04-24-2020 02:22 AM - edited 04-24-2020 02:28 AM
Hi Everyone,
I'm having trouble setting IP ACLs on a SPAN for source FEX ports on a Nexus 5500 Series. I do get the traffic just fine when the ACL is not in place, but once I set the ACL for the monitoring session, that traffic is no longer mirrored. Is this a limitation of FEX?
I read that it is a limitation on the 9000 Series, for example, in the context of ERSPAN:
ACL filters are not supported for FEX ports
But does this apply to older series as well?
Thanks,
Mihai
04-25-2020 07:45 AM
SPAN with ACL filtering should work with FEX HIF (Host Interface) ports as well.
The config guide mentions the maximum number of ACL entries for SPANing the HIF ports:
| Scenario | Maximum ACL Size |
| --- | --- |
| SPAN has single Switch Port as source with both Tx and Rx. | Current Available TCAM Entries/2 |
| SPAN has multiple Switch Ports as source with both Tx and Rx. | Current Available TCAM Entries/3 |
| SPAN has Port Channel (with one or more member switch ports) as source with both Tx and Rx. | Current Available TCAM Entries/3 |
| SPAN has single HIF Ports as source with both Tx and Rx. | Current Available TCAM Entries/3 |
| SPAN has multiple HIF Ports as source with both Tx and Rx. | Current Available TCAM Entries/4 |
| SPAN has HIF Port Channel (with one or more member HIF ports) as source with both Tx and Rx. | Current Available TCAM Entries/4 |
What does your ACL look like? Do you have enough TCAM space? Do you receive any errors / syslog messages when configuring the ACL on SPAN? Which version are you running on your switch?
Regards,
Sergiu