Cisco NX-OS/IOS SPAN Comparison
From DocWiki
Objective
This tech note outlines the main differences in the Switched Port Analyzer (SPAN) between Cisco® NX-OS Software and Cisco IOS® Software. Sample configurations are included for Cisco NX-OS and Cisco IOS Software for some common features to demonstrate the similarities and differences. Please refer to the NX-OS documentation on Cisco.com for a complete list of supported features.
SPAN Overview
The SPAN feature allows traffic to be mirrored from within a switch from a specified source to a specified destination. This feature is typically used when detailed packet information is required for troubleshooting, traffic analysis, and security-threat prevention.
Important Cisco NX-OS and Cisco IOS Software Differences
In Cisco NX-OS:
- Local SPAN and Encapsulated Remote SPAN (ERSPAN) are supported.
- Remote SPAN (RSPAN) VLANs can be configured only as SPAN sources.
- 48 monitor sessions can be configured. Only 2 SPAN sessions (local SPAN or ERSPAN source) can be active simultaneously, while 23 ERSPAN destination sessions can be active simultaneously.
- Cisco NX-OS uses a hierarchical configuration based on the monitor session <#> command, whereas Cisco IOS Software release 12.2SXH and later offers a choice between a flat and a hierarchical configuration.
- A single SPAN session can include mixed sources (Ethernet ports, Ethernet Port-Channels, RSPAN sources, VLANs, and the CPU control-plane interface).
- Destination SPAN interfaces must be configured as a layer-2 interface with the switchport and the switchport monitor interface commands.
- The SPAN feature supports stateless and stateful process restarts.
Things You Should Know
The following list provides some additional facts about Cisco NX-OS that should be helpful when configuring the SPAN feature.
- Two active sessions are supported for all virtual device contexts (VDCs).
- 128 source interfaces can be configured per session.
- 32 source VLANs can be configured per session.
- 32 destination interfaces can be configured per session.
- Monitor sessions are disabled by default. They can be enabled with the no shut command.
- An active SPAN session uses hardware resources and should always be disabled with the shut command when monitoring is not required.
- The supervisor module management interface (mgmt0) cannot be configured as a SPAN source or destination interface.
- An interface cannot be configured as both a source and destination interface.
- Ethernet and Port-Channel sub-interfaces cannot be configured as source or destination interfaces. When configuring a source interface, specify the primary interface as the source interface and use the filter-vlan command to specify the 802.1q tag associated with the sub-interface.
- The in-band control-plane interface to the CPU can be monitored only from the default VDC. (All traffic to and from the CPU for all VDCs is visible.)
- The source traffic direction can be configured as rx, tx, or both. The default is both.
- When a VLAN is specified as a source, traffic to and from the layer-2 physical interfaces associated with the specified VLAN is sent to the SPAN destination. (Ingress and egress traffic between SVIs/VLANs is not captured if the traffic does not go in or out a physical interface.)
- By default, SPAN does not copy the IEEE 802.1q tag from trunk source interfaces.
- A destination interface can be configured in switchport access or switchport trunk mode. (Trunk mode allows you to tag traffic toward a destination or to perform destination VLAN filtering.)
- A destination interface does not participate in a spanning-tree instance.
- A destination interface can be configured with the switchport monitor ingress interface command to allow the destination device (for example, an IDS) to disrupt packet flows.
- A destination port can be configured in only one SPAN session at a time.
- ERSPAN is VRF aware. The vrf command can be configured under the monitor session to specify which VRF instance the source and destination addresses belong to.
- ERSPAN uses the erspan-id <#> monitor session command to associate the source and destination ERSPAN monitor sessions.
- An ERSPAN source can be configured with an extended ACL to preserve bandwidth by filtering unwanted traffic prior to sending the interesting traffic to the remote destination.
Configuration Comparison
The following sample code shows the configuration similarities and differences between the Cisco NX-OS and Cisco IOS Software command-line interfaces (CLIs). The Cisco IOS Software syntax shown here is from Cisco IOS Software release 12.2SXH, so its hierarchy is similar to that of Cisco NX-OS Software. Older versions of Cisco IOS Software only support a flat configuration.
| Feature | Cisco IOS CLI | Cisco NX-OS CLI |
|---|---|---|
| Configuring the Destination Switchport Mode | Cisco IOS Software does not require any destination port configuration. | interface ethernet 2/2<br>switchport<br>switchport monitor |
| Configuring Destination Port Ingress Forwarding and Learning | monitor session 1 type local<br>destination interface gigabitethernet 2/2 ingress learning | interface ethernet 2/2<br>switchport<br>switchport monitor ingress learning |
| Configuring a SPAN Monitor (Ethernet Source and Destination) | monitor session 1 type local<br>source interface gigabitethernet 2/1<br>destination interface gigabitethernet 2/2<br>no shutdown | monitor session 1<br>source interface ethernet 2/1 both<br>destination interface ethernet 2/2<br>no shut |
| Configuring a SPAN Monitor (VLAN Source) | monitor session 1 type local<br>source vlan 10 , 20 both<br>destination interface gigabitethernet 2/2<br>no shutdown | monitor session 1<br>source vlan 10,20 both<br>destination interface ethernet 2/2<br>no shut |
| Filtering VLANs for IEEE 802.1q Trunk Sources | interface gigabitethernet 2/1<br>switchport<br>switchport trunk encapsulation dot1q<br>switchport trunk allowed vlan 10-20<br>switchport mode trunk<br>monitor session 1 type local<br>filter vlan 15 - 20<br>source interface gigabitethernet 2/1<br>destination interface gigabitethernet 2/2<br>no shutdown | interface ethernet 2/1<br>switchport<br>switchport mode trunk<br>switchport trunk allowed vlan 10-20<br>monitor session 1<br>source interface ethernet 2/1 both<br>destination interface ethernet 2/2<br>filter vlan 15-20<br>no shut |
| Configuring a SPAN Monitor (CPU Source) | monitor session 1 type local<br>source cpu rp rx<br>destination interface gigabitethernet 2/2<br>no shutdown | monitor session 1<br>source interface sup-eth0 rx<br>destination interface ethernet 2/2<br>no shut |
| Configuring an ERSPAN Monitor (Source) | monitor session 1 type erspan-source<br>source interface gigabitethernet 2/2<br>destination<br>ip address 192.168.2.1<br>origin ip address 192.168.1.1<br>erspan-id 1<br>no shutdown | monitor erspan origin ip-address 192.168.1.1 global<br>monitor session 1 type erspan-source<br>destination ip 192.168.2.1<br>erspan-id 1<br>vrf default<br>source interface ethernet 1/26 both<br>no shut |
| Configuring an ERSPAN Monitor (Destination) | monitor session 1 type erspan-destination<br>destination interface gigabitethernet 1/26<br>source<br>ip address 192.168.2.1<br>erspan-id 1<br>no shutdown | interface ethernet 1/26<br>switchport<br>switchport monitor<br>monitor session 1 type erspan-destination<br>source ip 192.168.2.1<br>destination interface ethernet 1/26<br>erspan-id 1<br>vrf default<br>no shut |
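Several of the Cisco NX-OS rules listed under Things You Should Know (mgmt0 is never a SPAN port, an interface cannot be both source and destination, a destination port belongs to one session, only two SPAN/ERSPAN-source sessions are active, and an ingress-enabled destination lets the attached device send traffic into the switch) can be checked mechanically against a running-config. The following added example, which is not from this page or from Cisco, audits a constructed NX-OS config excerpt using the stanza layout shown above (an unindented header line followed by indented body lines); the session and interface names in the sample are made up.

```python
import re
from collections import defaultdict
# Constructed NX-OS running-config excerpt used as sample input (not from the page).
SAMPLE_CONFIG = """\
interface ethernet 2/2
  switchport
  switchport monitor ingress learning
monitor session 1
  source interface ethernet 2/1 both
  source interface mgmt0 rx
  destination interface ethernet 2/2
  no shut
monitor session 2
  source interface ethernet 2/2 rx
  destination interface ethernet 2/2
  no shut
"""
# Matches 'source interface ethernet 2/1 both' or 'destination interface mgmt0'.
IFACE_RE = re.compile(r"^(source|destination) interface (\S+(?: \d+/\d+)?)")
def audit_span(text, max_active=2):
    """Check a config against the NX-OS SPAN rules listed on this page; return findings."""
    findings, ingress, active, dest_users = [], set(), [], defaultdict(list)
    # Each unindented line starts a stanza; its indented lines are the body.
    for stanza in re.split(r"\n(?=\S)", text.strip()):
        header, *body = [l.strip() for l in stanza.splitlines()]
        if header.startswith("interface ") and any(
                l.startswith("switchport monitor ingress") for l in body):
            ingress.add(header.split(None, 1)[1])
        sess = re.match(r"monitor session (\d+)", header)
        if not sess:
            continue
        sid, roles = int(sess.group(1)), defaultdict(set)
        for hit in filter(None, map(IFACE_RE.match, body)):
            roles[hit.group(1)].add(hit.group(2))
        if "mgmt0" in roles["source"] | roles["destination"]:
            findings.append(f"session {sid}: mgmt0 cannot be a SPAN source or destination")
        for p in roles["source"] & roles["destination"]:
            findings.append(f"session {sid}: {p} is both source and destination")
        for p in roles["destination"]:
            dest_users[p].append(sid)
        if "no shut" in body and "erspan-destination" not in header:  # sessions are shut by default
            active.append(sid)
    for p, sids in dest_users.items():
        if len(sids) > 1:
            findings.append(f"destination {p} is configured in sessions {sids}")
        if p in ingress:
            findings.append(f"destination {p} forwards ingress traffic; the attached analyzer can inject frames")
    if len(active) > max_active:
        findings.append(f"{len(active)} SPAN/ERSPAN-source sessions are active; only {max_active} can be")
    return findings
```

Running audit_span(SAMPLE_CONFIG) reports four findings for the sample; a config with only `monitor session` stanzas that follow the rules returns an empty list.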
Verification Command Comparison
The following table compares some useful show commands for verifying and troubleshooting the SPAN feature.
| Cisco NX-OS SPAN | Cisco IOS Software SPAN | Command Description |
|---|---|---|
| show interface | show interface | Displays interface status and characteristics |
| show monitor session <#> | show monitor session <#> | Displays a specific monitor session |
| show monitor session <#> brief | - | Displays brief information for a specific monitor session |
| show monitor session all | show monitor session all | Displays all SPAN and monitor sessions |
| show monitor session all brief | - | Displays brief information for all monitor sessions |
| show monitor range <#-#> | show monitor range <#-#> | Displays a range of specific monitor sessions |
| show monitor range <#-#> brief | - | Displays brief information for a range of specific monitor sessions |