SPAN (Switched Port Analyzer)
Types of SPAN
Local SPAN
Support: Supported by Cisco.
Functionality:
Traffic is mirrored to an interface on the same leaf as the source of the SPAN.
Both the source and destination are on a single leaf switch.
Usage Note:
Only Access SPANs can be set up as local SPANs.
Remote SPAN (RSPAN)
Support: Not supported by Cisco.
Encapsulated Remote SPAN (ERSPAN)
Support: Supported by Cisco.
Functionality:
The destination IP must be learned as an endpoint within the fabric.
The destination IP can reside in the same or a different VRF, meaning it can be located anywhere in the fabric.
1. Fabric Policy
When to Configure:
You configure SPAN in the fabric policy when you want to monitor traffic across the entire ACI fabric. This includes traffic flowing between leaf and spine switches or fabric ports.
This is typically used when you're interested in capturing traffic traversing the internal fabric links for troubleshooting, diagnostics, or observing traffic between ACI nodes.
Use Case:
Monitoring inter-leaf or leaf-to-spine traffic.
Gathering traffic data that is not specific to any particular tenant or endpoint.
2. Access Policy
When to Configure:
SPAN is configured in the access policy when you want to monitor traffic entering or exiting specific physical ports, such as leaf ports connected to endpoints (servers, routers, firewalls, etc.).
This is useful for capturing endpoint traffic (traffic ingress/egress on an interface), but not necessarily tied to any specific tenant or EPG (Endpoint Group).
Use Case:
You want to monitor traffic on a specific access port (e.g., a port connected to a server or another network device).
This is common for scenarios like troubleshooting specific physical connections or mirroring traffic for IDS/IPS systems.
3. Tenant (EPG) Policy
When to Configure:
Configure SPAN in a tenant's policy when you need to monitor traffic specific to that tenant's EPGs (Endpoint Groups). This allows you to capture traffic within the context of a tenant, such as traffic between EPGs or from an EPG to an external device.
SPAN at the tenant level is useful for isolating traffic for specific applications or services tied to that tenant.
Use Case:
Monitoring inter-EPG traffic or traffic associated with particular applications that are defined within the tenant.
You want to observe traffic for compliance or security monitoring within a specific tenant.
Summary of When to Configure SPAN:
Fabric Policy: When monitoring traffic across the fabric (e.g., between leaves or spines).
Access Policy: When monitoring traffic entering or leaving specific physical ports on a leaf switch (e.g., server connections).
Tenant Policy: When monitoring traffic within a specific tenant’s EPGs (e.g., application-specific or tenant-isolated monitoring).
Types of SPAN in Cisco ACI
Fabric SPAN
Purpose: Captures packets from interfaces between Leaf and Spine switches.
Support: Supports ERSPAN.
Access SPAN
Purpose: Captures packets from interfaces between Leaf switches and external devices.
Support: Supports both Local SPAN and ERSPAN.
Tenant SPAN
Purpose: Captures packets from Endpoint Groups (EPGs) on ACI Leaf switches.
Support: Supports ERSPAN.
1. Let’s configure Local SPAN for both Source & Destination
Create a Destination Group named “Local_Span_Destination”. Let the Packet Sniffer Server be on Leaf 101 port 1.
Create a Source Group named “Local_Span_Source”. Let the Source be on Leaf 101 port 2.
Attach the Destination SPAN group to the Source group.
2. Destination is local & Source is EPG
3. Source & Destination can both be EPGs
Note: In the Destination EPG we need to define the source & destination IP addresses.
Fabric SPAN
Fabric → Fabric Policies → Policies → Troubleshooting → SPAN → Destination GRP
The Destination Group can be an EPG only.
The Source can optionally be bound to traffic from a VRF or BD instead of all traffic.
Note: The interfaces of Spine switches connected to Leaf switches are in the range 49-52.
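The support rules under "Types of SPAN in Cisco ACI", the same-leaf requirement for Local SPAN, and the EPG-destination note above can be checked against a planned set of sessions before anything is configured. The following is an added example, not Cisco or APIC code: the SpanSession record, its field names, and the sample plan are hypothetical, and the sample IP is a constructed documentation address.

```python
from dataclasses import dataclass
from typing import Optional

# Support matrix as stated on this page: SPAN type -> destination kinds it supports.
SUPPORTED = {"fabric": {"erspan"}, "access": {"local", "erspan"}, "tenant": {"erspan"}}

@dataclass
class SpanSession:               # hypothetical planning record, not an APIC object
    name: str
    span_type: str               # "fabric", "access" or "tenant"
    dest_kind: str               # "local" (leaf port) or "erspan" (EPG destination)
    source_leaf: Optional[int] = None
    dest_leaf: Optional[int] = None
    erspan_src_ip: Optional[str] = None
    erspan_dst_ip: Optional[str] = None

def validate(s: SpanSession) -> list:
    """Return the rules from this page that the planned session breaks."""
    allowed = SUPPORTED.get(s.span_type)
    if allowed is None:
        return [f"unknown SPAN type {s.span_type!r}"]
    errors = []
    if s.dest_kind not in allowed:
        errors.append(f"{s.span_type} SPAN does not support a {s.dest_kind} destination")
    if s.dest_kind == "local":
        # Local SPAN: source and destination must sit on a single leaf switch.
        if s.source_leaf is None or s.dest_leaf is None:
            errors.append("local SPAN needs both source and destination leaf")
        elif s.source_leaf != s.dest_leaf:
            errors.append(f"local SPAN source leaf {s.source_leaf} and "
                          f"destination leaf {s.dest_leaf} differ")
    elif s.dest_kind == "erspan":
        # EPG destination: both the source and destination IP must be defined.
        if not (s.erspan_src_ip and s.erspan_dst_ip):
            errors.append("EPG destination needs source and destination IP")
    return errors

def audit(plan):
    """Map each session name to its violations; an empty list means it fits the rules."""
    return {s.name: validate(s) for s in plan}

# Constructed plan: the first entry is the Leaf 101 walkthrough, the rest are deliberate mistakes.
PLAN = [
    SpanSession("Local_Span_Source", "access", "local", source_leaf=101, dest_leaf=101),
    SpanSession("fabric_to_port", "fabric", "local", source_leaf=101, dest_leaf=101),
    SpanSession("cross_leaf", "access", "local", source_leaf=102, dest_leaf=101),
    SpanSession("tenant_no_ip", "tenant", "erspan", erspan_dst_ip="192.0.2.10"),
]

if __name__ == "__main__":
    for name, errs in audit(PLAN).items():
        print(name, "OK" if not errs else errs)
```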