Cisco ASR 1000 Series Aggregation Services Routers

ASR1000 Local ERSPAN Configuration Example

Document ID: 116212

Updated: Jul 24, 2013

Contributed by Tim Perry, David Chen, and Manigandan B, Cisco TAC Engineers.

Introduction

This document describes how to configure a local Switched Port Analyzer (SPAN) quickly and easily on an Aggregation Services Router (ASR) 1000. This type of SPAN is called a local Encapsulated Remote SPAN (ERSPAN).

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the ASR1002 Router that runs 3.4.6S.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

ERSPAN has many configurable options. They are described in detail in the LAN Switching Configuration Guide, Cisco IOS XE Release 3S.

Configure

Network Diagram

Traffic flows in and out of G0/0/0. The sniffer application is on G0/0/2.

G0/0/0 --- ASR1002 ----G0/0/2

Configuration

  1. Define a session in order to monitor the traffic and another session in order to send that traffic out the local interface. 

  2. Ensure that the IP address and origin-IP in both session definitions are exactly the same. This is required. Use an address that is local to the router; an unused loopback is suggested. 

  3. Ensure that the ERSPAN-ID is also the same.
    interface GigabitEthernet0/0/0
     ip address 192.168.1.1 255.255.255.0
     negotiation auto
    !
    interface GigabitEthernet0/0/2
     no ip address
     negotiation auto
    !
    interface Loopback1
     ip address 10.1.1.1 255.255.255.255
    !
    monitor session 10 type erspan-source
     source interface Gi0/0/0
     no shutdown
     destination
      erspan-id 10
      ip address 10.1.1.1
      origin ip address 10.1.1.1
    monitor session 20 type erspan-destination
     destination interface Gi0/0/2
     no shutdown
     source
      erspan-id 10
      ip address 10.1.1.1

Another common ERSPAN configuration is a local SPAN when the source interface is a trunk.

  1. For this configuration, set the physical interface as the ERSPAN source.

  2. On the ERSPAN destination, disable the VLAN filter with the plim ethernet vlan filter disable command. If the filter is not disabled, the SPAN session does not send the replicated traffic.
    G0/0/0 --dot1q-- ASR1002 ----G0/0/2

    interface GigabitEthernet0/0/0
     no ip address
     negotiation auto
    !
    interface GigabitEthernet0/0/0.2
     encapsulation dot1Q 2
     ip address 192.168.1.1 255.255.255.0
    !
    interface GigabitEthernet0/0/2
     no ip address
     negotiation auto
     plim ethernet vlan filter disable
    !
    interface Loopback1
     ip address 10.1.1.1 255.255.255.255
    !
    monitor session 10 type erspan-source
     source interface Gi0/0/0
     no shutdown
     destination
      erspan-id 10
      ip address 10.1.1.1
      origin ip address 10.1.1.1
    monitor session 20 type erspan-destination
     destination interface Gi0/0/2
     no shutdown
     source
      erspan-id 10
      ip address 10.1.1.1

Verify

The simplest verification is to check that the output packet count increases on the ERSPAN destination interface. Since this interface does not have a configuration on it, there is no other traffic.

ASR1002#show int gig 0/0/2 | i packets out
     2073 packets output, 242097 bytes, 0 underruns

You can also look at the session information in the Quad Flat Package (QFP). In these examples, the Statistics increase as packets are copied.

ASR2#show platform hardware qfp active feature erspan session 10
ERSPAN Session: 10
  Type         : SRC
  Config Valid : Yes
  User On/Off  : On
  DP Debug Cfg : 0x00000000
Statistics:
  Src session transmit :               4165 /             634836
Configuration:
  VRF ID       : 0
  Dest IP addr : 10.1.1.1
  Orig IP addr : 10.1.1.1
  Flow ID      : 10
  GRE protocol : 0x88BE
  MTU          : 1464
  IP TOS       : 0
  IP TTL       : 255
  COS          : 0
Encapsulation:
  00000000  4500  0000  0000  4000  ff2f  0000  0a01  0101
  00000010  0a01  0101  1000  88be  0000  0000  1001  000a
  00000020  0000  0000  0000  0000  0000  0000  0000  0000
Port Configurations:
  VF      Interface Name                              Flag    Status       
  -----------------------------------------------------------------------
  No      GigabitEthernet0/0/0                        BOTH    Enable

ASR2#show platform hardware qfp active feature erspan session 20
ERSPAN Session: 20
  Type         : TERM
  Config Valid : Yes
  User On/Off  : On
  DP Debug Cfg : 0x00000000
Statistics:
  Term session receive :               4167 /             635644
Configuration:
  VRF ID       : 0
  Dest IP addr : 10.1.1.1
  Flow ID      : 10
Port Configurations:
  VF      Interface Name                              Flag    Status       
  -----------------------------------------------------------------------
  No      GigabitEthernet0/0/2                        TX      Enable       
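
The Encapsulation rows in the session 10 output can be read as an outer IPv4 header, a GRE header, and an ERSPAN Type II header. The following is an added example, not part of the original Cisco document, that decodes those bytes so the fields can be compared with the Configuration lines of the same output (Dest/Orig IP addr, IP TTL, GRE protocol, Flow ID); the function names are hypothetical.

```python
import ipaddress
import struct

# Encapsulation rows copied from the session 10 output on this page.
DUMP = """\
00000000  4500  0000  0000  4000  ff2f  0000  0a01  0101
00000010  0a01  0101  1000  88be  0000  0000  1001  000a
00000020  0000  0000  0000  0000  0000  0000  0000  0000
"""

def dump_to_bytes(dump):
    """Drop the offset column of each row and join the 16-bit hex words."""
    rows = (row.split()[1:] for row in dump.splitlines() if row.strip())
    return b"".join(bytes.fromhex("".join(words)) for words in rows)

def decode_erspan_template(raw):
    """Decode the IPv4, GRE and ERSPAN Type II fields of the encapsulation bytes."""
    ver_ihl, ttl, proto = raw[0], raw[8], raw[9]
    if ver_ihl >> 4 != 4 or proto != 47:          # 47 = GRE
        raise ValueError("not an IPv4/GRE header")
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = (str(ipaddress.IPv4Address(raw[o:o + 4])) for o in (12, 16))
    gre_flags, gre_proto = struct.unpack_from("!HH", raw, ihl)
    if gre_proto != 0x88BE:
        raise ValueError("GRE payload is not ERSPAN Type II")
    off = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):          # optional checksum, key, sequence words
        if gre_flags & bit:
            off += 4
    # ERSPAN Type II: ver(4) vlan(12) | cos(3) en(2) t(1) session(10) | rsvd(12) index(20)
    w0, w1, w2 = struct.unpack_from("!HHI", raw, off)
    return {"src": src, "dst": dst, "ttl": ttl, "gre_proto": gre_proto,
            "gre_seq_present": bool(gre_flags & 0x1000),
            "erspan_version": w0 >> 12, "vlan": w0 & 0x0FFF,
            "cos": w1 >> 13, "session_id": w1 & 0x03FF, "index": w2 & 0xFFFFF}

if __name__ == "__main__":
    for field, value in decode_erspan_template(dump_to_bytes(DUMP)).items():
        print(f"{field:16}: {value}")
```

The decoded session ID matches the configured erspan-id (shown as Flow ID 10), and the source and destination addresses are both the loopback address 10.1.1.1.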

Troubleshoot

  • When a monitor session is first configured, it is shut down. The session must be enabled with the no shutdown command.

  • ERSPAN only works on Layer 3 interfaces. It does not work for Ethernet interfaces that are Layer 2, such as Bridge Domain Interfaces or service instances.

  • If any of the sources that are monitored are part of a Dot1q trunk, the traffic analyzed with SPAN is dropped by the outgoing interface. In order to fix this issue, add the plim ethernet vlan filter disable command to the physical ERSPAN destination interface.

  • The ERSPAN destination interface should not contain any configuration besides what is required in order to bring the link online. No IP addresses are needed. The interface is used solely for ERSPAN traffic.
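
The session rules from the Configuration steps and the first Troubleshoot item can be checked against a saved configuration before the sniffer is attached. The following is an added example, not part of the original Cisco document; the function names are hypothetical and the sample configuration is constructed with two deliberate mistakes.

```python
import re

def parse_sessions(cfg):
    """Collect the ERSPAN 'monitor session' stanzas of an IOS XE config."""
    sessions, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"monitor session (\d+) type (erspan-source|erspan-destination)$", line)
        if m:
            cur = sessions.setdefault(int(m.group(1)), {"type": m.group(2), "enabled": False})
        elif not raw.startswith(" "):
            cur = None  # any other top-level line ends the stanza
        elif cur is not None and line == "no shutdown":
            cur["enabled"] = True
        elif cur is not None and (m := re.match(r"erspan-id (\d+)$", line)):
            cur["erspan_id"] = int(m.group(1))
        elif cur is not None and (m := re.match(r"(origin )?ip address (\S+)$", line)):
            cur["origin" if m.group(1) else "ip"] = m.group(2)
    return sessions

def check_local_erspan(cfg):
    """Return violations of this page's rules for a local ERSPAN session pair."""
    sessions = parse_sessions(cfg)
    problems = [f"session {n}: shut down, needs 'no shutdown'"
                for n, s in sorted(sessions.items()) if not s["enabled"]]
    pairs = {(d.get("erspan_id"), d.get("ip")) for d in sessions.values() if d["type"] == "erspan-destination"}
    sources = sorted((n, s) for n, s in sessions.items() if s["type"] == "erspan-source")
    for n, src in sources:
        if src.get("ip") != src.get("origin"):
            problems.append(f"session {n}: ip address and origin ip address differ")
        if (src.get("erspan_id"), src.get("ip")) not in pairs:
            problems.append(f"session {n}: no destination session with the same erspan-id and ip address")
    return problems

# Constructed sample: destination session left shut down and given the wrong erspan-id.
SAMPLE = """\
monitor session 10 type erspan-source
 source interface Gi0/0/0
 no shutdown
 destination
  erspan-id 10
  ip address 10.1.1.1
  origin ip address 10.1.1.1
monitor session 20 type erspan-destination
 destination interface Gi0/0/2
 source
  erspan-id 11
  ip address 10.1.1.1
"""
```

Calling `check_local_erspan(SAMPLE)` returns one message per violated rule; an empty list means the session pair satisfies the rules checked here.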