Configuring SPAN and ERSPAN
In the ACI fabric, the SPAN feature can be configured in three categories:
- Access – for monitoring traffic originating from access ports in leaf nodes
- Fabric – for monitoring traffic from fabric ports in leaf or spine nodes
- Tenant – for monitoring traffic from endpoint groups (EPGs) within a tenant
The following table shows the different configuration elements for each session.
Session Type | Sources | Filters | Destination |
---|---|---|---|
Access Local | Access Ports, Port-channels local to one leaf | EPG | Port local to same leaf as sources |
Access ERSPAN | Access Ports, Port-channels, VPCs among one or more leaf nodes | EPG | EPG anywhere in the fabric |
Fabric ERSPAN | Fabric ports in one or more leaf or spine nodes | BD or VRF | EPG anywhere in the fabric |
Tenant ERSPAN | EPG anywhere in the fabric | - | EPG anywhere in the fabric |
SPAN Guidelines and Restrictions
- You cannot specify an l3extLIfP layer 3 subinterface as a SPAN source. You must use the entire port for monitoring traffic from external sources.
- In local SPAN for FEX interfaces, the FEX interfaces can only be used as SPAN sources, not SPAN destinations.
  - On Generation 1 switches (Cisco Nexus 9000 Series switches without EX or FX on the switch name), Tx SPAN does not work for any Layer 3 switched traffic.
  - On Generation 2 switches (with EX or FX on the switch name), Tx SPAN does not work whether traffic is Layer 2 or Layer 3 switched.

  There are no limitations for Rx SPAN.
- For SPAN of FEX fabric port-channel (NIF), the member interfaces are supported as SPAN source interfaces on Generation 1 leaf switches (Cisco Nexus 9000 Series switches without EX or FX on the switch name).

  Note: While it is also possible to configure FEX fabric port-channel (NIF) member interfaces as SPAN source interfaces on Generation 2 switches (Cisco Nexus 9000 Series switches with EX or FX on the switch name) for releases prior to Cisco APIC Release 4.1, this is not supported.
- The type of SPAN supported varies:
  - For Generation 1 switches, tenant and access SPAN use the encapsulated remote extension of SPAN (ERSPAN) type I (Version 1 option in the APIC GUI). Generation 1 switches can be identified by the lack of "EX", "FX", or "FX2" at the end of the switch name (for example, N9K-9312TX).
  - For Generation 2 switches, tenant and access SPAN use the encapsulated remote extension of SPAN (ERSPAN) type II (Version 2 option in the APIC GUI). Generation 2 switches can be identified with "EX", "FX", or "FX2" at the end of the switch name.
  - Fabric SPAN uses ERSPAN type II.

  For information regarding ERSPAN headers, refer to the IETF Internet Draft at this URL: https://tools.ietf.org/html/draft-foschiano-erspan-00.
- ERSPAN destination IPs must be learned in the fabric as an endpoint.
- SPAN supports IPv6 traffic, but the destination IP for the ERSPAN cannot be an IPv6 address.
- See the Verified Scalability Guide for Cisco ACI document for SPAN-related limits, such as the maximum number of active SPAN sessions.
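Because Generation 1 and Generation 2 leaf switches emit different encapsulations, a capture host in the destination EPG has to recognise both. The decoder below is an added example, not part of the Cisco documentation: the field layout follows the ERSPAN draft cited above, it assumes the configured erspan-id is carried in the 10-bit Session ID field, and `parse_erspan`, `build_type2` and the sample frame are hypothetical names and constructed data.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type shared by ERSPAN type I and type II

def parse_erspan(gre: bytes) -> dict:
    """Decode an ERSPAN packet starting at the GRE header (after the outer IP header)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"GRE protocol {proto:#06x} is not ERSPAN type I/II")
    if flags == 0x0000:
        # Type I: no sequence number and no ERSPAN header; the mirrored
        # frame follows the 4-byte GRE header directly.
        return {"type": "I", "session_id": None, "frame": gre[4:]}
    if flags != 0x1000:  # type II sets only the GRE S (sequence present) bit
        raise ValueError(f"unexpected GRE flags {flags:#06x}")
    if len(gre) < 16:
        raise ValueError("truncated ERSPAN type II header")
    seq, w1, w2, w3 = struct.unpack("!IHHI", gre[4:16])
    if w1 >> 12 != 1:  # the version field is 1 for type II
        raise ValueError(f"unexpected ERSPAN version {w1 >> 12}")
    return {
        "type": "II",
        "sequence": seq,                 # gaps indicate lost mirror packets
        "vlan": w1 & 0x0FFF,
        "cos": w2 >> 13,
        "truncated": bool(w2 & 0x0400),  # T bit: mirrored frame was cut short
        "session_id": w2 & 0x03FF,       # 10 bits, so at most 1023
        "index": w3 & 0xFFFFF,
        "frame": gre[16:],
    }

def build_type2(session_id, vlan, seq, frame, truncated=False):
    """Build a constructed type II sample packet for exercising the parser."""
    w1 = (1 << 12) | (vlan & 0x0FFF)
    w2 = (int(truncated) << 10) | (session_id & 0x03FF)
    return struct.pack("!HHIHHI", 0x1000, GRE_PROTO_ERSPAN, seq, w1, w2, 0) + frame

# Constructed 14-byte Ethernet header standing in for a mirrored frame.
FRAME = bytes.fromhex("ffffffffffff0200000000010806")
```

A sensor that sees the `truncated` flag set should treat payload-based detections on that frame as incomplete and check the session's MTU setting.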
Configuring Local SPAN in Access Mode
This is the traditional SPAN configuration local to an Access leaf node. Traffic originating from one or more access ports or port-channels can be monitored and sent to a destination port local to the same leaf node.
Procedure
Step | Command or Action | Purpose |
---|---|---|
1 | configure | Enters global configuration mode. |
2 | [no] monitor access session session-name | Creates an access monitoring session configuration. |
3 | [no] description text | Adds a description for this access monitoring session. If the text includes spaces, it must be enclosed in single quotes. |
4 | [no] destination interface ethernet slot/port leaf node-id | Specifies the destination interface. The destination interface cannot be a FEX port or port-channel. |
5 | [no] source interface ethernet { [fex/] slot/port \| port-range} leaf node-id | Specifies the source interface port or port range. |
6 | [no] direction {rx \| tx \| both} | Specifies direction of traffic to be monitored. The direction can be configured independently for each source port range. |
7 | [no] filter tenant tenant-name application application-name epg epg-name | Filters traffic to be monitored. The filter can be configured independently for each source port range. |
8 | exit | Returns to access monitor session configuration mode. |
9 | [no] source interface port-channel port-channel-name-list leaf node-id [fex fex-id] | Specifies the source interface port channel. (Enters the traffic direction and filter configuration, not shown here.) |
10 | [no] shutdown | Disables (or enables) the monitoring session. |
Examples
This example shows how to configure a local access monitoring session.
apic1# configure terminal
apic1(config)# monitor access session mySession
apic1(config-monitor-access)# description "This is my SPAN session"
apic1(config-monitor-access)# destination interface eth 1/2 leaf 101
apic1(config-monitor-access)# source interface eth 1/1 leaf 101
apic1(config-monitor-access-source)# direction tx
apic1(config-monitor-access-source)# filter tenant t1 application app1 epg epg1
apic1(config-monitor-access-source)# exit
apic1(config-monitor-access)# no shut
apic1(config-monitor-access)# show run
# Command: show running-config monitor access session mySession
# Time: Fri Nov 6 23:55:35 2015
monitor access session mySession
description "This is my SPAN session"
destination interface eth 1/2 leaf 101
source interface eth 1/1 leaf 101
direction tx
filter tenant t1 application app1 epg epg1
exit
exit
Configuring ERSPAN in Access Mode
In the ACI fabric, an access mode ERSPAN configuration can be used for monitoring traffic originating from access ports, port-channels, and vPCs in one or more leaf nodes.
For an ERSPAN session, the destination is always an endpoint group (EPG) which can be deployed anywhere in the fabric. The monitored traffic is forwarded to the destination wherever the EPG is moved.
Procedure
Step | Command or Action | Purpose |
---|---|---|
1 | configure | Enters global configuration mode. |
2 | [no] monitor access session session-name | Creates an access monitoring session configuration. |
3 | [no] description text | Adds a description for this monitoring session. If the text includes spaces, it must be enclosed in single quotes. |
4 | [no] destination tenant tenant-name application application-name epg epg-name destination-ip dest-ip-address source-ip-prefix src-ip-address | Specifies the destination interface as a tenant and enters destination configuration mode. |
5 | [no] erspan-id flow-id | Configures the ERSPAN ID for the ERSPAN session. The ERSPAN range is from 1 to 1023. |
6 | [no] ip dscp dscp-code | Configures the differentiated services code point (DSCP) value of the packets in the ERSPAN traffic. The range is from 0 to 64. |
7 | [no] ip ttl ttl-value | Configures the IP time-to-live (TTL) value for the ERSPAN traffic. The range is from 1 to 255. |
8 | [no] mtu mtu-value | Configures the maximum transmit unit (MTU) size for the ERSPAN session. The range is 64 to 9216 bytes. |
9 | exit | Returns to monitor access configuration mode. |
10 | [no] source interface ethernet { [fex/] slot/port \| port-range} leaf node-id | Specifies the source interface port or port range. |
11 | [no] source interface port-channel port-channel-name-list leaf node-id [fex fex-id] | Specifies the source interface port-channel. |
12 | [no] source interface vpc vpc-name-list leaf node-id1 node-id2 [fex fex-id1 fex-id2] | Specifies the source interface vPC. |
13 | [no] direction {rx \| tx \| both} | Specifies direction of traffic to be monitored. The direction can be configured independently for each source port range. |
14 | [no] filter tenant tenant-name application application-name epg epg-name | Filters traffic to be monitored. The filter can be configured independently for each source port range. |
15 | exit | Returns to access monitor session configuration mode. |
16 | [no] shutdown | Disables (or enables) the monitoring session. |
Examples
This example shows how to configure an ERSPAN access monitoring session.
apic1# configure terminal
apic1(config)# monitor access session mySession
apic1(config-monitor-access)# description "This is my access ERSPAN session"
apic1(config-monitor-access)# destination tenant t1 application app1 epg epg1 destination-ip 192.0.20.123 source-ip-prefix 10.0.20.1
apic1(config-monitor-access-dest)# erspan-id 100
apic1(config-monitor-access-dest)# ip dscp 42
apic1(config-monitor-access-dest)# ip ttl 16
apic1(config-monitor-access-dest)# mtu 9216
apic1(config-monitor-access-dest)# exit
apic1(config-monitor-access)# source interface eth 1/1 leaf 101
apic1(config-monitor-access-source)# direction tx
apic1(config-monitor-access-source)# filter tenant t1 application app1 epg epg1
apic1(config-monitor-access-source)# exit
apic1(config-monitor-access)# no shut
apic1(config-monitor-access)# show run
# Command: show running-config monitor access session mySession
# Time: Fri Nov 6 23:55:35 2015
monitor access session mySession
description "This is my access ERSPAN session"
source interface eth 1/1 leaf 101
direction tx
filter tenant t1 application app1 epg epg1
exit
destination tenant t1 application app1 epg epg1 destination-ip 192.0.20.123 source-ip-prefix 10.0.20.1
ip dscp 42
ip ttl 16
erspan-id 100
mtu 9216
exit
exit
This example shows how to configure a port-channel as a monitoring source.
apic1(config-monitor-access)# source interface port-channel pc3 leaf 105
This example shows how to configure one leg of a vPC as a monitoring source.
apic1(config-monitor-access)# source interface port-channel vpc3 leaf 105
This example shows how to configure a range of ports from FEX 101 as a monitoring source.
apic1(config-monitor-access)# source interface eth 101/1/1-2 leaf 105
Configuring ERSPAN in Fabric Mode
In the ACI fabric, a fabric mode ERSPAN configuration can be used for monitoring traffic originating from one or more fabric ports in leaf or spine nodes. Local SPAN is not supported in fabric mode.
For an ERSPAN session, the destination is always an endpoint group (EPG) which can be deployed anywhere in the fabric. The monitored traffic is forwarded to the destination wherever the EPG is moved. In the fabric mode, only fabric ports are allowed as source, but both leaf and spine switches are allowed.
Procedure
Step | Command or Action | Purpose |
---|---|---|
1 | configure | Enters global configuration mode. |
2 | [no] monitor fabric session session-name | Creates a fabric monitoring session configuration. |
3 | [no] description text | Adds a description for this monitoring session. If the text includes spaces, it must be enclosed in single quotes. |
4 | [no] destination tenant tenant-name application application-name epg epg-name destination-ip dest-ip-address source-ip-prefix src-ip-address | Specifies the destination interface as a tenant and enters destination configuration mode. |
5 | [no] erspan-id flow-id | Configures the ERSPAN ID for the ERSPAN session. The ERSPAN range is from 1 to 1023. |
6 | [no] ip dscp dscp-code | Configures the differentiated services code point (DSCP) value of the packets in the ERSPAN traffic. The range is from 0 to 64. |
7 | [no] ip ttl ttl-value | Configures the IP time-to-live (TTL) value for the ERSPAN traffic. The range is from 1 to 255. |
8 | [no] mtu mtu-value | Configures the maximum transmit unit (MTU) size for the ERSPAN session. The range is 64 to 9216 bytes. |
9 | exit | Returns to monitor access configuration mode. |
10 | [no] source interface ethernet {slot/port \| port-range} switch node-id | Specifies the source interface port or port range. |
11 | [no] direction {rx \| tx \| both} | Specifies direction of traffic to be monitored. The direction can be configured independently for each source port range. |
12 | [no] filter tenant tenant-name bd bd-name | Filters traffic by bridge domain. |
13 | [no] filter tenant tenant-name vrf vrf-name | Filters traffic by VRF. |
14 | exit | Returns to access monitor session configuration mode. |
15 | [no] shutdown | Disables (or enables) the monitoring session. |
Examples
This example shows how to configure an ERSPAN fabric monitoring session.
apic1# configure terminal
apic1(config)# monitor fabric session mySession
apic1(config-monitor-fabric)# description "This is my fabric ERSPAN session"
apic1(config-monitor-fabric)# destination tenant t1 application app1 epg epg1 destination-ip 192.0.20.123 source-ip-prefix 10.0.20.1
apic1(config-monitor-fabric-dest)# erspan-id 100
apic1(config-monitor-fabric-dest)# ip dscp 42
apic1(config-monitor-fabric-dest)# ip ttl 16
apic1(config-monitor-fabric-dest)# mtu 9216
apic1(config-monitor-fabric-dest)# exit
apic1(config-monitor-fabric)# source interface eth 1/1 switch 101
apic1(config-monitor-fabric-source)# direction tx
apic1(config-monitor-fabric-source)# filter tenant t1 bd bd1
apic1(config-monitor-fabric-source)# filter tenant t1 vrf vrf1
apic1(config-monitor-fabric-source)# exit
apic1(config-monitor-fabric)# no shut
Configuring ERSPAN in Tenant Mode
In the ACI fabric, a tenant mode ERSPAN configuration can be used for monitoring traffic originating from endpoint groups within a tenant.
In the tenant mode, traffic originating from a source EPG is sent to a destination EPG within the same tenant. The monitoring of traffic is not impacted if the source or destination EPG is moved within the fabric.
Procedure
Step | Command or Action | Purpose |
---|---|---|
1 | configure | Enters global configuration mode. |
2 | [no] monitor tenant tenant-name session session-name | Creates a tenant monitoring session configuration. |
3 | [no] description text | Adds a description for this access monitoring session. If the text includes spaces, it must be enclosed in single quotes. |
4 | [no] destination tenant tenant-name application application-name epg epg-name destination-ip dest-ip-address source-ip-prefix src-ip-address | Specifies the destination interface as a tenant and enters destination configuration mode. |
5 | [no] erspan-id flow-id | Configures the ERSPAN ID for the ERSPAN session. The ERSPAN range is from 1 to 1023. |
6 | [no] ip dscp dscp-code | Configures the differentiated services code point (DSCP) value of the packets in the ERSPAN traffic. The range is from 0 to 64. |
7 | [no] ip ttl ttl-value | Configures the IP time-to-live (TTL) value for the ERSPAN traffic. The range is from 1 to 255. |
8 | [no] mtu mtu-value | Configures the maximum transmit unit (MTU) size for the ERSPAN session. The range is 64 to 9216 bytes. |
9 | exit | Returns to monitor access configuration mode. |
10 | [no] source application application-name epg epg-name | Specifies the source interface port or port range. |
11 | [no] direction {rx \| tx \| both} | Specifies direction of traffic to be monitored. The direction can be configured independently for each source port range. |
12 | exit | Returns to access monitor session configuration mode. |
13 | [no] shutdown | Disables (or enables) the monitoring session. |
Examples
This example shows how to configure an ERSPAN tenant monitoring session.
apic1# configure terminal
apic1(config)# monitor tenant t1 session mySession
apic1(config-monitor-tenant)# description "This is my tenant ERSPAN session"
apic1(config-monitor-tenant)# destination tenant t1 application app1 epg epg1 destination-ip 192.0.20.123 source-ip-prefix 10.0.20.1
apic1(config-monitor-tenant-dest)# erspan-id 100
apic1(config-monitor-tenant-dest)# ip dscp 42
apic1(config-monitor-tenant-dest)# ip ttl 16
apic1(config-monitor-tenant-dest)# mtu 9216
apic1(config-monitor-tenant-dest)# exit
apic1(config-monitor-tenant)# source application app2 epg epg5
apic1(config-monitor-tenant-source)# direction tx
apic1(config-monitor-tenant-source)# exit
apic1(config-monitor-tenant)# no shut
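The ERSPAN procedures above state value ranges for erspan-id, DSCP, TTL and MTU, and the guidelines rule out IPv6 ERSPAN destinations and FEX ports as local SPAN destinations. The script below is an added example, not Cisco tooling, that checks saved `show running-config monitor` text against those statements; `audit_monitor_config`, the session names and the sample text are hypothetical and constructed, and the indentation of the sample is assumed.

```python
import ipaddress
import re

# Value ranges as stated in the procedure tables on this page.
RANGES = {"erspan-id": (1, 1023), "ip dscp": (0, 64),
          "ip ttl": (1, 255), "mtu": (64, 9216)}

def audit_monitor_config(text):
    """Return a list of findings for 'show running-config monitor' text."""
    findings, session = [], "<no session>"
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"monitor (?:access|fabric|tenant \S+) session (\S+)", line)
        if m:
            session = m.group(1)
            continue
        m = re.match(r"destination interface eth\S* (\S+) leaf", line)
        if m and m.group(1).count("/") == 2:  # fex/slot/port form
            findings.append(f"{session}: FEX port {m.group(1)} used as SPAN destination")
        m = re.search(r"destination-ip (\S+)", line)
        if m:
            try:
                if ipaddress.ip_address(m.group(1)).version == 6:
                    findings.append(f"{session}: ERSPAN destination-ip {m.group(1)} is IPv6")
            except ValueError:
                findings.append(f"{session}: destination-ip {m.group(1)} is not an IP address")
        for key, (lo, hi) in RANGES.items():
            m = re.fullmatch(rf"{re.escape(key)} (\S+)", line)
            if m and not (m.group(1).isdigit() and lo <= int(m.group(1)) <= hi):
                findings.append(f"{session}: {key} {m.group(1)} outside {lo}-{hi}")
    return findings

# Constructed sample, modelled on the output format shown above.
SAMPLE = """\
monitor access session audit1
  destination tenant t1 application app1 epg epg1 destination-ip 2001:db8::10 source-ip-prefix 10.0.20.1
    ip dscp 42
    ip ttl 16
    erspan-id 9216
    mtu 9216
    exit
  exit
monitor access session audit2
  destination interface eth 101/1/2 leaf 105
  exit
"""

for finding in audit_monitor_config(SAMPLE):
    print(finding)
```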