- Preface
- Troubleshooting Overview
- Troubleshooting Tools
- Troubleshooting the Installation
- Troubleshooting the Licensing
- Troubleshooting Modules
- Troubleshooting Ports and Port Profiles
- Troubleshooting Port Channels and Trunking
- Troubleshooting Layer 2 Switching
- Troubleshooting ACLs
- Troubleshooting QoS
- Troubleshooting Netflow
- Troubleshooting VLANs
- Troubleshooting PVLANs
- Troubleshooting Multicast IGMP Issues
- Troubleshooting SPAN
- Troubleshooting High Availability
- Troubleshooting System Issues
- Before Contacting Technical Support
- Index
Cisco Nexus 1000V Troubleshooting Guide, Release 4.0(4)SV(1)
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- May 20, 2009
Chapter: Troubleshooting SPAN
SPAN
This chapter describes how to identify and resolve problems that relate to SPAN.
This chapter includes the following sections
•
Troubleshooting SPAN Problems
Information About SPAN
The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe or other Remote Monitoring (RMON) probe.
Cisco Nexus 1000V supports two types of SPAN:
•SPAN (local SPAN) that can monitor sources within a host or VEM
•Encapsulated remote SPAN (ERSPAN) that can send monitored traffic to an IP destination
For detailed information about how to configure SPAN, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(1).
SPAN Sources
The interfaces from which traffic can be monitored are called SPAN sources. These include Ethernet, virtual Ethernet, port-channel, and VLAN. When a VLAN is specified as a SPAN source, all supported interfaces in the VLAN are SPAN sources. Traffic can be monitored in the receive direction, the transmit direction, or both directions for Ethernet and virtual Ethernet source interfaces.
•Receive source (Rx)—Traffic that enters the switch through this source port is copied to the SPAN destination port.
•Transmit source (Tx)—Traffic that exits the switch through this source port is copied to the SPAN destination port.
Source Ports
Cisco Nexus 1000V supports multiple source ports and multiple source VLANs. A source port has these characteristics:
•Can be port type Ethernet, virtual Ethernet, port-channel, or VLAN.
•Cannot be a destination port.
•Can be configured to monitor the direction of traffic —receive, transmit, or both.
•Source ports can be in the same or different VLANs.
•For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.
•Must be on the same host (linecard) as the destination port.
SPAN Destinations
The Cisco Nexus 1000V supports Ethernet and virtual Ethernet interfaces as SPAN destinations.
Destination Ports
Each local SPAN session must have at least one destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs. A destination port has these characteristics:
•Can be port type Ethernet, virtual Ethernet, or a port channel.
•Cannot be a source port.
•Is excluded from the source list and is not monitored if it belongs to a source VLAN of any SPAN session.
•Receives copies of transmitted and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.
•Must be on the same host (linecard) as the source port.
ERSPAN Destinations
ERSPAN destinations refer to an IP address to which the monitored traffic sent. In the Cisco Nexus 1000V, the destination IP can belong to an IP of a sniffer device, ERSPAN capable switch (such as a Catalyst 6000 series switch), or a PC running a sniffer application. The only limitation is that the destination IP should be reachable through the configured ERSPAN enabled VMKnic on the host. For detailed information about how to configure ERSPAN, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(1).
SPAN Sessions
You can create up to a total of 64 SPAN and ERSPAN sessions to define sources and destinations on the local device.You can also create a SPAN session to monitor multiple VLAN sources and choose only VLANs of interest to transmit on multiple destination ports. For example, you can configure SPAN on a trunk port and monitor traffic from different VLANs on different destination ports.
Troubleshooting SPAN Problems
When troubleshooting issues with SPAN, make sure you have followed these configuration guidelines and limitations:
•A maximum total of 64SPAN and ERSPAN sessions can be configured per VSM.
•You can configure a particular destination port in only one SPAN session.
•You cannot configure a port as both a source and destination port.
•When a SPAN session contains multiple transmit source ports, packets that these ports receive may be replicated even though they are not transmitted on the ports. Some examples of this behavior on source ports are as follows:
–Traffic that results from flooding
–Broadcast and multicast traffic
•For VLAN SPAN sessions with both receive and transmit configured, two packets (one from receive and one from transmit) are forwarded from the destination port if the packets get switched on the same VLAN.
•After VMotion:
–A session is stopped if the source and destination ports are separated
–A session resumes if the source and destination ports end up on the same host
Local SPAN Session Problems
A running SPAN session must meet these requirements:
•The limit of 64 SPAN sessions has not been exceeded.
•At least one operational source has been configured.
•At least one operational destination has been configured.
•The configured source and destination are on the same host.
•The session has been enabled with the no shut command.
A session is stopped if the follow events occur:
•All the source ports go down or are removed.
•All the destination ports go down or are removed.
•All the source and destination ports are separated by a VMotion.
•The session is disabled by a shut command.
Troubleshooting Commands
Uses the show monitor session command to troubleshoot a SPAN session. The output of this command shows the current state of the session and the reason it is down.
To collect additional information, use the following commands:
•show monitor internal errors
•show monitor internal event-history msgs
•show monitor internal info global-info
•show monitor internal mem-stats
•module vem module-number execute vemcmd show span
Problems and Solutions
Examples
The following example shows the output of the show monitor session command.
n1000v(config)# show monitor session 1
session 1
---------------
type : erspan-source
state : up
source intf :
rx : Eth3/3
tx : Eth3/3
both : Eth3/3
source VLANs :
rx :
tx :
both :
filter VLANs : filter not specified
destination IP : 10.54.54.1
ERSPAN ID : 999
ERSPAN TTL : 64
ERSPAN IP Prec. : 0
ERSPAN DSCP : 0
ERSPAN MTU : 1000
The following example shows the output of the module vem module-number execute vemcmd show span command.
n1000v# module vem 3 execute vemcmd show span
VEM SOURCE IP: 10.54.54.10
HW SSN ID DST LTL/IP ERSPAN ID
0 10.54.54.1 999
1 48 local
Feedback