Configuring SPAN

This chapter contains the following sections:

Information About SPAN

The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe or other Remote Monitoring (RMON) probes.

SPAN Sources

SPAN sources refer to the interfaces from which traffic can be monitored. The Cisco Nexus device supports Ethernet, port channels, SAN port channels, VSANs and VLANs as SPAN sources. With VLANs or VSANs, all supported interfaces in the specified VLAN or VSAN are included as SPAN sources. You can choose the SPAN traffic in the ingress direction, the egress direction, or both directions for Ethernet and virtual Fibre Channel source interfaces:

  • Ingress source (Rx)—Traffic entering the device through this source port is copied to the SPAN destination port.

  • Egress source (Tx)—Traffic exiting the device through this source port is copied to the SPAN destination port.


Note

VSAN ports cannot be configured as ingress source ports in a SPAN session.

Characteristics of Source Ports

A source port, also called a monitored port, is a switched interface that you monitor for network traffic analysis. The switch supports any number of ingress source ports (up to the maximum number of available ports on the switch) and any number of source VLANs or VSANs.

A source port has these characteristics:

  • Can be of Ethernet, port channel, virtual Fibre Channel, SAN port channel, VSAN or VLAN port type.

  • Cannot be monitored in multiple SPAN sessions.

  • Cannot be a destination port.

  • Can be configured with a direction (ingress, egress, or both) to monitor. For VLAN and VSAN sources, the monitored direction can only be ingress and applies to all physical ports in the group. The RX/TX option is not available for VLAN or VSAN SPAN sessions.

  • Can be in the same or different VLANs or VSANs.

  • For VLAN or VSAN SPAN sources, all active ports in the source VLAN or VSAN are included as source ports.


Note

  • If some of the FEX ports are being used by a SPAN session as source ports, the remaining FEX ports cannot be a part of a different SPAN session.

  • The maximum number of source ports per SPAN session is 128 ports.

  • The maximum number of SPAN sessions supported on the Nexus 5000 Series and Nexus 5500 Series switches is 4.

  • The maximum number of SPAN sessions supported on the Nexus 5600 Series and Nexus 6000 Series switches is 16.

SPAN Destinations

SPAN destinations refer to the interfaces that monitors source ports. The Cisco Nexus Series device supports Ethernet interfaces as SPAN destinations.

Starting with Cisco NX-OS Release 7.2(0)N1(1), HIF and virtual ethernet (Veth) ports as SPAN destination is supported.

Source SPAN

Dest SPAN

Ethernet

Ethernet

Virtual Fibre Channel

Ethernet (FCoE)

Characteristics of Destination Ports

Each local SPAN session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports, VSANs, or VLANs. A destination port has these characteristics:

  • Can be any physical port. Source Ethernet and FCoE ports cannot be destination ports.

  • Cannot be a source port.

  • Cannot be a port channel or SAN port channel group.

  • Does not participate in spanning tree while the SPAN session is active.

  • Is excluded from the source list and is not monitored if it belongs to a source VLAN of any SPAN session.

  • Receives copies of sent and received traffic for all monitored source ports.

  • The FEX interface cannot be a span destination.

Multiple SPAN Destinations

Local SPAN and SPAN-on-Drop sessions can support multiple destination ports. This allows traffic in a single local SPAN session or a SPAN-on-Drop session also to be monitored and send to multiple destinations.

Note
Multiple destinations are not supported on ERSPAN, or SPAN-on-Latency sessions.

SPAN on Drop

The SPAN-on-drop feature enables the spanning of packets which would normally be dropped due to unavailable buffer or queue space on ingress. Instead of dropping a packet when congestion occurs, the system stores the packet in a separate SPAN-on-drop buffer and then sends the packet to the specified SPAN-on-drop destination port.

SPAN-on-Latency Sessions

The SPAN-on-Latency feature allows the system to SPAN packets that exceed a pre-configured latency threshold.

For high-latency flows the system can be configured to send a copy to any pre-configured SPAN destination. This creates a data set for analytics that can be used to check which applications are impacted by increased latency in the network. This feature can also be used to identify traffic flows that experience congestion.

Packets exceeding the latency measurements, egressing out of the source port only will be spanned.


Note

SPAN copies can be transported to a local analyzer port, or remote analyzer using IPFIX/ERSPAN encapsulation. The SPAN copies can be truncated to save bandwidth.

