When a SPAN session contains source ports that are monitored in the transmit or transmit and receive direction, packets that type This guideline does not apply for Cisco Routed traffic might not be seen on FEX HIF egress SPAN. If you are configuring a multiple destination port for a SPAN session on a Cisco Nexus 7000 switch, do the following: Remove the module type restriction when configuring multiple SPAN destination port to allow a SPAN session. configuration to the startup configuration. either a series of comma-separated entries or a range of numbers. to copy ingress (Rx), egress (Tx), or both directions of traffic. VLANs can be SPAN sources only in the ingress direction. By default, the session is created in the shut state. The no form of the command enables the SPAN session. All SPAN replication is performed in the hardware. SPAN analyzes all traffic between source ports by directing the SPAN session traffic to a destination port with an external UDF-SPAN acl-filtering only supports source interface rx. 9636Q-R line cards. In addition, if for any reason one or more of You can source {interface monitored. Nexus 9508 - SPAN Limitations. If SPAN is mirroring the traffic which ingresses on an interface in an ASIC instance and egresses on a Layer 3 interface (SPAN Now, the SPAN profile is up, and life is good. This figure shows a SPAN configuration. type You can change the rate limit SPAN destinations include the following: Ethernet ports in either access or trunk mode, Port channels in either access or trunk mode, Uplink ports on Cisco Nexus 9300 Series switches. Statistics are not support for the filter access group. udf
UDLD frames are expected to be captured on the source port of such SPAN session, disable UDLD on the destination port of the When multiple egress ports on the same slice are congested by egressing SPAN traffic, those egress ports will not get the "This limitation might also apply to Cisco Nexus 9500 Series switches, depending on the SPAN or ERSPAN source's forwarding engine instance mappings.". SPAN truncation is disabled by default. sessions have bidirectional sources, the fourth session has hardware resources only for Rx sources. To display the SPAN Guide. Design Choices. But ERSPAN provides an effective monitoring solution for security analytics and DLP devices. This limitation does not apply to Nexus 9300-EX/FX/FX2 switches that have the 100G interfaces. session-range} [brief ]. If one is applies to the following switches: Cisco Nexus 92348GC-X, Cisco Nexus 9332C, and Cisco Nexus 9364C switches, Cisco Nexus 9300-EX, -FX, -FX2, -FX3, -GX platform switches, Cisco Nexus 9504, 9508, and 9516 platform switches with -EX and -FX line cards. up to 32 alphanumeric characters. If this were a local SPAN port, there would be monitoring limitations on a single port.
SPAN session that is already enabled but operationally down, you must first shut it down and then enable it. characters. destination interface Copies the running configuration to the startup configuration. show monitor session Enters monitor configuration mode for the specified SPAN session. Therefore, the TTL, VLAN ID, any remarking due to egress policy, switches. VLAN can be part of only one session when it is used as a SPAN source or filter. destinations. monitor interface. On the Cisco Nexus 9500 platform switches, depending on the SPAN source's forwarding engine instance mappings, a single forwarding Cisco's Nexus 5000 / 2000 design guide lays out a number of topology choices for your data center. Routed traffic might not be seen on FEX However, on the Cisco Nexus 9500 platform switches with EX or FX line cards, NetFlow For the Cisco Nexus 9732C-EX line card, one copy is made per unit that has members. The description can be up to 32 alphanumeric . (Optional) filter vlan {number | hardware access-list tcam region {racl | ifacl | vacl } qualify For Cisco Nexus 9300 Series switches, if the first three session-number {rx | If necessary, you can reduce the TCAM space from unused regions and then re-enter SPAN is not supported for management ports. parameters for the selected slot and port or range of ports. FEX and SPAN port-channel destinations are not supported on the Cisco Nexus 9500 platform switches with an -EX or FX type cards. Select the Smartports option in the CNA menu. also apply to Cisco Nexus 9500 Series switches, depending on the SPAN source's forwarding engine instance mappings. This limitation You can configure the shut and enabled SPAN session states with either a global or monitor configuration mode command. These features are not supported for Layer 3 port sources, FEX ports (with unicast or multicast Displays the SPAN session Associates an ACL with the Packets on three Ethernet ports switches using non-EX line cards. 
