SPAN is supported on all types of forwarding interfaces of the main interface (port level) such as, L2, L3 interfaces, sub-interface, bundle interface, and BNG interface. But Sampled SPAN is supported only at port level. Sampled SPAN is configurable in ingress direction only. SPAN and Sampled SPAN cannot be configured at the same time on main interface (at port level). When Sampled SPAN is enabled on main interface, SPAN is still configurable on rest of the forwarding interfaces on the port.

When Sampled SPAN is enabled on the underlying physical port and SPAN is configured on a forwarding interface, the packets are mirrored as follows:

• Sampled packet on the physical port is mirrored just to the destination port of the Sampled SPAN session.

• Non-sampled packet is mirrored for each of the regular SPAN session on the associated forwarding interface.

Sampled Traffic Mirroring allows you to:

1. Sample the packets based on a configured interval.

2. Apply Sampled SPAN on a physical port in order to include all forwarding interfaces on that port.

3. Configure the Sampling rate of monitoring that is configured for each source port. You can choose to configure one of these sampling rates; 1K, 2K, 4K, 8K, and 16K. For example, when 4K is configured as the sampling rate, for every 4K packets on the source port one packet is sampled and mirrored to the destination port.

4. Use Sampled SPAN along with Traffic Mirroring.

5. Enable Sampled SPAN on every bundle member, if the physical port is part of a link bundle.

6. Use all destination ports that were supported for SPAN.

7. Enable statistics support on each monitoring session.

8. Truncate and mirror a fixed portion of each mirrored packet (for example, the first 64 bytes of every packet received from the source port is mirrored to the destination port). You can configure the offset or the amount of fixed portion.

You can configure these source to destination combinations in sampled SPAN:

• Physical Port mirrored to Physical Port

• Physical Port mirrored to Pseudo-wire

• Bundle member port mirrored to Physical Port

• Bundle member port mirrored to Pseudo-wire

• Ingress traffic—Traffic that enters the switch.

• Egress traffic—Traffic that leaves the switch.

• Source port—A port that is monitored with the use of traffic mirroring. It is also called a monitored port.

• Destination port—A port that monitors source ports, usually where a network analyzer is connected. It is also called a monitoring port.

• Monitor session—A designation for a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces.

A source port, also called a monitored port, is a switched or routed port that you monitor for network traffic analysis. In a single local or remote traffic mirroring session, you can monitor source port traffic, such as received (Rx) for ingress traffic, transmitted (Tx) for egress traffic, or bidirectional (for both ingress and egress traffic). Your router can support any number of source ports (up to a maximum number of 800).

A source port has these characteristics:

• It can be any port type, such as Bundle Interface, Gigabit Ethernet, 10-Gigabit Ethernet, or EFPs.

  Note	Bridge group virtual interfaces (BVIs) are not supported.

• Each source port can be monitored in only one traffic mirroring session.

• It cannot be a destination port.

• Partial Packet Mirroring. The first 64 to 256 bytes of the packet can be mirrored.

• Each source port can be configured with a direction (ingress, egress, or both) to monitor. For bundles, the monitored direction applies to all physical ports in the group.

  

In the figure above, the network analyzer is attached to a port that is configured to receive a copy of every packet that host A sends. This port is called a traffic mirroring port.

A monitor session is a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces. For any given monitor session, the traffic from the source interfaces (called source ports) is sent to the monitoring port (called the destination port) . Some optional operations such as VLAN tag imposition and ACL filtering can be performed on the mirrored traffic streams. If there is more than one source port in a monitoring session, the traffic from the several mirrored traffic streams is combined at the destination port. The result is that the traffic that comes out of the destination port is a combination of the traffic from one or more source ports, and the traffic from each source port may or may not have VLAN push operations or ACLs applied to it.

Monitor sessions have these characteristics:

• A single Cisco ASR 9000 Router can have a maximum of eight monitor sessions.

• A single monitor session can have only one destination port.

• A single destination port can belong to only one monitor session.

• A single Cisco ASR 9000 Router can have a maximum of 800 source ports.

• A monitor session can have a maximum of 800 source ports, as long as the maximum number of source ports from all monitoring sessions does not exceed 800.

Each local session or remote destination session must have a destination port (also called a monitoring port) that receives a copy of the traffic from the source ports.

A destination port has these characteristics:

• A destination port must reside on the same router as the source port.

• A destination port can be any Ethernet physical port, EFP, pseudowire, or a bundle interface.

• A destination port can only be a Layer 2 transport interface. An L3 interface as a SPAN destination cannot be configured on the Cisco ASR 9000 Series Router.

• A destination port can be a trunk (main) interface or a subinterface.

• At any one time, a destination port can participate in only one traffic mirroring session. 
A destination port in one traffic mirroring session cannot be a destination port for a second traffic mirroring session. In other words, no two monitor sessions can have the same destination port.

• A destination port cannot also be a source port.

1

Source traffic mirroring ports (can be ingress or egress traffic ports)

2

Destination traffic mirroring port

These traffic mirroring types are supported:

• Local traffic mirroring. This is the most basic form of traffic mirroring. The network analyzer or sniffer is directly attached to the destination interface. In other words, all monitored ports are all located on the same switch as the destination port.

