You can use port mirroring to analyze network traffic for debugging or troubleshooting purposes. Port mirroring allows you to copy all network packets or specific packets that are seen on the segment port (or an entire segment) to another segment port.

You can create the following port mirror session types:
  • Local SPAN
  • Remote SPAN
  • Remote L3 SPAN
  • Logical SPAN

Note that logical SPAN is supported for overlay logical switches only and not VLAN logical switches.

If a lot of traffic is mirrored to a monitor VM, there is a potential for the driver's buffer ring to become full and packets to be dropped. To alleviate the problem, you can take one or more of the following actions:

  • Increase the rx buffer ring size.
  • Assign more CPU resources to the VM.
  • Use the Data Plane Development Kit (DPDK) to improve packet processing performance.
Note: Make sure that the monitor VM's MTU setting is large enough to handle the packets. This is especially important for encapsulated packets because encapsulation increases the size of packets. Otherwise, packets might be dropped. This is not an issue with ESXi VMs with VMXNET3 NICs, but is a potential issue with other types of NICs.

Prior to NSX 4.2, only remote L3 SPAN was supported for ENS fastpath. If local SPAN or remote SPAN (RSPAN) sessions were created, production packets went through pktHandle slowpath. Starting with NSX 4.2, both local SPAN and RSPAN are supported for ENS fastpath.

This feature has the following restrictions:

  • A source mirror port cannot be in more than one mirror session.
  • For a local SPAN session, the mirror session source and destination ports must be on the same host vSwitch. Therefore, if you vMotion the VM that has the source or destination port to another host, traffic on that port can no longer be mirrored.
  • For local SPAN and RSPAN destination sessions, normal traffic on mirror destination ports is not allowed.
  • On ESXi, when mirroring is enabled on the uplink, raw production TCP packets are encapsulated using the Geneve protocol by VDL2 into UDP packets. A physical NIC that supports TSO (TCP segmentation offload) can change the packets and mark them with the MUST_TSO flag. On a monitor VM with VMXNET3 or E1000 vNICs, the driver treats the packets as regular UDP packets, cannot handle the MUST_TSO flag, and drops the packets.
  • IPFIX will not sample mirrored packets and Traceflow and Live Traffic Analysis will not trace mirrored packets.
  • If you plan to create an RSPAN session, it is recommended that you reserve a few VLANs across your network to be used as RSPAN VLANs. Do not assign segment ports to these VLANs. RSPAN VLANs must be dedicated VLANs and should not be used as a switching VLAN or transport VLAN. If you have included an RSPAN VLAN as a transport, switching, or trunk VLAN, then during the upgrade to NSX 4.2 you will get an error asking you to update those RSPAN VLANs in the RSPAN source and destination sessions.
  • You can create up to 16 RSPAN VLANs for RSPAN destination sessions.
  • You cannot include one VLAN as a mirror source across multiple RSPAN destination sessions.
  • RSPAN destination will not monitor vNIC ingress traffic.
  • You must implement mirror filtering at the RSPAN source and not at the RSPAN destination, because the RSPAN destination is used to receive mirrored packets. If you configured mirror filtering for an RSPAN destination before upgrading to NSX 4.2, you must remove the mirror filtering configuration.
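
The restrictions above can be checked against a planned set of sessions before anything is created or upgraded. The following is an added example, not NSX code or an NSX API: the MirrorSession record, its field names and the sample values are hypothetical, and the 16-VLAN limit is assumed to apply across all the sessions passed in.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MAX_RSPAN_VLANS = 16  # from the page: up to 16 RSPAN VLANs for RSPAN destination sessions

@dataclass
class MirrorSession:  # hypothetical planning record, not an NSX API object
    name: str
    kind: str                         # "local", "rspan_src", "rspan_dst", "l3" or "logical"
    source_ports: tuple = ()          # ports mirrored by this session
    source_vlans: tuple = ()          # RSPAN destination: VLANs received as mirror source
    encap_vlan: Optional[int] = None  # RSPAN source: encapsulation VLAN ID
    has_filter: bool = False          # mirror filtering configured on this session

def check_sessions(sessions, in_use_vlans):
    """Return restriction violations; in_use_vlans are transport/switching/trunk VLAN IDs."""
    problems = []
    # A source mirror port cannot be in more than one mirror session.
    port_use = Counter(p for s in sessions for p in set(s.source_ports))
    for port, n in sorted(port_use.items()):
        if n > 1:
            problems.append(f"port {port} is a source in {n} sessions")
    # One VLAN cannot be a mirror source across multiple RSPAN destination sessions.
    dst = [s for s in sessions if s.kind == "rspan_dst"]
    vlan_use = Counter(v for s in dst for v in set(s.source_vlans))
    for vlan, n in sorted(vlan_use.items()):
        if n > 1:
            problems.append(f"VLAN {vlan} is a source in {n} RSPAN destination sessions")
    if len(vlan_use) > MAX_RSPAN_VLANS:
        problems.append(f"{len(vlan_use)} RSPAN VLANs exceed the limit of {MAX_RSPAN_VLANS}")
    # RSPAN VLANs must be dedicated: not also transport, switching or trunk VLANs.
    rspan_vlans = set(vlan_use) | {s.encap_vlan for s in sessions
                                   if s.kind == "rspan_src" and s.encap_vlan is not None}
    for vlan in sorted(rspan_vlans & set(in_use_vlans)):
        problems.append(f"RSPAN VLAN {vlan} is also a transport/switching/trunk VLAN")
    # Mirror filtering belongs on the RSPAN source, never on the RSPAN destination.
    problems += [f"{s.name}: mirror filter configured on RSPAN destination"
                 for s in dst if s.has_filter]
    return problems

# Constructed sample plan (all names and VLAN IDs are made up for illustration).
SAMPLE = [
    MirrorSession("web-local", "local", source_ports=("vnic-1", "vnic-2")),
    MirrorSession("db-rspan-src", "rspan_src", source_ports=("vnic-2",), encap_vlan=900),
    MirrorSession("dst-a", "rspan_dst", source_vlans=(900,), has_filter=True),
    MirrorSession("dst-b", "rspan_dst", source_vlans=(900, 901)),
]

if __name__ == "__main__":
    for line in check_sessions(SAMPLE, in_use_vlans={100, 901}):
        print(line)
```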

Prerequisites

Verify that Manager mode is selected in the NSX Manager user interface. See NSX Manager. If you do not see the Policy and Manager mode buttons, see Configure the User Interface Settings.

Procedure

  1. With admin privileges, log in to NSX Manager.
  2. Select Plan & Troubleshoot > Port Mirroring > Port Mirroring Session.
  3. Click Add and select a session type.
    The available types are Local SPAN, Remote SPAN, Remote L3 SPAN, and Logical SPAN.
  4. Enter a session name and optionally a description.
  5. Provide additional parameters.
    Session Type Parameters
    Local SPAN
    • Transport Node - Select a transport node.
    • Direction - Select Bidirectional, Ingress, or Egress.
    • Packet Truncation - Select a packet truncation value.
    Remote SPAN
    • Session Type - Select RSPAN Source session or RSPAN Destination session.
    • Transport Node - Select a transport node.
    • Direction - Select Bidirectional, Ingress, or Egress.
    • Packet Truncation - Select a packet truncation value.
    • Encap. VLAN ID - Specify an encapsulation VLAN ID.
    • Preserve Orig. VLAN - Select whether to preserve the original VLAN ID.
    Remote L3 SPAN
    • Encapsulation - Select GRE, ERSPAN TWO, or ERSPAN THREE.
    • GRE Key - Specify a GRE key if encapsulation is GRE.
    • ERSPAN ID - Specify an ERSPAN ID if encapsulation is ERSPAN TWO or ERSPAN THREE.
    • Direction - Select Bidirectional, Ingress, or Egress.
    • Packet Truncation - Select a packet truncation value.
    Logical SPAN
    • Logical Switch - Select a logical switch.
    • Direction - Select Bidirectional, Ingress, or Egress.
    • Packet Truncation - Select a packet truncation value.
  6. Click Next.
  7. Provide source information.
    Session Type Parameters
    Local SPAN
    • Select a VDS.
    • Select physical interfaces.
    • Enable or disable encapsulated packet.
    • Select virtual machines.
    • Select virtual interfaces.
    Remote SPAN
    • Select virtual machines.
    • Select virtual interfaces.
    Remote L3 SPAN
    • Select virtual machines.
    • Select virtual interfaces.
    • Select a logical switch.
    Logical SPAN
    • Select logical ports.
  8. Click Next.
  9. Provide destination information.
    Session Type Parameters
    Local SPAN
    • Select virtual machines.
    • Select virtual interfaces.
    Remote SPAN
    • Select a VDS.
    • Select physical interfaces.
    Remote L3 SPAN
    • Specify an IPv4 address.
    Logical SPAN
    • Select logical ports.
  10. Click Save.
    You cannot change the source or destination after saving the port mirroring session.