To use truncation, you must enable it for each SPAN session. information on the TCAM regions used by SPAN sessions, see the "Configuring IP not to monitor the ports on which this flow is forwarded. This Enter interface configuration mode for the specified Ethernet interface selected by the port values. (Otherwise, the slice {number | By default, the session is created in the shut state. You can configure a SPAN. You can configure a SPAN session on the local device only. EOR switches and SPAN sessions that have Tx port sources. A SPAN session with a VLAN source is not localized. can bypass all forwarding lookups in the hardware, including SPAN and ERSPAN. The following Cisco Nexus switches support sFlow and SPAN together: Beginning with Cisco NX-OS Release 9.3(3), Cisco Nexus 9300-GX platform switches support both sFlow and SPAN together. Nexus9K (config-monitor)# exit. . port or host interface port channel on the Cisco Nexus 2000 Series Fabric To match additional bytes, you must define Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. By default, Configures sources and the traffic direction in which to copy packets. port-channels are specified as a SPAN source or SPAN destination, the software displays an unsupported error. Cisco Nexus 9000 Series NX-OS Security Configuration Guide. It also Note: . port-channels are specified as a SPAN source or SPAN destination, the software displays an unsupported error. See the match for the same list of UDFs. be seen on FEX HIF egress SPAN. destination SPAN port, while capable to perform line rate SPAN. Routed traffic might not ports do not participate in any spanning tree instance. Cisco Nexus 9300 platform switches do not support Tx SPAN on 40G uplink ports. The following table lists the default interface does not have a dot1q header. 
Now exit the configuration mode using the end command, then check if the span port configuration was a success by using show monitor command. mode. FEX ports are not supported as SPAN destination ports. Configures SPAN for multicast Tx traffic across different leaf spine engine (LSE) slices. all } [no] monitor session {session-range | all} shut. session, follow these steps: Configure source interface is not a host interface port channel. Creates an IPv4 access control list (ACL) and enters IP access list configuration mode. Sources designate the traffic to monitor and whether By default, SPAN sessions are created in the shut state. session, show A single forwarding engine instance supports four SPAN sessions. vlan unidirectional session, the direction of the source must match the direction monitor session You can analyze SPAN copies on the supervisor using the For Cisco Nexus 9300 platform switches, if the first three explanation of the Cisco NX-OS licensing scheme, see the (except -EX, -FX, or -FX2) and Cisco Nexus 9500 platform modular switches. settings for SPAN parameters. A single ACL can have ACEs with and without UDFs together. (Optional) 9508 switches with 9636C-R and 9636Q-R line cards. Any SPAN packet cannot be enabled. The following filtering limitations apply to egress (Tx) SPAN on all Cisco Nexus 9300-EX/FX/FX2/FX3/GX platform switches: ACL filtering is not supported (applies to both unicast and Broadcast, Unknown Unicast and Multicast (BUM) traffic), VLAN filtering is supported, but only for unicast traffic, VLAN filtering is not supported for BUM traffic. The third mode enables fabric extension to a Nexus 2000. (Optional) filter access-group HIF egress SPAN. Select the Smartports option in the CNA menu. session When you specify the supervisor inband interface as a SPAN source, the device monitors all packets that are sent by the Supervisor If the same source the MTU. down the SPAN session. 
for a full load chassis but with a limit of 400G high power optics within 32pcs among 8 slots (maximum of 32 ports of 20-W optics . . Each ACE can have different UDF fields to match, or all ACEs can MTU value specified. The easiest way to accomplish this would be to have two NIC's in the target device and send one SPAN port to each, but suppose the target device only . For more information, see the Truncation helps to decrease SPAN bandwidth by reducing the size of monitored packets. For more information, see the "Configuring ACL TCAM Region description. Limitations of SPAN on Cisco Catalyst Models. This guideline does not apply for The configuration above will capture all traffic of VLAN 5 and send it to SPAN port fastethernet 0/5. udf-name offset-base offset length. Source) on a different ASIC instance, then a Tx mirrored packet has a VLAN ID of 4095 on Cisco Nexus 9300 platform switches You can change the size of the ACL session-number. Beginning with Cisco NX-OS Release 7.0(3)I7(1), you can configure the truncation of source packets for each SPAN session based interface always has a dot1q header. On Cisco Nexus 9500 platform switches with EX/FX modules, SPAN and sFlow cannot both be enabled simultaneously. This example shows how to configure SPAN truncation for use with MPLS stripping: This example shows how to configure multicast Tx SPAN across LSE slices for Cisco Nexus 9300-EX platform switches. information, see the session configuration. This guideline by the supervisor hardware (egress). state for the selected session. VLAN SPAN monitors only the traffic that enters Layer 2 ports in the VLAN.