• Remote traffic mirroring (known as R-SPAN). In this case, the network analyzer is not attached directly to the destination interface, but is on a VLAN accessible to the switch. For example, the destination interface is a sub-interface with a VLAN encapsulation.

  A restricted form of remote traffic mirroring can be implemented by sending traffic to a single destination port that pushes a VLAN tag, instead of switching through a bridge domain. Remote traffic mirroring:

  • Allows decoupling of the network analyzer and destination, but there is no on-the-box redundancy.

  • Allows multiple remote network analyzers as long as they can attach to the traffic mirroring VLAN.

    This is supported on Cisco IOS XR software because the destination port is an EFP that can push a VLAN tag.

• Pseudowire traffic mirroring (known as PW-SPAN in Cisco IOS Software). Instead of using a standard destination interface, traffic is mirrored to a remote site through an MPLS pseudowire.

• ACL-based traffic mirroring. Traffic is mirrored based on the configuration of the global interface ACL.

• Partial Packet Mirroring. The first 64 to 256 bytes of the packet can be mirrored.

• Layer 2 or Layer 3 traffic mirroring is supported. Both Layer 2 and Layer 3 source ports can be mirrored.

You can configure the traffic mirroring destination port to be a pseudowire rather than a physical port. In this case, the system mirrors the designated traffic on the source port over the pseudowire to a central location. This allows the centralization of expensive network traffic analysis tools.

Because the pseudowire carries only mirrored traffic, this traffic is unidirectional. There must not be any traffic coming from the remote provider edge.

In such a pseudowire traffic mirroring scenario, though the system mirrors traffic successfully, the statistics for sent pseudowire packet statistics remains zero.

To protect the pseudowire traffic mirroring path against network failures, it is possible to configure a traffic engineering tunnel as the preferred path and enable fast reroute protection for the pseudowire.

You can mirror traffic based on the definition of a global interface access list (ACL). If you are mirroring Layer 2 traffic, the ACL is configured using the ethernet-services access-list command with the capture keyword. When you are mirroring Layer 3 traffic, the ACL is configured using the 
ipv4 access-list or ipv6 access-list command with the capture keyword. The permit and deny commands determine the behavior of regular traffic. The capture keyword designates that the packet is to be mirrored to the destination port.

These are the restrictions of Sampled Traffic Mirroring:

• Sampled SPAN can be applied to ingress traffic only.

• The source for sampled SPAN must be on Cisco ASR 9000 Enhanced Ethernet Line Cards.

• Sampled SPAN works only on physical interfaces.

• The source port cannot be on bundles; however it can be applied to bundle member links.

• Sampled SPAN does not work on sub-interfaces, however it can be applied to a physical port with sub-interfaces(main port).

• Only these intervals are accepted: 512, 1K, 2K, 4K, 8K, and 16K. The default interval is 16K.

• Sampled SPAN is configurable at physical port level only.

• Sampled SPAN rate is ingress port specific and not session specific. This means that a destination port can take multiple ingress sampled ports at different sampling rates.

• In the case of a bundle interface, you must configure Sampled SPAN on all the physical ports that are members of the bundle.

• ACL filtering is not supported for Sampled Mirrored Traffic.

It is recommended that you do not mirror more than 15% of your total transit traffic. On the 
Cisco ASR 9000 Ethernet Line Card, that uses Ten Gigabit Ethernet interfaces or bundle interfaces there is a limit of 1.5G of data on each of the ingress and egress traffic that can be mirrored. This limitation is not applicable on the Cisco ASR 9000 Enhanced Ethernet Line Card.

• SPAN to File feature is designed for low traffic rate (Maximum: 500 Mbps). SPAN to File may not capture all the frames when SPAN is applied on higher traffic rate.

• If the SPAN traffic exceeds 10% of the line rate, it may lead to a loss of transit traffic.

• To limit the SPAN traffic, use SPAN along with ACL.

• Immediately after the SPAN to File configuration is applied, the network processor begins the SPAN processing. This processing continues regardless of the status of the action commands explained in the following section.

Action commands are added to start and stop network packet collection. The commands may only be run on sessions where the destination is a file. The action command auto-completes names of globally configured SPAN to File sessions. See the table below for more information on action commands.

Use the following command to configure SPAN to File:

monitor-session <name> [ethernet|ipv4|ipv6|mpls-ipv4|mpls-ipv6]
    destination file [size <kbytes>] [buffer-type linear]

The monitor-session <name> [ethernet|ipv4|ipv6|mpls-ipv4|mpls-ipv6] part of the command creates a monitor-session with the specified name and class and is a pre-existing chain point from the current SPAN feature. The destination file [size <kbytes>] [buffer-type linear] part of the command adds a new “file” option to the existing “destination”.

destination file has the following configuration options:

• Buffer size.

• Two types of buffer:

  • Circular: Once the buffer is full, the start is overwritten.

  • Linear: Once the buffer is full, no further packets are logged.

Note	The default buffer-type is circular. Only linear buffer is explicitly configurable. Changing any of the parameters (buffer size or type) recreates the session, and clears any buffers of packets.

