Solved: NX-OS SPAN "encapsulation replicate"

Isaiah · ‎04-13-2017

I am trying to see the original 802.1q vlan tags at a SPAN destination on NX-OS devices. In IOS, you had to be sure to specify "encapsulation replicate" and that would preserve everything. But that doesn't seem to be an option in my Nexus 7ks or 5ks. Here I can filter for specific vlans, but how can I simply observe what vlan the traffic I am monitoring was on?

Austin Sabio · ‎04-14-2017

This is the default SPAN behavior as it does not copy the encapsulation from trunk source.

"By default, SPAN does not copy the IEEE 802.1q tag from trunk source interfaces."

http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_SPAN_Comparison

The solution might be using

a filter option to include the whole range.

filter vlan vlan_mrange [ include-untagged ]

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html

or monitor all vlans per session with

source interface all

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/system-management/guide/b_Cisco_Nexus_7000_Series_NX-OS_System_Management_Configuration_Guide/configuring___span.html

Try this with caution :)

I hope this helps..Please rate/mark helpful answer as correct to benefit others. Thank you.

View solution in original post

Austin Sabio · ‎04-14-2017

*updated*

That's correct. No need to issue something similar to 'encapsulation replicate' to include vlan tags in NX-OS. but span destination needs to be set as 'trunk' which is true in both ios and nx-os.

"Note SPAN does not copy the encapsulation from trunk sources. You can configure SPAN destinations as trunks to tag the monitored traffic before it is transmitted for analysis."

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/span.html

View solution in original post

Austin Sabio · ‎04-14-2017

This is the default SPAN behavior as it does not copy the encapsulation from trunk source.

"By default, SPAN does not copy the IEEE 802.1q tag from trunk source interfaces."

http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_SPAN_Comparison

The solution might be using

a filter option to include the whole range.

filter vlan vlan_mrange [ include-untagged ]

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_nx_os_cg/sm_14span.html

or monitor all vlans per session with

source interface all

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/system-management/guide/b_Cisco_Nexus_7000_Series_NX-OS_System_Management_Configuration_Guide/configuring___span.html

Try this with caution :)

I hope this helps..Please rate/mark helpful answer as correct to benefit others. Thank you.

Isaiah · ‎04-14-2017

Thanks, I think I got it! Actually you do not need to configure vlan filtering in the SPAN in order to include the tags. It appears that in IOS the encapsulation is a function of the monitor session configuration itself. However in NX-OS the encapsulation is not configured as part of the monitor session, but depends on the configuration of the destination interface.

For example, if your SPAN destination interface is configured as an access interface, you will not get any vlan tags. But if the destination interface is configured as a trunk, you get them all.

Austin Sabio · ‎04-14-2017

Happy to help...Thanks for the rating :)

Austin Sabio · ‎04-14-2017

*updated*

That's correct. No need to issue something similar to 'encapsulation replicate' to include vlan tags in NX-OS. but span destination needs to be set as 'trunk' which is true in both ios and nx-os.

"Note SPAN does not copy the encapsulation from trunk sources. You can configure SPAN destinations as trunks to tag the monitored traffic before it is transmitted for analysis."

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/span.html