cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
448
Views
10
Helpful
7
Replies
mihaicodrean
Beginner

SPAN ACL for source FEX ports not working [Nexus 5500 Series]

Hi Everyone,

I'm having trouble setting IP ACLs on a SPAN for source FEX ports on a Nexus 5500 Series. I do get the traffic just fine when the ACL is not in place, but once I set the ACL for the monitoring session, that traffic is not longer mirrored. Is this a limitation of FEX?

I read that it is a limitation on the 9000 Series, for example, in the context of ERSPAN:

ACL filters are not supported for FEX ports

But does this apply to older series as well?

Thanks,
Mihai

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @mihaicodrean 

SPAN with ACL filtering should work with FEX HIF (Host Interface) ports as well.

Config guide is mentioning the maximum number of ACL entries for SPANing the HIF ports:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/system_management/7x/b_5500_System_Mgmt_Config_7x/configuring_span.html#concept_96B0378EEF4544088A48585D2442132A 

ScenarioMaximum ACL Size

SPAN has single Switch Port as source with both Tx and Rx.

Current Available TCAM Entries/2

 

 

SPAN has multiple Switch Ports as source with both Tx and Rx.

Current Available TCAM Entries/3

SPAN has Port Channel (with one or more member switch ports) as source with both Tx and Rx.

Current Available TCAM Entries/3

SPAN has single HIF Ports as source with both Tx and Rx.

Current Available TCAM Entries/3

SPAN has multiple HIF Ports as source with both Tx and Rx.

Current Available TCAM Entries/4

SPAN has HIF Port Channel (with one or more member HIF ports) as source with both Tx and Rx.

Current Available TCAM Entries/4

How does your ACL looks like? Do you have enough TCAM space? Do you receive any errors / syslog messages when configuring the ACL on SPAN? Which version are you running on your switch?

 

Regards,

Sergiu

 

View solution in original post

7 REPLIES 7
balaji.bandi
VIP Expert

We generally do not SPAN and Monitor on FEX Ports, since its dumb device - and it was controlled by parent any way.

 

coming back to yout issue, should be achivable as per document - not sure what version code you running.

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/system_management/7x/b_5500_System_Mgmt_Config_7x/configuring_span.html#id_21794

 

Good span session for referece with ACL :

 

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKDCT-1890.pdf



BB


*** Rate All Helpful Responses ***

Thanks for the reply. To clarify, in my case:

  • SPAN without ACL
    • Works for source ports on both the parent switch and the FEX(es)
  • SPAN with ACL
    • Works for the source ports on the parent switch
    • Does not work for source ports on the FEX(es).

So I would really like confirmation on whether the last item above is actually possible.

Is anyone willing to actually try it out?

PS: I already checked out BRKDCT-1890.pdf, but found no confirmation for the specific case of SPAN ACL on source FEX ports.

not tried this option in our case most time we span on parent switch as mentioned.

 

"Does not work for source ports on the FEX(es)."

 

totally change freeze around, if i get chance will try later and feed my inputs.



BB


*** Rate All Helpful Responses ***

Hi @mihaicodrean 

SPAN with ACL filtering should work with FEX HIF (Host Interface) ports as well.

Config guide is mentioning the maximum number of ACL entries for SPANing the HIF ports:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/system_management/7x/b_5500_System_Mgmt_Config_7x/configuring_span.html#concept_96B0378EEF4544088A48585D2442132A 

ScenarioMaximum ACL Size

SPAN has single Switch Port as source with both Tx and Rx.

Current Available TCAM Entries/2

 

 

SPAN has multiple Switch Ports as source with both Tx and Rx.

Current Available TCAM Entries/3

SPAN has Port Channel (with one or more member switch ports) as source with both Tx and Rx.

Current Available TCAM Entries/3

SPAN has single HIF Ports as source with both Tx and Rx.

Current Available TCAM Entries/3

SPAN has multiple HIF Ports as source with both Tx and Rx.

Current Available TCAM Entries/4

SPAN has HIF Port Channel (with one or more member HIF ports) as source with both Tx and Rx.

Current Available TCAM Entries/4

How does your ACL looks like? Do you have enough TCAM space? Do you receive any errors / syslog messages when configuring the ACL on SPAN? Which version are you running on your switch?

 

Regards,

Sergiu

 

View solution in original post

It's a bit embarrassing to report this, but the source traffic was actually missing upstream (COVID-19 lockdown).

@balaji.bandi& @Sergiu.Daniluk, thank you both for the referenced docs and suggestions on what to verify. The TCAM space was indeed tight, but OK.

Hi @mihaicodrean 

Haha. No worries ^_^ . At least we know that everything is working as expected.

 

Stay safe!

Sergiu

Thanks, you too!

-Mihai