Configuring SPAN

This chapter contains the following sections:

Information About SPAN

The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe or other Remote Monitoring (RMON) probes.

SPAN Sources

SPAN sources refer to the interfaces from which traffic can be monitored. The Cisco Nexus device supports Ethernet, port channels, and VLANs as SPAN sources. With VLANs, all supported interfaces in the specified VLAN are included as SPAN sources. You can choose the SPAN traffic in the ingress direction, the egress direction, or both directions for Ethernet source interfaces:

  • Ingress source (Rx)—Traffic entering the device through this source port is copied to the SPAN destination port.

  • Egress source (Tx)—Traffic exiting the device through this source port is copied to the SPAN destination port.

You can also configure SPAN source sessions to filter ingress traffic (Rx) by using VLAN access control lists (VACLs).

Characteristics of Source Ports

A source port, also called a monitored port, is a switched interface that you monitor for network traffic analysis. The switch supports any number of ingress source ports (up to the maximum number of available ports on the switch) and any number of source VLANs.

A source port has these characteristics:

  • Can be of Ethernet, port channel, or VLAN port type.

  • SPAN sources for VLANs cannot be more than 6 VLANS.

  • Without an ACL filter configured, the same source can be configured for multiple sessions as long as either the direction or SPAN destination is different. However, each SPAN RX source should be configured for only one SPAN session with an ACL filter.

  • Cannot be a destination port.

  • Can be configured with a direction (ingress, egress, or both) to monitor. For VLAN sources, the monitored direction can only be ingress and applies to all physical ports in the group. The RX/TX option is not available for VLAN SPAN sessions.

  • Ingress traffic can be filtered by using ACLs so that they mirror only those packets of information that match the ACL criteria.

  • Can be in the same or different VLANs.

SPAN Destinations

SPAN destinations refer to the interfaces that monitors source ports. The Cisco Nexus 3600 platform switches support Ethernet interfaces as SPAN destinations.

Characteristics of Destination Ports

Each local SPAN session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs. A destination port has these characteristics:

  • Can be any physical port. Source Ethernet and FCoE ports cannot be destination ports.

  • Cannot be a source port.

  • Cannot be a port channel.

  • Does not participate in spanning tree while the SPAN session is active.

  • Is excluded from the source list and is not monitored if it belongs to a source VLAN of any SPAN session.

  • Receives copies of sent and received traffic for all monitored source ports.

Guidelines and Limitations for SPAN


Note


For scale information, see the release-specific Cisco Nexus 3600 NX-OS Verified Scalability Guide.


SPAN has the following guidelines and limitations:

  • The same source (ethernet or port-channel) can be a part of multiple sessions. You can configure two monitor session with different destinations, but the same source VLAN is not supported.

  • Multiple ACL filters are supported on the same 
source.

  • An egress SPAN copy of an access port on Cisco Nexus 3600 platform switch interfaces will always have a dot1q header.

  • Configuring two SPAN or ERSPAN sessions on the same source interface with only one filter is not supported. If the same source is used in multiple SPAN or ERSPAN sessions, either all the sessions must have different filters or no sessions should have filters.

  • ACL filtering is supported only for Rx SPAN. Tx SPAN mirrors all traffics that egresses at the source interface.

  • TCAM carving is not required for SPAN/ERSPAN on Cisco Nexus 3600 platform switches.

  • ACL filtering is not supported for IPv6 and MAC ACLs because of ternary content addressable memory (TCAM) width limitations.

  • The SPAN TCAM size is 128 or 256, depending on the ASIC. One entry is installed as the default and four are reserved for ERSPAN.

  • If the same source is configured in more than one SPAN session, and each session has an ACL filter configured, the source interface is programmed only for the first active SPAN session. Hardware entries programmed for ACEs in other sessions is not included in this source interface.

  • Both permit and deny access control entries (ACEs) are treated alike. Packets that match the ACE are mirrored irrespective of whether they have a permit or deny entry in the ACL.


    Note


    A deny ACE does not result in a dropped packet. An ACL configured in a SPAN session determines only whether the packet is mirrored or not.
  • It is recommended to use only the RX type of source traffic for SPAN to provide better performance because RX traffic is cut-through, whereas TX is store-and-forward. Hence, when monitoring both directions (RX and TX), the performance is not as good as when monitoring only RX. If you need to monitor both directions of traffic, you can monitor RX on more physical ports to capture both sides of the traffic.

