Showing results for 
Search instead for 
Did you mean: 

Rocky Scotti
Cisco Employee

SPAN best practice on Nexus 1000v

Hello, I recently was asked the following quesiton by my customer:

"What is Cisco best practice for SPAN ports on VMWare envrionments?  As you know, we are running Nexus 1000v that allows for SPAN sessions.  However, my concern is that we will saturate our uplinks for the ESX hosts if there is a lot of SPAN traffic.  One of the options is to dedicate a NIC on the ESX hosts for SPAN.  But I wanted to see what Cisco has done."

Is there a best practice for how to SPAN traffic for VM guests on the N1Kv? Is the customers assumption correct that the SPAN traffic would be duplicated across the VM Hosts uplinks?

Since they are using the 1000v vs the 1010 appliance, how would this be different if they were using the 1010 appliance with or without the NAM module?

Robert Burns
Cisco Employee

With the 1000v, the intention is you're SPAN/ERSPAN traffic to your own sniffing device.  Either another switch (Cat6500), Wireshark Host/VM or other traffic capturing device.

The SPAN is mirroring source traffic on a single VEM host.  SPAN does not utilize the uplinks for traffic in this regard.  The amount of extra traffic in a SPAN/ERSPAN session is dictated by the source (vEth, Eth, Port Channel, Port Profile, entire VLAN etc.).  The destination for a SPAN session can be another vEthernet, Ethernet or Port Channel interface on that host.  Most customers setup a Wireshark VM, migrate it to whichever VEM host they want to run a SPAN on, and then just set their SPAN destination to the vEth port of the Wireshark VM.  Simple and free way to capture traffic.

If you're looking at ERSPAN, then you will need to create a new VMKnic for sending the traffic to the remote desintation IP.  Again, depending on whether the source is a single vEth or entire VLAN, you may wish to allocate a dedicated NIC for this purpose.  In a 10G environment you can likely get away with ERSPAN for entire VLANs without saturating the link.  Each environment is different so you should monitor bandwidth accordingly. 

Using the 1010, you can utilize the NAM.  With the NAM your SPAN destination becomes the NAM so traffic can be sniffed and analyzed accordingly.  The NAM is a neat & effecient way to analyze traffic behavior and patterns.

Here's a good overview of the what the CIsco 1010 NAM offers:

Hope this helps,



Content for Community-Ad