top of page
Writer's pictureMukesh Chanderia

ACI SPAN

Updated: Oct 24

SPAN (Switched Port Analyzer)


Types of SPAN

  1. Local SPAN

    • Support: Supported by Cisco.

    • Functionality:

      • Traffic is mirrored to an interface on the same leaf as the source of the SPAN.

      • Both the source and destination are on a single leaf switch.

    • Usage Note:

      • Only Access SPANs can be set up as local SPANs.

  2. Remote SPAN (RSPAN)

    • Support: Not supported by Cisco.

  3. Encapsulated Remote SPAN (ERSPAN)

    • Support: Supported by Cisco.

    • Functionality:

      • The destination IP must be learned as an endpoint within the fabric.

      • The destination IP can reside in the same or a different VRF, meaning it can be located anywhere in the fabric.


     Fabric Policy


    • When to Configure:

      • You configure SPAN in the fabric policy when you want to monitor traffic across the entire ACI fabric. This includes traffic flowing between leaf and spine switches or fabric ports.

      • This is typically used when you're interested in capturing traffic traversing the internal fabric links, either for troubleshooting, diagnostics, or observing traffic between ACI nodes.

    • Use Case:

      • Monitoring inter-leaf or leaf-to-spine traffic.

      • Gathering traffic data that is not specific to any particular tenant or endpoint.


    2. Access Policy


    • When to Configure:

      • SPAN is configured in the access policy when you want to monitor traffic entering or exiting specific physical ports, such as leaf ports connected to endpoints (servers, routers, firewalls, etc.).

      • This is useful for capturing endpoint traffic (traffic ingress/egress on an interface), but not necessarily tied to any specific tenant or EPG (Endpoint Group).

    • Use Case:

      • You want to monitor traffic on a specific access port (e.g., a port connected to a server or another network device).

      • This is common for scenarios like troubleshooting specific physical connections or mirroring traffic for IDS/IPS systems.


    3. Tenant (EPG) Policy


    • When to Configure:

      • SPAN configured in a tenant's policy is when you need to monitor traffic specific to a tenant's EPGs (Endpoint Groups). This allows you to capture traffic within the context of a tenant, such as traffic between EPGs or from an EPG to an external device.

      • SPAN at the tenant level is useful for isolating traffic for specific applications or services tied to that tenant.

    • Use Case:

      • Monitoring inter-EPG traffic or traffic associated with particular applications that are defined within the tenant.

      • You want to observe traffic for compliance or security monitoring within a specific tenant.


    Summary of When to Configure SPAN:

    • Fabric Policy: When monitoring traffic across the fabric (e.g., between leaves or spines).

    • Access Policy: When monitoring traffic entering or leaving specific physical ports on a leaf switch (e.g., server connections).

    • Tenant Policy: When monitoring traffic within a specific tenant’s EPGs (e.g., application-specific or tenant-isolated monitoring).



Types of SPAN in Cisco ACI

  1. Fabric SPAN

    • Purpose: Captures packets from interfaces between Leaf and Spine switches.

    • Support: Supports ERSPAN.

  2. Access SPAN

    • Purpose: Captures packets from interfaces between Leaf switches and external devices.

    • Support: Supports both Local SPAN and ERSPAN.

  3. Tenant SPAN

    • Purpose: Captures packets from Endpoint Groups (EPGs) on ACI Leaf switches.

    • Support: Supports ERSPAN.




  1. Let’s configure Local Span for both Source & Destination

Create a Destination Group name “Local_Span_Destination”... Let the Packet Sniffer Server be on Leaf 101 port 1.




Create a Source Group name “Local_Span_Source”... Let the Source be on Leaf 101 port 2.


Attach Destination SPAN group to Source group.





2. Destination is local & Source is EPG



3. Source & Destination both could be EPG



Note : In Destination EPG we need to define source & destination ip address.



Fabric SPAN



Fabric → Fabric Policies → Policies → Troubleshooting → SPAN → Destination GRP



Destination Group can be EPG only





Source can be optionally binded with traffic from VRF or BD instead of all traffic



Note : Interface of Spine switches connected to leaf are from range 49-52.

54 views0 comments

Recent Posts

See All

Comments


bottom of page