  • Beginning with Cisco NX-OS Release 10.2(3)F, ACL filters are supported on following platform switches:

    • N3K-C36180YC-R

    • N3K-C3636C-R

Creating or Deleting a SPAN Session

You create a SPAN session by assigning a session number using the monitor session command. If the session already exists, any additional configuration information is added to the existing session.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# monitor session session-number

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# monitor session session-number

Enters the monitor configuration mode. New session configuration is added to the existing session configuration.

Example

The following example shows how to configure a SPAN monitor session:

switch# configure terminal
switch(config) # monitor session 2
switch(config) #

Configuring an Ethernet Destination Port

You can configure an Ethernet interface as a SPAN destination port.


Note


The SPAN destination port can only be a physical port on the switch.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# interface ethernet slot/port
  3. switch(config-if)# switchport monitor
  4. switch(config-if)# exit
  5. switch(config)# monitor session session-number
  6. switch(config-monitor)# destination interface ethernet slot/port

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# interface ethernet slot/port

Enters interface configuration mode for the Ethernet interface with the specified slot and port.

Note

 
To enable the switchport monitor command on virtual ethernet ports, you can use the interface vethernet slot/port command.

Step 3

switch(config-if)# switchport monitor

Enters monitor mode for the specified Ethernet interface. Priority flow control is disabled when the port is configured as a SPAN destination.

Step 4

switch(config-if)# exit

Reverts to global configuration mode.

Step 5

switch(config)# monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 6

switch(config-monitor)# destination interface ethernet slot/port

Configures the Ethernet SPAN destination port.

Note

 
To enable the virtual ethernet port as destination interface in the monitor configuration, you can use the destination interface vethernet slot/port command.

Example

The following example shows how to configure an Ethernet SPAN destination port (HIF):

switch# configure terminal
switch(config)# interface ethernet100/1/24
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 1
switch(config-monitor)# destination interface ethernet100/1/24
switch(config-monitor)# 

The following example shows how to configure a virtual ethernet (VETH) SPAN destination port:

switch# configure terminal
switch(config)# interface vethernet10
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2
switch(config-monitor)# destination interface vethernet10
switch(config-monitor)# 

Configuring Source Ports

Source ports can only be Ethernet ports.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config) # monitor session session-number
  3. switch(config-monitor) # source interface type slot/port [rx | tx | both]

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config) # monitor session session-number

Enters monitor configuration mode for the specified monitoring session.

Step 3

switch(config-monitor) # source interface type slot/port [rx | tx | both]

Adds an Ethernet SPAN source port and specifies the traffic direction in which to duplicate packets. You can enter a range of Ethernet, Fibre Channel, or virtual Fibre Channel ports. You can specify the traffic direction to duplicate as ingress (Rx), egress (Tx), or both. By default, the direction is both.

Example

The following example shows how to configure an Ethernet SPAN source port:

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# filter access-group acl1
switch(config-monitor)# source interface ethernet 1/16
switch(config-monitor)#

Configuring the Rate Limit for SPAN Traffic

By configuring a rate limit for SPAN traffic to 1Gbps across the entire monitor session, you can avoid impacting the monitored production traffic.

  • When spanning more than 1Gbps to a 1 Gb SPAN destination interface, SPAN source traffic will not drop.

  • When spanning more than 6 Gbps (but less than 10Gbps) to a 10Gb SPAN destination interface, the SPAN traffic is limited to 1Gbps even though the destination/sniffer is capable of 10Gbps.

  • SPAN is rate-limited to 5 Gbps for every 8 ports (one ASIC).

  • RX-SPAN is rate-limited to 0.71 Gbps per port when the RX-traffic on the port exceeds 5 Gbps.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config)# interface ethernet slot/port
  3. switch(config-if)# switchport monitor rate-limit 1G
  4. switch(config-if)# exit

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# interface ethernet slot/port

Enters interface configuration mode for the specified Ethernet interface selected by the slot and port values.

Note

 
If this is a QSFP+ GEM, the slot/port syntax is slot/QSFP-module/port .

Step 3

switch(config-if)# switchport monitor rate-limit 1G

Specifies that the rate limit is 1 Gbps.

Note

 

This command is not supported on the Cisco Nexus N3K-C36180YC-R platform switch.

