This document provides some extra documentation and use cases on the use of port spanning or port mirroring.
You can monitor traffic passing in & out of a set of L2 or L3 Ethernet interfaces (including bundle-Ether).
ASR 9000 is the only platform implementing SPAN on XR (Only support on ethernet linecards, not on SIP-700.)
You can use SPAN/Mirror in the follow scenarios
- L2 & L3 interfaces. - Local, R-SPAN, and PW-SPAN only (no ER SPAN.) - Scale limits: 8 monitor sessions 800 total source ports 1.5 Gig bidirectional replication limit toward fabric for bundle interfaces and 10 Gig ports. Guideline: ~ 10% - 15% total bandwidth can be mirrored system-wide - Source ports: Physical, EFPs, and bundles interfaces (L2 & L3) - Destination ports: Ethernet interfaces, EFPs, and PW-SPAN. (No bundle) [ only L2 transport interfaces are supported as destination ports]
- Ability to use ACL's to define which traffic is to be captured
- Capture multicast traffic is possible
Note: some of the functionality mentioned are enhancements to the XR 4.0.1 release, this document assumes you are using this release or later.
A good reference on the terminology of SPAN/Mirror can be found here:
SPAN mirrors what is on the wire For ingress, this means packets are mirrored before QOS, ACL, and encapsulation rewrite operations. For egress, this means packets are mirrored after QOS, ACL, and encapsulation rewrite operations.
Partial Packet Mirroring
User can configure to mirror first 64 upto 256 bytes of the packet. Note: The actual mirrored packet will be the configured size plus 4-byte trailling CRC.
Note: The mirrored packet received at sniffer will have the size of 104 (4-byte of trailing CRC added by transmit MAC layer.)
ACL based Mirroring
“permit/deny” determines the behavior of the regular traffic (forwarded or dropped) “capture” determines whether the packet is mirrored to the SPAN destination.
On SPAN: mirror traffic on the wire (regardless with or without ACL.)
ACL on ingress direction: SPAN will mirror traffic even regular traffic dropped by ACL: Always mirror! ACL on egress direction Will mirror if regular traffic is forwarded (Permit) Will not mirror if regular traffic is dropped (Deny.)
Inconsistent configurations: “acl” is configured on SPAN source port but ACL has no “capture” keyword: No traffic gets mirrored. “acl” is NOT configured on SPAN source port but ACL has “capture” keyword: Mirroring traffic as normal, no ACL performed.
The ACL can also be an L2 ACL :
ethernet-services access-list esacl_t2 10 deny 1234.5678.90ab 0000.0000.0000 any capture
L3 Spanning Example
monitor-session TEST destination interface GigabitEthernet0/1/0/2 (<<<< this is NP3) ! interface GigabitEthernet0/1/0/14 (<<<< this is NP2) ipv4 address 184.108.40.206 255.255.255.0 monitor-session TEST acl ! load-interval 30 ipv4 access-group span ingress ! ipv4 access-list span 10 permit ipv4 any host 220.127.116.11 capture 15 permit ipv4 any host 18.104.22.168 capture 20 permit ipv4 any host 22.214.171.124 30 permit ipv4 any any
Sample TRAFFIC GEN: (sending multicast in this example) tgn rate 1000 L2-dest-addr 0100.5E01.0101 L2-src-addr 0003.A0FD.28A8 L3-src-addr 126.96.36.199 L3-dest-addr 188.8.131.52
Checking NP2: (the port that we are spanning) Show global stats counters for NP2, revision v3
Read 12 non-zero NP counters: Offset Counter FrameValue Rate (pps) ------------------------------------------------------------------------------- 22 PARSE_ENET_RECEIVE_CNT 5478 1001 31 PARSE_INGRESS_DROP_CNT 3 1 33 RESOLVE_INGRESS_DROP_CNT 5474 1000 (there is no mcast recipient for this mcast addr, but we’re still replicating, see red line) 40 PARSE_INGRESS_PUNT_CNT 1 0 50 MODIFY_RX_SPAN_CNT 5475 1000 54 MODIFY_FRAMES_PADDED_CNT 5475 1000 68 RESOLVE_INGRESS_L3_PUNT_CNT 1 0 104 LOOP 1 0 224 PUNT_STATISTICS 9 2 480 RESOLVE_IPM4_ING_RTE_DROP_CNT 5475 1000 565 UIDB_TCAM_MISS_AGG_DROP 3 1 570 UIDB_TCAM_MISS_PORT4_DROP_FOR_HOST 3 0
NP3 is the span monitor interface: Show global stats counters for NP3, revision v3
Packets received from fabric and sent off to the Ethernet on the span port!
