You can monitor port mirroring sessions for troubleshooting and other purposes.

Note that logical SPAN is supported for overlay logical switches only and not VLAN logical switches.

NSX Cloud Note: If using NSX Cloud, see How to use NSX-T Data Center Features with the Public Cloud for a list of auto-generated logical entities, supported features, and configurations required for NSX Cloud.

This feature has the following restrictions:

  • A source mirror port cannot be in more than one mirror session.
  • With KVM, multiple NICs can be attached to the same OVS port. The mirroring happens at the OVS uplink port, meaning that traffic on all the pNICs attached to the OVS port is mirrored.
  • For a local SPAN session, the mirror session source and destination ports must be on the same host vSwitch. Therefore, if you vMotion the VM that has the source or destination port to another host, traffic on that port can no longer be mirrored.
  • On ESXi, when mirroring is enabled on the uplink, raw production TCP packets are encapsulated using the Geneve protocol by VDL2 into UDP packets. A physical NIC that supports TSO (TCP segmentation offload) can change the packets and mark the packets with the MUST_TSO flag. On a monitor VM with VMXNET3 or E1000 vNICs, the driver treats the packets as regular UDP packets and cannot handle the MUST_TSO flag, and will drop the packets.

If a lot of traffic is mirrored to a monitor VM, there is a potential for the driver's buffer ring to become full and packets to be dropped. To alleviate the problem, you can take one or more of the following actions:

  • Increase the rx buffer ring size.
  • Assign more CPU resources to the VM.
  • Use the Data Plane Development Kit (DPDK) to improve packet processing performance.
Note: Make sure that the monitor VM's MTU setting (in the case of KVM, the hypervisor's virtual NIC device's MTU setting also) is large enough to handle the packets. This is especially important for encapsulated packets because encapsulation increases the size of packets. Otherwise, packets might be dropped. This is not an issue with ESXi VMs with VMXNET3 NICs, but is a potential issue with other types of NICs on both ESXi and KVM VMs.
Note: In an L3 port mirroring session involving VMs on KVM hosts, you must set the MTU size to be large enough to handle the extra bytes required by encapsulation. The mirror traffic goes through an OVS interface and OVS uplink. You must set the OVS interface's MTU to be at least 100 bytes larger than the size of the original packet (before encapsulation and mirroring). If you see dropped packets, increase the MTU setting for the host's virtual NIC and the OVS interface. Use the following command to set the MTU for an OVS interface: 
    ovs-vsctl -- set interface <ovs_Interface> mtu_request=<MTU>
Note: When you monitor the logical port of a VM and the uplink port of a host where the VM resides, you will see different behaviors depending on whether the host is ESXi or KVM. For ESXi, the logical-port mirror packets and the uplink mirror packets are tagged with the same VLAN ID and appear the same to the monitor VM. For KVM, the logical-port mirror packets are not tagged with a VLAN ID but the uplink mirror packets are tagged, and they appear different to the monitor VM.

Prerequisites

Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure User Interface Settings.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Select Plan & Troubleshoot > Port Mirroring > Port Mirroring Session.
  3. Click Add and select a session type.
    The available types are Local SPAN, Remote SPAN, Remote L3 SPAN, and Logical SPAN.
  4. Enter a session name and optionally a description.
  5. Provide additional parameters.
    Session Type Parameters
    Local SPAN
    • Transport Node - Select a transport node.
    • Direction - Select Bidirectional, Ingress, or Egress.
    • Packet Truncation - Select a packet truncation value.
    Remote SPAN
    • Session Type - Select RSPAN Source session or RSPAN Destination session.
    • Transport Node - Select a transport node.
    • Direction - Select Bidirectional, Ingress, or Egress.
    • Packet Truncation - Select a packet truncation value.
    • Encap. VLAN ID - Specify an encapsulation VLAN ID.
    • Preserve Orig. VLAN - Select whether to preserve the original VLAN ID.
    Remote L3 SPAN
    • Encapsulation - Select GRE, ERSPAN TWO, or ERSPAN THREE.
    • GRE Key - Specify a GRE key if encapsulation is GRE. ERSPAN ID - Specify an ERSPAN ID if encapsulation is ERSPAN TWO or ERSPAN THREE.
    • Direction - Select Bidirectional, Ingress, or Egress.
    • Packet Truncation - Select a packet truncation value.
    Logical SPAN
    • Logical Switch - Select a logical switch.
    • Direction - Select Bidirectional, Ingress, or Egress.
    • Packet Truncation - Select a packet truncation value.
  6. Click Next.
  7. Provide source information.
    Session Type Parameters
    Local SPAN
    • Select an N-VDS.
    • Select physical interfaces.
    • Enable or disable encapsulated packet.
    • Select virtual machines.
    • Select virtual interfaces.
    Remote SPAN
    • Select virtual machines.
    • Select virtual interfaces.
    Remote L3 SPAN
    • Select virtual machines.
    • Select virtual interfaces.
    • Select a logical switch.
    Logical SPAN
    • Select logical ports.
  8. Click Next.
  9. Provide destination information.
    Session Type Parameters
    Local SPAN
    • Select virtual machines.
    • Select virtual interfaces.
    Remote SPAN
    • Select an N-VDS.
    • Select physical interfaces.
    Remote L3 SPAN
    • Specify an IPv4 address.
    Logical SPAN
    • Select logical ports.
  10. Click Save.
    You cannot change the source or destination after saving the port mirroring session.