-
Traffic that is denied by an ACL may still reach the SPAN destination port because SPAN replication is performed on the ingress
side before ACL enforcement (that is, before the ACL drops the traffic).
-
For SPAN session limits, see the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.
-
All SPAN replication is performed in the hardware. The supervisor CPU is not involved.
-
The Cisco Nexus 3232C and 3264Q switches do not support SPAN on CPU as destination.
-
You can configure a SPAN session on the local device only. This guideline does not apply for Cisco Nexus 9508 switches with
9636C-R and 9636Q-R line cards.
-
Packets with FCS errors are not mirrored in a SPAN session.
-
FEX and SPAN port-channel destinations are not supported on the Cisco Nexus 9500 platform switches with an -EX or -FX type
line card.
-
You can configure only one destination port in a SPAN session.
-
SPAN mirroring is not supported for PBR traffic.
-
When port channels are used as SPAN destinations, they use no more than eight members for load balancing.
-
Beginning with Cisco NX-OS Release 7.0(3)I1(1), a maximum of 48 source interfaces are supported per SPAN session (Rx and Tx,
Rx, or Tx).
-
SPAN does not support destinations on Cisco Nexus 9408PC-CFP2 line card ports.
-
Configuring two SPAN or ERSPAN sessions on the same source interface with only one filter is not supported. If the same source
is used in multiple SPAN or ERSPAN sessions either all the sessions must have different filters or no sessions should have
filters.
-
The same source cannot be configured in multiple SPAN sessions when a VLAN filter is configured.
-
The following guidelines apply to SPAN copies of access port dot1q headers:
-
When traffic ingresses from a trunk port and egresses to an access port, an egress SPAN copy of an access port on a switch
interface always has a dot1q header.
-
When traffic ingresses from an access port and egresses to a trunk port, an ingress SPAN copy of an access port on a switch
interface does not have a dot1q header.
-
When traffic ingresses from an access port and egresses to an access port, an ingress/egress SPAN copy of an access port on
a switch interface does not have a dot1q header.
-
You cannot configure a port as both a source and destination port.
-
Enabling UniDirectional Link Detection (UDLD) on the SPAN source and destination ports simultaneously is not supported. If
UDLD frames are expected to be captured on the source port of such SPAN session, disable UDLD on the destination port of the
SPAN session.
-
SPAN is not supported for management ports.
-
Statistics are not supported for the filter access group.
-
SPAN is supported in Layer 3 mode; however, SPAN is not supported on Layer 3 subinterfaces or Layer 3 port-channel subinterfaces.
-
Beginning with Cisco NX-OS Release 7.0(3)I4(1), the same source can be part of multiple sessions.
-
When a SPAN session contains source ports that are monitored in the transmit or transmit and receive direction, packets that
these ports receive might be replicated to the SPAN destination port even though the packets are not actually transmitted
on the source ports. Some examples of this behavior on source ports are as follows:
-
SPAN sessions cannot capture packets with broadcast or multicast MAC addresses that reach the supervisor, such as ARP requests
and Open Shortest Path First (OSPF) protocol hello packets, if the source of the session is the supervisor Ethernet in-band
interface. To capture these packets, you must use the physical interface as the source in the SPAN sessions.
-
VLAN SPAN monitors only the traffic that enters Layer 2 ports in the VLAN.
-
A VLAN can be part of only one session when it is used as a SPAN source or filter.
-
VLANs can be SPAN sources in the ingress and egress direction on Cisco Nexus 9508 switches with N9K-X9636C-R and N9K-X9636Q-R
line cards. For all other switches, VLANs are supported as SPAN sources only in the ingress direction.
-
VLAN ACL redirects to SPAN destination ports are not supported.
-
When using a VLAN ACL to filter a SPAN, only action forward is supported; action drop and action redirect are not supported.
-
The combination of VLAN source session and port source session is not supported. If the traffic stream matches the VLAN source
session as well as port source session, two copies are needed at two destination ports. Due to the hardware limitation, only
the VLAN source SPAN and the specific destination port receive the SPAN packets. This limitation applies only to the following Cisco devices:
Table 1. Cisco Nexus 9000 Series Switches
Cisco Nexus 93120TX | Cisco Nexus 93128TX | Cisco Nexus 9332PQ
Cisco Nexus 9372PX | Cisco Nexus 9372PX-E | Cisco Nexus 9372TX
Cisco Nexus 9396PX | Cisco Nexus 9372TX-E | Cisco Nexus 9396TX
Table 2. Cisco Nexus 9000 Series Line Cards, Fabric Modules, and GEM Modules
N9K-X9408PC-CFP2 | N9K-X9536PQ | N9K-C9508-FM
N9K-X9432PQ | N9K-X9564PX | N9K-C9504-FM
N9K-X9464PX | N9K-X9564TX | N9K-C9516-FM
N9K-X9464TX | N9K-X9636PQ | N9K-M4PC-CFP2
-
For VXLAN/VTEP, SPAN source or destination is supported on any port.
-
The number of SPAN sessions per line card reduces to two if the same interface is configured as a bidirectional source in
more than one session. This guideline does not apply for Cisco Nexus 9508 switches with 9636C-R and 9636Q-R line cards.
-
A single forwarding engine instance supports four SPAN sessions. For Cisco Nexus 9300 Series switches, if the first three
sessions have bidirectional sources, the fourth session has hardware resources only for Rx sources. This limitation might
also apply to Cisco Nexus 9500 Series switches, depending on the SPAN source's forwarding engine instance mappings. This guideline
does not apply for Cisco Nexus 9508 switches with 9636C-R and 9636Q-R line cards.
-
An access-group filter in a SPAN session must be configured as vlan-accessmap. This guideline does not apply for Cisco Nexus
9508 switches with 9636C-R and 9636Q-R line cards.
-
Beginning with Cisco NX-OS Release 7.0(3)I7(3), NetFlow and SPAN functionality is supported on Cisco Nexus 9336C-FX2 and
Cisco Nexus 93240YC-FX2 switches.
-
Supervisor-generated stream of bytes module header (SOBMH) packets have all of the information to go out on an interface and
can bypass all forwarding lookups in the hardware, including SPAN and ERSPAN. CPU-generated frames for Layer 3 interfaces
and the Bridge Protocol Data Unit (BPDU) class of packets are sent using SOBMH. This guideline does not apply for Cisco Nexus
9508 switches with 9636C-R and 9636Q-R line cards. The Cisco Nexus 9636C-R and 9636Q-R both support inband SPAN and local
SPAN.
-
In Cisco NX-OS Release 7.0(3)I2(1) and earlier releases, IPv6 ACL filters for Layer 2 ports are not supported on Cisco Nexus 9000 Series switches and the Cisco Nexus 3164Q switch.
-
Cisco NX-OS does not span Link Layer Discovery Protocol (LLDP) or Link Aggregation Control Protocol (LACP) packets when the
source interface is not a host interface port channel.
-
Beginning with Cisco NX-OS Release 7.0(3)I4(1), Cisco Nexus 9300 and 9500 platform switches support multiple ACL filters
on the same source.
-
The following limitations apply to egress (Tx) SPAN and these switches:
-
Cisco Nexus 92160YC-X
-
Cisco Nexus 92304QC
-
Cisco Nexus 9272Q
-
Cisco Nexus 9236C
-
Cisco Nexus 92300YC
-
ACL filtering is not supported (applies to both unicast and Broadcast, Unknown Unicast and Multicast (BUM) traffic).
-
VLAN filtering is supported, but only for unicast traffic.
-
VLAN filtering is not supported for BUM traffic.
-
SPAN copies for multicast packets are made prior to rewrite. Therefore, the TTL, VLAN ID, any remarking due to egress policy,
and so on, are not captured in the SPAN copy.
-
If SPAN is mirroring traffic that ingresses on an interface in one ASIC instance and egresses on a Layer 3 interface (the SPAN
source) on a different ASIC instance, the Tx mirrored packet will have VLAN ID 4095 on Cisco Nexus 9500 platform modular
switches using non-EX line cards.
-
Only Cisco Nexus 9300-EX platform switches support SPAN for multicast Tx traffic across different slices, beginning with Cisco
NX-OS Release 7.0(3)I7(1). The slices must be on the same leaf spine engine (LSE).
-
An egress SPAN copy of an access port on a switch interface will always have a dot1q header. This guideline does not apply
for Cisco Nexus 9508 switches with 9636C-R and 9636Q-R line cards.
-
For Tx interface SPAN with Layer 2 switch port and port-channel sources on Cisco Nexus 9300-EX Series switches, only one copy
is made per receiver unit regardless of how many Layer 2 members are receiving the stream in the same VLAN. For example, if
e1/1-8 are all Tx direction SPAN sources and all are joined to the same group, the SPAN destination port sees one pre-rewrite
copy of the stream, not eight copies. In addition, if for any reason one or more of those ports drops the packets on egress
(for example, due to congestion), the packets may still reach the SPAN destination port. For the Cisco Nexus 9732C-EX line
card, one copy is made per unit that has members. For port-channel sources, the Layer 2 member that will SPAN is the first
port-channel member.
-
The flows for post-routed unknown unicast flooded packets are in the SPAN session, even if the SPAN session is configured
to not monitor the ports on which this flow is forwarded. This limitation applies to Network Forwarding Engine (NFE) and NFE2-enabled
EOR switches and SPAN sessions that have Tx port sources.
-
Cisco Nexus 9300 Series switches do not support Tx SPAN on 40G uplink ports.
Note: This limitation does not apply to Nexus 9300-EX/FX/FX2 platform switches that have the 100G interfaces.
-
Prior to Cisco NX-OS Release 7.0(3)I5(2), Tx SPAN is not supported for multicast, unknown multicast, and broadcast traffic
when the SPAN source port(s) and the SPAN destination port are on different forwarding engine slices. Beginning with Cisco
NX-OS Release 7.0(3)I5(2), SPAN Tx broadcast and SPAN Tx multicast are supported for Layer 2 port and port-channel sources
across slices on Cisco Nexus 9300-EX platform switches and the Cisco Nexus 9732C-EX line card but only when IGMP snooping
is disabled. (Otherwise, the slice limitation still applies.) These features are not supported for Layer 3 port sources, FEX
ports (with unicast or multicast traffic), and VLAN sources.
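Several of the general guidelines above can be checked before a change window. The following is an added example, not Cisco code: a small checker that applies five of them (one destination per session, at most 48 source interfaces, no port as both source and destination, a VLAN in only one session as source or filter, and the shared-source filter rule) to a planned set of sessions. The dictionary layout, port names, and filter names are assumptions made for illustration, and platform-specific exceptions are not modeled.

```python
from collections import defaultdict

MAX_SOURCES = 48  # per-session source-interface limit from the guidelines

def check_span_sessions(sessions):
    """Return sorted guideline violations for a planned set of SPAN sessions."""
    problems = []
    vlan_use = defaultdict(set)     # VLAN -> sessions using it as source or filter
    source_use = defaultdict(list)  # port -> [(session id, ACL filter or None)]
    all_sources, all_dests = set(), set()

    for sid, s in sessions.items():
        if len(s["destinations"]) != 1:
            problems.append(f"session {sid}: exactly one destination port is allowed")
        if len(s["sources"]) > MAX_SOURCES:
            problems.append(f"session {sid}: more than {MAX_SOURCES} source interfaces")
        all_sources.update(s["sources"])
        all_dests.update(s["destinations"])
        for vlan in set(s["source_vlans"]) | set(s["filter_vlans"]):
            vlan_use[vlan].add(sid)
        for port in set(s["sources"]):
            source_use[port].append((sid, s["acl_filter"]))

    for port in all_sources & all_dests:
        problems.append(f"{port}: configured as both source and destination")
    for vlan, sids in vlan_use.items():
        if len(sids) > 1:
            problems.append(f"VLAN {vlan}: source or filter in sessions {sorted(sids)}")
    for port, uses in source_use.items():
        filters = [f for _, f in uses]
        named = [f for f in filters if f is not None]
        # A shared source needs all-distinct filters, or no filters at all.
        mixed = len(named) < len(filters)
        duplicated = len(set(named)) < len(named)
        if len(uses) > 1 and named and (mixed or duplicated):
            sids = sorted(sid for sid, _ in uses)
            problems.append(f"{port}: shared by sessions {sids} with missing or duplicate filters")
    return sorted(problems)

# Constructed sample plan (hypothetical ports and filter names, not from the guide).
PLAN = {
    1: {"sources": ["e1/1", "e1/2"], "source_vlans": [], "filter_vlans": [10],
        "destinations": ["e1/10"], "acl_filter": "FILTER_A"},
    2: {"sources": ["e1/1", "e1/10"], "source_vlans": [10], "filter_vlans": [],
        "destinations": ["e1/11", "e1/12"], "acl_filter": None},
}
if __name__ == "__main__":
    for problem in check_span_sessions(PLAN):
        print(problem)
```

The constructed plan trips four of the five checks; the 48-source limit is the one it does not exercise.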
The following guidelines and limitations apply to Cisco Nexus 9200 and 9300-EX Series switches:
-
Cisco Nexus 9300-EX platform switches support FEX ports as SPAN sources only in the ingress direction.
-
On Cisco Nexus 9300-EX/FX/FX2 platform switches, and Cisco Nexus 9500 platform switches with EX/FX modules, SPAN and sFlow
cannot both be enabled simultaneously. If one is active, the other cannot be enabled. However, on the Cisco Nexus 9300-EX/FX/FX2
and the Cisco Nexus 9500 platform switches with EX modules, NetFlow and SPAN can both be enabled simultaneously, providing
a viable alternative to using sFlow and SPAN.
-
UDF-based SPAN is supported beginning with Cisco NX-OS Release 7.0(3)I4(1).
-
Tx SPAN for multicast, unknown multicast, and broadcast traffic is not supported on the Cisco Nexus 9200 platform switches.
-
When multiple egress ports on the same slice are congested by egressing SPAN traffic, those egress ports will not get the
line rate.
-
Using the ACL filter to span subinterface traffic on the parent interface is not supported.
-
The CPU SPAN source can be added only for the Rx direction (SPAN packets coming from the CPU).
-
Multiple ACL filters are not supported on the same source.
-
SPAN packets to the CPU are rate limited and are dropped in the inband path. You can change the rate limit using the hardware rate-limiter span command. You can analyze SPAN copies on the supervisor using the ethanalyzer local interface inband mirror detail command.