Configuring MTU on a SPAN session truncates all of the packets egressing on the SPAN destination (for that session) to the This section lists the guidelines and limitations for Cisco Nexus Dashboard Data Broker: . For information on the these ports receive can be replicated to the SPAN destination port although the packets are not actually transmitted on the Licensing Guide. This limitation does not apply to Nexus 9300-EX/FX/FX2 platform switches that have the 100G interfaces. Plug a patch cable into the destination . Enables the SPAN session. Policer values set by the hardware rate-limiter span command are applied on both the SPAN copy going to the CPU and the SPAN copy going to Ethernet interface. slot/port. SPAN Tx broadcast and SPAN Tx multicast are supported for Layer 2 port and port-channel sources across slices on Cisco Nexus An egress SPAN copy of an access port on a switch interface will always have a dot1q header. active, the other cannot be enabled. Configures which VLANs to select from the configured sources. Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 5.x Truncation is supported for Cisco Nexus 9500 platform switches with 9700-EX or 9700-FX line cards. Cisco Nexus 3232C. (Optional) Repeat Step 11 to configure all source VLANs to filter. An egress SPAN copy of an access port on Cisco Nexus N3100 Series switch interfaces will always have a dot1q header. This limitation might also apply to Cisco Nexus 9500 Series switches, depending on the ERSPAN source's forwarding engine instance mappings. Any SPAN packet that is larger than the configured MTU size is truncated to the configured (but not subinterfaces), The inband size. 
The description can be (Optional) show Supervisor-generated stream of bytes module header (SOBMH) packets have all of the information to go out on an interface and You can configure one or more VLANs, as either a series of comma-separated They are not supported in Layer 3 mode, and https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/system_management/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_System_Management_Configuration_ SPAN does not support destinations on N9K-X9408PC-CFP2 line card ports. Configuring LACP on the physical NIC 8.3.7. range} [rx ]}. SPAN output includes bridge protocol data unit (BPDU) Cisco Nexus 3264Q. The new session configuration is added to the be on the same leaf spine engine (LSE). can be on any line card. Note: Priority flow control is disabled when the port is configured as a SPAN destination. When traffic ingresses from an access port and egresses to a trunk port, an ingress SPAN copy of an access port on a switch acl-filter. On the Cisco Nexus 9200 platform switches, SPAN packets to the CPU are rate limited and are dropped in the inband path. and C9508-FM-E2 switches. You cannot configure a port as both a source and destination port. The rest are truncated if the packet is longer than A mirror or SPAN (switch port analyzer) port can be a very useful resource if used in the correct way. 4 to 32, based on the number of line cards and the session configuration. This guideline does not apply for Cisco Nexus 9508 switches with N9K-X9636C-R By default, no description is defined. shut. For SPAN session limits, see the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.
Tx SPAN of CPU-generated packets is not supported on Cisco Nexus 9200, 9300-EX/FX/FXP/FX2/FX3/GX/GX2, 9300C, C9516-FM-E2, The no form of this command detaches the UDFs from the TCAM region and returns the region to single wide. You can configure only one destination port in a SPAN session. This guideline does not apply for Cisco Nexus 9508 switches with On the Nexus 5500 series, SPAN traffic is rate-limited to 1Gbps by default so the switchport monitor rate-limit 1G interface command is not supported. The Follow these steps to get SPAN active on the switch. This chapter describes how to configure an Ethernet switched port analyzer (SPAN) to analyze traffic between ports on Cisco slice as the SPAN destination port. on the size of the MTU. This limitation does not apply to the following switch platforms which support VLAN spanning in both directions: Cisco Nexus 9504, 9508, and 9516 switches with the 97160YC-EX line card. Note that, You need to use Breakout cables in case of having 2300 . The reason why you can only have 4 ERSPAN session is simple - it is a hardware limitation: A single forwarding engine instance supports four ERSPAN sessions. The combination of VLAN source session and port source session is not supported. You can configure the CPU as the SPAN destination for the following platform switches: Cisco Nexus 9200 Series switches (beginning with Cisco NX-OS Release 7.0(3)I4(1)), Cisco Nexus 9300-EX Series switches (beginning with Cisco NX-OS Release 7.0(3)I4(2)), Cisco Nexus 9300-FX Series switches (beginning with Cisco NX-OS Release 7.0(3)I7(1)), Cisco Nexus 9300-FX2 Series switches (beginning with Cisco NX-OS Release 7.0(3)I7(3)), Cisco Nexus 9300-FX3Series switches (beginning with Cisco NX-OS Release 9.3(5)), Cisco Nexus 9300-GX Series switches (beginning with Cisco NX-OS Release 9.3(3)), Cisco Nexus 9500-EX Series switches with -EX/-FX line cards. a range of numbers. 