Guidelines and Limitations for SPAN

SPAN is not supported on a management interface.

If an interface is configured as a source port for a SPAN session, either directly as a source interface or indirectly as part of a port-channel, traffic from this interface will not be visible in VLAN SPAN sessions that include this interface as part of a configured VLAN. This limitation occurs as the Ternary Content-Addressable Memory (TCAM) entries for interface SPAN sources are always programmed before the TCAM entries for VLAN SPAN sources.

Cisco Nexus 6000 devices support 16 active local SPAN or ERSPAN-source sessions, 16 active ERSPAN-destination sessions and one active SPAN-on-Drop or SPAN-on-Drop-ERSPAN session.

The following guidelines and limitations apply to SPAN session where multiple destinations are configured:

  • Multiple destinations are supported for Local SPAN or SPAN-on-Drop sessions only. Multiple destinations are not supported on ERSPAN or SPAN-on-Latency sessions.

  • The maximum number of unique destinations configured on all active sessions is 16. A single SPAN session can have a maximum of 16 destinations, and a SPAN-on-Drop session can have a maximum of 17 destinations, in which case no further SPAN sessions can be configured.

  • You cannot SPAN a single source VLAN to multiple destination ports.

  • Connecting SPAN destination ports to a switch device is not supported.

The following guidelines and limitations apply to SPAN-on-Drop sessions:

  • Only Ethernet source interfaces are supported (port channels not supported). Sources can be a part of a SPAN-on-Drop session and a local SPAN session simultaneously.

  • At most one SPAN-on-Drop or SPAN-on-Drop ERSPAN session may be active at the same time.

  • Directions on source interfaces are not supported.

  • FEX interfaces are not supported as sources for SPAN-on-Drop sessions. However, fabric interfaces are supported. Setting all fabric interfaces associated with a FEX as sources allows SPAN-on-Drop sessions to be enabled on all FEX ports associated with that fabric interface.

  • Multicast egress drops are not spanned. SPAN-on-Drop applies only to packets dropped in ingress due to a lack of buffer resources or when the Virtual Output Queueing (VOQ) size exceeds the preprogrammed threshold.

  • ACL-based SPAN is not supported

  • Configuring the maximum transmission unit (MTU) truncation size for packets is not supported for SPAN-on-Drop sessions.

The following guidelines and limitations apply to SPAN-on-Latency sessions:

  • Although SPAN-on-Latency detection is performed on a per-port basis, the span pointer configuration is a global value.

  • The maximum latency threshold value configuration is per 40 Gigabit port. Therefore, if there the system has 10 Gigabit ports, the latency threshold is shared by four 10 Gigabit ports.

  • At most only one SPAN-on-Latency or SPAN-on-Latency ERSPAN session may be active at the same time.

  • You must issue the clear hardware profile latency monitor all command when the switch is reloaded or when a module is powered on. Until you issue this command no packets are spanned.

  • Even though fabric interfaces are supported as sources, FEX interfaces and Port Channel are not supported as sources.

  • Span-on-Latency Source cannot be part of any other span session i.e. Local Span or Span-on-drop.

  • ACL based SOL is not supported.

  • Local SPAN/SPAN on Drop/SPAN on Latency is not aware of VPC.

  • The following is the limitation for HIF and Virtual Ethernet (Veth) as SPAN destination:

    • Multi-destination SPAN is not supported. If HIF/VETH port is a destination, the monitor session must have single destination.

    • A SPAN destination port, which is part of an active SPAN session, receives flood traffic. You can prevent this behavior by using the unknown unicast flood block feature. To enable this feature, use the switchport block unicast command.

Creating or Deleting a SPAN Session

You create a SPAN session by assigning a session number using the monitor session command. If the session already exists, any additional configuration information is added to the existing session.

Procedure
     Command or ActionPurpose
    Step 1switch# configure terminal  

    Enters global configuration mode.

     
    Step 2 switch(config)# monitor session session-number
     

    Enters the monitor configuration mode. New session configuration is added to the existing session configuration.

     

    The following example shows how to configure a SPAN monitor session:

    switch# configure terminal
switch(config) # monitor session 2
switch(config) #

    Configuring an Ethernet Destination Port

    You can configure an Ethernet interface as a SPAN destination port.


    Note

    The SPAN destination port can only be a physical port on the switch.

