Configuring SPAN

This chapter contains the following sections:

Information About SPAN

The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe or another Remote Monitoring (RMON) probe.

Guidelines and Limitations for SPAN

SPAN has the following guidelines and limitations:

  • You can monitor the same source interfaces (physical port or port-channel) in multiple local SPAN sessions.

  • The Cisco Nexus 3500 Series switches do not support the access-group command for SPAN sessions.

SPAN Sources

SPAN sources refer to the interfaces from which traffic can be monitored. The Cisco Nexus device supports Ethernet, port channels, and VLANs as SPAN sources. With VLANs, all supported interfaces in the specified VLAN are included as SPAN sources. You can choose the SPAN traffic in the ingress direction, the egress direction, or both directions for Ethernet source interfaces:

  • Ingress source (Rx)—Traffic entering the device through this source port is copied to the SPAN destination port.

  • Egress source (Tx)—Traffic exiting the device through this source port is copied to the SPAN destination port.

Characteristics of Source Ports

A source port, also called a monitored port, is a switched interface that you monitor for network traffic analysis. The switch supports any number of ingress source ports (up to the maximum number of available ports on the switch) and any number of source VLANs.

A source port has these characteristics:

  • Can be of Ethernet, port channel, or VLAN port type.

  • Cannot be a destination port.

  • Can be configured with a direction (ingress, egress, or both) to monitor. For VLAN sources, the monitored direction can only be ingress and applies to all physical ports in the group. The RX/TX option is not available for VLAN SPAN sessions.

  • Can be in the same or different VLANs.


Note


  • The maximum number of source ports per SPAN session is 128 ports.


SPAN Destinations

SPAN destinations refer to the interfaces that monitor source ports. The Cisco Nexus Series device supports Ethernet interfaces as SPAN destinations.

Characteristics of Destination Ports

Each local SPAN session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs. A destination port has these characteristics:

  • Can be any physical port. Source Ethernet and FCoE ports cannot be destination ports.

  • Cannot be a source port.

  • Cannot be a port channel.

  • Does not participate in spanning tree while the SPAN session is active.

  • Is excluded from the source list and is not monitored if it belongs to a source VLAN of any SPAN session.

  • Receives copies of sent and received traffic for all monitored source ports.

  • The same destination interface cannot be used for multiple SPAN sessions. However, an interface can act as a destination for a SPAN and an ERSPAN session.

SPAN and ERSPAN Filtering

A SPAN or ERSPAN session can be used to monitor all the traffic on all the source interfaces. This volume of traffic can cause packet drops if there is congestion or if the destination bandwidth is not enough to monitor all the traffic.

Cisco NX-OS Release 6.0(2)A4(1) provides the ability to select the specific SPAN or ERSPAN traffic flows that must be monitored. Filtering is achieved by creating a filter and attaching it to a SPAN or ERSPAN session. Only the packets that match the filter are mirrored.

Filtering can be of the following types:

  • MAC-based

  • IP-based

  • VLAN-based

Guidelines and Limitations for SPAN and ERSPAN Filtering

SPAN and ERSPAN filtering have the following guidelines and limitations:

  • Cisco Nexus 3500 Series switches drop the SPAN copies when traffic starts while one interface is spanned in the rx direction and another interface is spanned in the tx direction. This happens because the default SPAN threshold limit is low and cannot handle the burst traffic for SPAN. Use the CLI command hardware profile buffer span-threshold <xx> to increase the SPAN threshold.

    Note

    Increasing the SPAN threshold affects the shared buffer allocation. It allocates the SPAN buffers from the shared buffer pool.

  • The minimum span-threshold value has been updated from 0 to 2. When you set the span-threshold to the lowest value of 2, the SPAN buffer occupied is 528. When you use the negate command no hardware profile buffer span-threshold 2, the span-threshold value is 208. The default value is less than the minimum span-threshold value.

  • When a source interface in a SPAN session is operationally down, that SPAN session does not go operationally down. This behavior does not impact any functionality.

  • Configuring two SPAN or ERSPAN sessions on the same source interface with only one filter is not supported. If the same source is used in multiple SPAN or ERSPAN sessions, either all the sessions must have different filters or no sessions should have filters.

  • SPAN filtering supports only 16 filters. These filters can be a combination of VLAN-based, IP-based, and MAC-based filters.

  • When a SPAN session is configured with a multicast router port being the source port, the destination port sees all the multicast traffic even when there is no traffic that is actually being forwarded to the source port. This is due to a current limitation of the multicast/SPAN implementation.

  • SPAN filtering is applicable for all the traffic of the switch except the SPAN source interface traffic.

  • You can configure only one IP-based, one MAC-based and one VLAN-based filter per SPAN session.

  • The number of filters is further restricted by the number of SPAN sessions and the type of source as follows:

    • A maximum of 8 MAC-based, 8 IP-based or 8 VLAN-based filters can be configured.

    • A maximum of 4 IP-based, 4 MAC-based or 4 VLAN-based filters can be attached to all interface-based SPAN sessions.

    • A maximum of 8 IP-based, 8 MAC-based or 8 VLAN-based filters can be attached to all VLAN-based SPAN sessions.

  • Filters can be used only in the ingress direction. This is not configurable.

  • A SPAN session must be up for filters to work.

  • You cannot configure filters on ERSPAN-dst sessions.

  • You cannot configure filters on Warp SPAN sessions.

  • The control-packet filter is always applied in the egress direction.

  • The control-packet filter is recommended when both the source and the destination interfaces of the ERSPAN session are PTP enabled.

SPAN and ERSPAN Control-packet Filtering

Cisco NX-OS Release 6.0(2)A8(9) provides the ability to filter out CPU-generated packets going out of the SPAN source interface. The control-packet filter is applied in the egress direction and is therefore effective on source interfaces enabled for Tx mirroring.

SPAN and ERSPAN Sampling

Cisco NX-OS Release 6.0(2)A4(1) supports sampling of source packets for each SPAN or ERSPAN session. Monitoring only a sample number of source packets helps reduce SPAN or ERSPAN bandwidth. This sample is defined by a range that you can configure. For example, if you configure the range as 2, 1 out of every 2 source packets will be spanned. Similarly, if you configure the range as 1023, 1 out of every 1023 packets will be spanned. This method provides an accurate count of SPAN or ERSPAN source packets, but it does not include any time-related information about the spanned packets.

By default, SPAN and ERSPAN sampling are disabled. To use sampling, you must enable it for each SPAN or ERSPAN session.

Guidelines and Limitations for SPAN and ERSPAN Sampling

SPAN and ERSPAN sampling have the following guidelines and limitations:

  • Sampling is only supported for local and ERSPAN-src sessions.

  • Sampling is not supported for ERSPAN-dst sessions.

  • Sampling is not supported for Warp SPAN sessions.

  • The supported sampling range is from 2 to 1023.

SPAN and ERSPAN Truncation

Cisco NX-OS Release 6.0(2)A4(1) introduces truncation of source packets for each SPAN or ERSPAN session based on the size of their MTU. Truncation helps reduce SPAN or ERSPAN bandwidth by reducing the size of packets monitored. MTU truncation can be set from 64 bytes to 1518 bytes. Any SPAN or ERSPAN packet that is larger than the configured MTU size is truncated to the given size with a 4-byte offset. For example, if you configure the MTU as 300 bytes, the maximum size of the replicated packet is 304 bytes.

By default, SPAN and ERSPAN truncation are disabled. To use truncation, you must enable it for each SPAN or ERSPAN session.

Guidelines and Limitations for SPAN and ERSPAN Truncation

SPAN and ERSPAN truncation have the following guidelines and limitations:

  • Truncation is only supported for local and ERSPAN-src sessions.

  • Truncation is not supported for ERSPAN-dst sessions.

  • Truncation is not supported for Warp SPAN sessions.

  • The supported MTU range is from 64 bytes to 1518 bytes.

Creating or Deleting a SPAN Session

You create a SPAN session by assigning a session number using the monitor session command. If the session already exists, any additional configuration information is added to the existing session.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session session-number

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session session-number

Enters the monitor configuration mode. New session configuration is added to the existing session configuration.

Example

The following example shows how to configure a SPAN monitor session:

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)#

Configuring an Ethernet Destination Port

You can configure an Ethernet interface as a SPAN destination port.


Note


The SPAN destination port can only be a physical port on the switch.


SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# interface ethernet slot/port
  3. switch(config-if)# switchport monitor
  4. switch(config-if)# exit
  5. switch(config)# monitor session session-number
  6. switch(config-monitor)# destination interface ethernet slot/port

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# interface ethernet slot/port

Enters interface configuration mode for the Ethernet interface with the specified slot and port.

Note

 
To enable the switchport monitor command on virtual ethernet ports, you can use the interface vethernet slot/port command.

Step 3

switch(config-if)# switchport monitor

Enters monitor mode for the specified Ethernet interface. Priority flow control is disabled when the port is configured as a SPAN destination.

Step 4

switch(config-if)# exit

Reverts to global configuration mode.

Step 5

switch(config)# monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 6

switch(config-monitor)# destination interface ethernet slot/port

Configures the Ethernet SPAN destination port.

Note

 
To enable the virtual ethernet port as destination interface in the monitor configuration, you can use the destination interface vethernet slot/port command.

Example

The following example shows how to configure an Ethernet SPAN destination port (HIF):

switch# configure terminal
switch(config)# interface ethernet100/1/24
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 1
switch(config-monitor)# destination interface ethernet100/1/24
switch(config-monitor)# 

The following example shows how to configure a virtual ethernet (VETH) SPAN destination port:

switch# configure terminal
switch(config)# interface vethernet10
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2
switch(config-monitor)# destination interface vethernet10
switch(config-monitor)# 

Configuring Source Ports

Source ports can only be Ethernet ports.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session session-number
  3. switch(config-monitor)# source interface type slot/port [rx | tx | both]

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session session-number

Enters monitor configuration mode for the specified monitoring session.

Step 3

switch(config-monitor)# source interface type slot/port [rx | tx | both]

Adds an Ethernet SPAN source port and specifies the traffic direction in which to duplicate packets. You can enter a range of Ethernet, Fibre Channel, or virtual Fibre Channel ports. You can specify the traffic direction to duplicate as ingress (Rx), egress (Tx), or both. By default, the direction is both.

Example

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# source interface ethernet 1/16
switch(config-monitor)#

Configuring Source Port Channels or VLANs

You can configure the source channels for a SPAN session. These ports can be port channels and VLANs. The monitored direction can be ingress, egress, or both and applies to all physical ports in the group.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session session-number
  3. switch(config-monitor)# source {interface {port-channel | san-port-channel} channel-number [rx | tx | both] | vlan vlan-range | vsan vsan-range }

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 3

switch(config-monitor)# source {interface {port-channel | san-port-channel} channel-number [rx | tx | both] | vlan vlan-range | vsan vsan-range }

Configures port channel, SAN port channel, VLAN, or VSAN sources. For VLAN or VSAN sources, the monitored direction is implicit.

Example

The following example shows how to configure a port channel SPAN source:

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# source interface port-channel 1 rx
switch(config-monitor)# source interface port-channel 3 tx
switch(config-monitor)# source interface port-channel 5 both
switch(config-monitor)#

The following example shows how to configure a VLAN SPAN source:

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# source vlan 1
switch(config-monitor)#

Configuring the Description of a SPAN Session

For ease of reference, you can provide a descriptive name for a SPAN session.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session session-number
  3. switch(config-monitor)# description description

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 3

switch(config-monitor)# description description

Creates a descriptive name for the SPAN session.

Example

The following example shows how to configure a SPAN session description:

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# description monitoring ports eth2/2-eth2/4
switch(config-monitor)#

Activating a SPAN Session

The default is to keep the session state shut. You can open a session that duplicates packets from sources to destinations.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# no monitor session {all | session-number} shut

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# no monitor session {all | session-number} shut

Opens the specified SPAN session or all sessions.

Example

The following example shows how to activate a SPAN session:

switch# configure terminal
switch(config)# no monitor session 3 shut

Suspending a SPAN Session

By default, the session state is shut.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session {all | session-number} shut

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session {all | session-number} shut

Suspends the specified SPAN session or all sessions.

Example

The following example shows how to suspend a SPAN session:

switch# configure terminal
switch(config)# monitor session 3 shut
switch(config)#

Configuring a SPAN Filter

You can configure SPAN filters for local and ERSPAN-source sessions only.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session session-number
  3. switch(config-monitor)# source {interface {port-channel} channel-number [rx | tx | both] | vlan vlan-range}
  4. switch(config-monitor)# filter {ip source-ip-address source-ip-mask destination-ip-address destination-ip-mask}
  5. switch(config-monitor)# destination interface ethernet slot/port

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 3

switch(config-monitor)# source {interface {port-channel} channel-number [rx | tx | both] | vlan vlan-range}

Configures port channel or VLAN sources. For VLAN sources, the monitored direction is implicit.

Step 4

switch(config-monitor)# filter {ip source-ip-address source-ip-mask destination-ip-address destination-ip-mask}

Creates a SPAN filter.

Step 5

switch(config-monitor)# destination interface ethernet slot/port

Configures the Ethernet SPAN destination port.

Example

The following example shows how to configure an IP-based SPAN filter for a local session:

switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# monitor session 1
switch(config-monitor)# source interface Ethernet 1/7 rx
switch(config-monitor)# filter ip 10.1.1.1 255.255.255.255 20.1.1.1 255.255.255.255
switch(config-monitor)# destination interface Ethernet 1/48
switch(config-monitor)# no shut
switch(config-monitor)# 

The following example shows how to configure a VLAN-based SPAN filter for a local session:

switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# monitor session 3
switch(config-monitor)# source vlan 200
switch(config-monitor)# destination interface Ethernet 1/4
switch(config-monitor)# no shut
switch(config-monitor)# 

Configuring SPAN Sampling

You can configure sampling for local and ERSPAN-source sessions only.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session session-number
  3. switch(config-monitor)# source {interface {port-channel} channel-number [rx | tx | both] | vlan vlan-range}
  4. switch(config-monitor)# sampling sampling-range
  5. switch(config-monitor)# destination interface ethernet slot/port

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 3

switch(config-monitor)# source {interface {port-channel} channel-number [rx | tx | both] | vlan vlan-range}

Configures port channel or VLAN sources. For VLAN sources, the monitored direction is implicit.

Step 4

switch(config-monitor)# sampling sampling-range

Configures a range for spanning packets. If the range is defined as n, every nth packet will be spanned.

The sampling range is between 2 and 1023.

Step 5

switch(config-monitor)# destination interface ethernet slot/port

Configures the Ethernet SPAN destination port.

Example

The following example shows how to configure sampling on a VLAN for a local session:

switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# monitor session 1
switch(config-monitor)# source vlan 100
switch(config-monitor)# sampling 10
switch(config-monitor)# destination interface ethernet 1/48
switch(config-monitor)# no shut
switch(config-monitor)# show monitor session 1
   session 1
---------------
type              : local
state             : up
sampling          : 10
source intf       :
    rx            : Eth1/3        Eth1/7
    tx            :
    both          :
source VLANs      :
    rx            : 100
destination ports : Eth1/48

Legend: f = forwarding enabled, l = learning enabled

The following example shows how to configure sampling on an Ethernet interface for a local session:

switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# monitor session 3
switch(config-monitor)# source interface ethernet 1/8
switch(config-monitor)# sampling 20
switch(config-monitor)# destination interface ethernet 1/4
switch(config-monitor)# show monitor session 3
   session 3
---------------
type              : local
state             : down (No operational src/dst)
sampling          : 20
source intf       :
    rx            : Eth1/8
    tx            : Eth1/8
    both          : Eth1/8
source VLANs      :
    rx            : 200
destination ports : Eth1/4

Legend: f = forwarding enabled, l = learning enabled

Configuring SPAN Truncation

You can configure truncation for local and ERSPAN-source sessions only.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session session-number
  3. switch(config-monitor)# source {interface {port-channel} channel-number [rx | tx | both] | vlan vlan-range}
  4. switch(config-monitor)# mtu size
  5. switch(config-monitor)# destination interface ethernet slot/port

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 3

switch(config-monitor)# source {interface {port-channel} channel-number [rx | tx | both] | vlan vlan-range}

Configures port channel or VLAN sources. For VLAN sources, the monitored direction is implicit.

Step 4

switch(config-monitor)# mtu size

Configures the MTU size for truncation. Any SPAN packet that is larger than the configured MTU size is truncated to the configured size with a 4-byte offset.

The MTU truncation size is between 64 bytes and 1518 bytes.

Step 5

switch(config-monitor)# destination interface ethernet slot/port

Configures the Ethernet SPAN destination port.

Example

The following example shows how to configure MTU truncation for a local session:

switch# configure terminal
switch(config)# monitor session 5
switch(config-monitor)# source interface ethernet 1/5 both
switch(config-monitor)# mtu 512
switch(config-monitor)# destination interface Ethernet 1/39
switch(config-monitor)# no shut
switch(config-monitor)# show monitor session 5
   session 5
---------------
type              : local
state             : down (No operational src/dst)
mtu               : 512
source intf       :
    rx            : Eth1/5
    tx            : Eth1/5
    both          : Eth1/5
source VLANs      :
    rx            :
destination ports : Eth1/39

Legend: f = forwarding enabled, l = learning enabled
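
The limits stated in the guideline sections of this chapter (sampling range 2 to 1023, MTU 64 to 1518 bytes, no port-channel destinations, one SPAN session per destination interface, one filter of each type per session, and the rule that sessions sharing a source must all have different filters or none) can be checked before the commands are entered. The following is an added example, not Cisco code: the function names and the sample commands are constructed, only the filter ip form shown on this page is exercised, and local SPAN sessions only are assumed.

```python
import re
from collections import defaultdict

# Constructed input: session commands in the form used on this page.
SAMPLE_CONFIG = """\
monitor session 1
  source interface ethernet 1/7 rx
  filter ip 10.1.1.1 255.255.255.255 20.1.1.1 255.255.255.255
  sampling 10
  destination interface ethernet 1/48
monitor session 2
  source interface ethernet 1/7 rx
  sampling 1
  mtu 1600
  destination interface Ethernet 1/48
monitor session 3
  source interface port-channel 5 both
  destination interface port-channel 9
"""

def norm(name):
    """Give 'Ethernet 1/48' and 'ethernet1/48' one spelling."""
    return re.sub(r"\s+", "", name).lower()

def parse_sessions(text):
    """Return {session number: settings} for each 'monitor session' block."""
    sessions, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"monitor session (\d+)", line):
            cur = sessions.setdefault(int(m.group(1)), {
                "sources": set(), "dests": set(), "filters": [],
                "sampling": None, "mtu": None})
        elif cur is None:
            continue
        elif m := re.fullmatch(r"source interface (.+?)(?: (?:rx|tx|both))?", line):
            cur["sources"].add(norm(m.group(1)))
        elif m := re.fullmatch(r"destination interface (.+)", line):
            cur["dests"].add(norm(m.group(1)))
        elif m := re.fullmatch(r"(sampling|mtu) (\d+)", line):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.fullmatch(r"filter (\S+) (.+)", line):
            cur["filters"].append((m.group(1), m.group(2)))
    return sessions

def lint(sessions):
    """Check parsed sessions against the limits stated on this page."""
    found, dest_use, src_use = set(), defaultdict(list), defaultdict(list)
    for num, s in sessions.items():
        if s["sampling"] is not None and not 2 <= s["sampling"] <= 1023:
            found.add((num, "sampling-out-of-range"))
        if s["mtu"] is not None and not 64 <= s["mtu"] <= 1518:
            found.add((num, "mtu-out-of-range"))
        kinds = [kind for kind, _ in s["filters"]]
        if len(kinds) != len(set(kinds)):       # one filter per type per session
            found.add((num, "repeated-filter-type"))
        for d in s["dests"]:
            dest_use[d].append(num)
            if d.startswith("port-channel"):
                found.add((num, "destination-is-port-channel"))
        for src in s["sources"]:
            src_use[src].append(num)
    for d, nums in dest_use.items():
        if len(nums) > 1:                       # one SPAN session per destination
            found.update((n, "destination-shared") for n in nums)
        found.update((n, "destination-is-also-source") for n in src_use.get(d, []))
    for nums in src_use.values():
        filt = [tuple(sessions[n]["filters"]) for n in nums]
        some, distinct = any(filt), all(filt) and len(set(filt)) == len(filt)
        if len(nums) > 1 and some and not distinct:
            found.update((n, "shared-source-filter-mix") for n in nums)
    return sorted(found)
```

On the constructed input, lint(parse_sessions(SAMPLE_CONFIG)) reports the shared destination and the filtered/unfiltered pair on sessions 1 and 2, the out-of-range sampling and MTU values on session 2, and the port-channel destination on session 3.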

Displaying SPAN Information

SUMMARY STEPS

  1. switch# show monitor [session {all | session-number | range session-range} [brief]]

DETAILED STEPS

Command or Action Purpose

switch# show monitor [session {all | session-number | range session-range} [brief]]

Displays the SPAN configuration.

Example

The following example shows how to display SPAN session information:

switch# show monitor
SESSION  STATE        REASON                  DESCRIPTION
-------  -----------  ----------------------  --------------------------------
2        up           The session is up
3        down         Session suspended
4        down         No hardware resource

The following example shows how to display SPAN session details:

switch# show monitor session 2
   session 2
---------------
type              : local
state             : up
source intf       :
source VLANs      :
    rx            :
destination ports : Eth3/1
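
When a SPAN destination feeds an IDS or packet recorder, the fields in this output determine what the sensor actually receives: a session that is not up mirrors nothing, sampling copies only 1 in n packets, and truncation cuts each copy to the MTU value plus the 4-byte offset. The following is an added example, not Cisco code, that parses the show monitor session layout shown above and reports those conditions together with any destination port that is not on a locally maintained list of approved sensor ports; the function names, the approved list, and the concatenated sample output are constructed.

```python
import re

# Constructed input: per-session output in the layout of this page's examples.
SAMPLE_OUTPUT = """\
   session 1
---------------
type              : local
state             : up
sampling          : 10
source intf       :
    rx            : Eth1/3        Eth1/7
    tx            :
    both          :
source VLANs      :
    rx            : 100
destination ports : Eth1/48
   session 2
---------------
type              : local
state             : up
source intf       :
source VLANs      :
    rx            :
destination ports : Eth3/1
   session 5
---------------
type              : local
state             : down (No operational src/dst)
mtu               : 512
source intf       :
    rx            : Eth1/5
    tx            : Eth1/5
    both          : Eth1/5
source VLANs      :
    rx            :
destination ports : Eth1/39
"""

def parse_show_monitor(text):
    """Return {session number: fields}; rx/tx/both nest under their header."""
    sessions, cur, section = {}, None, None
    for line in text.splitlines():
        if m := re.fullmatch(r"\s*session (\d+)\s*", line):
            cur, section = sessions.setdefault(int(m.group(1)), {}), None
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            if key.startswith(" "):             # indented rx/tx/both row
                cur.setdefault(section, {})[key.strip()] = value.split()
            elif value.strip():                 # 'state : up' style field
                cur[key.strip()] = value.strip()
            else:                               # header such as 'source intf :'
                section = key.strip()
                cur[section] = {}
    return sessions

def audit(sessions, approved_destinations):
    """List conditions that reduce or redirect what a sensor receives."""
    findings = []
    for num, s in sorted(sessions.items()):
        if not s.get("state", "").startswith("up"):
            findings.append((num, "session-not-up"))
        if "sampling" in s:                     # only 1 in n packets is copied
            findings.append((num, "sampled-1-in-" + s["sampling"]))
        if "mtu" in s:                          # copy is cut to mtu + 4 bytes
            findings.append((num, "truncated-at-%d" % (int(s["mtu"]) + 4)))
        dests = s.get("destination ports") or ""
        for port in dests.split():
            if port not in approved_destinations:
                findings.append((num, "unapproved-destination-" + port))
    return findings
```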