
SPAN ACL for source FEX ports not working [Nexus 5500 Series]

mihaicodrean
Level 1

Hi Everyone,

I'm having trouble setting IP ACLs on a SPAN for source FEX ports on a Nexus 5500 Series. I do get the traffic just fine when the ACL is not in place, but once I set the ACL for the monitoring session, that traffic is no longer mirrored. Is this a limitation of FEX?

I read that it is a limitation on the 9000 Series, for example, in the context of ERSPAN:

ACL filters are not supported for FEX ports

But does this apply to older series as well?

Thanks,
Mihai

Accepted Solution

Hi @mihaicodrean 

SPAN with ACL filtering should work with FEX HIF (Host Interface) ports as well.

The config guide mentions the maximum number of ACL entries for SPANning the HIF ports:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/system_management/7x/b_5500_System_Mgmt_Config_7x/configuring_span.html#concept_96B0378EEF4544088A48585D2442132A 

| Scenario | Maximum ACL Size |
| --- | --- |
| SPAN has single Switch Port as source with both Tx and Rx. | Current Available TCAM Entries / 2 |
| SPAN has multiple Switch Ports as source with both Tx and Rx. | Current Available TCAM Entries / 3 |
| SPAN has Port Channel (with one or more member switch ports) as source with both Tx and Rx. | Current Available TCAM Entries / 3 |
| SPAN has single HIF Port as source with both Tx and Rx. | Current Available TCAM Entries / 3 |
| SPAN has multiple HIF Ports as source with both Tx and Rx. | Current Available TCAM Entries / 4 |
| SPAN has HIF Port Channel (with one or more member HIF ports) as source with both Tx and Rx. | Current Available TCAM Entries / 4 |

What does your ACL look like? Do you have enough TCAM space? Do you receive any errors / syslog messages when configuring the ACL on SPAN? Which version are you running on your switch?

 

Regards,

Sergiu
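As an added illustration that is not part of the thread, this is the configuration shape under discussion: an IP ACL used as the filter of a SPAN session whose source is a FEX host interface, with the destination port placed in monitor mode as the Nexus 5500 requires, followed by the show commands that answer the questions above. The interface numbers, ACL name and the 10.0.0.0/24 subnet are placeholders.

```cisco
! Constructed example (placeholders: SPAN-FILTER, 10.0.0.0/24, Eth101/1/1, Eth1/10)
! Mirror only traffic to and from the monitored subnet; everything else is dropped from the mirror
ip access-list SPAN-FILTER
  10 permit ip 10.0.0.0/24 any
  20 permit ip any 10.0.0.0/24
!
! The SPAN destination port must be in monitor mode on the Nexus 5500
interface Ethernet1/10
  switchport monitor
!
! Source is a FEX host interface (HIF) on FEX 101, mirrored in both directions
monitor session 1
  source interface Ethernet101/1/1 both
  filter access-group SPAN-FILTER
  destination interface Ethernet1/10
  no shut
!
! Verification: session state and applied filter, ACL contents, recent syslog messages
show monitor session 1
show ip access-lists SPAN-FILTER
show logging last 50
```

If the session shows as down or the filter is missing from the session output, the syslog tail is the first place a TCAM allocation failure will show up.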

 


7 Replies

balaji.bandi
Hall of Fame

We generally do not SPAN and monitor on FEX ports, since it's a dumb device and it is controlled by the parent anyway.

Coming back to your issue, it should be achievable as per the document; not sure what version of code you are running.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/system_management/7x/b_5500_System_Mgmt_Config_7x/configuring_span.html#id_21794

Good SPAN session with ACL for reference:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/BRKDCT-1890.pdf

BB


Thanks for the reply. To clarify, in my case:

  • SPAN without ACL
    • Works for source ports on both the parent switch and the FEX(es)
  • SPAN with ACL
    • Works for the source ports on the parent switch
    • Does not work for source ports on the FEX(es).

So I would really like confirmation on whether the last item above is actually possible.

Is anyone willing to actually try it out?

PS: I already checked out BRKDCT-1890.pdf, but found no confirmation for the specific case of SPAN ACL on source FEX ports.

Not tried this option; in our case, most of the time we SPAN on the parent switch, as mentioned.

"Does not work for source ports on the FEX(es)."

Total change freeze around; if I get a chance, I will try later and feed my inputs.

BB



It's a bit embarrassing to report this, but the source traffic was actually missing upstream (COVID-19 lockdown).

@balaji.bandi & @Sergiu.Daniluk, thank you both for the referenced docs and suggestions on what to verify. The TCAM space was indeed tight, but OK.

Hi @mihaicodrean 

Haha. No worries ^_^ . At least we know that everything is working as expected.

 

Stay safe!

Sergiu

Thanks, you too!

-Mihai