    Procedure
       Command or ActionPurpose
      Step 1switch# configure terminal  

      Enters global configuration mode.

       
      Step 2 switch(config)# interface ethernet slot/port
       

      Enters interface configuration mode for the Ethernet interface with the specified slot and port.

      Note   

      If this is a 10G breakout port, the slot/port syntax is QSFP-module/port.

      Note    To enable the switchport monitor command on virtual ethernet ports, you can use the interface vethernet slot/port command.
       
      Step 3 switch(config-if)# switchport monitor
       

      Enters monitor mode for the specified Ethernet interface. Priority flow control is disabled when the port is configured as a SPAN destination.

       
      Step 4 switch(config-if)# exit
       

      Reverts to global configuration mode.

       
      Step 5 switch(config)# monitor session session-number
       

      Enters monitor configuration mode for the specified SPAN session.

       
      Step 6 switch(config-monitor)# destination interface ethernet slot/port
       

      Configures the Ethernet SPAN destination port.

      Note   

      If this is a 10G breakout port, the slot/port syntax is QSFP-module/port.

      Note    To enable the virtual ethernet port as destination interface in the monitor configuration, you can use the destination interface vethernet slot/port command.
       

      The following example shows how to configure an Ethernet SPAN destination port (HIF): 

      switch# configure terminal
switch(config)# interface ethernet100/1/24
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 1
switch(config-monitor)# destination interface ethernet100/1/24
switch(config-monitor)#

      The following example shows how to configure a virtual ethernet (VETH) SPAN destination port: 

      switch# configure terminal
switch(config)# interface vethernet10
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2
switch(config-monitor)# destination interface vethernet10
switch(config-monitor)#

      Configuring MTU Truncation for Each SPAN Session

      To reduce the SPAN traffic bandwidth, you can configure the maximum bytes allowed for each replicated packet in a SPAN session. This value is called the maximum transmission unit (MTU) truncation size. Any SPAN packet larger than the configured size is truncated to the configured size.


      Note

      MTU Truncation is not supported for SPAN-on-Drop sessions.

      Procedure
         Command or ActionPurpose
        Step 1switch# configure terminal  

        Enters global configuration mode.

         
        Step 2switch(config) # monitor session session-number  

        Enters monitor configuration mode and specifies the SPAN session for which the MTU truncation size is to be configured.

         
        Step 3switch(config-monitor) # [no] mtu  

        Configures the MTU truncation size for packets in the specified SPAN session. The range is from 64 to 1518 bytes.

         
        Step 4switch(config-monitor) # show monitor session session-number   (Optional)

        Displays the status of SPAN sessions, including the configuration status of MTU truncation, the maximum bytes allowed for each packet per session, and the modules on which MTU truncation is and is not supported.

         
        Step 5switch(config-monitor) # copy running-config startup-config   (Optional)

        Copies the running configuration to the startup configuration.

         

        This example shows how to configure MTU truncation for a SPAN session: 

        switch# configure terminal
switch(config) # monitor session 3
switch(config-monitor) # mtu
switch(config-monitor) # copy running-config startup-config
switch(config-monitor) #

        Configuring Source Ports

        A source port can be an Ethernet port, port channel, Fiber Channel port, SAN port channel, VLAN, or a VSAN port. It cannot be a destination port.

        Procedure
           Command or ActionPurpose
          Step 1switch# configure terminal  

          Enters global configuration mode.

           
          Step 2switch(config) # monitor session session-number  

          Enters monitor configuration mode for the specified monitoring session.

           
          Step 3 switch(config-monitor) # source interface type slot/port [rx | tx | both]
           

          Adds an Ethernet SPAN source port and specifies the traffic direction in which to duplicate packets. You can enter a range of Ethernet, Fibre Channel, or virtual Fibre Channel ports. You can specify the traffic direction to duplicate as ingress (Rx), egress (Tx), or both. By default, the direction is both.

          Note   

          If this is a 10G breakout port, the slot/port syntax is QSFP-module/port.

           

          The following example shows how to configure a virtual Fibre Channel SPAN source port: 

          switch# configure terminal
switch(config)# monitor session 2
switch(config-monitor)# source interface vfc 129
switch(config-monitor)#

          Configuring the Description of a SPAN Session

          For ease of reference, you can provide a descriptive name for a SPAN session.

          Procedure
             Command or ActionPurpose
            Step 1switch# configure terminal  

            Enters global configuration mode.

