SPAN to CPU
Are you really receiving this DHCP discover the delivery team is talking about? Let’s improve your time to innocence today, by capturing traffic directly on your switch. ERSPAN and destination interfaces are not needed anymore!
How it works
Quick post about a feature I love to use: SPAN to CPU. It allows you to capture traffic directly on your switch, and save it to a pcap file. It is very useful when you want to capture traffic on a remote switch, or when you don’t have a SPAN destination available.
Use case
No ERSPAN destination available? No problem. We can use SPAN to CPU to capture traffic directly on the switch, and save it to a pcap file.
# configure
# monitor session 1
# source interface Ethernet1/1 rx
# destination interface sup-eth0
# no shut
# exit
You can then use ethanalyzer to capture traffic on the CPU, and save it to a pcap file.
# ethanalyzer local interface inband mirror limit-captured-frames 0 write bootflash:icmp.pcap
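To answer the DHCP discover question from the saved capture once it is copied off the switch, the following added example (not part of the original post) scans a pcap for DHCPDISCOVER messages and reports the client MAC of each. It assumes the file is classic libpcap with Ethernet link type and that mirrored frames appear as plain, unfragmented Ethernet frames; the function names and the sample capture are constructed for illustration.

```python
import struct
import sys

COOKIE = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def discover_mac(frame):
    """Return the client MAC if this Ethernet frame is a DHCPDISCOVER, else None."""
    l3 = 12
    while frame[l3:l3 + 2] in (b"\x81\x00", b"\x88\xa8"):  # skip 802.1Q / QinQ tags
        l3 += 4
    ip = frame[l3 + 2:]
    if frame[l3:l3 + 2] != b"\x08\x00" or len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None  # not IPv4 carrying UDP
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 248 or struct.unpack("!HH", udp[:4]) != (68, 67) or udp[244:248] != COOKIE:
        return None  # not a client-to-server DHCP message
    bootp, i = udp[8:], 240
    while i + 1 < len(bootp) and bootp[i] != 255:  # walk options until End (255)
        if bootp[i] == 53:  # option 53 = message type, value 1 = DISCOVER
            return bootp[28:34].hex(":") if bootp[i + 2:i + 3] == b"\x01" else None
        i += 1 if bootp[i] == 0 else 2 + bootp[i + 1]  # Pad (0) has no length byte
    return None

def dhcp_discovers(pcap):
    """Return [(frame_number, client_mac), ...] for each DHCPDISCOVER in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24 or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic libpcap file with Ethernet link type")
    hits, off, n = [], 24, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        n, mac = n + 1, discover_mac(pcap[off + 16:off + 16 + incl])
        if mac:
            hits.append((n, mac))
        off += 16 + incl
    return hits

def sample_pcap():
    """Constructed capture: frame 1 is ARP, frame 2 a VLAN-tagged DHCPDISCOVER."""
    mac, bcast = bytes.fromhex("020000aabbcc"), b"\xff" * 6
    bootp = b"\x01\x01\x06\x00" + bytes(24) + mac + bytes(202) + COOKIE + b"\x35\x01\x01\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, 0, 0xFFFFFFFF) + udp
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (bcast + mac + b"\x08\x06" + bytes(28), bcast + mac + b"\x81\x00\x00\x0a\x08\x00" + ip):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":  # pass a capture path, or run with no argument for the sample
    print(dhcp_discovers(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()))
```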
Limitations
By default the rate of traffic replicated to the control plane through a SPAN-to-CPU monitor session is limited to 50 kbps. This rate limiting is a self-protection mechanism to ensure the control plane of the device is not overwhelmed with replicated traffic. You can use the show hardware rate-limiter span command to view the current rate limit. You can use the hardware rate-limiter span command to change the rate limit. The rate limit can be set to a value between 1 kbps and 1000 kbps.
The allowed counter of the SPAN-to-CPU hardware rate limiter is not supported. To determine how much traffic has been replicated to the control plane, use the show system internal access-list tcam ingress region span command.
More info: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva37512
Best practice is to shut down SPAN-to-CPU monitor sessions when they are not actively used for troubleshooting. Failure to do so might result in performance degradation and increased CPU utilization on the Cisco Nexus 9000. This feature is available starting with version 9.3(x) on switches running the cloud-scale ASIC.
More details are available here: https://www.cisco.com/c/en/us/support/docs/switches/nexus-9000-series-switches/215329-nexus-9000-cloud-scale-asic-nx-os-span-t.html