This chapter describes how to identify and resolve problems that relate to SPAN.
This chapter includes the following sections
•Information About SPAN
•Troubleshooting SPAN Problems
Information About SPAN
The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe or other Remote Monitoring (RMON) probe.
Cisco Nexus 1000V supports two types of SPAN:
•SPAN (local SPAN) that can monitor sources within a host or VEM
•Encapsulated remote SPAN (ERSPAN) that can send monitored traffic to an IP destination
For detailed information about how to configure SPAN, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(1).
The interfaces from which traffic can be monitored are called SPAN sources. These include Ethernet, virtual Ethernet, port-channel, and VLAN. When a VLAN is specified as a SPAN source, all supported interfaces in the VLAN are SPAN sources. Traffic can be monitored in the receive direction, the transmit direction, or both directions for Ethernet and virtual Ethernet source interfaces.
•Receive source (Rx)—Traffic that enters the switch through this source port is copied to the SPAN destination port.
•Transmit source (Tx)—Traffic that exits the switch through this source port is copied to the SPAN destination port.
Cisco Nexus 1000V supports multiple source ports and multiple source VLANs. A source port has these characteristics:
•Can be port type Ethernet, virtual Ethernet, port-channel, or VLAN.
•Cannot be a destination port.
•Can be configured to monitor the direction of traffic —receive, transmit, or both.
•Source ports can be in the same or different VLANs.
•For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.
•Must be on the same host (linecard) as the destination port.
The Cisco Nexus 1000V supports Ethernet and virtual Ethernet interfaces as SPAN destinations.
Each local SPAN session must have at least one destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs. A destination port has these characteristics:
•Can be port type Ethernet, virtual Ethernet, or a port channel.
•Cannot be a source port.
•Is excluded from the source list and is not monitored if it belongs to a source VLAN of any SPAN session.
•Receives copies of transmitted and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.
•Must be on the same host (linecard) as the source port.
ERSPAN destinations refer to an IP address to which the monitored traffic sent. In the Cisco Nexus 1000V, the destination IP can belong to an IP of a sniffer device, ERSPAN capable switch (such as a Catalyst 6000 series switch), or a PC running a sniffer application. The only limitation is that the destination IP should be reachable through the configured ERSPAN enabled VMKnic on the host. For detailed information about how to configure ERSPAN, see the Cisco Nexus 1000V System Management Configuration Guide, Release 4.0(4)SV1(1).
You can create up to a total of 64 SPAN and ERSPAN sessions to define sources and destinations on the local device.You can also create a SPAN session to monitor multiple VLAN sources and choose only VLANs of interest to transmit on multiple destination ports. For example, you can configure SPAN on a trunk port and monitor traffic from different VLANs on different destination ports.
Troubleshooting SPAN Problems
When troubleshooting issues with SPAN, make sure you have followed these configuration guidelines and limitations:
•A maximum total of 64SPAN and ERSPAN sessions can be configured per VSM.
•You can configure a particular destination port in only one SPAN session.
•You cannot configure a port as both a source and destination port.
•When a SPAN session contains multiple transmit source ports, packets that these ports receive may be replicated even though they are not transmitted on the ports. Some examples of this behavior on source ports are as follows:
–Traffic that results from flooding
–Broadcast and multicast traffic
•For VLAN SPAN sessions with both receive and transmit configured, two packets (one from receive and one from transmit) are forwarded from the destination port if the packets get switched on the same VLAN.
–A session is stopped if the source and destination ports are separated
–A session resumes if the source and destination ports end up on the same host
Local SPAN Session Problems
A running SPAN session must meet these requirements:
•The limit of 64 SPAN sessions has not been exceeded.
•At least one operational source has been configured.
•At least one operational destination has been configured.
•The configured source and destination are on the same host.
•The session has been enabled with the no shut command.
A session is stopped if the follow events occur:
•All the source ports go down or are removed.
•All the destination ports go down or are removed.
•All the source and destination ports are separated by a VMotion.
•The session is disabled by a shut command.
Uses the show monitor session command to troubleshoot a SPAN session. The output of this command shows the current state of the session and the reason it is down.
To collect additional information, use the following commands:
•show monitor internal errors
•show monitor internal event-history msgs
•show monitor internal info global-info
•show monitor internal mem-stats
•module vem module-number execute vemcmd show span
Problems and Solutions
You observe issues with VM traffic after configuring a session with Eth destinations.
Ensure that the Eth destination is not connected to the same uplink switch. The SPAN packets might cause problems with the IP tables, the MAC tables, or both on the uplink switch, which can cause problems with the regular traffic.
The session state is up and the packets are not received at the destination ports.
Check if the correct VLANs are allowed on the trunk destination ports.
The session displays an error.
Make sure that NX-OS VEM connectivity is working correctly.
Enter a shut command followed by a no shut command for the session to force reprogramming of the session on the VEM.
The ERSPAN session is up, but does not see packets at the destination.
The erspan-id is not configured.
Make sure that the correct erspan-id that matches with the destination session is configured.
An ERSPAN enabled VMKNic is not configured on the host or VEM.
Make sure you use create a VMKNic on the host using an erspan-capable port profile.
The ERSPAN enabled VMKNic is not configured with a proper IP, gateway, or both.
Make sure the ERSPAN IP destination is reachable from the host VMKNic. To test this, issue the vmkping dest-id command on the command line of the host.
The following example shows the output of the show monitor session command.
n1000v(config)# show monitor session 1
filter VLANs : filter not specified
destination IP : 10.54.54.1
The following example shows the output of the module vem module-number execute vemcmd show span command.
n1000v# module vem 3 execute vemcmd show span
VEM SOURCE IP: 10.54.54.10
HW SSN ID DST LTL/IP ERSPAN ID