             
            Step 2switch(config) # monitor session session-number 

            Enters monitor configuration mode for the specified SPAN session.

             
            Step 3 switch(config-monitor) # description description
             

            Creates a descriptive name for the SPAN session.

             

            The following example shows how to configure a SPAN session description: 

            switch# configure terminal
switch(config) # monitor session 2
switch(config-monitor) # description monitoring ports eth2/2-eth2/4
switch(config-monitor) #

            Configuring a SPAN-on-Drop Session

            Use the monitor session command to configure a SPAN-on-Drop session. Each session is identified by a unique SPAN-on-Drop session number.

            Note

            There can only be one active SPAN-on-Drop or SPAN-on-Drop ERSPAN session at any time.


            Note

            You can configure more than one destination for a SPAN-on-Drop sessions.

            Procedure
               Command or ActionPurpose
              Step 1switch# configure terminal  

              Enters global configuration mode.

               
              Step 2switch(config) # monitor session span-on-drop-session-number type span-on-drop  

              Enters SPAN-on-Drop monitor configuration mode for the specified SPAN-on-drop session.

               
              Step 3 switch(config-span-on-drop) # description description
               

              Creates descriptive name for the SPAN-on-Drop session.

               
              Step 4 switch(config-span-on-drop) # source interface ethernet slot/port rx
               

              Configures session sources. You can enter a range of Ethernet ports. SPAN-on-Drop sessions supports ingress traffic only.

               
              Step 5 switch(config-span-on-drop) # destination interface ethernet slot/port
               

              Configures the Ethernet SPAN-on-Drop destination port.

               
              Step 6switch(config) # show monitor session session-number   (Optional)

              Displays the status of SPAN-on-Drop sessions.

               
              Step 7switch(config) # copy running-config startup-config   (Optional)

              Copies the running configuration to the startup configuration.

               

              This example shows how to configure a SPAN-on-Drop session: 

              switch# configure terminal
switch(config) # monitor session 3 type span-on-drop
switch(config-span-on-drop) # description span-on-drop-session_3
switch(config-span-on-drop) # source interface ethernet 1/3
switch(config-span-on-drop) # destination interface ethernet 1/2
switch(config) # copy running-config startup-config
switch(config) #

              Configuring a SPAN-on-Latency Session

              You can configure a maximum transmission unit (MTU) size for the SPAN traffic to reduce the amount of fabric or network bandwidth used in sending SPAN packets.

              Procedure
                 Command or ActionPurpose
                Step 1 enable


                Example: 
                switch> enable
                 

                Enables privileged EXEC mode. Enter your password if prompted.

                 
                Step 2configure terminal


                Example: 
                switch# configure terminal
switch(config)#
                 

                Enters global configuration mode.

                 
                Step 3interface ethernet slot/port


                Example: 
                switch(config)# interface ethernet 1/1
                 

                Enters interface configuration mode.

                 
                Step 4packet latency threshold threshold


                Example: 
                switch(config-if)# packet latency threshold 53000000
                 

                Configures the latency threshold value on an interface. Valid values are from 8 to 536870904 nano seconds.

                 
                Step 5monitor session session_number type span-on-latency


                Example: 
                switch(config)# monitor session 1 type span-on-latency
switch(config-span-on-latency)#
                 

                Defines a SPAN source session using the session ID and the session type, and places the command in SPAN monitor source session configuration mode.

                The session_number argument range is from 1 to 1024. The same session number cannot be used more than once.

                The session ID (configured by the span_session number argument) and the session type (configured by the span-on-latency keyword) cannot be changed once entered. To change session ID or session type, use the no version of the command to remove the session and then re-create the session through the command with a new session ID or a new session type.

                 
                Step 6description description


                Example: 
                switch(config-span-on-latency)# description SPAN-on-Latency-session
                 

                Adds a description to the session configuration.

                 
                Step 7source interface ethernet slot/port


                Example: 
                switch(config-span-on-latency)# source interface ethernet 1/3
                 

                Specifies the Ethernet interface to use as the source SPAN port.

                 
                Step 8destination interface ethernet slot/port


                Example: 
                switch(config-span-on-latency)# destination interface ethernet 1/1
                 

                Specifies the Ethernet interface to use as the session destination port.

