SPAN Configuration on Cisco Nexus switches

What is SPAN:

SPAN (Switched Port Analyzer) analyzes all traffic between source ports by directing the SPAN session traffic to a destination port that has an external analyzer (sniffer) attached to it.

Catalyst Switched Port Analyzer (SPAN) Configuration Example - Cisco

SPAN Sources:

The interfaces from which traffic can be monitored are called SPAN sources. Sources designate the traffic to monitor and whether to copy ingress, egress, or both directions of traffic. SPAN sources include the following:

  • Ethernet ports (but not subinterfaces)
  • Port channels
  • The inband interface to the control plane CPU
  • VLANs


Some Considerations for SPAN Sources:

  • A port configured as a source port cannot also be configured as a destination port.
  • If you use the supervisor inband interface as a SPAN source, the following packets are monitored:
    • All packets that arrive on the supervisor hardware (ingress)
    • All packets generated by the supervisor hardware (egress)


SPAN Destinations:

SPAN destinations refer to the interfaces that monitor source ports. Destination ports receive the copied traffic from SPAN sources. SPAN destinations include the following:

  • Ethernet ports in either access or trunk mode
  • Port channels in either access or trunk mode
  • Uplink ports on Cisco Nexus 9300 Series switches

Considerations for SPAN Destinations:

  • A port configured as a destination port cannot also be configured as a source port.
  • A destination port can be configured in only one SPAN session at a time.
  • Destination ports do not participate in any spanning tree instance. SPAN output includes bridge protocol data unit (BPDU) Spanning Tree Protocol hello packets.


SPAN Sessions:

You can create SPAN sessions to designate sources and destinations to monitor.

Localized SPAN Sessions

  • A SPAN session is localized when all of the source interfaces are on the same line card.
  • A session destination interface can be on any line card.
  • A SPAN session with a VLAN source is not localized.


SPAN Configuration NX-OS:

Step-1: Configure SPAN destinations:

Configure the SPAN destination port with "switchport monitor":

switch# configure terminal
switch(config)# interface ethernet 2/5
switch(config-if)# switchport
switch(config-if)# switchport monitor


Step-2: Configure SPAN session:

You can specify the traffic direction to copy as ingress (rx), egress (tx), or both.

! Syntax: monitor session session-number [rx | tx] [shut]
switch(config)# monitor session 3 rx
switch(config-monitor)# source interface ethernet 2/1-3, ethernet 3/1 rx

Source port-channel:

switch(config-monitor)# source interface port-channel 2

Source Supervisor:

switch(config-monitor)# source interface sup-eth 0 both

Source VLAN:

switch(config-monitor)# source vlan 3, 6-8 rx

Destination Interface:

switch(config-monitor)# destination interface ethernet 2/5
switch(config-monitor)# no shut

We can also apply an ACL on the SPAN session:

switch(config-monitor)# filter access-group ACL1



Notes for session sources:

  • Source VLANs are supported only in the ingress direction.
  • Source FEX ports are supported in the ingress direction for all traffic and in the egress direction only for known Layer 2 unicast traffic.
  • For a unidirectional session, the direction of the source must match the direction specified in the session.

Full SPAN configuration on Nexus switch:

switch# configure terminal
switch(config)# interface ethernet 2/5
switch(config-if)# switchport
switch(config-if)# switchport monitor

switch(config)# monitor session 3 rx
switch(config-monitor)# source interface ethernet 3/1 rx
switch(config-monitor)# destination interface ethernet 2/5
switch(config-monitor)# no shut
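
Because a destination port receives a full copy of the monitored traffic, it is worth checking a SPAN configuration against the considerations and notes listed above before enabling it. The following Python audit is an added example, not code from the original page or from Cisco; the names `audit_span` and `expand` and the sample configuration are constructed for illustration, and sources with no explicit direction are assumed to be acceptable and are not flagged.

```python
import re

# Constructed sample, not from the page: session 4 deliberately breaks the rules.
SAMPLE = """\
interface ethernet 2/5
  switchport
  switchport monitor
monitor session 3 rx
  source interface ethernet 3/1 rx
  destination interface ethernet 2/5
monitor session 4 rx
  source interface ethernet 2/4-5 both
  source vlan 3, 6-8 tx
  destination interface ethernet 2/5
"""

def expand(spec):
    """Expand 'ethernet 2/1-3, ethernet 3/1' into individual port names."""
    for item in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(.*/)(\d+)-(\d+)", item)
        yield from (f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)) if m else [item]

def audit_span(config):
    """Return sorted violations of the source/destination rules on this page."""
    monitor, srcs, dsts, sdir, issues, ctx = set(), set(), {}, {}, [], None
    for line in config.lower().splitlines():
        line = re.sub(r"^\S+#\s*", "", line.strip())  # drop a CLI prompt if present
        if m := re.fullmatch(r"interface (.+)", line):
            ctx = m[1].replace(" ", "")
        elif line == "switchport monitor":
            monitor.add(ctx)
        elif m := re.fullmatch(r"monitor session (\d+)(?: (rx|tx))?.*", line):
            ctx = m[1]
            sdir[ctx] = m[2]  # None means a bidirectional session
        elif m := re.fullmatch(r"source (interface|vlan) (.+?)(?: (rx|tx|both))?", line):
            kind, spec, d = m.groups()
            if kind == "vlan" and d in ("tx", "both"):
                issues.append(f"session {ctx}: source vlan {spec} is {d}, VLAN sources are rx only")
            elif d and sdir.get(ctx) and d != sdir[ctx]:
                issues.append(f"session {ctx}: source {spec} is {d}, session is {sdir[ctx]}")
            if kind == "interface":
                srcs.update(expand(spec))
        elif m := re.fullmatch(r"destination interface (.+)", line):
            dsts.setdefault(m[1].replace(" ", ""), set()).add(ctx)
    for port, sess in dsts.items():
        checks = [(port not in monitor, "destination lacks 'switchport monitor'"),
                  (len(sess) > 1, f"destination of sessions {sorted(sess)}"),
                  (port in srcs, "configured as both source and destination")]
        issues += [f"{port}: {msg}" for bad, msg in checks if bad]
    return sorted(issues)
```

Calling `audit_span(SAMPLE)` reports four findings, all caused by session 4; the full configuration shown above, pasted with its prompts, yields an empty list.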


SPAN on Drop feature on Nexus 5000:

SPAN-on-Drop enables the Cisco Switched Port Analyzer (SPAN) feature to be applied to packets that would normally be dropped due to lack of available buffer or queue space on ingress. With SPAN-on-Drop, instead of dropping a packet when congestion occurs, the system stores the packet in a separate SPAN-on-Drop buffer and then sends the packet to the specified SPAN-on-Drop destination port.

Consider a case where many ports are sending data to port 3/1. At some point, the buffers for port 3/1 start to fill up, leading to tail drops. To identify which application is experiencing loss, you can configure a SPAN-on-Drop session using port 3/1 as the source.

SPAN-on-Drop with Local Destination SPAN Port

This configuration creates a SPAN session with the type SPAN-on-DROP. In the following example, the source interface, where congestion may be present, is port e3/1. The destination port is e3/2, which must be in switchport monitor mode.

switch(config)# monitor session <session_number> type SPAN-on-DROP
switch(config-SPAN-on-DROP)# source interface e3/1
switch(config-SPAN-on-DROP)# destination interface e3/2


Reference:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide/sm_14span.html

https://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/white-paper-c11-733022.html

Bilel A