PW SPAN example
For PW span to work, you need to define a local monitor session with a destination pseudo wire. You apply that span session to the interface of interest and define an xconnect group that also leverages that span session as one of the pw ends.
On the remote side where the PW terminates, you just configure regular VPWS.
Here an example:
On the Local Side, besides my Span configuration, there is also a local cross connect between the interested session we want to span over the PW
xconnect group TEST p2p TEST interface GigabitEthernet0/1/0/39
! port 39 is the port where we apply the span on. interface GigabitEthernet0/1/0/20.100 ! this is just a random AC to have traffic flowing between the spanned port. !
interface GigabitEthernet0/1/0/20.100 l2transport encapsulation dot1q 100 rewrite ingress tag pop 1 symmetric ! the tag is popped because the other XCON end is a plain ethernet without vlan. The explanation and use cases of tag popping can be found a related
! Tech note article.
Configuration on the remote side:
Regular VPWS configuration:
RP/0/RSP0/CPU0:A9K-TOP#sh run l2vpn l2vpn xconnect group PW-SPAN p2p PW-SPAN_1 interface GigabitEthernet0/0/0/39 neighbor 184.108.40.206 pw-id 1 ! ! ! interface GigabitEthernet0/0/0/39 load-interval 30 transceiver permit pid all l2transport ! !
the neighbor in the l2vpn configuration is the LDP neighbor ID between which the PW is built.
Show on remote side: RP/0/RSP0/CPU0:A9K-TOP#show l2vpn xcon group PW-SPAN det
Group PW-SPAN, XC PW-SPAN_1, state is up; Interworking none AC: GigabitEthernet0/0/0/39, state is up Type Ethernet MTU 1500; XC ID 0x4000a; interworking none Statistics: packets: received 0, sent 16570475 bytes: received 0, sent 994228500
! packets received from the PW are sent out hte Attachment circuit's interface. The analyzer is connected to G0/0/0/39 PW: neighbor 220.127.116.11, PW ID 1000, state is up ( established ) PW class not set, XC ID 0x4000a Encapsulation MPLS, protocol LDP PW type Ethernet, control word disabled, interworking none PW backup disable delay 0 sec Sequencing not set
MPLS Local Remote ------------ ------------------------------ ----------------------------- Label 16002 16027 Group ID 0xa40 0x2 Interface GigabitEthernet0/0/0/39 PW/TM/MS MTU 1500 1500 Control word disabled disabled PW type Ethernet Ethernet VCCV CV type 0x2 0x2 (LSP ping verification) (LSP ping verification) VCCV CC type 0x6 0x6 (router alert label) (router alert label) (TTL expiry) (TTL expiry) ------------ ------------------------------ ----------------------------- MIB cpwVcIndex: 4294705162 Create time: 04/04/2011 14:36:42 (00:20:07 ago) Last time status changed: 04/04/2011 14:36:42 (00:20:07 ago) Statistics: packets: received 16570475, sent 0 bytes: received 994228500, sent 0
! Packets received on the Pseudo Wire from the SPAN port
NOTE: Pseudo Wire counters on the span side are not incrementing.That is the XCON group "cisco" in this picture config example.
This is intentional. You can review the SPANNING also with this command: