Cisco ACI SPAN Explained and Configuration

Cisco ACI SPAN Categories

In the ACI fabric, the SPAN feature falls into three categories:

  • Access: for monitoring traffic originating from access ports in leaf nodes
  • Fabric: for monitoring traffic from fabric ports in leaf or spine nodes (on ports between Leafs and Spines)
  • Tenant: for monitoring traffic from endpoint groups (EPGs) within a tenant

ACI SPAN Session Types

For each category, there are specific SPAN session types you can configure. They are detailed in the following table:

| Session Type | Source | Destination |
|---|---|---|
| Access Local | Access ports, port-channels local to one leaf | Port local to same leaf as sources |
|  | Access ports, port-channels, VPCs among one or more leaf nodes | EPG anywhere in the fabric |
|  | Fabric ports in one or more leaf or spine nodes | EPG anywhere in the fabric |
|  | EPG anywhere in the fabric | EPG anywhere in the fabric |

Cisco SPAN Configuration

A Cisco ACI SPAN session configuration consists of configuring 2 main policies:

  • SPAN Source groups
  • SPAN Destination groups

According to the following topology, we will SPAN traffic from the VPC connected to Leaf-101 and Leaf-102 to a destination EPG (CLD-EPG).

In this case the source is a vPC and the destination is an EPG, so the session type is Access ERSPAN.

SPAN Destination Group Configuration:

Navigate to: Fabric -> Access Policies -> Policies -> Troubleshooting -> SPAN -> SPAN Source Groups

Right-click on SPAN Destination Group and choose “Create SPAN Destination Group”.

Destination type: Can be Access Interface or EPG.

Destination IP: IP address of your sniffer monitor. In my example:

Source IP/Prefix: Source IP of the ERSPAN packets. In my case, it can be the bridge domain IP of the destination monitor device EPG.

SPAN Source Group Configuration:

Navigate to: Fabric -> Access Policies -> Policies -> Troubleshooting -> SPAN -> SPAN Source Groups

Right-Click and Create SPAN Source Group:

The Create SPAN Source Group dialog box will pop up. Fill in the policy name and the Admin State, and choose the Destination group created previously.

Admin State: SPAN source state. If set to Disabled then no data is sent to the configured monitor.

Now let’s specify the SPAN sources, click on the (+) sign:

The final step is to add the path of the source group:

That’s it, hope that was helpful.


When using Wireshark, you have to enable “Force to decode fake ERSPAN frame” under Edit -> Preferences -> Protocols -> ERSPAN.
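Added example (not from the original article): a small decoder for the GRE payload of a mirrored packet, showing how a frame that carries the mirrored Ethernet frame directly after GRE, with no ERSPAN header, is misread unless the header is skipped, which is the effect of a forced decode. The field layout follows the published ERSPAN Type II header format; the function names, the `force_headerless` flag and the sample bytes are constructed for illustration, and nothing here asserts which variant a given ACI release emits.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type for ERSPAN Type I/II

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_erspan(gre: bytes, force_headerless: bool = False) -> dict:
    """Decode the GRE payload of a mirrored packet (bytes after the outer IP header)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")
    off, seq = 4, None
    off += 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000)  # optional checksum, key
    if flags & 0x1000:                     # optional sequence number
        if len(gre) < off + 4:
            raise ValueError("truncated GRE sequence number")
        (seq,) = struct.unpack("!I", gre[off:off + 4])
        off += 4
    out = {"gre_seq": seq, "erspan": None}
    # No sequence bit means Type I (no ERSPAN header). force_headerless skips
    # the header even when the bit is set, like a forced decode in the analyzer.
    if seq is not None and not force_headerless:
        if len(gre) < off + 8:
            raise ValueError("truncated ERSPAN Type II header")
        h1, h2, w = struct.unpack("!HHI", gre[off:off + 8])
        out["erspan"] = {"version": h1 >> 12, "vlan": h1 & 0x0FFF,
                         "session_id": h2 & 0x03FF, "index": w & 0xFFFFF}
        # Type II carries version 1; anything else suggests a headerless frame.
        out["plausible"] = (h1 >> 12) == 1
        off += 8
    if len(gre) < off + 14:
        raise ValueError("truncated inner Ethernet header")
    out["dst"], out["src"] = mac(gre[off:off + 6]), mac(gre[off + 6:off + 12])
    (out["ethertype"],) = struct.unpack("!H", gre[off + 12:off + 14])
    return out

# Constructed sample data: inner Ethernet header plus 20 placeholder payload bytes.
INNER = bytes.fromhex("aabbccddee01" "aabbccddee02" "0800") + b"\x45" + bytes(19)
# Type II: S bit set, sequence 7, ERSPAN header (version 1, VLAN 100, session 5).
TYPE2 = struct.pack("!HHI", 0x1000, 0x88BE, 7) + struct.pack("!HHI", 0x1064, 0x0005, 0) + INNER
# Headerless variant: S bit set and sequence 8, but the frame follows GRE directly.
HEADERLESS = struct.pack("!HHI", 0x1000, 0x88BE, 8) + INNER

if __name__ == "__main__":
    for pkt, force in ((TYPE2, False), (HEADERLESS, False), (HEADERLESS, True)):
        print(parse_erspan(pkt, force))
```

Without the forced decode, the headerless sample yields an implausible ERSPAN version and shifted MAC addresses; with it, the inner frame's real source and destination appear.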

Bilel A
