ERSPAN has the
following configuration guidelines and limitations:
-
For ERSPAN session
limits, see the
Cisco Nexus
7000 Series NX-OS Verified Scalability Guide.
-
All ERSPAN
replication is performed in the hardware. The supervisor CPU is not involved.
-
Control plane
traffic generated by Supervisor 2 can be ERSPAN encapsulated but cannot be
filtered by an ERSPAN ACL.
-
Control plane
packets generated by Supervisor 1 cannot be ERSPAN encapsulated or filtered by
an ERSPAN ACL.
-
When you configure an ERSPAN source on a Cisco Nexus 7000 Series switch that acts as an MPLS PE and the destination of the ERSPAN
session is remote across the MPLS network, the ERSPAN packet is transmitted as a regular IP packet and does not include
the MPLS label. As a result, the packet is dropped at the remote PE.
-
ERSPAN and ERSPAN
ACLs are not supported on F1 Series modules. For the VDCs that have F1 Series
modules only, you can configure ERSPAN source and destination sessions and
ERSPAN ACL source sessions, but they never come up.
-
ERSPAN source
sessions are supported on F2 Series and F2e (enhanced) Series modules.
Beginning with Cisco NX-OS Release 6.2(2), ERSPAN destination sessions are
also supported on these modules. However, ERSPAN ACL sessions are not supported
on F2 Series and F2e Series modules.
-
ERSPAN source,
destination, and ACL sessions are supported on M Series modules.
-
The decapsulation
of generic routing encapsulation (GRE) or ERSPAN packets received on an F1
Series module is not supported.
-
ERSPAN and ERSPAN
ACL sessions are terminated identically at the destination router.
-
ERSPAN is not
supported for management ports.
-
ERSPAN does not support packet fragmentation. The "do not fragment" bit is set in the IP header of ERSPAN packets.
-
A destination port
can be configured in only one ERSPAN session at a time.
-
You cannot
configure a port as both a source and destination port.
-
A single ERSPAN
session can include mixed sources in any combination of the following:
Note: ERSPAN does not monitor any packets that are generated by the supervisor, regardless of their
source.
-
Destination
ports do not participate in any spanning tree instance or Layer 3 protocols.
-
When
an ERSPAN session contains source ports or VLAN sources that are monitored in
the transmit or transmit and receive direction, packets that these ports
receive might be replicated to the ERSPAN destination port even though the
packets are not actually transmitted on the source ports. Some examples of this
behavior on source ports are as follows:
-
You can enable
ERSPAN for a source port before it becomes operationally active. For Layer 2
ports, traffic flooded to the VLANs that contain these ports is captured even
when the link is not connected for the ports.
-
For VLAN ERSPAN
sessions with both ingress and egress configured, two packets (one from ingress
and one from egress) are forwarded from the destination port if the packets get
switched on the same VLAN.
-
You can monitor
the inband interface only from the default VDC. Inband traffic from all VDCs is
monitored.
-
A FabricPath
core port is not supported as an ERSPAN destination when an F2 Series or F2e
Series module is present in a VDC. However, a FabricPath core port can be
configured as an ERSPAN source interface.
-
When using
ERSPAN sessions on F2 Series or F2e Series modules, ensure that the total
amount of source traffic in a given session is less than or equal to the
capacity of the ERSPAN destination interface or port channel for that session.
If the ERSPAN source traffic exceeds the capacity of the ERSPAN destination,
packet drops might occur on the ERSPAN source interfaces.
-
Beginning with
Cisco NX-OS Release 5.2, you can configure the Cisco Nexus 2000 Series Fabric
Extender (FEX) interfaces and the fabric port channels connected to the Cisco
Nexus 2000 Series Fabric Extender as ERSPAN sources. However, you cannot
configure them as ERSPAN destinations.
Note: ERSPAN on
Fabric Extender interfaces and fabric port channels is supported on the M1
Series and M2 Series modules. ERSPAN runs on the Cisco Nexus 7000 Series
device, not on the Fabric Extender. F2 Series and F2e Series modules support
FEX, but they do not support FEX ERSPAN. Therefore, the FEX interfaces that are
connected through the F2 Series and F2e Series modules cannot be made ERSPAN
sources.
-
You can span
Fabric port channels on F2 Series and F2e Series modules.
-
VLANs that
contain FEX interfaces can be an ERSPAN source, but the ingress traffic through
the F2 Series or F2e Series module-based FEX ports cannot be captured.
-
Layer 3
multicast egress packets cannot be spanned on F2 Series or F2e Series modules.
-
ERSPAN is
supported on Fabric Extender interfaces in Layer 2 access mode, Layer 2 trunk
mode, and Layer 3 mode. Layer 3 subinterfaces are not supported.
-
For ERSPAN
sessions, the recommended MTU size is 144 bytes or greater because MTU
truncation occurs after the packets are encapsulated.
-
The rate limit
percentage of an ERSPAN session is based on 10G, 40G, and 100G for the
respective modules (that is, 1 percent corresponds to 0.1G, 0.4G, or 1G
respectively), and the value is applied to each forwarding engine instance.
-
MTU truncation
and the ERSPAN source rate limit are supported only on F2 Series, F2e Series,
and M2 Series modules and Supervisor 2. They are not supported on M1 Series
modules.
-
For F2 Series
and F2e Series modules, spanned FabricPath (core) packets have a 16-byte core
header at the ERSPAN destination, and ingress FEX packets spanned through the
fabric port channel have a 6-byte Vntag header at the ERSPAN destination. In
addition, when trunk ports are used as the ERSPAN destination, the spanned
packets have a 4-byte VLAN tag.
-
For F2 Series
and F2e Series modules, egress ERSPAN packets of all traffic that ingresses on
Layer 2 ports (including edge-to-edge traffic) have a 16-byte MAC-in-MAC header
at the ERSPAN destination.
-
While setting the IP TTL in the ERSPAN header:
-
On M Series line cards, after ERSPAN encapsulation or decapsulation, the packets
are sent to the EARL for recirculation, and hence the TTL is decremented by the EARL.
-
On F2 and F2e Series modules, there is no recirculation overhead, and hence there
is a digression from the actual behavior of TTL decrements.
-
F1 Series modules do not support ERSPAN.
-
For MTU
truncation on M2 Series modules, the truncated length of ERSPAN packets is
rounded down to the nearest multiple of 16 bytes. For example, with an MTU
configuration value of 65 to 79, packets are truncated to 64 bytes.
-
For certain rate
limit and packet size values on F2 Series modules, F2e Series modules, M2
Series modules, and Supervisor 2, the ERSPAN packet rate is less than the
configured value because of the internal accounting of packet sizes and
internal headers.
-
ERSPAN sampling
is supported only on F2 Series and F2e Series modules. It is not supported on M
Series modules.
-
Multicast best
effort mode applies only to M1 Series modules.
-
Beginning with
Cisco NX-OS Release 6.1, ERSPAN source sessions are supported on Supervisor 2,
but ERSPAN ACL sessions are not.
-
ERSPAN Type III
source is supported only on F2 Series, F2e Series, and M2 Series modules.
-
ERSPAN Type III
termination is supported only on M2 Series modules. That is, Type III ERSPAN
packets are decapsulated only when they reach their destination through M2
Series modules.
-
Beginning with
Cisco NX-OS Release 6.2(2), ERSPAN packets ingressing the destination switch on
F2 Series or F2e Series modules can be terminated. IPv4 termination is
supported but not IPv6 termination. F2 Series module termination on VDC virtual
routing and forwarding (VRF) instances is not supported.
-
Supervisor 2
supports ERSPAN Type II and ERSPAN Type III for inband ports, but timestamps
are not synchronized with the Precision Time Protocol (PTP) master timers.
-
1588 granularity
mode is not supported in Cisco NX-OS Release 6.1 and is rejected if selected.
-
M2 Series
modules support 100 microseconds (ms), 100 nanoseconds (ns), and ns
granularity. F2 Series and F2e Series modules support only 100 ms and 100 ns
granularity.
-
When ERSPAN
traffic is terminated on M2 Series modules, drops can occur at higher rates
because all ERSPAN traffic for one session converges into one forwarding
instance.
-
If the global
granularity configuration is not supported for a particular module, that module
reverts to 100-ms granularity. For example, if granularity is set to ns, all M2
Series modules will enable ns granularities, and all F2 Series and F2e Series
modules will internally enable and send packets with the 100-ms timestamp. Use
the show monitor session command to display the supported and unsupported
granularities for each module.
-
F2 Series and
F2e Series modules do not use the access control list (ACL) complex for ERSPAN
Type III ACLs, so an ACL filter cannot be applied to F2 Series and F2e Series
module traffic. However, for M2 Series modules, it is possible to encapsulate
the packets using the Type III header after applying an ACL.
-
F2 Series and
F2e Series modules support a 32-bit timestamp in the ERSPAN Type III header
while M2 Series modules support a 64-bit timestamp.
-
If you enable
ERSPAN on a vPC and ERSPAN packets need to be routed to the destination through
the vPC, packets that come through the vPC peer-link cannot be captured.
-
Extended ERSPAN
sessions cannot source incoming traffic on M1 Series modules in either the
ingress or egress direction.
-
Traditional SPAN
sessions support traffic from F Series and M Series modules. Extended SPAN
sessions support traffic only from F Series and M2 Series modules.
-
Hardware session
15 is used by NetFlow on F2 and F2e Series modules. Any extended session using
this hardware ID will not span incoming traffic on the F2 and the F2e ports.
-
Only eight
sessions can support rate limiting on M2 Series modules. Any additional
hardware sessions will not apply the configured rate limiter on M2 Series
modules.
-
M1 Series
modules and Supervisor 1 do not support rule-based ERSPAN. They support only
VLAN filtering.
-
M1 and M2 Series
modules support exception ERSPAN only in the nonadministration VDC, and at
least one interface of the module must be present for the VDC.
-
F1 Series
modules have limited support for rule-based ERSPAN. They do not support the
IPv6 source IP filter and the IPv6 destination IP filter. They support only
IPv4 and IPv6 ToS filters with values from 0 to 3. Port-channel member lane,
FCoE source ID, and FCoE destination ID are not supported.
-
F2 and F2e
Series modules have limited support for rule-based ERSPAN. They do not support
wildcards in the IPv6 source IP filter and IPv6 destination IP filter, and they
do not support egress ERSPAN filtering for destination MAC addresses and source
MAC addresses.
-
ERSPAN ACLs are
not supported for use with OTV.
-
ERSPAN source
sessions are supported on F3 Series modules. Beginning with Cisco NX-OS Release
7.2, ERSPAN destination sessions are also supported on these modules. However,
ERSPAN ACL sessions are not supported on F3 Series modules.
-
ERSPAN termination takes place at the ingress point of entry of
the destination switch (and not the final destination), so the ingress module
at the destination switch must support ERSPAN termination. Beginning with Cisco
NX-OS Release 7.2(0)D1(1), ERSPAN termination is supported on F3 line cards.
-
Beginning with
Cisco NX-OS Release 7.3(0)DX(1), ERSPAN source and destination sessions are
supported on M3 Series modules.
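
A capture sensor that receives the GRE stream can check what each packet actually carries: Type II or Type III, whether MTU truncation cut the frame, and which timestamp granularity the sending module really used. The Python decoder below is an added example, not Cisco code; it assumes the field layout of the publicly documented ERSPAN Type II and Type III headers, and the sample packets are constructed, not captured.

```python
import struct

GRE_TYPE_II, GRE_TYPE_III = 0x88BE, 0x22EB  # GRE protocol types for ERSPAN
# Meaning of the 2-bit Gra field in the Type III header
GRANULARITY = {0: "100 microseconds", 1: "100 nanoseconds",
               2: "IEEE 1588", 3: "user-defined"}

def parse_erspan(gre: bytes) -> dict:
    """Decode the GRE and ERSPAN headers that precede a mirrored frame."""
    if len(gre) < 8:
        raise ValueError("too short for GRE with a sequence number")
    flags, proto, seq = struct.unpack_from("!HHI", gre, 0)
    if proto not in (GRE_TYPE_II, GRE_TYPE_III):
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")
    if flags != 0x1000:  # Type II/III set only the S (sequence) bit
        raise ValueError(f"unexpected GRE flags 0x{flags:04x}")
    hdr_len = 8 if proto == GRE_TYPE_II else 12
    if len(gre) < 8 + hdr_len:
        raise ValueError("truncated ERSPAN header")
    w0, w1 = struct.unpack_from("!HH", gre, 8)
    info = {
        "version": w0 >> 12,             # 1 = Type II, 2 = Type III
        "vlan": w0 & 0x0FFF,
        "cos": w1 >> 13,
        "truncated": bool(w1 & 0x0400),  # T bit: frame cut by MTU truncation
        "session_id": w1 & 0x03FF,
        "sequence": seq,
    }
    if info["version"] != (1 if proto == GRE_TYPE_II else 2):
        raise ValueError("ERSPAN version does not match GRE protocol type")
    if proto == GRE_TYPE_II:
        info["index"] = struct.unpack_from("!I", gre, 12)[0] & 0xFFFFF
    else:
        ts, _sgt, tail = struct.unpack_from("!IHH", gre, 12)
        info["timestamp"] = ts           # 32-bit timestamp field
        info["granularity"] = GRANULARITY[(tail >> 1) & 0x3]
        info["has_subheader"] = bool(tail & 0x1)  # O bit: 8 more bytes follow
        if info["has_subheader"]:
            hdr_len += 8                 # sub-header is skipped, not decoded
            if len(gre) < 8 + hdr_len:
                raise ValueError("truncated platform sub-header")
    info["payload_offset"] = 8 + hdr_len  # where the mirrored frame starts
    return info

# Constructed samples: Type III (session 42, VLAN 100, T bit set, 100-ns
# granularity) and Type II (session 5, VLAN 10), each with 14 filler bytes.
SAMPLE_III = struct.pack("!HHIHHIHH", 0x1000, GRE_TYPE_III, 7,
                         0x2064, 0x042A, 123456, 0, 0x0002) + b"\xaa" * 14
SAMPLE_II = struct.pack("!HHIHHI", 0x1000, GRE_TYPE_II, 1,
                        0x100A, 0x0005, 3) + b"\xbb" * 14
```

Comparing the decoded granularity with the globally configured value shows when a module has reverted to the 100-ms timestamp described above.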