About SPAN
SPAN analyzes all traffic between source ports by directing the SPAN session traffic to a destination port with an external analyzer attached to it.
You can define the sources and destinations to monitor in a SPAN session on the local device.
SPAN Sources
The interfaces from which traffic can be monitored are called SPAN sources. Sources designate the traffic to monitor and whether to copy ingress (Rx), egress (Tx), or both directions of traffic. SPAN sources include the following:
-
Ethernet ports (but not subinterfaces)
-
The inband interface to the control plane CPU
Note
When you specify the supervisor inband interface as a SPAN source, the device monitors all packets that are sent by the Supervisor CPU.
-
VLANs
-
When you specify a VLAN as a SPAN source, all supported interfaces in the VLAN are SPAN sources.
-
VLANs can be SPAN sources only in the ingress direction.
Note
This applies to all switches except Cisco Nexus 9300-EX/-FX/-FX2/-FX3/-GX platform switches, and Cisco Nexus 9500 series platform switches with -EX/-FX line cards.
-
-
Satellite ports and host interface port channels on the Cisco Nexus 2000 Series Fabric Extender (FEX)
-
These interfaces are supported in Layer 2 access mode and Layer 2 trunk mode. They are not supported in Layer 3 mode, and Layer 3 subinterfaces are not supported.
-
Cisco Nexus 9300 and 9500 platform switches support FEX ports as SPAN sources in the ingress direction for all traffic and in the egress direction only for known Layer 2 unicast traffic flows through the switch and FEX. Routed traffic might not be seen on FEX HIF egress SPAN.
-
Note |
A single SPAN session can include mixed sources in any combination of the above. |
Characteristics of Source Ports
SPAN source ports have the following characteristics:
-
A port configured as a source port cannot also be configured as a destination port.
-
If you use the supervisor inband interface as a SPAN source, all packets generated by the supervisor hardware (egress) are monitored.
Note
Rx is from the perspective of the ASIC (traffic egresses from the supervisor over the inband and is received by the ASIC/SPAN).
SPAN Destinations
SPAN destinations refer to the interfaces that monitor source ports. Destination ports receive the copied traffic from SPAN sources. SPAN destinations include the following:
-
Ethernet ports in either access or trunk mode
-
Port channels in either access or trunk mode
-
CPU as destination port
-
Uplink ports on Cisco Nexus 9300 Series switches
Note |
FEX ports are not supported as SPAN destination ports. |
Characteristics of Destination Ports
SPAN destination ports have the following characteristics:
-
A port configured as a destination port cannot also be configured as a source port.
-
The same destination interface cannot be used for multiple SPAN sessions. However, an interface can act as a destination for a SPAN and an ERSPAN session.
-
Destination ports do not participate in any spanning tree instance. SPAN output includes bridge protocol data unit (BPDU) Spanning Tree Protocol hello packets.
SPAN Sessions
You can create SPAN sessions to designate sources and destinations to monitor.
See the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide for information on the number of supported SPAN sessions.
This figure shows a SPAN configuration. Packets on three Ethernet ports are copied to destination port Ethernet 2/5. Only traffic in the direction specified is copied.
Localized SPAN Sessions
A SPAN session is localized when all of the source interfaces are on the same line card. A session destination interface can be on any line card.
Note |
A SPAN session with a VLAN source is not localized. |
SPAN Truncation
Beginning with Cisco NX-OS Release 7.0(3)I7(1), you can configure the truncation of source packets for each SPAN session based on the size of the MTU. Truncation helps to decrease SPAN bandwidth by reducing the size of monitored packets. Any SPAN packet that is larger than the configured MTU size is truncated to the given size. For example, if you configure the MTU as 300 bytes, the packets with greater than 300 bytes are truncated to 300 bytes.
SPAN truncation is disabled by default. To use truncation, you must enable it for each SPAN session.
ACL TCAM Regions
You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware. For information on the TCAM regions used by SPAN sessions, see the Configuring IP ACLs chapter of the Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
High Availability
The SPAN feature supports stateless and stateful restarts. After a reboot or supervisor switchover, the running configuration is applied. For more information on high availability, see the Cisco Nexus 9000 Series NX-OS High Availability and Redundancy Guide.