FAQ: Port mirroring (SPAN) on Nexus 2000 & Nexus 5000
24th January 2013

1. Can I run vPC from both destination ports to an IDS (or any other traffic monitoring device)?

No, because destination ports can't be a port-channel. See the Cisco doc here: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/system_management/503_n1_1/b_cisco_n5k_system_mgmt_cg_rel_503_n1_1/b_cisco_n5k_system_mgmt_cg_rel_503_n1_1_chapter_01111.html#con_1167306

Characteristics of Destination Ports (from that doc):

"Each local SPAN session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source ports, VLANs, or VSANs. A destination port has these characteristics:
- Can be any physical port: Ethernet, Ethernet (FCoE), or Fibre Channel. Virtual Fibre Channel ports cannot be destination ports.
- Cannot be a source port.
- Cannot be a port channel or SAN port channel group.
- Does not participate in spanning tree while the SPAN session is active.
- Is excluded from the source list and is not monitored if it belongs to a source VLAN of any SPAN session.
- Receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports."

2. How can I mirror traffic from both switches to my IDS then?

It depends on the IDS capability. If it can support two active connections, the topology will work without vPC between the N5Ks and the IDS, so the two N5Ks send the SPAN traffic separately. If the IDS only supports one active connection, you can configure ERSPAN on one of the N5Ks and forward the traffic from the source ports on this N5K to the destination port on the other N5K. However, you do need to consider whether the bandwidth will allow this.

Although the switch will accept SPAN configuration on only one side, and a missing SPAN configuration on the other switch won't bring down the vPC, it is recommended to apply the SPAN configuration on both vPC switches: "While using the SPAN feature to monitor the traffic flow, the communications between two hosts can be split between two vPC switches. Therefore, you may need to enable SPAN on both vPC switches to obtain a complete trace." (http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html#wp424989)

3. How to configure ERSPAN in Nexus 5000?

See:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/system_management/513_n1_1/b_Cisco_n5k_system_mgmt_cg_rel_513_n1_1_chapter_010001.html
http://www.cisco.com/en/US/products/ps9670/products_configuration_example09186a0080bbcd00.shtml

The following figure shows an example ERSPAN configuration.

[Figure 1: ERSPAN Configuration. A traffic probe is attached to the destination switch (data center); GRE-encapsulated traffic from the source switches (access) crosses a routed network to reach it.]

SUMMARY STEPS
1. configuration terminal
2. monitor session span-session-number type {erspan-source | local}
3. (Optional) description erspan_session_description
4. source interface {ethernet slot/chassis number | port-channel number}
5. source vlan number
6. source vsan number
7. destination ip ip-address
8. erspan-id flow-id
9. vrf {vrf-name | default}
10. (Optional) ip ttl ttl-number
11. (Optional) ip dscp dscp_value
12. no shut
13. exit
14. (Optional) copy running-config startup-config

4. Do I need to configure SPAN on both switches if I am running vPC?

Yes and no. Yes for a complete capture: "While using the SPAN feature to monitor the traffic flow, the communications between two hosts can be split between two vPC switches. Therefore, you may need to enable SPAN on both vPC switches to obtain a complete trace." (Cisco link: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html#wp424989, the very last line on that page.) No for identical configuration: the SPAN configuration is not required to be the same on both switches to keep the vPC consistent.

5. How many SPAN sessions can I have?

Up to 18 sessions can be configured; however, only 2 active sessions are supported per switch. You can find more about configuration limits in documents such as this: http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration_limits/limits_513/nexus_5000_config_limits_513.html

Key takeaways about SPAN/port mirroring on the N5K:

1. At the moment, "a FEX port cannot be configured as a SPAN destination. Only a switch port can be configured and used as a SPAN destination". The workaround is to configure the destination port on the Nexus 5596, and if it is a dual-homed FEX setup, you will need to configure the monitor session on both N5Ks.
2. Monitoring multiple source ports created on a FEX in a single session is supported; however, you may need to consider whether this will cause an oversubscription issue. [image: http://www.cisco.com/en/US/i/200001-300000/280001-290000/281001-282000/281855.jpg]
3. The destination port should be configured in "monitor" mode.
4. We can monitor multiple sources (UCS blades or any rack servers) through a single session without conflicts/problems.
5. We can't configure vPC on the Nexus 5548 for the IDS because destination ports can't be port-channels.
6. If the IDS can support two active connections, the topology will work without vPC between the N5Ks and the IDS (see attached diagram 1), so the two N5Ks send the SPAN traffic separately.
7. If the IDS only supports one active connection, you can configure ERSPAN on one of the N5Ks and forward the traffic from the source ports on this N5K to the destination port on the other N5K.
8. Only one destination is allowed per session.
9. You can monitor multiple VLANs as source ports.
10. The switch supports a maximum of two egress SPAN source ports.
11. "While using the SPAN feature to monitor the traffic flow, the communications between two hosts can be split between two vPC switches. Therefore, you may need to enable SPAN on both vPC switches to obtain a complete trace."
12. (Yet to confirm) What is the limitation of SPAN per interface?
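As an added example (not code from the original post or from Cisco), the following Python script checks a constructed running-config excerpt against the constraints collected above: the destination-port rules from Q1 and takeaways 1, 3 and 8, the egress-source limit from takeaway 10, and the session limits from Q5. Session 2 in the sample follows the ERSPAN summary steps from Q3. It assumes that FEX host interfaces are named ethernet<fex-id>/1/<port> with fex-id 100-199 and that a session is active when its block contains "no shut"; neither detail is stated on the page.

```python
"""Checker for Nexus 5000 SPAN/ERSPAN monitor-session config against the FAQ's rules.
Added example, not code from the original post or from Cisco. Rules checked: no
port-channel destination (Q1); one destination per session (takeaway 8); no FEX port
as destination (takeaway 1); at most two egress source ports (takeaway 10); destination
in switchport monitor mode (takeaway 3); 18 configured / 2 active sessions (Q5).
Assumed, not on the page: FEX host ports look like ethernet<fex-id>/1/<port> with
fex-id 100-199 (default N5K range); a session is active when its block has 'no shut'."""
import re

MAX_SESSIONS, MAX_ACTIVE_SESSIONS, MAX_EGRESS_SOURCES = 18, 2, 2


def is_fex_port(name):
    """True for a FEX host interface ethernet<fex-id>/1/<port>, fex-id 100-199 (assumed)."""
    m = re.match(r"ethernet(\d+)/1/\d+$", name)
    return bool(m) and 100 <= int(m.group(1)) <= 199


def parse_config(text):
    """Return (sessions keyed by number, set of interfaces with 'switchport monitor').
    Each session is a dict: kind, sources [(interface, rx|tx|both)], dests, active.
    Only 'source interface' lines count as sources; VLAN/VSAN sources are ignored."""
    sessions, monitor_ports, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"monitor session (\d+) type (\S+)$", line):
            block = {"kind": m.group(2), "sources": [], "dests": [], "active": False}
            sessions[int(m.group(1))] = block
        elif m := re.match(r"interface (\S+)$", line):
            block = m.group(1).lower()            # a str block is an interface name
        elif isinstance(block, str):
            if line == "switchport monitor":
                monitor_ports.add(block)
        elif isinstance(block, dict):
            if m := re.match(r"source interface (\S+)(?: (rx|tx|both))?$", line):
                block["sources"].append((m.group(1).lower(), m.group(2) or "both"))
            elif m := re.match(r"destination (?:interface|ip) (\S+)$", line):
                block["dests"].append(m.group(1).lower())
            elif line in ("no shut", "shut"):
                block["active"] = line == "no shut"
    return sessions, monitor_ports


def check_config(text):
    """Return a list of findings; an empty list means the config follows every rule."""
    sessions, monitor_ports = parse_config(text)
    findings = []
    if len(sessions) > MAX_SESSIONS:
        findings.append(f"{len(sessions)} sessions configured, maximum is {MAX_SESSIONS}")
    active = sorted(n for n, s in sessions.items() if s["active"])
    if len(active) > MAX_ACTIVE_SESSIONS:
        findings.append(f"sessions {active} are active, only {MAX_ACTIVE_SESSIONS} may be active")
    for n, s in sessions.items():
        if len(s["dests"]) > 1:
            findings.append(f"session {n}: {len(s['dests'])} destinations, only one is allowed")
        egress = [i for i, d in s["sources"] if d in ("tx", "both")]
        if len(egress) > MAX_EGRESS_SOURCES:
            findings.append(f"session {n}: {len(egress)} egress source ports, maximum is {MAX_EGRESS_SOURCES}")
        if s["kind"] != "local":
            continue  # ERSPAN destinations are IP addresses, so the port rules do not apply
        for d in s["dests"]:
            if d.startswith("port-channel"):
                findings.append(f"session {n}: destination {d} is a port-channel")
            elif is_fex_port(d):
                findings.append(f"session {n}: destination {d} is a FEX port")
            elif d not in monitor_ports:
                findings.append(f"session {n}: destination {d} is not in switchport monitor mode")
    return findings


# Constructed sample config (not from a real switch). Session 2 follows the ERSPAN
# summary steps in Q3; session 3 breaks several rules on purpose.
SAMPLE_CONFIG = """
interface Ethernet1/3
  switchport monitor
interface Ethernet1/4
  switchport mode access
monitor session 1 type local
  source interface Ethernet1/1 both
  source interface Ethernet1/2 rx
  source interface Ethernet101/1/5 both
  destination interface Ethernet1/3
  no shut
monitor session 2 type erspan-source
  source interface Ethernet1/10 both
  source vlan 100
  destination ip 10.0.0.2
  erspan-id 20
  vrf default
  no shut
monitor session 3 type local
  source interface Ethernet1/5 tx
  source interface Ethernet1/6 tx
  source interface Ethernet1/7 both
  destination interface port-channel10
  destination interface Ethernet101/1/20
  destination interface Ethernet1/4
  no shut
"""

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG)))
```

Run it as a plain script and it prints one line per rule broken in the sample (three active sessions, and session 3 with three destinations, three egress sources, a port-channel destination, a FEX destination and a port that is not in monitor mode). It is a pre-change sanity check on a config snippet; the switch's own view of what is actually active still comes from "show monitor session" after the change is applied.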
According to Cisco, in 5.1.3 for example (http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_1_3_N2_1/Nexus5000_Release_Notes_5_1_3_N2.html):

Limitations on the Cisco Nexus 5010 and Cisco Nexus 5020

"The limitations on the Cisco Nexus 5010 switch and the Cisco Nexus 5020 switch are as follows:
- Traffic going out the Ethernet SPAN destination is always tagged. The SPAN destination can be in the access or trunk mode and frames on the SPAN source port can be tagged or untagged. Frames are always tagged internally as they travel through the system. Information about whether the frame was originally tagged or untagged, as it appeared in the SPAN source, is not preserved in the SPAN destination. The spanned traffic exiting the SPAN destination port always has the VLAN tag on it. The correct VLAN tag is applied on the frame as it goes out the SPAN destination. The only exception is if frames ingress on a SPAN source port on an invalid VLAN; in this case, VLAN 0 is applied on a spanned frame.
- Spanned FCoE frames do not preserve original SMAC and DMAC fields. The Ethernet header gets modified as the frame is spanned to the destination. The modified header fields are displayed when monitored on the SPAN destination.
- The CoS value in spanned FCoE frames on the Ethernet SPAN destination port does not match with the CoS value in the SPAN FCoE source frame. The CoS value on the captured SPAN FCoE frame should be ignored."

Reference:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/release/notes/Rel_5_0_3_N1_1/Nexus5000_Release_Notes_5_0_3_N1_tc.html#wp172330
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/Span.html#wp1167251
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/troubleshooting/guide/n5k_ts_oview.html#wp1026252
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/operations/n5k_vpc_ops.html#wp424989

Posted 21st January 2013 by Ming Tang
Labels: capture, cco doc extract, cisco, datacentre, n5k, nexus, span, troubleshooting, vpc

Comments

Keith Clarke, March 4, 2014 at 1:33 PM
Very useful, thanks

Ming Tang, March 12, 2014 at 7:33 PM
thanks Keith! :-)

Fernando Cardoso, April 2, 2014 at 5:37 AM
Many thanks Ming Tang :-)

Ming Tang, August 15, 2014 at 7:47 PM
thanks for taking your time to comment, Fernando :)

Anonymous, February 14, 2015 at 5:02 PM
Thank you for creating this.