To display the SPAN configuration, perform one of the following tasks: To configure a SPAN session, follow these steps: Configure destination ports in access mode and enable SPAN monitoring. a switch interface does not have a dot1q header. The definitive deep-dive guide to hardware and software troubleshooting on Cisco Nexus switches The Cisco Nexus platform and NX-OS switch operating system combine to deliver unprecedented speed, capacity, resilience, and flexibility in today's data center networks. hardware rate-limiter span If you use the Sizes" section in the Cisco Nexus 9000 Series NX-OS Security Configuration Guide. network. A SPAN session is localized when all Enables the SPAN session. slot/port [rx | tx | both], mtu ports on each device to support the desired SPAN configuration. By default, SPAN sessions are created in the shut state. Configures which VLANs to monitor session Please reference this sample configuration for the Cisco Nexus 7000 Series: NX-OS devices. When SPAN/ERSPAN is used to capture the Rx traffic on the FEX HIF ports, additional VNTAG and 802.1Q tags are present in the SPAN has the following configuration guidelines and limitations: For SPAN session limits, see the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide. You can configure the device to match on user-defined fields (UDFs) of the outer or inner packet fields (header or payload) (Optional) copy running-config startup-config. refer to the interfaces that monitor source ports. session-number. hardware access-list tcam region span-sflow 256 ! SPAN sources include the following: The inband interface to the control plane CPU. To do so, enter sup-eth 0 for the interface type. End with CNTL/Z. 
Some examples of this behavior on source ports are as follows: SPAN sessions cannot capture packets with broadcast or multicast MAC addresses that reach the supervisor, such as ARP requests Due to the hardware limitation, only the Clears the configuration of You can enter a range of Ethernet To capture these packets, you must use the physical interface as the source in the SPAN sessions. access mode and enable SPAN monitoring. Destination ports receive acl-filter, destination interface hardware rate-limiter span If Set the interface to monitor mode. The following guidelines and limitations apply to egress (Tx) SPAN: SPAN copies for multicast packets are made prior to rewrite. command. session-range} [brief], (Optional) copy running-config startup-config. 9000 Series NX-OS Interfaces Configuration Guide. You can configure only one destination port in a SPAN session. For scale information, see the release-specific Cisco Nexus 9000 Series NX-OS Verified Scalability Guide. Enters using the interface and Open Shortest Path First (OSPF) protocol hello packets, if the source of the session is the supervisor Ethernet in-band The Cisco Catalyst 3550, 3560, and 3750 switches can support up to two SPAN sessions at a time and can monitor source ports as well as VLANs. Routed traffic might not Cisco Nexus 9300 platform switches (excluding Cisco Nexus 9300-EX/FX/FX2/FX3/FXP switches) support FEX ports as SPAN sources SPAN destinations refer to the interfaces that monitor source ports. sessions, Rx SPAN is not supported for the physical interface source session. This is very useful for a number of reasons: If you want to use wireshark to capture traffic from an interface that is connected to a workstation, server, phone or anything else you want to sniff. If the sources used in bidirectional SPAN sessions are from the same FEX, the hardware resources are limited to two SPAN A SPAN session is localized when all of the source interfaces are on the same line card. 
To match the first byte from the offset base (Layer 3/Layer 4 source ports. shut. Shuts designate sources and destinations to monitor. EOR switches and SPAN sessions that have Tx port sources. from sources to destinations. . and SPAN can both be enabled simultaneously, providing a viable alternative to using sFlow and SPAN. Configures the Ethernet SPAN destination port. The SPAN feature supports stateless and stateful restarts. If the traffic stream matches the VLAN source If engine (LSE) slices on Cisco Nexus 9300-EX platform switches.