About SPAN
SPAN analyzes all traffic between source ports by directing the SPAN session traffic to a destination port with an external analyzer attached to it.
You can define the sources and destinations to monitor in a SPAN session on the local device.
SPAN Sources
The interfaces from which traffic can be monitored are called SPAN sources. Sources designate the traffic to monitor and whether to copy ingress, egress, or both directions of traffic. SPAN sources include the following:
-
Ethernet ports (but not subinterfaces)
-
Port channels
-
The inband interface to the control plane CPU
Note
When you specify the supervisor inband interface as a SPAN source, the device monitors all packets that arrive on the supervisor hardware in the ingress direction.
-
VLANs
Note
When you specify a VLAN as a SPAN source, all supported interfaces in the VLAN are SPAN sources.
Note
VLANs can be SPAN sources only in the ingress direction.
-
Satellite ports and host interface port channels on the Cisco Nexus 2000 Series Fabric Extender (FEX)
Note
These interfaces are supported in Layer 2 access mode and Layer 2 trunk mode. They are not supported in Layer 3 mode, and Layer 3 subinterfaces are not supported.
Note
FEX ports are supported as SPAN sources in the ingress direction for all traffic and in the egress direction only for known Layer 2 unicast traffic.
Note |
A single SPAN session can include mixed sources in any combination of the above. |
Characteristics of Source Ports
SPAN source ports have the following characteristics:
-
A port configured as a source port cannot also be configured as a destination port.
-
If you use the supervisor inband interface as a SPAN source, the following packets are monitored:
- All packets that arrive on the supervisor hardware (ingress)
- All packets generated by the supervisor hardware (egress)
SPAN Destinations
SPAN destinations refer to the interfaces that monitor source ports. Destination ports receive the copied traffic from SPAN sources. SPAN destinations include the following:
-
Ethernet ports in either access or trunk mode
-
Port channels in either access or trunk mode
-
Uplink ports on Cisco Nexus 9300 Series switches
Note |
FEX ports are not supported as SPAN destination ports. |
Characteristics of Destination Ports
SPAN destination ports have the following characteristics:
-
A port configured as a destination port cannot also be configured as a source port.
-
A destination port can be configured in only one SPAN session at a time.
-
Destination ports do not participate in any spanning tree instance. SPAN output includes bridge protocol data unit (BPDU) Spanning Tree Protocol hello packets.
SPAN Sessions
You can create SPAN sessions to designate sources and destinations to monitor.
See the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide for information on the number of supported SPAN sessions.
This figure shows a SPAN configuration. Packets on three Ethernet ports are copied to destination port Ethernet 2/5. Only traffic in the direction specified is copied.
Localized SPAN Sessions
A SPAN session is localized when all of the source interfaces are on the same line card. A session destination interface can be on any line card.
Note |
A SPAN session with a VLAN source is not localized. |
ACL TCAM Regions
You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware. For information on the TCAM regions used by SPAN sessions, see the "Configuring IP ACLs" chapter of the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
High Availability
The SPAN feature supports stateless and stateful restarts. After a reboot or supervisor switchover, the running configuration is applied. For more information on high availability, see the Cisco Nexus 9000 Series NX-OS High Availability and Redundancy Guide.