Cisco ACI SPAN Explained and Configuration
Cisco ACI SPAN Categories
In the ACI Fabric, the SPAN feature can be defined in three categories:
• Access: for monitoring traffic originating from access ports in leaf nodes
• Fabric: for monitoring traffic from fabric ports in leaf or spine nodes (on ports between Leafs and Spines)
• Tenant: for monitoring traffic from endpoint groups (EPGs) within a tenant
ACI SPAN Session Types
Each category supports specific SPAN session types, detailed in the following table:
Session Type | Sources | Filters | Destination |
Access Local | Access Ports, Port-channels local to one leaf | EPG | Port local to same leaf as sources |
Access ERSPAN | Access Ports, Port-channels, VPCs among one or more leaf nodes | EPG | EPG anywhere in the fabric |
Fabric ERSPAN | Fabric ports | BD or VRF | EPG anywhere in the fabric |
Tenant ERSPAN | EPG anywhere in the fabric | – | EPG anywhere in the fabric |
Cisco SPAN Configuration
A Cisco ACI SPAN session configuration consists of configuring 2 main policies:
- SPAN Source groups
- SPAN Destination groups
Based on the following topology, we will SPAN traffic from the vPC connected to Leaf-101 and Leaf-102 to a destination EPG (CLD-EPG).
In this case the source is a vPC and the destination is an EPG, so the session type is Access ERSPAN.
SPAN Destination Group Configuration:
Navigate to: Fabric -> Access Policies -> Policies -> Troubleshooting -> SPAN -> SPAN Destination Groups
Right-click on SPAN Destination Group and choose "Create SPAN Destination Group".
Destination type: can be Access Interface or EPG.
Destination IP: IP address of your sniffer monitor. In my example: 172.29.20.20.
Source IP/Prefix: source IP of the ERSPAN packets. In my case, it can be the bridge domain IP of the destination monitor device's EPG, 172.29.20.1.
SPAN Source Group Configuration:
Navigate to: Fabric -> Access Policies -> Policies -> Troubleshooting -> SPAN -> SPAN Source Groups
Right-click and choose "Create SPAN Source Group":
The Create SPAN Source Group dialog box will pop up. Fill in the policy name and the Admin State, and choose the Destination group created previously.
Admin State: SPAN source state. If set to Disabled, no data is sent to the configured monitor destination.
We can specify a filter group to get only the needed traffic, for example:
Now let’s specify the SPAN sources, click on the (+) sign:
The final step is to add the path of the source group:
That’s it, hope that was helpful.
Note
When using Wireshark, you have to enable "Force to decode fake ERSPAN frame" under Edit -> Preferences -> Protocols -> ERSPAN.
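To confirm on the monitor host that the session delivers what was configured, the following added example (not part of the original article) parses a GRE/ERSPAN packet, compares the outer addresses with the Source IP/Prefix and Destination IP used above, and recovers the mirrored Ethernet frame. It assumes standard ERSPAN encapsulation (GRE protocol 0x88BE, with the GRE sequence bit marking an 8-byte Type II header and its absence meaning the Ethernet frame follows GRE directly, the headerless case the Wireshark setting is for); parse_erspan, build_sample and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Values from the article's example; change them to match your SPAN destination group.
EXPECTED_SRC, EXPECTED_DST = "172.29.20.1", "172.29.20.20"

def parse_erspan(pkt: bytes) -> dict:
    """Parse an outer IPv4/GRE packet; return the ERSPAN type and mirrored-frame details."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 47:
        raise ValueError("not IPv4 carrying GRE (protocol 47)")
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    gre = pkt[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != 0x88BE:
        raise ValueError(f"GRE protocol {proto:#06x} is not ERSPAN (0x88be)")
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)  # skip checksum, key
    info = {"src": src, "dst": dst, "type": "I", "session_id": None}
    if flags & 0x1000:  # sequence number present: an 8-byte ERSPAN Type II header follows
        off += 4
        if len(gre) < off + 8:
            raise ValueError("truncated ERSPAN Type II header")
        ver_vlan, cos_sid = struct.unpack("!HH", gre[off:off + 4])
        info.update(type="II", version=ver_vlan >> 12, session_id=cos_sid & 0x03FF)
        off += 8
    # No sequence bit means no ERSPAN header: the mirrored Ethernet frame starts here.
    frame = gre[off:]
    if len(frame) < 14:
        raise ValueError("mirrored Ethernet frame is truncated")
    info["inner_src_mac"] = frame[6:12].hex(":")
    info["inner_ethertype"] = struct.unpack("!H", frame[12:14])[0]
    info["matches_session"] = (src, dst) == (EXPECTED_SRC, EXPECTED_DST)
    return info

def build_sample(src: str, dst: str, type2: bool) -> bytes:
    """Constructed sample: outer IPv4 (checksum left 0) + GRE (+ Type II header) + ARP-sized frame."""
    inner = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
    gre = struct.pack("!HH", 0x1000 if type2 else 0, 0x88BE)
    if type2:
        gre += struct.pack("!IHHI", 7, (1 << 12) | 100, 5, 0)  # seq 7, ver 1, VLAN 100, session 5
    payload = gre + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 47, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + payload

if __name__ == "__main__":
    print([parse_erspan(build_sample(EXPECTED_SRC, EXPECTED_DST, t2)) for t2 in (False, True)])
```

A packet whose matches_session is False arrived with outer addresses other than the ones set in the SPAN destination group, which is worth checking before trusting the capture.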