All configuration options which are applied to an attachment currently supported for other SPAN types should also be supported by SPAN to file. This may include:

• ACLs

• Write only first X bytes of packet.

• Mirror interval from 512 to 16k.

Note	These options are implemented by the platform when punting the packet.

Once a session has been created, then interfaces may be attached to it using the following configuration:

interface GigabitEthernet 0/0/0/0
    monitor-session <name> [ethernet|ipv4|ipv6|mpls-ipv4|mpls-ipv6]

The attachment configuration is unchanged by SPAN to File feature.

Configuration Examples

To configure a mon1 monitor session, use the following commands:

monitor-session mon1 ethernet
          destination file size 230000 
         !

In the above example, omitting the buffer-type option results in default circular buffer.

To configure a mon2 monitor session, use the following commands:

monitor-session mon2 ethernet
          destination file size 1000 buffer-type linear
         !

To attach monitor session to a physical or bundle interface, use the following commands:

RP/0/RSP0/CPU0:router#show run interface Bundle-Ether 1
Fri Apr 24 12:12:59.348 EDT
interface Bundle-Ether1
monitor-session ms7 ethernet
!

Running Configuration

!! IOS XR Configuration 7.1.1.124I
!! Last configuration change at Tue Nov 26 19:29:05 2019 by root
!
hostname OC
logging console informational
!
monitor-session mon1 ethernet
 destination file size 230000 buffer-type circular
!
monitor-session mon2 ethernet
 destination file size 1000 buffer-type linear

!
interface Bundle-Ether1
monitor-session ms7 ethernet
end

Verification

To verify monitor session counters:

RP/0/RP0/CPU0:router#show monitor-session counters
Monitor-session mon2
  Bundle-Ether2.1
    Rx replicated: 9463555 packets, 1287043296 octets
    Tx replicated: 0 packets, 0 octets
    Non-replicated: 0 packets, 0 octets

 Monitor-session mon4
  Bundle-Ether1.1
    Rx replicated: 0 packets, 0 octets
    Tx replicated: 9732869 packets, 1284738317 octets
    Non-replicated: 0 packets, 0 octets

To verify packet collection status:

RP/0/RP0/CPU0:router#show monitor-session status
Monitor-session mon1
Destination File - Packet collecting
=============================================
Source Interface      Dir   Status
--------------------- ----  ------------------
Hu0/9/0/2             Rx    Operational
 
Monitor-session mon2
Destination File - Packet collecting
=========================================
Source Interface      Dir   Status
--------------------- ----  --------------
BE2.1                 Rx    Operational

If packet collection is not active, the following line is displayed:

Monitor-session mon2
Destination File - Not collecting

The following limitations apply to file mirroring:

• Supported only on Dual RP systems.

• Supports syncing only from active to standby RP. If files are copied into standby /harddisk:/mirror location, it won’t be synced to active RP.

• A slight delay is observed in show mirror command output when mirror checksum configuration is enabled.

• Not supported on multichassis systems.

File mirroring has to be enabled explicitly on the router. It is not enabled by default.

RP/0/RSP0/CPU0:router#show run mirror

Thu Jun 25 10:12:17.303 UTC
mirror enable
mirror checksum

Following is an example of copying running configuration to harddisk:/mirror location:

RP/0/RSP0/CPU0:router#copy running-config harddisk:/mirror/run_config
Wed Jul  8 10:25:51.064 PDT
Destination file name (control-c to abort): [/mirror/run_config]?
Building configuration..
32691 lines built in 2 seconds (16345)lines/sec
[OK]

Verification

To verify the syncing of file copied to mirror directory, use the show mirror command.

RP/0/RSP0/CPU0:router#show mirror 
Wed Jul  8 10:31:21.644 PDT
% Mirror rsync is using checksum, this show command may take several minutes if you have many files. Use Ctrl+C to abort
MIRROR DIR: /harddisk:/mirror/
% Last sync of this dir ended at Wed Jul  8 10:31:11 2020
Location   |Mirrored |MD5 Checksum                     |Modification Time
--------------------------------------------------------------------------
run_config |yes      |76fc1b906bec4fe08ecda0c93f6c7815 |Wed Jul  8 10:25:56 2020 

If checksum is disabled, show mirror command displays the following output:

RP/0/RSP0/CPU0:router#show mirror
Wed Jul 8 10:39:09.646 PDT
MIRROR DIR: /harddisk:/mirror/
% Last sync of this dir ended at Wed Jul  8 10:31:11 2020
Location   |Mirrored |Modification Time 
-----------------------------------------
run_config |yes         |Wed Jul  8 10:25:56 2020 

If there is a mismatch during the syncing process, use show mirror mismatch command to verify.

RP/0/RP0/CPU0:router# show mirror mismatch
Wed Jul  8 10:31:21.644 PDT
 MIRROR DIR: /harddisk:/mirror/
 % Last sync of this dir ended at Wed Jul  8 10:31:11 2020 
 Location  |Mismatch Reason     |Action Needed 
------------------------------------------------
 test.txt  |newly created item. |send to standby