Configuring Local SPAN and ERSPAN
This chapter contains the following sections:
- Information About SPAN and ERSPAN
- Guidelines and Limitations for SPAN
- Default Settings for SPAN
- Configuring SPAN
- Verifying the SPAN Configuration
- Configuration Example for an ERSPAN Session
- Feature History for SPAN and ERSPAN
Information About SPAN and ERSPAN
The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) allows network traffic to be analyzed by a network analyzer such as a Cisco SwitchProbe or other Remote Monitoring (RMON) probes.
SPAN allows you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports where the network analyzer is attached.
SPAN Sources
The interfaces from which traffic can be monitored are called SPAN sources. These sources include Ethernet, virtual Ethernet, port-channel, port profile, and VLAN. When a VLAN is specified as a SPAN source, all supported interfaces in the VLAN are SPAN sources. When a port profile is specified as a SPAN source, all ports that inherit the port profile are SPAN sources. Traffic can be monitored in the receive direction, the transmit direction, or both directions for Ethernet and virtual Ethernet source interfaces as described by the following:
Characteristics of SPAN Sources
A local SPAN source has these characteristics:
- Can be port type Ethernet, virtual Ethernet, port channel, port profile, or VLAN.
- Cannot be a destination port or port profile.
- Can be configured to monitor the direction of traffic: receive, transmit, or both.
- Can be in the same or different VLANs.
- For VLAN SPAN sources, all active ports in the source VLAN are included as source ports.
- Must be on the same host Virtual Ethernet Module (VEM) as the destination port.
- For port profile sources, all active interfaces attached to the port profile are included as source ports.
SPAN Destinations
SPAN destinations refer to the interfaces that monitor source ports.
- Characteristics of Local SPAN Destinations
- Characteristics of ERSPAN Destinations
- Local SPAN
- Encapsulated Remote SPAN
- Network Analysis Module
Characteristics of Local SPAN Destinations
Each local SPAN session must have at least one destination port (also called a monitoring port) that receives a copy of traffic from the source ports or VLANs. A destination port has these characteristics:
- Can be any physical or virtual Ethernet port, a port channel, or a port profile.
- Cannot be a source port or port profile.
- Is excluded from the source list and is not monitored if it belongs to a source VLAN of any SPAN session or a source port profile.
- Receives copies of transmitted and received traffic for all monitored source ports in the same VEM module. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.
- Must not be in private VLAN mode.
- Can only monitor sources on the same host (VEM).
- Does not receive any forwarded traffic except copies of transmitted and received traffic for all monitored source ports.
- Destination ports in access mode receive monitored traffic on all the VLANs.
- Destination ports in trunk mode receive monitored traffic only on the allowed VLANs in the trunk configuration.
Characteristics of ERSPAN Destinations
Local SPAN
In Local SPAN, the source interface and destination interface are on the same VEM. The network analyzer is attached directly to the SPAN destination port. The SPAN source can be a port, a VLAN interface, or a port profile. The destination can be a port or a port profile.
The diagram shows that traffic transmitted by host A is received on the SPAN source interface. Traffic (ACLs, QoS, and so forth) is processed as usual. Traffic is then replicated. The original packet is forwarded on toward host B. The replicated packet is then sent to the destination SPAN interface where the monitor is attached.
Local SPAN can replicate to one or more destination ports. Traffic can be filtered so that only traffic of interest is sent out the destination SPAN interface.
Local SPAN can monitor all traffic received on the source interface including Bridge Protocol Data Unit (BPDU).
Encapsulated Remote SPAN
Encapsulated remote SPAN (ERSPAN) monitors traffic in multiple network devices across an IP network and sends that traffic in an encapsulated envelope to destination analyzers. In contrast, Local SPAN cannot forward traffic through the IP network. ERSPAN can be used to monitor traffic remotely. ERSPAN sources can be ports, VLANs, or port profiles.
In the following figure, the ingress and egress traffic for Host A are monitored using ERSPAN. Encapsulated ERSPAN packets are routed from Host A through the routed network to the destination device where they are decapsulated and forwarded to the attached network analyzer. The destination may also be on the same Layer 2 network as the source.
Network Analysis Module
You can also use the Cisco Network Analysis Module (NAM) to monitor ERSPAN data sources for application performance, traffic analysis, and packet header analysis.
To use NAM for monitoring the Cisco Nexus 1000V ERSPAN data sources, see the Cisco Nexus 1010 Network Analysis Module Installation and Configuration Note.
SPAN Sessions
You can create up to 64 total SPAN sessions (Local SPAN plus ERSPAN) on the VEM.
You must configure an ERSPAN session ID that is added to the ERSPAN header of the encapsulated frame to differentiate between ERSPAN streams of traffic at the termination box. You can also configure the range of flow ID numbers.
When trunk ports are configured as SPAN sources and destinations, you can filter VLANs to send to the destination ports from among those allowed. Both sources and destinations must be configured to allow the VLANs.
The following figure shows one example of a VLAN-based SPAN configuration in which traffic is copied from three VLANs to three specified destination ports. You can choose which VLANs to allow on each destination port to limit the traffic transmitted. In the figure, the device transmits packets from one VLAN at each destination port. The destinations in this example are trunks on which allowed VLANs are configured.
Note
VLAN-based SPAN sessions cause all source packets to be copied to all destinations, whether the packets are required at the destination or not. VLAN traffic filtering occurs at transmit destination ports.
Guidelines and Limitations for SPAN
- A maximum of 64 SPAN sessions (Local SPAN plus ERSPAN) can be configured on the Virtual Supervisor Module (VSM).
- A maximum of 32 source VLANs are allowed in a session.
- A maximum of 32 destination interfaces are allowed for a Local SPAN session.
- A maximum of 8 destination port-profiles are allowed for a Local SPAN session.
- A maximum of 16 source port-profiles are allowed in a session.
- A maximum of 128 source interfaces are allowed in a session.

Caution
Overload potential: to avoid an overload on uplink ports, use caution when configuring ERSPAN, especially when sourcing VLANs. The uplink that the VM kernel uses might get overloaded by ERSPAN traffic, and VSM-VEM communication might also be affected. For example, when the Nexus 1000V is configured for Layer 3 connectivity, both AIPC traffic and ERSPAN traffic use the same VM kernel NIC.

- A port can be configured in a maximum of four SPAN sessions.
- A port can be a source in a maximum of four SPAN sessions.
- You cannot configure a port as both a source and a destination port.
- In a SPAN session, packets that source ports receive may be replicated even though they are not transmitted on the ports. The following is an example of this behavior:
  - For VLAN SPAN sessions switched on the same VLAN with both receive and transmit configured, two packets (one from receive and one from transmit) are forwarded from the destination port.
- ERSPAN traffic might compete with regular data traffic.
- Only ERSPAN source sessions are supported. Destination sessions are not supported.
- When a session is configured through the ERSPAN configuration commands, the session ID and the session type cannot be changed. To change them, you must first delete the session and then create a new session.
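The limits above are easy to exceed once a plan touches many ports, and a violated limit usually surfaces only as silently dropped mirror traffic. The Python pre-flight checker below is an added example, not Cisco code or part of this guide: it expands the guide's `ethernet 2/1-3, ethernet 3/1` and `3-5, 7` range notation and reports violations of the limits listed in this section; the session plan it checks is constructed (session 3 is copied from the Local SPAN procedure, session 4 is deliberately broken).

```python
import re
from dataclasses import dataclass, field

# Limits quoted from the "Guidelines and Limitations for SPAN" section.
MAX_SESSIONS = 64             # Local SPAN plus ERSPAN, per VSM
MAX_SRC_VLANS = 32
MAX_SRC_INTFS = 128
MAX_SRC_PORT_PROFILES = 16
MAX_DST_INTFS = 32            # Local SPAN only
MAX_DST_PORT_PROFILES = 8     # Local SPAN only
MAX_SESSIONS_PER_PORT = 4

def expand_ranges(spec):
    """Expand a Nexus-style numeric list such as '3-5, 7' into {3, 4, 5, 7}."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def expand_interfaces(spec):
    """Expand 'ethernet 2/1-3, ethernet 3/1' into {'Eth2/1', 'Eth2/2', 'Eth2/3', 'Eth3/1'}."""
    out = set()
    for m in re.finditer(r"ethernet\s+(\d+)/(\d+)(?:-(\d+))?", spec, re.IGNORECASE):
        slot, lo, hi = m.group(1), int(m.group(2)), m.group(3)
        out.update(f"Eth{slot}/{p}" for p in range(lo, int(hi or lo) + 1))
    return out

@dataclass
class Session:
    number: int
    kind: str = "local"                 # "local" or "erspan-source"
    src_intfs: set = field(default_factory=set)
    src_vlans: set = field(default_factory=set)
    src_port_profiles: set = field(default_factory=set)
    dst_intfs: set = field(default_factory=set)
    dst_port_profiles: set = field(default_factory=set)
    erspan_id: int = 0                  # 0 means "not configured"

def check_sessions(sessions, flow_id_range=range(1, 1024)):
    """Return a list of guideline violations; an empty list means the plan is acceptable.
    flow_id_range mirrors 'limit-resource erspan-flow-id' (default 1 to 1023)."""
    problems = []
    if len(sessions) > MAX_SESSIONS:
        problems.append(f"{len(sessions)} sessions exceed the limit of {MAX_SESSIONS}")
    port_use = {}                       # interface -> number of sessions it is configured in
    for s in sessions:
        tag = f"session {s.number}:"
        for label, items, limit in (("source VLANs", s.src_vlans, MAX_SRC_VLANS),
                                    ("source interfaces", s.src_intfs, MAX_SRC_INTFS),
                                    ("source port-profiles", s.src_port_profiles, MAX_SRC_PORT_PROFILES)):
            if len(items) > limit:
                problems.append(f"{tag} {len(items)} {label} exceed the limit of {limit}")
        for intf in sorted(s.src_intfs & s.dst_intfs):
            problems.append(f"{tag} {intf} is both a source and a destination")
        for pp in sorted(s.src_port_profiles & s.dst_port_profiles):
            problems.append(f"{tag} port-profile {pp} is both a source and a destination")
        if s.kind == "erspan-source":
            if s.erspan_id not in flow_id_range:
                problems.append(f"{tag} ERSPAN ID {s.erspan_id} is outside "
                                f"{flow_id_range.start}-{flow_id_range.stop - 1}")
            if s.dst_intfs or s.dst_port_profiles:
                problems.append(f"{tag} ERSPAN sessions use 'destination ip', not destination interfaces")
        else:
            if len(s.dst_intfs) > MAX_DST_INTFS:
                problems.append(f"{tag} {len(s.dst_intfs)} destination interfaces exceed {MAX_DST_INTFS}")
            if len(s.dst_port_profiles) > MAX_DST_PORT_PROFILES:
                problems.append(f"{tag} {len(s.dst_port_profiles)} destination port-profiles exceed {MAX_DST_PORT_PROFILES}")
        for intf in s.src_intfs | s.dst_intfs:
            port_use[intf] = port_use.get(intf, 0) + 1
    for intf, n in sorted(port_use.items()):
        if n > MAX_SESSIONS_PER_PORT:
            problems.append(f"{intf} is configured in {n} sessions; the limit is {MAX_SESSIONS_PER_PORT}")
    return problems

# Constructed plan: session 3 as in the Local SPAN procedure, plus a deliberately bad
# ERSPAN session that reuses a source port as a destination and picks an ID above 1023.
PLANNED = [
    Session(3, "local", src_intfs=expand_interfaces("ethernet 2/1-3, ethernet 3/1"),
            dst_intfs=expand_interfaces("ethernet 2/5, ethernet 3/7")),
    Session(4, "erspan-source", src_intfs=expand_interfaces("ethernet 2/5"),
            src_vlans=expand_ranges("3-5, 7"), dst_intfs=expand_interfaces("ethernet 2/5"),
            erspan_id=2000),
]

def run_checks():
    return check_sessions(PLANNED)
```

Run `run_checks()` against your own plan before typing it into the VSM; an empty list means every limit in this section is respected.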
Default Settings for SPAN
Parameters | Default
---|---
State | SPAN sessions are created in the shut state.
Description | blank
Traffic direction for source interface or port profile | both
Traffic direction for source VLAN | receive (ingress or RX)
Configuring SPAN
This section describes how to configure SPAN and includes the following procedures:
- Configuring a Local SPAN Session
- Configuring an ERSPAN Port Profile
- Configuring an ERSPAN Session
- Shutting Down a SPAN Session from Global Configuration Mode
- Shutting Down a SPAN Session from Monitor Configuration Mode
- Resuming a SPAN Session from Global Configuration Mode
- Resuming a SPAN Session from Monitor Configuration Mode
- Configuring the Allowable ERSPAN Flow IDs
Configuring a Local SPAN Session
This procedure involves creating the SPAN session in monitor configuration mode, and then, optionally, configuring allowed VLANs in interface configuration mode.
It is important to know the following information about SPAN:
- SPAN sessions are created in the shut state by default.
- When you create a SPAN session that already exists, any additional configuration is added to that session. To make sure the session is cleared of any previous configuration, you can delete the session first. This procedure includes how to do this.
- The source and destination ports are already configured in either access or trunk mode. For more information, see the Cisco Nexus 1000V Interface Configuration Guide.
Before beginning this procedure, you must be logged in to the CLI in EXEC mode and be sure you know the number of the SPAN session you are going to configure.
```
switch# configure terminal
switch(config)# no monitor session 3
switch(config)# monitor session 3
switch(config-monitor)# description my_span_session_3
switch(config-monitor)# source interface ethernet 2/1-3, ethernet 3/1 rx
switch(config-monitor)# filter vlan 3-5, 7
switch(config-monitor)# destination interface ethernet 2/5, ethernet 3/7
switch(config-monitor)# no shut
switch(config-monitor)# exit
switch(config)# show monitor session 3
switch(config)# show interface ethernet 2/5 switchport
switch(config)# copy running-config startup-config
```
Configuring an ERSPAN Port Profile
You can configure a port profile on the VSM to carry ERSPAN packets through the IP network to a remote destination analyzer.
You must complete this configuration for all hosts in vCenter Server.
The ERSPAN configuration requires an L3-capable port profile. To configure this feature in L2 mode, you must configure the L3-capable port profile as described in this section. If you configure this feature in L3 mode, you must use the existing L3-capable port profile.
This procedure includes steps to configure the port profile for the following requirements:
Only one VMKNIC can be assigned to this Layer 3 control port profile per host as follows:
- If more than one VMKNIC is assigned to a host, the first one assigned takes effect. The second one is not considered a Layer 3 control VMKNIC.
- If more than one VMKNIC is assigned to a host, and you remove the second assigned one, the VEM does not use the first assigned one. Instead, you must remove both VMKNICs and then add one back.
Before beginning this procedure, be sure you have done the following:
- Logged in to the CLI in EXEC mode
- Established the name to be used for this port profile

Note
The port profile name is used to configure the VM kernel NIC (VMKNIC). A VMKNIC is required on each ESX host to send ERSPAN-encapsulated IP packets, and it must have IP connectivity to the ERSPAN destination IP address.

- Established the name of the VMware port group to which this profile maps.
- Created the system VLAN that sends IP traffic to the ERSPAN destination, and know the VLAN ID that will be used in this configuration.
- Obtained the VMware documentation for adding a new virtual adapter.

Note
To ensure that VSM-VEM control communication messages are not dropped, configure the QoS queuing feature on the uplink interface to which the VMKNIC with capability l3control is mapped. For more details, see the Cisco Nexus 1000V Quality of Service Configuration Guide.

For more information about system port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide.
```
switch# configure terminal
switch(config)# port-profile erspan_profile
switch(config-port-prof)# capability l3control
switch(config-port-prof)# vmware port-group erspan
switch(config-port-prof)# switchport mode access
switch(config-port-prof)# switchport access vlan 2
switch(config-port-prof)# no shutdown
switch(config-port-prof)# system vlan 2
switch(config-port-prof)# state enabled
switch(config-port-prof)# show port-profile name erspan
port-profile erspan
  description:
  status: enabled
  capability uplink: no
  capability l3control: yes
  system vlans: 2
  port-group: access
  max-ports: 32
  inherit:
  config attributes:
    switchport access vlan 2
    no shutdown
  evaluated config attributes:
    switchport access vlan 2
    no shutdown
  assigned interfaces:
switch(config-port-prof)# copy running-config startup-config
```
Configuring an ERSPAN Session
This procedure involves creating the SPAN session in ERSPAN source configuration mode (config-erspan-source).
SPAN sessions are created in the shut state by default.
When you create a SPAN session that already exists, any additional configuration is added to that session. To make sure the session is cleared of any previous configuration, you can delete the session first. The step to do this is included in the procedure.
Before beginning this procedure, be sure you have done the following:
- Logged in to the CLI in EXEC mode
- Obtained the number of the SPAN session that you are going to configure
- Configured an ERSPAN-capable port profile on the VSM
- Using the VMware documentation for adding a new virtual adapter, already configured the required VMKNIC on each ESX host. The VMKNIC must have IP connectivity to the ERSPAN destination IP address for sending ERSPAN-encapsulated packets.
- ERSPAN traffic uses GRE encapsulation. If there are firewalls between the ERSPAN source and destinations, we recommend that you set a rule to allow GRE traffic, which is identified by IP protocol number 47.
```
switch# configure terminal
switch(config)# no monitor session 3
switch(config)# monitor session 3 type erspan-source
switch(config-erspan-src)# description my_erspan_session_3
switch(config-erspan-src)# source interface ethernet 2/1-3, ethernet 3/1 rx
switch(config-erspan-src)# filter vlan 3-5, 7
switch(config-erspan-src)# destination ip 10.54.54.1
switch(config-erspan-src)# ip ttl 64
switch(config-erspan-src)# ip prec 1
switch(config-erspan-src)# ip dscp 24
switch(config-erspan-src)# mtu 1000
switch(config-erspan-src)# header-type 2
switch(config-erspan-src)# erspan-id 51
switch(config-erspan-src)# no shut
switch(config-erspan-src)# show monitor session 3
switch(config-erspan-src)# copy running-config startup-config
```
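Because ERSPAN is plain GRE (IP protocol 47) carrying an ERSPAN Type II header (the `header-type 2` above), the termination box has to decode that header to tell streams apart by `erspan-id`; the 10-bit session field is also why the flow ID range stops at 1023. The Python encoder/decoder below is an added example, not code from this guide or from Cisco: the header layout follows the ERSPAN Type II format, the inner Ethernet frame is constructed, and the allowed-ID set stands in for the `erspan-id` values configured on the VSM.

```python
import struct

# ERSPAN Type II rides in GRE (IP protocol 47) with the sequence flag set
# and GRE protocol type 0x88BE; the ERSPAN "version" field is 1 for Type II.
GRE_PROTO_ERSPAN2 = 0x88BE
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000
ERSPAN2_VERSION = 1

def build_erspan2(session_id, vlan, seq, inner_frame, cos=0, en=0, t=0, index=0):
    """Wrap an inner Ethernet frame in GRE + ERSPAN Type II headers.
    Returns the bytes that follow the outer IP header (what a VEM sends after its own IP header)."""
    if not 1 <= session_id <= 1023:       # 10-bit field: same 1..1023 range as erspan-id
        raise ValueError(f"ERSPAN session ID {session_id} outside 1-1023")
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN2, seq & 0xFFFFFFFF)
    word1 = ((ERSPAN2_VERSION << 28) | ((vlan & 0xFFF) << 16) | ((cos & 0x7) << 13)
             | ((en & 0x3) << 11) | ((t & 0x1) << 10) | (session_id & 0x3FF))
    word2 = index & 0xFFFFF               # 12 reserved bits, then the 20-bit port index
    return gre + struct.pack("!II", word1, word2) + inner_frame

def parse_erspan2(payload):
    """Decode GRE + ERSPAN Type II headers; returns the session ID, flags and inner frame."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", payload[:4])
    if proto != GRE_PROTO_ERSPAN2:
        raise ValueError(f"not ERSPAN Type II (GRE protocol type 0x{proto:04x})")
    off = 4                               # optional GRE fields in RFC order: csum, key, seq
    if flags & GRE_FLAG_CSUM:
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        (seq,) = struct.unpack("!I", payload[off:off + 4])
        off += 4
    if len(payload) < off + 8:
        raise ValueError("truncated ERSPAN header")
    word1, word2 = struct.unpack("!II", payload[off:off + 8])
    version = word1 >> 28
    if version != ERSPAN2_VERSION:
        raise ValueError(f"ERSPAN version {version}, expected {ERSPAN2_VERSION} (Type II)")
    return {
        "seq": seq,
        "vlan": (word1 >> 16) & 0xFFF,
        "cos": (word1 >> 13) & 0x7,
        "en": (word1 >> 11) & 0x3,        # encapsulation type of the original frame
        "t": (word1 >> 10) & 0x1,         # set when the mirrored frame was truncated (mtu)
        "session_id": word1 & 0x3FF,
        "index": word2 & 0xFFFFF,
        "inner": payload[off + 8:],
    }

def accepted_session(payload, allowed_ids):
    """Collector-side gate: return the session ID if it is one we configured, else None.
    allowed_ids is the set of erspan-id values you expect, e.g. {51, 999}."""
    try:
        info = parse_erspan2(payload)
    except ValueError:
        return None
    return info["session_id"] if info["session_id"] in allowed_ids else None

# Constructed inner frame: a minimal Ethernet header (dst, src, EtherType IPv4) plus padding.
INNER_FRAME = bytes.fromhex("0a0000000002" "0a0000000001" "0800") + b"\x45" + b"\x00" * 19

def demo():
    """Encapsulate with the chapter's erspan-id 999 and decode it as the analyzer would."""
    return parse_erspan2(build_erspan2(session_id=999, vlan=7, seq=1, inner_frame=INNER_FRAME))
```

Feed `accepted_session` the payload of each protocol-47 packet the collector receives to discard streams whose ID you never configured.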
Shutting Down a SPAN Session from Global Configuration Mode
Before beginning this procedure, be sure you have done the following:
Command or Action | Purpose
---|---
Step 1: switch# configure terminal | Enters global configuration mode.
Step 2: switch(config)# monitor session {session-number \| session-range \| all} shut | Shuts down the specified SPAN monitor session(s) from global configuration mode.
Step 3: switch(config)# show monitor | (Optional) Displays the status of the SPAN sessions.
Step 4: switch(config)# copy running-config startup-config | (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
```
switch# configure terminal
switch(config)# monitor session 3 shut
switch(config)# show monitor
switch(config)# copy running-config startup-config
```
Shutting Down a SPAN Session from Monitor Configuration Mode
Before beginning this procedure, be sure you have done the following:
Command or Action | Purpose
---|---
Step 1: switch# configure terminal | Enters global configuration mode.
Step 2: switch(config)# monitor session {session-number \| session-range \| all} [type erspan-source] | Specifies the SPAN monitor session(s) you want to shut down from monitor configuration mode.
Step 3: switch(config-monitor)# shut | Shuts down the specified SPAN monitor session(s) from monitor configuration mode.
Step 4: switch(config-monitor)# show monitor | (Optional) Displays the status of the SPAN sessions.
Step 5: switch(config-monitor)# copy running-config startup-config | (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
```
switch# configure terminal
switch(config)# monitor session 3
switch(config-monitor)# shut
switch(config-monitor)# show monitor
switch(config-monitor)# copy running-config startup-config
```
Resuming a SPAN Session from Global Configuration Mode
You can discontinue copying packets from one source and destination and then resume from another source and destination in global configuration mode.
Before beginning this procedure, be sure you have done the following:
Command or Action | Purpose
---|---
Step 1: switch# configure terminal | Enters global configuration mode.
Step 2: switch(config)# [no] monitor session {session-number \| session-range \| all} shut | Shuts down the specified SPAN monitor session(s) from global configuration mode; the no form resumes them.
Step 3: switch(config)# show monitor | (Optional) Displays the status of the SPAN sessions.
Step 4: switch(config)# copy running-config startup-config | (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
```
switch# configure terminal
switch(config)# no monitor session 3 shut
switch(config)# show monitor
switch(config)# copy running-config startup-config
```
Resuming a SPAN Session from Monitor Configuration Mode
You can discontinue copying packets from one source and destination and then resume from another source and destination in monitor configuration mode.
Before beginning this procedure, be sure you have done the following:
Command or Action | Purpose
---|---
Step 1: switch# configure terminal | Enters global configuration mode.
Step 2: switch(config)# [no] monitor session {session-number \| session-range \| all} shut | Shuts down the specified SPAN monitor session(s) from monitor configuration mode; the no form resumes them.
Step 3: switch(config-monitor)# show monitor | (Optional) Displays the status of the SPAN sessions.
Step 4: switch(config-monitor)# show monitor session session-id | (Optional) Displays detailed configuration and status of a specific SPAN session for verification.
Step 5: switch(config-monitor)# copy running-config startup-config | (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
```
switch# configure terminal
switch(config)# monitor session 3
switch(config-monitor)# no shut
switch(config-monitor)# show monitor
switch(config-monitor)# show monitor session 3
switch(config-monitor)# copy running-config startup-config
```
Configuring the Allowable ERSPAN Flow IDs
Use this procedure to restrict the allowable range of flow IDs that can be assigned to ERSPAN sessions.
The available ERSPAN flow IDs are from 1 to 1023.
Before beginning this procedure, be sure you have done the following:
Command or Action | Purpose
---|---
Step 1: switch# configure terminal | Enters global configuration mode.
Step 2: switch(config)# [no] limit-resource erspan-flow-id minimum min_val maximum max_val | Restricts the allowable range of ERSPAN flow IDs that can be assigned. The allowable range is from 1 to 1023; the defaults are minimum 1 and maximum 1023. The no form of this command removes any configured values and restores the defaults.
Step 3: switch(config)# show running monitor | (Optional) Displays changes to the default limit-resource erspan-flow-id values for verification.
Step 4: switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
```
switch# configure terminal
switch(config)# limit-resource erspan-flow-id minimum 20 maximum 40
switch(config)# show monitor
switch(config)# show running monitor
switch(config)# copy running-config startup-config
```
Verifying the SPAN Configuration
Use one of the following commands to verify the configuration:
Command | Purpose
---|---
show monitor session {all \| session-number \| range session-range} [brief] | Displays the SPAN session configuration.
show monitor | Displays Ethernet SPAN information.
module vem module-number execute vemcmd show span | Displays the configured SPAN sessions on a VEM module.
show port-profile name port_profile_name | Displays a port profile.
Configuration Example for an ERSPAN Session
The following example shows how to create an ERSPAN session for a source Ethernet interface and destination IP address on the Cisco Nexus 1000V. Packets arriving at the destination IP address are identified by the ID 999 in their header.
```
switch(config)# monitor session 2 type erspan-source
switch(config-erspan-src)# source interface ethernet 3/3
switch(config-erspan-src)# source port-profile my_profile_src
switch(config-erspan-src)# destination ip 10.54.54.1
switch(config-erspan-src)# erspan-id 999
switch(config-erspan-src)# mtu 1000
switch(config-erspan-src)# no shut
switch(config-erspan-src)# show monitor session 2
   session 2
---------------
type              : erspan-source
state             : up
source intf       :
    rx            : Eth3/3
    tx            : Eth3/3
    both          : Eth3/3
source VLANs      :
    rx            :
    tx            :
    both          :
source port-profile :
    rx            : my_profile_src
    tx            : my_profile_src
    both          : my_profile_src
filter VLANs      : filter not specified
destination IP    : 10.54.54.1
ERSPAN ID         : 999
ERSPAN TTL        : 64
ERSPAN IP Prec.   : 0
ERSPAN DSCP       : 0
ERSPAN MTU        : 1000
ERSPAN Header Type: 2
switch(config-erspan-src)# module vem 3 execute vemcmd show span
VEM SOURCE IP: 10.54.54.10
HW SSN ID   ERSPAN ID   HDR VER   DST LTL/IP
   1          local               49,51,52,55,56
   2          999         2       10.54.54.1
```
Example of Configuring a SPAN Session
```
switch(config)# no monitor session 1
switch(config)# monitor session 1
switch(config-monitor)# source interface ethernet 2/1-3
switch(config-monitor)# source interface port-channel 2
switch(config-monitor)# source port-profile my_profile_src
switch(config-monitor)# source vlan 3, 6-8 tx
switch(config-monitor)# filter vlan 3-5, 7
switch(config-monitor)# destination interface ethernet 2/5
switch(config-monitor)# destination port-profile my_profile_dst
switch(config-monitor)# no shut
switch(config-monitor)# exit
switch(config)# show monitor session 1
switch(config)# copy running-config startup-config
switch(config)# show monitor session 1
   session 1
---------------
type              : local
state             : up
source intf       :
    rx            : Eth2/1 Eth2/2 Eth2/3
    tx            : Eth2/1 Eth2/2 Eth2/3
    both          : Eth2/1 Eth2/2 Eth2/3
source VLANs      :
    rx            :
    tx            : 3,6,7,8
    both          :
source port-profile :
    rx            : my_profile_src
    tx            : my_profile_src
    both          : my_profile_src
filter VLANs      : 3,4,5,7
destination ports : Eth2/5
destination port-profile : my_profile_dst
switch# module vem 3 execute vemcmd show span
VEM SOURCE IP NOT CONFIGURED.
HW SSN ID   ERSPAN ID   HDR VER   DST LTL/IP
   1          local               49,51,52,55,56
```
Example of a Configuration to Enable SPAN Monitoring
This example shows how to configure destination ports in access or trunk mode, and enable SPAN monitoring.
```
switch# configure terminal
switch(config)# interface ethernet 2/5
switch(config-if)# switchport
switch(config-if)# switchport mode trunk
switch(config-if)# no shut
switch(config-if)# exit
switch(config)#
```
Feature History for SPAN and ERSPAN
Feature Name | Releases | Feature Information
---|---|---
Port profile as Local SPAN and ERSPAN source | 4.2(1)SV1(4) | You can specify a port profile as a source for local SPAN and ERSPAN monitor traffic.
NAM support for ERSPAN data sources | 4.0(4)SV1(3) | NAM support was introduced.
ERSPAN Type III header | 4.0(4)SV1(3) | ERSPAN Type III header format was introduced.
SPAN and ERSPAN | 4.0(4)SV1(1) | SPAN and ERSPAN were introduced.