1).

    • Description—(Optional) Enter a description for the VSPAN destination.

    • Destination Type—Choose LSPAN.

    • Destination CEP—(Optional) Choose a Tenant (1), Application Profile (a1), and EPG (e1), and CEP MAC address for the destination.

      You see the destination CEP MAC address if you fulfilled the prerequisites for LSPAN.

      Note

      When you configure the destination CEP, choose the EPG that you created in the "Before You Begin" section with Promiscuous mode enabled.

  3. Click OK to save the VSPAN destination.

Step 8

In the Create VSPAN Destination dialog box, click Submit to save the VSPAN destination group.

Step 9

In the Policies navigation pane, right-click the VSPAN Sessions folder and choose Create VSPAN Session.

Step 10

In the Create VSPAN Session dialog box, in the Name field, enter a name for the source group.

Step 11

In the Admin State field, ensure that Start is chosen.

Step 12

From the Destination Group drop-down list, choose the new destination group.

Step 13

In the Create Sources area, click the + icon.

Step 14

In the Create VSPAN VSource dialog box, complete the following steps:

  1. In the Name field, enter a name for the source.

  2. In the Direction area, choose a direction for the source (Both, Incoming, or Outgoing).

  3. In the Source type area, choose EPG or CEP.

  4. In the Source EPG or Source CEP area, choose a tenant, an application profile, and an EPG from the drop-down lists.

  5. If you choose CEP as the source type, also choose a CEP from the drop-down list.

  6. Disregard the Add Source Access Paths area.

  7. Click OK to save the VSPAN VSource.

Step 15

Click Submit to save the VSPAN VSource Group.

Step 16

On the menu bar, choose Fabric > Access Policies.

Step 17

In the Policies navigation pane, expand the Interfaces, Leaf Interfaces, and Policy Groups folders.

Step 18

Expand the VPC Interface folder and click the policy group through which the SPAN source or destination is to be connected.

Step 19

In the PC/VPC Interface Policy Group work pane for the policy group, complete the following steps:

  1. From the Attached Entity Profile drop-down list, choose or create an attached entity profile.

    Note

    You may need to scroll down the page to complete the next steps.

  2. In the VSource Groups area, click the + icon, choose the desired SPAN source group, and then click Update.

    This is the name of the source that you created in Step 14 a.

  3. In the VDestination Group area, choose the SPAN destination group, and then click Update.

    This is the name of the destination that you created in Step 7 b.

  4. Click Submit.

    These steps associate the SPAN source and SPAN destination groups with the selected policy groups.

Step 20

To verify the configuration, open an SSH session on Cisco ACI Virtual Edge and enter the vemcmd show span command to display active SPAN sessions. Verify that the new session is running.

Note

 
Step 21 through Step 24 are for ERSPAN only.

Step 21

In the APIC GUI, on the menu bar, choose Tenants > infra.

Step 22

In the Tenant infra navigation pane, expand the following: Application Profiles > access > Application EPGs > EPG default.

Step 23

Right-click the Static EndPoint folder and then choose Create Static EndPoint.

Step 24

In the Create Static Endpoint dialog box, complete the following steps:

  1. In the MAC field, enter the ERSPAN destination's MAC address.

  2. In the Type area, choose tep.

  3. In the Path Type area, choose the appropriate path type.

    If you choose Port as the path type, choose a node from the Node drop-down list.

    The path type determines how the leaf is connected to the ERSPAN destination. The leaf can be connected by port, direct port channel, or virtual port channel.

  4. In the Path field, enter the appropriate path.

    The path determines the policy group where the ERSPAN destination is attached.

  5. In the IP Address field, enter the ERSPAN destination IP address.

  6. In the Encap field, enter the overlay-1 VLAN.

  7. Click Submit.

  8. From the ERSPAN destination, ping any overlay- IP address.

    This step ensures that the fabric learns the ERSPAN destination IP address.