-
The same source can be part of multiple sessions.
-
Multiple ACL filters are supported on the same source.
-
Two ERSPAN destination sessions are not supported on Cisco Nexus 3000, 3100, and 3200 platform switches.
-
The following limitations apply to the Cisco Nexus 34180YC platform switch:
-
A port channel as a destination interface is not supported in ERSPAN.
-
ACL filters and VLAN filters are not supported.
-
ERSPAN UDF-based ACLs are not supported.
-
The Cisco Nexus 34180YC platform switch supports a total of 32 sessions (SPAN and ERSPAN sessions together) configured on the switch, and all 32 can be active at the same time.
-
The filter access-group command is not supported on the Cisco Nexus 34180YC platform switch.
-
ERSPAN to Supervisor is not supported.
-
IPv6-based routing and IPv6 UDF on ERSPAN are not supported.
-
ERSPAN supports the following:
-
From 4 to 6 tunnels
-
Nontunnel packets
-
IP-in-IP tunnels
-
IPv4 tunnels (limited)
-
Cisco Nexus 3000 Series switches use a generic GRE ERSPAN header format for spanning packets that match an ERSPAN source session. This format does not conform to the Cisco ERSPAN Type 1/2/3 header format. Cisco ASIC-based platforms support ERSPAN termination and decapsulation only for ERSPAN packets conforming to Cisco ERSPAN encapsulation format Type. Hence, ERSPAN packets originating from Cisco Nexus 3000 Series switches to the local destination IP address of the Cisco ASIC-based switch will not match the ERSPAN termination filter. If the destination IP address is also the local IP address on the Cisco ASIC platform, the ERSPAN packets are sent to software and dropped in software.
-
ERSPAN destination session type (however, support for decapsulating the ERSPAN packet is not available. The entire encapsulated
packet is spanned to a front panel port at the ERSPAN terminating point.)
-
ERSPAN packets are dropped if the encapsulated mirror packet fails Layer 2 MTU checks.
-
There is a 112-byte limit for egress encapsulation. Packets that exceed this limit are dropped. This scenario might be encountered
when tunnels and mirroring are intermixed.
-
ERSPAN sessions are shared with local sessions. A maximum of 18 sessions can be configured; however, only a maximum of four sessions can be operational at the same time. If both receive and transmit sources are configured in the same session, only two sessions can be operational.
-
If you install Release NX-OS 5.0(3)U2(2), configure ERSPAN, and then downgrade to a lower version of software, the ERSPAN configuration is lost. This situation occurs because ERSPAN is not supported in versions before Release NX-OS 5.0(3)U2(2). For information about a similar SPAN limitation, see Guidelines and Limitations for SPAN.
-
ERSPAN and ERSPAN with ACL filtering are not supported for packets generated by the supervisor.
-
ACL filtering is supported only for Rx ERSPAN. Tx ERSPAN mirrors all traffic egressed at the source interface.
-
ACL filtering is not supported for IPv6 and MAC ACLs because of TCAM width limitations.
-
If the same source is configured in more than one ERSPAN session, and each session has an ACL filter configured, the source
interface will be programmed only for the first active ERSPAN session. The ACEs that belong to the other sessions will not
have this source interface programmed.
-
If you configure an ERSPAN session and a local SPAN session (with filter access-group and allow-sharing option) to use the
same source, the local SPAN session goes down when you save the configuration and reload the switch.
-
The drop action is not supported with the VLAN access-map configuration with the filter access-group for a monitor session.
The monitor session goes into an error state if the VLAN access-map with a drop action is configured with the filter access-group
in the monitor session.
-
Both permit and deny ACEs are treated alike. Packets that match the ACE are mirrored irrespective of whether they have a permit
or deny entry in the ACL.
-
ERSPAN is not supported for management ports.
-
A destination port can be configured in only one ERSPAN session at a time.
-
You cannot configure a port as both a source and destination port.
-
A single ERSPAN session can include mixed sources in any combination of the following:
-
Ethernet ports or port channels but not subinterfaces.
-
VLANs or port channels, which can be assigned to port channel subinterfaces.
-
Port channels to the control plane CPU.
Note: ERSPAN does not monitor any packets that are generated by the supervisor, regardless of their source.
-
Destination ports do not participate in any spanning tree instance or Layer 3 protocols.
-
When an ERSPAN session contains source ports that are monitored in the transmit or transmit and receive direction, packets
that these ports receive may be replicated to the ERSPAN destination port even though the packets are not actually transmitted
on the source ports. Some examples of this behavior on source ports are as follows:
-
For VLAN ERSPAN sessions with both ingress and egress configured, two packets (one from ingress and one from egress) are forwarded
from the destination port if the packets get switched on the same VLAN.
-
VLAN ERSPAN monitors only the traffic that leaves or enters Layer 2 ports in the VLAN.
-
When the Cisco Nexus 3000 series switch is the ERSPAN destination, GRE headers are not stripped off before sending mirrored
packets out of the terminating point. Packets are sent along with the GRE headers as GRE packets and the original packet as
the GRE payload.
-
The egress interface for the ERSPAN source session is now printed in the output of the show monitor session <session-number> CLI command. The egress interface can be a physical port or a port-channel. For ECMP, one interface among the ECMP members is displayed in the output. This particular interface is used for the traffic egress.
-
You can view the SPAN/ERSPAN ACL statistics using the show monitor filter-list command. The output of the command displays all the entries along with the statistics from the SPAN TCAM. The ACL name is not printed; only the entries are printed in the output. You can clear the statistics using the clear monitor filter-list statistics command. The output is similar to that of the show ip access-list command. The Cisco Nexus 3000 series switch does not support per-ACL-level statistics. This enhancement is supported for both local SPAN and ERSPAN.
-
The traffic to and/or from the CPU is spanned. It is similar to any other interface SPAN. This enhancement is supported only in local SPAN. It is not supported with an ACL source. The Cisco Nexus 3000 series switch does not span packets with the (RCPU.dest_port != 0) header that are sent out from the CPU.
-
For SPAN forward drop traffic, only the packets that get dropped for various reasons in the forwarding plane are spanned. This enhancement is supported only for an ERSPAN source session. It is not supported along with SPAN ACL, source VLAN, and source interface. Three ACL entries are installed to SPAN dropped traffic. Priority can be set for the drop entries to have a higher or lower priority than the SPAN ACL entries and the VLAN SPAN entries of the other monitor sessions. By default, the drop entries have a higher priority.
-
SPAN UDF (User Defined Field) based ACL support
-
You can match any packet header or payload (certain length limitations) in the first 128 bytes of the packet.
-
You can define the UDFs with particular offset and length to match.
-
You can match the length as 1 or 2 bytes only.
-
A maximum of 8 UDFs is supported.
-
Additional UDF match criteria are added to the ACL.
-
The UDF match criteria can be configured only for SPAN ACL. This enhancement is not supported for other ACL features, for
example, RACL, PACL, and VACL.
-
Each ACE can have up to 8 UDF match criteria.
-
The UDF and http-redirect configuration should not co-exist in the same ACL.
-
The UDF names need to be qualified for the SPAN TCAM.
-
The UDFs are effective only if they are qualified by the SPAN TCAM.
-
The configuration for the UDF definition and the UDF name qualification in the SPAN TCAM requires the use of the copy r s command and a reload.
-
The UDF match is supported for both Local SPAN and ERSPAN Src sessions.
-
The UDF name can have a maximum length of 16 characters.
-
The UDF offset starts from 0 (zero). If the offset is specified as an odd number, 2 UDFs are used in the hardware for one UDF definition in the software. The configuration is rejected if the number of UDFs used in the hardware goes beyond 8.
-
The UDF match requires the SPAN TCAM region to go double-wide. Therefore, you have to reduce the other TCAM regions' size
to make space for SPAN.
-
The SPAN UDFs are not supported in tap-aggregation mode.
-
If a sup-eth source interface is configured in the erspan-src session, the acl-span cannot be added as a source into that
session and vice-versa.
-
ERSPAN source and ERSPAN destination sessions must use dedicated loopback interfaces. Such loopback interfaces should not have any control plane protocols.
-
The ERSPAN marker-packet UDP data payload is 58 bytes in Cisco Nexus 3000 Series switches.
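The SPAN UDF guidelines above (1 or 2 byte matches, first 128 bytes, 16-character names, a budget of 8 hardware UDFs with odd offsets costing two) can be checked before committing a configuration that needs a reload. The following Python sketch is an added example, not Cisco code; the `Udf` class, the function names, and the sample plan are hypothetical, and offsets are assumed to be counted from the start of the packet.

```python
from dataclasses import dataclass

# Limits taken from the UDF guidelines above.
MAX_HW_UDFS = 8         # hardware UDF budget
MAX_NAME_LEN = 16       # maximum UDF name length
MATCH_WINDOW = 128      # only the first 128 bytes of the packet can be matched
VALID_LENGTHS = (1, 2)  # a UDF matches 1 or 2 bytes only


@dataclass(frozen=True)
class Udf:
    name: str
    offset: int  # assumption: byte offset counted from the start of the packet
    length: int  # number of bytes matched


def hw_cost(udf):
    """An odd offset consumes two hardware UDFs for one software definition."""
    return 2 if udf.offset % 2 else 1


def check_udf_plan(udfs):
    """Return (hardware_udfs_used, problems) for a planned set of UDFs."""
    problems = []
    for u in udfs:
        if not 1 <= len(u.name) <= MAX_NAME_LEN:
            problems.append(f"{u.name!r}: name must be 1-{MAX_NAME_LEN} characters")
        if u.length not in VALID_LENGTHS:
            problems.append(f"{u.name!r}: length {u.length} is not 1 or 2 bytes")
        if u.offset < 0 or u.offset + u.length > MATCH_WINDOW:
            problems.append(f"{u.name!r}: match falls outside the first {MATCH_WINDOW} bytes")
    used = sum(hw_cost(u) for u in udfs)
    if used > MAX_HW_UDFS:
        problems.append(f"plan needs {used} hardware UDFs, limit is {MAX_HW_UDFS}")
    return used, problems


# Constructed plan: offsets assume an untagged Ethernet frame carrying IPv4
# with a 20-byte header and TCP.
SAMPLE_PLAN = [
    Udf("eth_type", 12, 2),   # EtherType
    Udf("ip_proto", 23, 1),   # IPv4 protocol byte (odd offset)
    Udf("tcp_dport", 36, 2),  # TCP destination port
    Udf("tcp_flags", 47, 1),  # TCP flags byte (odd offset)
]

if __name__ == "__main__":
    used, problems = check_udf_plan(SAMPLE_PLAN)
    print(f"hardware UDFs used: {used}/{MAX_HW_UDFS}")
    for p in problems:
        print("problem:", p)
```

Five UDFs at odd offsets already exceed the budget (10 hardware UDFs), even though only five are defined in software.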
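Because a Cisco Nexus 3000 acting as the ERSPAN destination forwards mirrored packets with the GRE headers intact, the capture or analysis host attached to the destination port has to remove the encapsulation itself. The following Python sketch is an added example, not Cisco code: it assumes an IPv4 outer header and a standard GRE header (RFC 2784/2890), returns whatever follows the GRE header without interpreting any ERSPAN-specific fields, and uses a constructed sample frame with hypothetical function names.

```python
import struct

GRE_IP_PROTO = 47  # IPv4 protocol number for GRE


def gre_decap(frame):
    """Strip outer Ethernet, IPv4 and GRE headers.

    Returns (gre_protocol_type, payload). Raises ValueError on anything else.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == 0x8100:  # skip one 802.1Q tag on the outer frame
        off += 4
        if len(frame) < off + 2:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != 0x0800:
        raise ValueError("outer packet is not IPv4")
    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    if frame[off + 9] != GRE_IP_PROTO:
        raise ValueError("outer IPv4 payload is not GRE")
    off += ihl
    if len(frame) < off + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", frame, off)
    if flags & 0x4007:  # RFC 1701 routing bit or a non-zero version
        raise ValueError("unsupported GRE header")
    off += 4
    for bit in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence: 4 bytes each
        if flags & bit:
            off += 4
    if len(frame) < off:
        raise ValueError("truncated GRE options")
    return proto, frame[off:]


def build_sample(inner, ip_proto=GRE_IP_PROTO):
    """Constructed frame: Ethernet / IPv4 / GRE with sequence number / inner."""
    gre = struct.pack("!HHI", 0x1000, 0x88BE, 1)  # sample protocol type value
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner), 0, 0,
                     64, ip_proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return bytes(12) + b"\x08\x00" + ip + gre + inner
```

The returned payload can be written to a pcap file or handed to an existing decoder; frames that are not GRE over IPv4 raise `ValueError` so they can be counted rather than silently misparsed.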