SPAN Configuration on Cisco Nexus switches
What is SPAN:
SPAN copies traffic seen on the source ports to a destination port, where an external analyzer (sniffer) attached to that port can inspect all of the session traffic.
SPAN Sources:
The interfaces from which traffic can be monitored are called SPAN sources. Sources designate the traffic to monitor and whether to copy ingress, egress, or both directions of traffic. SPAN sources include the following:
- Ethernet ports (but not subinterfaces)
- Port channels
- The inband interface to the control plane CPU
- VLANs
Some Considerations for SPAN Sources:
- A port configured as a source port cannot also be configured as a destination port.
- If you use the supervisor inband interface as a SPAN source, the following packets are monitored:
  - All packets that arrive on the supervisor hardware (ingress)
  - All packets generated by the supervisor hardware (egress)
SPAN Destinations:
SPAN destinations refer to the interfaces that monitor source ports. Destination ports receive the copied traffic from SPAN sources. SPAN destinations include the following:
- Ethernet ports in either access or trunk mode
- Port channels in either access or trunk mode
- Uplink ports on Cisco Nexus 9300 Series switches
Considerations for SPAN Destinations:
- A port configured as a destination port cannot also be configured as a source port.
- A destination port can be configured in only one SPAN session at a time.
- Destination ports do not participate in any spanning tree instance. SPAN output includes bridge protocol data unit (BPDU) Spanning Tree Protocol hello packets.
SPAN Sessions:
You can create SPAN sessions to designate sources and destinations to monitor.
Localized SPAN Sessions:
- A SPAN session is localized when all of the source interfaces are on the same line card.
- A session destination interface can be on any line card.
- A SPAN session with a VLAN source is not localized.
SPAN Configuration NX-OS:
Step-1: Configure SPAN destinations:
Configure the SPAN destination port as "switchport monitor":
switch# configure terminal
switch(config)# interface ethernet 2/5
switch(config-if)# switchport
switch(config-if)# switchport monitor
Step-2: Configure SPAN session:
You can specify the traffic direction to copy as ingress (rx), egress (tx), or both.
! monitor session session-number [rx | tx] [shut]
switch(config)# monitor session 3 rx
switch(config-monitor)# source interface ethernet 2/1-3, ethernet 3/1 rx
Source port-channel:
switch(config-monitor)# source interface port-channel 2
Source Supervisor:
switch(config-monitor)# source interface sup-eth 0 both
Source VLAN:
switch(config-monitor)# source vlan 3, 6-8 rx
Destination Interface:
switch(config-monitor)# destination interface ethernet 2/5
switch(config-monitor)# no shut
We can also apply an ACL on the SPAN session:
switch(config-monitor)# filter access-group ACL1
Notes for session sources:
- Source VLANs are supported only in the ingress direction.
- Source FEX ports are supported in the ingress direction for all traffic and in the egress direction only for known Layer 2 unicast traffic.
- For a unidirectional session, the direction of the source must match the direction specified in the session.
Full SPAN configuration on Nexus switch:
switch# configure terminal
switch(config)# interface ethernet 2/5
switch(config-if)# switchport
switch(config-if)# switchport monitor
switch(config)# monitor session 3 rx
switch(config-monitor)# source interface ethernet 3/1 rx
switch(config-monitor)# destination interface ethernet 2/5
switch(config-monitor)# no shut
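The source and destination rules above (a port cannot be both source and destination, a destination belongs to at most one session, the destination must be in switchport monitor mode, VLAN sources are rx only, and a unidirectional session's sources must use the session's direction) are easy to break when several sessions are edited over time. The following added Python checker, which is not part of this page's configuration or any Cisco tool, parses a constructed NX-OS running-config excerpt and reports every violation it finds; it also flags a filter access-group that names an ACL not defined in the config, which is an extra sanity check not listed in the text. All interface names, session numbers and ACL names in the sample are constructed, and the running-config line formats are assumed to match what the commands above produce.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt for illustration (not from a real switch).
# Session 3 is clean; sessions 4, 5 and 6 each break at least one rule from the text.
SAMPLE_CONFIG = """\
interface Ethernet2/5
  switchport
  switchport monitor
interface Ethernet2/6
  switchport
  switchport monitor
interface Ethernet2/7
  switchport
ip access-list ACL1
  10 permit tcp any any eq 443
monitor session 3 rx
  source interface Ethernet3/1 rx
  source vlan 3,6-8 rx
  filter access-group ACL1
  destination interface Ethernet2/5
  no shut
monitor session 4
  source interface Ethernet2/5 both
  source vlan 10 tx
  filter access-group ACL2
  destination interface Ethernet2/6
  no shut
monitor session 5 tx
  source interface Ethernet3/2 both
  destination interface Ethernet2/6
  no shut
monitor session 6
  source interface Ethernet3/3 rx
  destination interface Ethernet2/7
  no shut
"""


def parse_config(text):
    """Return (monitor_ports, acls, sessions) parsed from a running-config excerpt."""
    monitor_ports, acls, sessions = set(), set(), {}
    kind = block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # a top-level command opens a new block
            kind = block = None
            if m := re.match(r"interface (\S+)$", line):
                kind, block = "interface", m.group(1)
            elif m := re.match(r"ip access-list (\S+)$", line):
                kind, block = "acl", m.group(1)
                acls.add(block)
            elif m := re.match(r"monitor session (\d+)(?: (rx|tx))?$", line):
                kind, block = "session", m.group(1)
                # A session with no rx/tx keyword copies both directions
                sessions[block] = {"direction": m.group(2) or "both",
                                   "sources": [], "dest": None, "acl": None}
            continue
        if kind == "interface" and line == "switchport monitor":
            monitor_ports.add(block)
        elif kind == "session":
            s = sessions[block]
            if m := re.match(r"source (interface|vlan) (\S+) (rx|tx|both)$", line):
                s["sources"].append((m.group(1), m.group(2), m.group(3)))
            elif m := re.match(r"destination interface (\S+)$", line):
                s["dest"] = m.group(1)
            elif m := re.match(r"filter access-group (\S+)$", line):
                s["acl"] = m.group(1)
    return monitor_ports, acls, sessions


def audit_span(text):
    """Return a list of (session_id, message) for every rule violation found."""
    monitor_ports, acls, sessions = parse_config(text)
    dest_users = defaultdict(list)  # destination port -> sessions that use it
    for sid, s in sessions.items():
        if s["dest"]:
            dest_users[s["dest"]].append(sid)
    findings = []
    for sid, s in sessions.items():
        for kind, name, d in s["sources"]:
            if kind == "interface" and name in dest_users:
                findings.append((sid, f"source {name} is also a SPAN destination"))
            if kind == "vlan" and d != "rx":
                findings.append((sid, f"source vlan {name} uses {d}; VLAN sources are rx only"))
            if s["direction"] != "both" and d != s["direction"]:
                findings.append((sid, f"source {name} is {d} but the session is {s['direction']}"))
        dest = s["dest"]
        if dest is None:
            findings.append((sid, "no destination interface configured"))
        else:
            if dest not in monitor_ports:
                findings.append((sid, f"destination {dest} lacks 'switchport monitor'"))
            if len(dest_users[dest]) > 1:
                findings.append((sid, f"destination {dest} is shared by sessions {', '.join(dest_users[dest])}"))
        if s["acl"] and s["acl"] not in acls:
            findings.append((sid, f"filter access-group {s['acl']} names an undefined ACL"))
    return findings


if __name__ == "__main__":
    for sid, msg in audit_span(SAMPLE_CONFIG):
        print(f"session {sid}: {msg}")
```

Run against the sample, the checker reports nothing for session 3 and seven findings across sessions 4, 5 and 6. To audit a real switch, replace SAMPLE_CONFIG with the text of show running-config; the parser only relies on the two-space indentation NX-OS uses for sub-commands.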
SPAN on Drop feature on Nexus 5000:
SPAN-on-Drop enables the Cisco Switched Port Analyzer (SPAN) feature to be applied to packets that would normally be dropped due to lack of available buffer or queue space on ingress. With SPAN-on-Drop, instead of dropping a packet when congestion occurs, the system stores the packet in a separate SPAN-on-Drop buffer and then sends the packet to the specified SPAN-on-Drop destination port.
Consider a case where many ports are sending data to port 3/1. At some point the buffers for port 3/1 start to fill up, leading to tail drops. To identify which application is experiencing loss, you can configure a SPAN-on-Drop session using port 3/1 as the source.
SPAN-on-Drop with Local Destination SPAN Port:
This configuration creates a SPAN session with the type SPAN-on-DROP. In the following example, the source interface, where congestion may be present, is port e3/1. The destination port is e3/2, which must be in switchport monitor mode.
switch(config)# monitor session <session_number> type SPAN-on-DROP
switch(config-SPAN-on-DROP)# source interface e3/1
switch(config-SPAN-on-DROP)# destination interface e3/2
Reference:
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_14span.html
https://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/white-paper-c11-733022.html