SPAN

This chapter describes how to identify and resolve problems that relate to SPAN.

This chapter includes the following sections

Information About SPAN

Troubleshooting SPAN Problems

Information About SPAN

The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe or other Remote Monitoring (RMON) probe.

Cisco Nexus 1000V supports two types of SPAN:

SPAN (local SPAN) that can monitor sources within a host or VEM

Encapsulated remote SPAN (ERSPAN) that can send monitored traffic to an IP destination

For detailed information about how to configure SPAN, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(1).

SPAN Sources

The interfaces from which traffic can be monitored are called SPAN sources. These include Ethernet, virtual Ethernet, port-channel, and VLAN. When a VLAN is specified as a SPAN source, all supported interfaces in the VLAN are SPAN sources. Traffic can be monitored in the receive direction, the transmit direction, or both directions for Ethernet and virtual Ethernet source interfaces.

Receive source (Rx)—Traffic that enters the switch through this source port is copied to the SPAN destination port.

Transmit source (Tx)—Traffic that exits the switch through this source port is copied to the SPAN destination port.

Source Ports

Cisco Nexus 1000V supports multiple source ports and multiple source VLANs. A source port has these characteristics:

Can be port type Ethernet, virtual Ethernet, port-channel, or VLAN.

Cannot be a destination port.

Can be configured to monitor the direction of traffic —receive, transmit, or both.

Source ports can be in the same or different VLANs.

For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.

Must be on the same host (linecard) as the destination port.

SPAN Destinations

The Cisco Nexus 1000V supports Ethernet and virtual Ethernet interfaces as SPAN destinations.

Destination Ports

Each local SPAN session must have at least one destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs. A destination port has these characteristics:

Can be port type Ethernet, virtual Ethernet, or a port channel.

Cannot be a source port.

Is excluded from the source list and is not monitored if it belongs to a source VLAN of any SPAN session.

Receives copies of transmitted and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.

Must be on the same host (linecard) as the source port.

ERSPAN Destinations

ERSPAN destinations refer to an IP address to which the monitored traffic sent. In the Cisco Nexus 1000V, the destination IP can belong to an IP of a sniffer device, ERSPAN capable switch (such as a Catalyst 6000 series switch), or a PC running a sniffer application. The only limitation is that the destination IP should be reachable through the configured ERSPAN enabled VMKnic on the host. For detailed information about how to configure ERSPAN, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(1).

SPAN Sessions

You can create up to a total of 64 SPAN and ERSPAN sessions to define sources and destinations on the local device.You can also create a SPAN session to monitor multiple VLAN sources and choose only VLANs of interest to transmit on multiple destination ports. For example, you can configure SPAN on a trunk port and monitor traffic from different VLANs on different destination ports.

Troubleshooting SPAN Problems

When troubleshooting issues with SPAN, make sure you have followed these configuration guidelines and limitations:

A maximum total of 64SPAN and ERSPAN sessions can be configured per VSM.

You can configure a particular destination port in only one SPAN session.

You cannot configure a port as both a source and destination port.

When a SPAN session contains multiple transmit source ports, packets that these ports receive may be replicated even though they are not transmitted on the ports. Some examples of this behavior on source ports are as follows:

Traffic that results from flooding

Broadcast and multicast traffic

For VLAN SPAN sessions with both receive and transmit configured, two packets (one from receive and one from transmit) are forwarded from the destination port if the packets get switched on the same VLAN.

After VMotion:

A session is stopped if the source and destination ports are separated

A session resumes if the source and destination ports end up on the same host

Local SPAN Session Problems

A running SPAN session must meet these requirements:

The limit of 64 SPAN sessions has not been exceeded.

At least one operational source has been configured.

At least one operational destination has been configured.

The configured source and destination are on the same host.

The session has been enabled with the no shut command.

A session is stopped if the follow events occur:

All the source ports go down or are removed.

All the destination ports go down or are removed.

All the source and destination ports are separated by a VMotion.

The session is disabled by a shut command.

Troubleshooting Commands

Uses the show monitor session command to troubleshoot a SPAN session. The output of this command shows the current state of the session and the reason it is down.

To collect additional information, use the following commands:

show monitor internal errors

show monitor internal event-history msgs

show monitor internal info global-info

show monitor internal mem-stats

module vem module-number execute vemcmd show span

Problems and Solutions

Symptom
Possible Causes
Solution

You observe issues with VM traffic after configuring a session with Eth destinations.

Ensure that the Eth destination is not connected to the same uplink switch. The SPAN packets might cause problems with the IP tables, the MAC tables, or both on the uplink switch, which can cause problems with the regular traffic.

The session state is up and the packets are not received at the destination ports.

Check if the correct VLANs are allowed on the trunk destination ports.

The session displays an error.

Make sure that NX-OS VEM connectivity is working correctly.

Enter a shut command followed by a no shut command for the session to force reprogramming of the session on the VEM.

The ERSPAN session is up, but does not see packets at the destination.

The erspan-id is not configured.

Make sure that the correct erspan-id that matches with the destination session is configured.

An ERSPAN enabled VMKNic is not configured on the host or VEM.

Make sure you use create a VMKNic on the host using an erspan-capable port profile.

The ERSPAN enabled VMKNic is not configured with a proper IP, gateway, or both.

Make sure the ERSPAN IP destination is reachable from the host VMKNic. To test this, issue the vmkping dest-id command on the command line of the host.


Examples

The following example shows the output of the show monitor session command. 

n1000v(config)# show monitor session 1 

   session 1

---------------

type              : erspan-source

state             : up

source intf       : 

    rx            : Eth3/3 

    tx            : Eth3/3 

    both          : Eth3/3 

source VLANs      : 

    rx            : 

    tx            : 

    both          : 

filter VLANs      : filter not specified

destination IP    : 10.54.54.1

ERSPAN ID         : 999

ERSPAN TTL        : 64

ERSPAN IP Prec.   : 0

ERSPAN DSCP       : 0

ERSPAN MTU        : 1000

The following example shows the output of the module vem module-number execute vemcmd show span command. 

n1000v# module vem 3 execute vemcmd show span

VEM SOURCE IP: 10.54.54.10

HW SSN ID DST LTL/IP ERSPAN ID

0 10.54.54.1 999

1 48 local