03-19-2022 08:20 AM
Hi experts, I have C93180YC-FX running NXOS 9.2(2). Here is my SPAN config. I am not receiving anything. I have a Ubuntu box doing the capture with tcpdump. It only has 1G port on the server so I have to do filtering to limit the amount of traffic being SPAN'ed.
interface Ethernet1/18
  switchport
  switchport mode trunk
  switchport monitor
  no snmp trap link-status
  no shutdown
!
ip access-list nmsprd010
  10 permit ip 10.9.58.90/32 52.112.0.0/14
  20 permit ip 52.112.0.0/14 10.9.58.90/32
!
monitor session 3
  filter access-group nmsprd010
  source interface port-channel29 rx
  source interface Ethernet1/22 rx
  destination interface Ethernet1/18
  no shut
Once I remove the filter, I would see packets pouring in.
I read in the Nexus 9K guide that "An access-group filter in a SPAN session must be configured as vlan-accessmap". What does it mean? It sounds vague to me... Does it mean that I have to use VLAN as the source? Anyway, I tried but still got no packets. I would see packets as soon as I remove the filter..
monitor session 3
  filter access-group nmsprd010
  source vlan 1023 rx
  destination interface Ethernet1/18
  no shut
I never SPAN'ed a VLAN before. Does it require the switch to have a VLAN interface to SPAN on the Layer 3 level? My switch is layer 2. Can it SPAN on all Layer 2 ports in this VLAN 1023?
Thanks!
Difan
03-20-2022 12:24 AM - edited 03-20-2022 12:25 AM
Hi @Difan_Zhao
"vlan-accessmap" is what the name suggests - a VLAN ACL, or, looking at the command, a "vlan access-map".
In the SPAN configuration guide, there is an example how to configure ACLs with SPAN:
switch# configure terminal
switch(config)# ip access-list match_11_pkts
switch(config-acl)# permit ip 11.0.0.0 0.255.255.255 any
switch(config-acl)# exit
switch(config)# ip access-list match_12_pkts
switch(config-acl)# permit ip 12.0.0.0 0.255.255.255 any
switch(config-acl)# exit
switch(config)# vlan access-map span_filter 5
switch(config-access-map)# match ip address match_11_pkts
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan access-map span_filter 10
switch(config-access-map)# match ip address match_12_pkts
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# monitor session 1
switch(config-erspan-src)# filter access_group span_filter
In your case, since vlan access-map "nmsprd010" does not exist, the SPAN is blocked. Try configuring one similar to the exhibit above and let us know the results.
Stay safe,
Sergiu
03-20-2022 07:49 PM
Thanks, Sergiu! Sorry, I never heard of the VLAN access-map lol I assumed it was a typo. My bad!
Now I see the packets but somehow I see duplicates... They shouldn't be real duplicates by source/destination, because when I was doing the SPAN with the physical port as the source, I saw just one copy. Here is my current config. Do you see any problems with it? Is there something I missed with using a VLAN as the source? The Nexus 9K is in a VPC setup. VLAN 1023 only exists on two interfaces (one physical, E1/22, and one VPC, Po29), which are the source ports in my original SPAN config. Thanks!
ip access-list nmsprd010
  10 permit ip 10.9.58.90/32 52.112.0.0/14
  20 permit ip 52.112.0.0/14 10.9.58.90/32
!
vlan access-map nmsprd010 10
  match ip address nmsprd010
  action forward
!
monitor session 3
  filter access-group nmsprd010
  source vlan 1023 rx
  destination interface Ethernet1/18
  no shut
03-21-2022 12:35 AM
Config looks ok. Most likely a bug.
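An added check for the two problems raised in this thread (whether the SPAN filter is really limiting what reaches the 1G capture box, and whether the duplicate copies come from the VLAN SPAN session rather than from real retransmissions), written for this page and not part of any post: it replays constructed tcpdump-style records against the nmsprd010 ACL and flags repeats of the same IP ID within a short window. The record shape, the sample values and the one-millisecond window are assumptions.

```python
import ipaddress

# Constructed sample records in the shape tcpdump -nn reports after "IP":
# (timestamp, src, dst, proto, ip_id). Values are made up for this example.
SAMPLE_PACKETS = [
    (1647820000.000101, "10.9.58.90", "52.112.14.7", "udp", 4101),
    (1647820000.000108, "10.9.58.90", "52.112.14.7", "udp", 4101),  # second copy
    (1647820000.000212, "52.112.14.7", "10.9.58.90", "udp", 900),
    (1647820000.000219, "52.112.14.7", "10.9.58.90", "udp", 900),   # second copy
    (1647820000.001000, "10.9.58.90", "52.112.14.7", "udp", 4102),
    (1647820000.002000, "10.9.58.91", "8.8.8.8", "udp", 77),        # outside the ACL
]

# The two permit entries of ACL nmsprd010 (host <-> 52.112.0.0/14, both directions)
ACL_PAIRS = [
    (ipaddress.ip_network("10.9.58.90/32"), ipaddress.ip_network("52.112.0.0/14")),
    (ipaddress.ip_network("52.112.0.0/14"), ipaddress.ip_network("10.9.58.90/32")),
]

def acl_permits(src, dst):
    """Return True if the (src, dst) pair matches a permit entry of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in ACL_PAIRS)

def audit_capture(packets, window=0.001):
    """Audit a SPAN capture: list packets the filter should have dropped and
    count duplicate copies.

    A duplicate is a packet whose (src, dst, proto, ip_id) key repeats within
    `window` seconds of an earlier copy; a genuine retransmission would not
    reuse the IP ID that quickly, so repeats point at the SPAN session itself.
    """
    leaked = []
    duplicates = 0
    last_seen = {}
    for ts, src, dst, proto, ip_id in sorted(packets):
        if not acl_permits(src, dst):
            leaked.append((src, dst))
        key = (src, dst, proto, ip_id)
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= window:
            duplicates += 1
        last_seen[key] = ts
    return {"total": len(packets), "leaked": leaked, "duplicates": duplicates}

if __name__ == "__main__":
    print(audit_capture(SAMPLE_PACKETS))
```

Any entry in "leaked" means the filter is not being applied; a "duplicates" count close to half the permitted packets is the pattern to take to TAC rather than a capture-side problem.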