SPAN

This chapter describes how to identify and resolve problems that relate to SPAN and includes the following topics:

Information About SPAN

The Switched Port Analyzer (SPAN) feature (sometimes called port mirroring or port monitoring) selects network traffic for analysis by a network analyzer. The network analyzer can be a Cisco SwitchProbe or other Remote Monitoring (RMON) probe.

The Cisco Nexus 1000VE supports two types of SPAN:

  • SPAN (local SPAN) that can monitor sources within a host or VSE.
  • Encapsulated remote SPAN (ERSPAN) that can send monitored traffic to an IP destination.

For detailed information about how to configure local SPAN or ERSPAN, see the Cisco Nexus 1000VE System Management Configuration Guide.

SPAN Session Guidelines

The following are SPAN session guidelines:

  • When a SPAN session contains multiple transmit source ports, packets that these ports receive might be replicated even though they are not transmitted on the ports. Examples include the following:

blank.gif Traffic that results from flooding

blank.gif Broadcast and multicast traffic

  • For VLAN SPAN sessions with both receive and transmit configured, two packets (one from receive and one from transmit) are forwarded from the destination port if the packets get switched on the same VLAN.
  • After VMotion, the following might occur:

blank.gif A session is stopped if the source and destination ports are separated.

blank.gif A session resumes if the source and destination ports end up on the same host.

  • The following are required for a running SPAN session:

blank.gif The limit of 64 SPAN sessions is not exceeded.

blank.gif At least one operational source is configured.

blank.gif At least one operational destination is configured.

blank.gif The configured source and destination are on the same host.

blank.gif The session is enabled with the no shut command.

  • A session is stopped if any of the following occurs:

blank.gif All the source ports go down or are removed.

blank.gif All the destination ports go down or are removed.

blank.gif All the source and destination ports are separated by VMotion.

blank.gif The session is disabled by a shut command.

Problems with SPAN

The following are symptoms, possible causes, and solutions for problems with SPAN.

 

Symptom
Possible Causes
Solution

You observe issues with VM traffic after configuring a session with Ethernet destinations.

Ensure that the Ethernet destination is not connected to the same uplink switch. The SPAN packets might cause problems with the IP tables, the MAC tables, or both on the uplink switch, which can cause problems with the regular traffic.

A session state is up and the packets are not received at the destination ports.

Verify that the correct VLANs are allowed on the trunk destination ports.

The session displays an error.

1.blank.gif Make sure that VSM-VSE connectivity is working correctly.

2.blank.gif Force reprogramming of the session on the VSE.

shut
no
shut

The ERSPAN session is up, but does not see packets at the destination.

The ERSPAN ID is not configured.

Make sure that the ERSPAN ID is configured at the destination.

An ERSPAN-enabled VMKernel NIC is not configured on the host or VSE.

Make sure that you create a VMKernel NIC on the host using a port profile configured for ERSPAN.

The ERSPAN-enabled VMKernel NIC is not configured with a proper IP, gateway, or both.

Ping the ERSPAN IP destination from the host VMKernel NIC.

vmkping dest-id

Use the vempkt command to capture packets on the VMKernel NIC LTL and ensure ERSPAN packets are being sent. Use the vemlog debug sfspan d command so that the ERSPAN packets appear in the VSEpkt capture log.

SPAN Troubleshooting Commands

You can use the commands in this section to troubleshoot problems related to SPAN.

 

Command
Purpose

show monitor

Displays the status of SPAN sessions.

See Example 14-1 on page 14-3 .

show monitor session

Displays the current state of a SPAN session, the reason it is down, and the session configuration.

See Example 14-2 on page 14-3 .

module vse module-number execute vemcmd show span

Displays the VSE source IP and SPAN configuration.

See Example 14-3 on page 14-4 .

Additional commands:

  • show monitor internal errors
  • show monitor internal event-history msgs
  • show monitor internal info global-info
  • show monitor internal mem-stats

Example 14-1 show monitor Command

switch# show monitor
Session State Reason Description
------- ----------- ---------------------- --------------------------------
17 down Session admin shut folio

Example 14-2 show monitor session Command

switch(config)# show monitor session 1
session 1
---------------
type : erspan-source
state : up
source intf :
rx : Eth3/1
tx : Eth3/1
both : Eth3/1
source VLANs :
rx :
tx :
both :
filter VLANs : filter not specified
destination IP : 10.54.54.1
ERSPAN ID : 999
ERSPAN TTL : 64
ERSPAN IP Prec. : 0
ERSPAN DSCP : 0
ERSPAN MTU : 1000

Example 14-3 module vse execute vemcmd show span Command

switch# vemcmd show span
ERSPAN Local Encap Interface Information:
-----------------------------------------
LTL: 0 cap 0 ()
SF_LTL_L3_CTRL: 0 cap 0
IP: 0.0.0.0
MAC: 0000:0000:0000
HWBD: 0
Port State: Down
-----------------------------------------
 
VEM SOURCE IP NOT CONFIGURED.
 
HW SSN ID ERSPAN ID HDR VER DST LTL/IP
switch#