Port Mirroring (SPAN)
Port mirroring, also known as Switched Port Analyzer (SPAN), sends copies of packets
that enter or exit one port to another physical port or LAG interface, where the
packets can be analyzed.
The analyzer is locally connected to the SPAN destination interface of the SLX device. Unlike a
hub, which broadcasts any incoming traffic to all ports, the SLX device forwards traffic
only to the ports for its destination. If you want to snoop on the traffic that passes through
a specific port, use port mirroring to copy the packets to a port connected to the analyzer.
You use the monitor session command to enable a SPAN session. With this command, you
can set the packet source, the packet destination, and the packet direction (egress,
ingress, or both).
General considerations
- Do not configure SPAN destination ports to carry normal traffic.
- Configure only physical interfaces as SPAN sources. For SPAN destinations, you can
configure physical interfaces, LAG, or port-channels with manual trunks (with no
protocols).
- The maximum number of supported SPAN sessions is 512 per device.
- The standard limitations of forwarding apply to port mirroring when the SPAN
source and destination interfaces have different speeds. For example, when
traffic is mirrored from a 40G port to a 10G port, the 10G port drops traffic
that exceeds the 10G rate.
- In one monitor session configuration, you can
have only one SPAN source and only one SPAN destination. However, you can share
the same destination port in another session with different source ports. In
other words, you can use the same port as a SPAN destination in another SPAN
session, which lets you have more SPAN sessions without consuming more SPAN
hardware resources.
SLX 9150 and SLX 9250 considerations
- The devices support four hardware SPAN sessions.
- One unique SPAN destination in the session configuration consumes
one hardware SPAN session.
- Two hardware SPAN sessions are reserved for ACL logging and
flow-based SPAN sessions.
- Therefore, you can configure two different
destinations for port mirroring. If you try to configure mirror
sessions with more than two different destination ports, the
configuration fails and generates a RASLog message. You have to
manually remove the failed configuration.
- The application telemetry feature consumes
one hardware SPAN session. If you configure application telemetry,
you can configure only one monitor session with a unique destination
or multiple monitor sessions that share the same SPAN
destination.
- CPU-generated frames that do not enter the
ingress pipeline of the ASIC cannot be mirrored by an egress SPAN session
(an egress SPAN session is enabled on the interface from which the
CPU-generated frame egresses). Egress SPAN occurs primarily in the ingress
pipeline at the Memory Management Unit (MMU) stage of the ASIC pipeline. For
example, a ping that is generated from the device and egresses on a physical
Layer 3-routed port does not enter the ingress pipeline. The ping cannot be
mirrored by an egress SPAN session.
- The platforms do not support true egress
mirroring. If incoming packets are modified and sent to egress ports, some
fields, such as VLAN and TTL, in the mirrored captured frames are not
identical to the egress frame.
- Because egress SPAN occurs primarily at the
MMU stage (which is the last stage of the ingress pipeline of the ASIC),
the mirrored copy is the same as the packet content seen at this stage. Any VLAN
modifications that occurred before this stage are reflected in the mirrored
copy. However, the original packet can be modified further along the
egress pipeline, and those modifications are not reflected in the mirrored
copy.
- Because egress SPAN occurs in the ingress
pipeline, the mirroring engine may replicate the egress packets even though
the original egress packets could be dropped at a later stage. This
replication has various causes, such as the source suppression of unknown
unicast and broadcast traffic. Source suppression drops unknown traffic before
it is transmitted out of the ingress port. However, the replication engine
replicates the traffic when the same ingress port is configured as a SPAN
source with an egress direction. Therefore, there may not be actual egress
frames on the SPAN source interface.
SLX 9540 and SLX 9640 considerations
- The devices support 15 hardware SPAN
sessions.
- One unique SPAN destination in the monitor
session configuration consumes one hardware SPAN session.
- Twelve sessions are reserved for VxLAN
visibility features, snooping applications, and flow-based SPAN sessions.
- Therefore, you can configure three different
destinations for port mirroring. If you try to configure mirror sessions with
more than three different destination ports, the configuration fails and
generates a RASLog message. You have to manually remove the failed
configuration.
- The application telemetry feature consumes
one hardware SPAN session. If you configure application telemetry, you can
configure only two monitor sessions, each with a unique destination, or multiple
monitor sessions that share one of the SPAN destinations.
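
The hardware session budget from the two platform sections above can be checked against a mirroring plan before anything is configured, which avoids a failed configuration that has to be removed by hand. The following Python is an added example, not Extreme code and not SLX-OS syntax; the Session record, the finding codes, and the interface labels are assumptions made for illustration, while the numeric limits are the ones stated on this page.

```python
from dataclasses import dataclass

# (total hardware SPAN sessions, sessions reserved for other features), per this page
PLATFORM_BUDGET = {"SLX 9150": (4, 2), "SLX 9250": (4, 2),
                   "SLX 9540": (15, 12), "SLX 9640": (15, 12)}
MAX_SESSIONS_PER_DEVICE = 512

@dataclass(frozen=True)
class Session:            # hypothetical planning record, not SLX-OS syntax
    source: str           # physical interface (only physical ports can be sources)
    destination: str      # physical interface or LAG
    direction: str        # "ingress", "egress" or "both"
    source_gbps: int
    dest_gbps: int

def usable_destinations(platform, app_telemetry=False):
    """Unique SPAN destinations left for port mirroring on this platform."""
    total, reserved = PLATFORM_BUDGET[platform]
    return total - reserved - (1 if app_telemetry else 0)

def check_plan(platform, sessions, app_telemetry=False):
    """Return (code, detail) findings; an empty list means the plan fits."""
    findings = []
    if len(sessions) > MAX_SESSIONS_PER_DEVICE:
        findings.append(("TOO_MANY_SESSIONS", str(len(sessions))))
    # Sessions that share a destination share one hardware SPAN session.
    unique = list(dict.fromkeys(s.destination for s in sessions))
    limit = usable_destinations(platform, app_telemetry)
    for dest in unique[limit:]:
        findings.append(("NO_HW_SESSION", dest))
    for s in sessions:
        if s.direction not in ("ingress", "egress", "both"):
            findings.append(("BAD_DIRECTION", s.source))
        if s.source_gbps > s.dest_gbps:
            # The destination drops what exceeds its rate: a gap in the capture.
            findings.append(("MIRROR_OVERSUBSCRIBED", f"{s.source}->{s.destination}"))
    return findings

# Constructed plan: three sources, two destinations, one 40G-to-10G mirror.
PLAN = [
    Session("eth0/1", "eth0/10", "both", 10, 10),
    Session("eth0/2", "eth0/10", "ingress", 10, 10),
    Session("eth0/3", "eth0/11", "egress", 40, 10),
]

if __name__ == "__main__":
    for platform in PLATFORM_BUDGET:
        print(platform, check_plan(platform, PLAN, app_telemetry=True))
```

A MIRROR_OVERSUBSCRIBED finding matters for monitoring: packets dropped at the slower destination never reach the analyzer, so the capture is incomplete without any error on the source port.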