Step 4

switch(config-if)# exit

Reverts to global configuration mode.

Example

This example shows how to limit the bandwidth on Ethernet interface 1/2 to 1 Gbps:

switch(config)# interface ethernet 1/2
switch(config-if)# switchport monitor rate-limit 1G
switch(config-if)#

Configuring Source Port Channels or VLANs

You can configure the source channels for a SPAN session. These ports can be port channels and VLANs. The monitored direction can be ingress, egress, or both and applies to all physical ports in the group.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config) # monitor session session-number
  3. switch(config-monitor) # filter access-group access-map
  4. switch(config-monitor) # source {interface {port-channel} channel-number [rx | tx | both] | vlan vlan-range}

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config) # monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 3

switch(config-monitor) # filter access-group access-map

Filters ingress traffic at source ports based on the ACL list. Only packets that match the access-list used by access-map are spanned.

Step 4

switch(config-monitor) # source {interface {port-channel} channel-number [rx | tx | both] | vlan vlan-range}

Configures port channel or VLAN sources. For VLAN sources, the monitored direction is implicit.

Example

The following example shows how to configure a port channel SPAN source:

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# filter access-group acl1
switch(config-monitor)# source interface port-channel 1 rx
switch(config-monitor)# source interface port-channel 3 tx
switch(config-monitor)# source interface port-channel 5 both
switch(config-monitor)#

The following example shows how to configure a VLAN SPAN source:

switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# filter access-group acl1
switch(config-monitor)# source vlan 1
switch(config-monitor)#

Configuring the Description of a SPAN Session

For ease of reference, you can provide a descriptive name for a SPAN session.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config) # monitor session session-number
  3. switch(config-monitor) # description description

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config) # monitor session session-number

Enters monitor configuration mode for the specified SPAN session.

Step 3

switch(config-monitor) # description description

Creates a descriptive name for the SPAN session.

Example

The following example shows how to configure a SPAN session description:

switch# configure terminal
switch(config) # monitor session 2
switch(config-monitor) # description monitoring ports eth2/2-eth2/4
switch(config-monitor) #

Activating a SPAN Session

The default is to keep the session state shut. You can open a session that duplicates packets from sources to destinations.

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config) # no monitor session {all | session-number} shut

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config) # no monitor session {all | session-number} shut

Opens the specified SPAN session or all sessions.

Example

The following example shows how to activate a SPAN session:

switch# configure terminal
switch(config) # no monitor session 3 shut 

Suspending a SPAN Session

By default, the session state is shut .

SUMMARY STEPS

  1. switch# configure terminal
  2. switch(config) # monitor session {all | session-number} shut

DETAILED STEPS

  Command or Action Purpose

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config) # monitor session {all | session-number} shut

Suspends the specified SPAN session or all sessions.

Example

The following example shows how to suspend a SPAN session:

switch# configure terminal
switch(config) # monitor session 3 shut
switch(config) #

Displaying SPAN Information

SUMMARY STEPS

  1. switch# show monitor [session {all | session-number | range session-range} [brief]]

DETAILED STEPS

Command or Action Purpose

switch# show monitor [session {all | session-number | range session-range} [brief]]

Displays the SPAN configuration.

Example

The following example shows how to display SPAN session information:

switch# show monitor
SESSION  STATE        REASON                  DESCRIPTION
-------  -----------  ----------------------  --------------------------------
2        up           The session is up
3        down         Session suspended
4        down         No hardware resource

The following example shows how to display SPAN session details:

switch# show monitor session 2
   session 2
---------------
type              : local
state             : up
source intf       :

source VLANs      :
    rx            : 100 
				tx            :
				both          :
destination ports : Eth3/1

Configuration Examples for SPAN

Configuration Example for a SPAN Session

To configure a SPAN session, follow these steps:

SUMMARY STEPS

  1. Configure destination ports in access mode and enable SPAN monitoring.
  2. Configure a SPAN session.

DETAILED STEPS


Step 1

Configure destination ports in access mode and enable SPAN monitoring.

Example:

switch# configure terminal
switch(config)# interface ethernet 2/5
switch(config-if)# switchport
switch(config-if)# switchport monitor
switch(config-if)# no shut
switch(config-if)# exit
switch(config)# 
			  

Step 2

Configure a SPAN session.

Example:

switch(config)# no monitor session 3
switch(config)# monitor session 3
switch(config-monitor)# source interface ethernet 2/1-3, ethernet 3/1 rx
switch(config-monitor)# source interface port-channel 2
switch(config-monitor)# source interface sup-eth 0 both
switch(config-monitor)# source vlan 3, 6-8 rx
switch(config-monitor)# source interface ethernet 101/1/1-3
switch(config-monitor)# destination interface ethernet 2/5
switch(config-monitor)# no shut
switch(config-monitor)# exit
switch(config)# show monitor session 3
switch(config)# copy running-config startup-config


Configuration Example for a Unidirectional SPAN Session

To configure a unidirectional SPAN session, follow these steps:

SUMMARY STEPS

  1. Configure destination ports in access mode and enable SPAN monitoring.
  2. Configure a SPAN session.

DETAILED STEPS


Step 1

Configure destination ports in access mode and enable SPAN monitoring.

Example:

switch# configure terminal
switch(config)# interface ethernet 2/5
switch(config-if)# switchport
switch(config-if)# switchport monitor
switch(config-if)# no shut
switch(config-if)# exit
switch(config)# 

Step 2

Configure a SPAN session.

Example:

switch(config)# no monitor session 3
switch(config)# monitor session 3 rx
switch(config-monitor)# source interface ethernet 2/1-3, ethernet 3/1 rx
switch(config-monitor)# filter vlan 3-5, 7
switch(config-monitor)# destination interface ethernet 2/5
switch(config-monitor)# no shut
switch(config-monitor)# exit
switch(config)# show monitor session 3
switch(config)# copy running-config startup-config 


Configuration Example for a SPAN ACL

This example shows how to configure a SPAN ACL:

switch# configure terminal
switch(config)# ip access-list match_11_pkts
switch(config-acl)# permit ip 11.0.0.0 0.255.255.255 any
switch(config-acl)# exit
switch(config)# ip access-list match_12_pkts
switch(config-acl)# permit ip 12.0.0.0 0.255.255.255 any
switch(config-acl)# exit
switch(config)# vlan access-map span_filter 5
switch(config-access-map)# match ip address match_11_pkts
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan access-map span_filter 10
switch(config-access-map)# match ip address match_12_pkts
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# monitor session 1
switch(config-erspan-src)# filter access-group span_filter 

Configuration Examples for UDF-Based SPAN

This example shows how to configure UDF-based SPAN to match on the inner TCP flags of an encapsulated IP-in-IP packet using the following match criteria:

  • Outer source IP address: 10.0.0.2

  • Inner TCP flags: Urgent TCP flag is set

  • Bytes: Eth Hdr (14) + Outer IP (20) + Inner IP (20) + Inner TCP (20, but TCP flags at 13th byte)

  • Offset from packet-start: 14 + 20 + 20 + 13 = 67

  • UDF match value: 0x20

  • UDF mask: 0xFF

udf udf_tcpflags packet-start 67 1
hardware access-list tcam region racl qualify udf udf_tcpflags
copy running-config startup-config
reload
ip access-list acl-udf
	 permit ip 10.0.0.2/32 any udf udf_tcpflags 0x20 0xff
monitor session 1
  source interface Ethernet 1/1
  filter access-group acl-udf

This example shows how to configure UDF-based SPAN to match regular IP packets with a packet signature (DEADBEEF) at 6 bytes after a Layer 4 header start using the following match criteria:

  • Outer source IP address: 10.0.0.2

  • Inner TCP flags: Urgent TCP flag is set

  • Bytes: Eth Hdr (14) + IP (20) + TCP (20) + Payload: 112233445566DEADBEEF7788

  • Offset from Layer 4 header start: 20 + 6 = 26

  • UDF match value: 0xDEADBEEF (split into two-byte chunks and two UDFs)

  • UDF mask: 0xFFFFFFFF

udf udf_pktsig_msb header outer l4 26 2
udf udf_pktsig_lsb header outer l4 28 2
hardware access-list tcam region racl qualify udf udf_pktsig_msb udf_pktsig_lsb
copy running-config startup-config
reload
ip access-list acl-udf-pktsig
		permit udf udf_pktsig_msb 0xDEAD 0xFFFF udf udf_pktsig_lsb 0xBEEF 0xFFFF 
monitor session 1
		source interface Ethernet 1/1
		filter access-group acl-udf-pktsig