About SPAN
SPAN analyzes all traffic between source ports by directing the SPAN session traffic to a destination port with an external analyzer attached to it.
You can define the sources and destinations to monitor in a SPAN session on the local device.
SPAN Sources
The interfaces from which traffic can be monitored are called SPAN sources. Sources designate the traffic to monitor and whether to copy ingress (Rx), egress (Tx), or both directions of traffic. SPAN sources include the following:
-
Ethernet ports (but not subinterfaces)
-
Port channels
-
The inband interface to the control plane CPU
Note
When you specify the supervisor inband interface as a SPAN source, the device monitors all packets that are sent by the Supervisor CPU.
-
VLANs
Note
When you specify a VLAN as a SPAN source, all supported interfaces in the VLAN are SPAN sources.
Note
VLANs can be SPAN sources only in the ingress direction.
-
Satellite ports and host interface port channels on the Cisco Nexus 2000 Series Fabric Extender (FEX)
Note
These interfaces are supported in Layer 2 access mode and Layer 2 trunk mode. They are not supported in Layer 3 mode, and Layer 3 subinterfaces are not supported.
Note
Cisco Nexus 9300 and 9500 platform switches (excluding the Cisco Nexus 9300-EX switches) support FEX ports as SPAN sources in the ingress direction for all traffic and in the egress direction only for known Layer 2 unicast traffic flows through the switch and FEX. Routed traffic might not be seen on FEX HIF egress SPAN. Cisco Nexus 9300-EX platform switches support FEX ports as SPAN sources only in the ingress direction.
Note |
A single SPAN session can include mixed sources in any combination of the above. |
Characteristics of Source Ports
SPAN source ports have the following characteristics:
-
A port configured as a source port cannot also be configured as a destination port.
-
If you use the supervisor inband interface as a SPAN source, the following packets are monitored:
- All packets that arrive on the supervisor hardware (ingress)
- All packets generated by the supervisor hardware (egress)
SPAN Destinations
SPAN destinations refer to the interfaces that monitor source ports. Destination ports receive the copied traffic from SPAN sources. SPAN destinations include the following:
-
Ethernet ports in either access or trunk mode
-
Port channels in either access or trunk mode
-
Uplink ports on Cisco Nexus 9300 Series switches
-
The CPU on Cisco Nexus 9200 Series switches, beginning with Cisco NX-OS Release 7.0(3)I4(1), and Cisco Nexus 9300-EX Series switches, beginning with Cisco NX-OS Release 7.0(3)I4(2)
Note |
FEX ports are not supported as SPAN destination ports. |
Characteristics of Destination Ports
SPAN destination ports have the following characteristics:
-
A port configured as a destination port cannot also be configured as a source port.
-
A destination port can be configured in only one SPAN session at a time.
-
Destination ports do not participate in any spanning tree instance. SPAN output includes bridge protocol data unit (BPDU) Spanning Tree Protocol hello packets.
SPAN Sessions
You can create SPAN sessions to designate sources and destinations to monitor.
See the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide for information on the number of supported SPAN sessions.
This figure shows a SPAN configuration. Packets on three Ethernet ports are copied to destination port Ethernet 2/5. Only traffic in the direction specified is copied.
Localized SPAN Sessions
A SPAN session is localized when all of the source interfaces are on the same line card. A session destination interface can be on any line card.
Note |
A SPAN session with a VLAN source is not localized. |
SPAN Truncation
Beginning with Cisco NX-OS Release 7.0(3)I7(1), you can configure the truncation of source packets for each SPAN session based on the size of the MTU. Truncation helps to decrease SPAN bandwidth by reducing the size of monitored packets. Any SPAN packet that is larger than the configured MTU size is truncated to the given size. For example, if you configure the MTU as 300 bytes, the packets with greater than 300 bytes are truncated to 300 bytes.
SPAN truncation is disabled by default. To use truncation, you must enable it for each SPAN session.
Multicast Tx SPAN Across Different Slices
Beginning with Cisco NX-OS Release 7.0(3)I7(1), SPAN for multicast Tx traffic is supported across different leaf spine engine (LSE) slices on Cisco Nexus 9300-EX platform switches. The slices must be on the same LSE.
Eth1/15 can receive multicast traffic with a receiver on Eth1/16, and traffic egressing Eth1/16 can be spanned across to Eth1/17 because these ports are all on the same slice. With multicast Tx SPAN enabled, Eth1/27 (which is on a different slice) can be the SPAN destination for multicast Tx traffic with Eth1/16 as the SPAN source.
ACL TCAM Regions
You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware. For information on the TCAM regions used by SPAN sessions, see the "Configuring IP ACLs" chapter of theCisco Nexus 9000 Series NX-OS Security Configuration Guide.
High Availability
The SPAN feature supports stateless and stateful restarts. After a reboot or supervisor switchover, the running configuration is applied. For more information on high availability, see the Cisco Nexus 9000 Series NX-OS High Availability and Redundancy Guide.