                 
                Step 9mtu mtu-value


                Example: 
                switch(config-span-on-latency)# mtu 1500
                 

                Defines the MTU truncation size for SPAN packets. Valid values are from 64 to 1518.

                The default is no truncation enabled.

                 
                Step 10exit


                Example: 
                switch(config-span-on-latency)# exit
                 

                Updates the configuration and exits SPAN-on-Latency session configuration mode.

                 
                Step 11copy running-config startup-config


                Example: 
                switch(config)# copy running-config startup-config
                                  		(Optional)

                Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

                 

                Activating a SPAN Session

                The default is to keep the session state shut. You can open a session that duplicates packets from sources to destinations.

                Procedure
                   Command or ActionPurpose
                  Step 1switch# configure terminal  

                  Enters global configuration mode.

                   
                  Step 2 switch(config) # no monitor session {all | session-number} shut
                   

                  Opens the specified SPAN session or all sessions.

                   

                  The following example shows how to activate a SPAN session: 

                  switch# configure terminal
switch(config) # no monitor session 3 shut

                  Troubleshooting SPAN session issues

                  If a SPAN session is down, do the following:

                  • Check if one of the destination port is operational by performing the following:

                    • Use the show running interface interface command and check if the switchport monitor is configured.

                    • Use the show interface interface command and check if the destination interface shows the status as "admin up".

                  • Use the show interface interface command to check if one of the source port is operational and if the source interface shows the status as "admin up".

                  Troubleshooting SPAN session with large number of source ports issues

                  Table 1 Troubleshooting SPAN session with large number of source ports

                  Problem Description

                  Solution

                  Recommendation

                  When a SPAN session is configured with maximum supported range of 128 source ports at one go, the configuration session may encounter "Service not responding" message.

                  Remove the ports and configure them in smaller ranges (example, 1 to 48) and then use the shutdown and no shutdown command on the session.

                  Configure the individual ports in small ranges (example, 1 to 48).

                  After using the shutdown and then no shutdown on a range of SPAN session configured with maximum of ports (example, 128), some sessions do not come up.

                  Remove some ports from the specific SPAN session. Add the removed ports back to the same SPAN session and then use the no shutdown command.

                  Use the shutdown command on each port.

                  After creating a SPAN session with 128 source ports, the no shutdown command displays a "Service not responding" message.

                  Use the no shutdown command repeatedly to bring up the SPAN session.

                  Displaying SPAN Information

                  Procedure
                     Command or ActionPurpose
                    Step 1 switch# show monitor [session {all | session-number | range session-range} [brief]]
                     

                    Displays the SPAN configuration.

                     

                    The following example shows how to display SPAN session information: 

                    switch# show monitor
SESSION  STATE        REASON                  DESCRIPTION
-------  -----------  ----------------------  --------------------------------
2        up           The session is up
3        down         Session suspended
4        down         No hardware resource

                    The following example shows how to display SPAN session details: 

                    switch# show monitor session 2
   session 2
---------------
type              : local
state             : up
acl-name	   			   : acl1
source intf       :

source VLANs      :
    rx            :
source VSANs      :
    rx            : 1
destination ports : Eth3/1

                    This example shows details for a SPAN session with multiple destination ports: 

                    switch(config-monitor)# show monitor session 5
   session 5
---------------
type              : local
state             : up
source intf       : 
    rx            : Eth1/1
    tx            : Eth1/1      
    both          : Eth1/1      
source VLANs      : 
    rx            : 
source VSANs      : 
    rx            : 
destination ports : Eth1/8, Eth1/9

                    This example shows details for a SPAN-on-Drop session: 

                    switch(config-monitor)# show monitor session 48
  session 48
---------------
description       : span-on-drop-session
type              : span-on-drop
state             : up
mtu               : 0
source ports      : Eth1/2
destination ports : Eth1/3

                    Configuration Example for SPAN-on-Latency Session

                    This example shows how to configure an SPAN-on-Latency session: 

                    switch# configure terminal
switch(config) # interface ethernet 1/1
switch(config-if) # packet latency threshold 530000000
switch(config) # monitor session 11 type span-on-latency
switch(config-span-on-latency) # description span-on-latency-session_11
switch(config-span-on-latency) # source interface ethernet 1/3
switch(config-span-on-latency) # destination interface ethernet 1/1
switch(config-span-on-latency) # mtu 1500
switch(config) # copy running-config startup-config
switch(config) #