LAN Switching Configuration Guide, Cisco IOS XE Release 3S
Configuring ERSPAN

This module describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). The Cisco ERSPAN feature allows you to monitor traffic on one or more ports or VLANs and send the monitored traffic to one or more destination ports.


Note: The ERSPAN feature is not supported on Layer 2 switching interfaces.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Configuring ERSPAN

  • The maximum number of allowed ERSPAN sessions on a Cisco ASR 1000 Series Router is 1024. A Cisco ASR 1000 Series Router can be used as an ERSPAN source device on which only source sessions are configured, an ERSPAN destination device on which only destination sessions are configured, or an ERSPAN source and destination device on which both source and destination sessions are configured. In all cases, the total number of sessions must not exceed 1024.
  • The maximum number of available ports for each ERSPAN session is 128.
  • ERSPAN on Cisco ASR 1000 Series Routers supports only Fast Ethernet, Gigabit Ethernet, TenGigabit Ethernet, and port-channel interfaces as source ports for a source session.
  • ERSPAN on Cisco ASR 1000 Series Routers supports only Layer 3 interfaces. Ethernet interfaces are not supported on ERSPAN when configured as Layer 2 interfaces.
  • ERSPAN users on Cisco ASR 1000 Series Routers can configure a list of ports as a source or a list of VLANs as a source, but cannot configure both for a given session.
  • When a session is configured through the ERSPAN configuration CLI, the session ID and the session type cannot be changed. To change them, you must first use the no form of the configuration command to remove the session and then reconfigure the session.
  • The monitor session span-session-number type local command is not supported on Cisco ASR 1000 Series Routers.
  • The filter VLAN option is not functional in an ERSPAN monitoring session on WAN interfaces.

Information About Configuring ERSPAN

ERSPAN Overview

The Cisco ERSPAN feature allows you to monitor traffic on one or more ports or VLANs and send the monitored traffic to one or more destination ports. ERSPAN sends traffic to a network analyzer such as a Switch Probe device or another Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different routers, which provides remote monitoring of multiple routers across a network (see the figure below).

On a Cisco ASR 1000 Series Router, ERSPAN supports encapsulated packets of up to 9180 bytes. The default ERSPAN maximum transmission unit (MTU) size is 1500 bytes. If the ERSPAN payload length, which comprises the encapsulated IPv4 header, generic routing encapsulation (GRE) header, ERSPAN header, and the original packet, exceeds the ERSPAN MTU size, the replicated packet is truncated to the default ERSPAN MTU size.

ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE encapsulated traffic, and an ERSPAN destination session.

You can configure an ERSPAN source session, an ERSPAN destination session, or both on a Cisco ASR 1000 Series Router. A device that has only an ERSPAN source session configured is called an ERSPAN source device, and a device that has only an ERSPAN destination session configured is called an ERSPAN termination device. A Cisco ASR 1000 Series Router can act as both an ERSPAN source device and an ERSPAN termination device. You can terminate an ERSPAN session with a destination session on the same Cisco ASR 1000 Series Router.

An ERSPAN source session is defined by the following parameters:

  • A session ID
  • List of source ports or source VLANs to be monitored by the session
  • The destination and origin IP addresses, which are used as the destination and source IP addresses of the GRE envelope for the captured traffic, respectively
  • ERSPAN flow ID
  • Optional attributes related to the GRE envelope, such as IP type of service (TOS) and IP Time to Live (TTL)

An ERSPAN destination session is defined by the following:

  • Session ID
  • Destination ports
  • Source IP address, which is the same as the destination IP address of the corresponding source session
  • ERSPAN flow ID, which is used to match the destination session with the source session

ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have either ports or VLANs as sources, but not both.

The ERSPAN source session copies traffic from the source ports or source VLANs and forwards it to the ERSPAN destination session as routable GRE-encapsulated packets. The ERSPAN destination session switches the traffic to the destination ports.

Figure 1. ERSPAN Configuration
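To make the encapsulation described above concrete, the following Python code is an added example (not code from this guide or from Cisco) that builds a sample ERSPAN packet, decapsulates it to recover the session ID, GRE envelope addresses and the mirrored frame, and applies the MTU truncation rule from the overview. It assumes the ERSPAN Type II header layout from the ERSPAN draft (GRE protocol type 0x88BE, an 8-byte header with a 10-bit session ID), which this page names but does not spell out; a sensor or IDS that receives ERSPAN has to do this parsing before it can inspect the mirrored traffic.

```python
import struct

# Added example: builds and decapsulates an ERSPAN Type II packet. Layout assumed
# from the ERSPAN draft (the page names the components, not the bit fields):
#   outer IPv4 (20 B) | GRE (4 B, +4 B sequence) | ERSPAN Type II (8 B) | original frame
GRE_PROTO_ERSPAN_II = 0x88BE     # GRE protocol type for ERSPAN Type II
IPPROTO_GRE = 47
ERSPAN_DEFAULT_MTU = 1500


def replicated_length(original_len, mtu=ERSPAN_DEFAULT_MTU):
    """Length of the replicated packet after the page's rule: IPv4 + GRE (with
    sequence) + ERSPAN headers + original frame, cut to the ERSPAN MTU if larger."""
    return min(20 + 8 + 8 + original_len, mtu)


def build_erspan(inner, session_id, vlan, origin_ip, dest_ip, ttl=32, tos=0, seq=0):
    """Construct a sample ERSPAN Type II packet (constructed test input, not device output)."""
    # Ver=1 | VLAN(12) | COS(3)=0 | En(2)=0b10 (802.1Q) | T(1)=0 | Session ID(10); index word = 0
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | (0b10 << 11) | (session_id & 0x3FF), 0)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, seq)   # S bit set: sequence number follows
    total = 20 + len(gre) + len(erspan) + len(inner)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, 0, 0x4000, ttl, IPPROTO_GRE,
                       0,                                           # checksum left 0 in this sample
                       bytes(int(o) for o in origin_ip.split(".")),
                       bytes(int(o) for o in dest_ip.split(".")))
    return ipv4 + gre + erspan + inner


def decapsulate_erspan(pkt):
    """Strip the outer IPv4/GRE/ERSPAN headers; return session metadata plus the mirrored frame."""
    ver_ihl, tos, _total = struct.unpack_from("!BBH", pkt, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ttl, proto = struct.unpack_from("!BB", pkt, 8)
    if proto != IPPROTO_GRE:
        raise ValueError("outer IPv4 does not carry GRE")
    off = (ver_ihl & 0x0F) * 4                       # skip the IPv4 header, options included
    flags, gre_proto = struct.unpack_from("!HH", pkt, off)
    off += 4
    if gre_proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN Type II")
    if flags & 0x8000:                               # C bit: checksum + reserved1 present
        off += 4
    if flags & 0x2000:                               # K bit: key present
        off += 4
    seq = None
    if flags & 0x1000:                               # S bit: sequence number present
        (seq,) = struct.unpack_from("!I", pkt, off)
        off += 4
    w1, w2 = struct.unpack_from("!II", pkt, off)
    off += 8
    if w1 >> 28 != 1:
        raise ValueError("not an ERSPAN Type II header (version != 1)")
    return {
        "origin_ip": ".".join(str(b) for b in pkt[12:16]),   # origin ip address of the source session
        "dest_ip": ".".join(str(b) for b in pkt[16:20]),     # ip address (destination) of the source session
        "tos": tos, "ttl": ttl, "gre_seq": seq,
        "session_id": w1 & 0x3FF,                             # erspan-id (flow ID)
        "vlan": (w1 >> 16) & 0xFFF,
        "cos": (w1 >> 13) & 0x7,
        "truncated": bool((w1 >> 10) & 1),                    # T bit: frame was cut to the ERSPAN MTU
        "index": w2 & 0xFFFFF,
        "inner": pkt[off:],
    }
```

Outer-header TOS carries the ip prec or ip dscp value set in the source session, and the session ID is the only field that ties a received packet back to a configured erspan-id, so a collector should key its sessions on (origin_ip, dest_ip, session_id).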

Monitored Traffic

For a source port or a source VLAN, ERSPAN can monitor ingress, egress, or both ingress and egress traffic. By default, ERSPAN monitors all traffic, including multicast and Bridge Protocol Data Unit (BPDU) frames.

ERSPAN Sources

The Cisco ERSPAN feature supports the following sources:

  • Source ports—A source port that is monitored for traffic analysis. Source ports can be in any VLAN, and trunk ports can be configured as source ports alongside nontrunk source ports.
  • Source VLANs—A VLAN that is monitored for traffic analysis.

The following tunnel interfaces are supported as source ports for a source session:

  • GRE
  • IPinIP
  • IPv6
  • IPv6 over IP tunnel
  • Multipoint GRE (mGRE)
  • Secure Virtual Tunnel Interfaces (SVTI)

Note: SVTI and IPinIP tunnel interfaces support the monitoring of both IPsec-protected and non-IPsec-protected tunnel packets. Monitoring of tunnel packets allows you to see the clear-text tunnel packet after IPsec decryption if that tunnel is IPsec protected.

The following limitations apply to the enhancements introduced in Cisco IOS XE Release 3.4S:
  • Monitoring of non-IPsec-protected tunnel packets is supported on IPv6 and IPv6 over IP tunnel interfaces.
  • The enhancements apply only to ERSPAN source sessions, not to ERSPAN destination sessions.

ERSPAN has the following behavior in Cisco IOS XE Release 3.4S:

  • The tunnel interface is removed from the ERSPAN database at all levels when the tunnel interface is deleted. If you want to create the same tunnel again, you must manually configure it in source monitor sessions to keep monitoring the tunnel traffic.
  • The Layer 2 Ethernet header is generated with both source and destination MAC addresses set to zero.

In Cisco IOS XE Release 3.5S, support was added for the following types of WAN interfaces as source ports for a source session:

  • Serial (T1/E1, T3/E3, DS0)
  • Packet over SONET (POS) (OC3, OC12)
  • Multilink PPP

The multilink, pos, and serial keywords were added to the source interface command accordingly.

ERSPAN Destination Ports

A destination port is a Layer 2 or Layer 3 LAN port to which ERSPAN sends traffic for analysis.

When you configure a port as a destination port, it can no longer receive any traffic, and the port is dedicated for use only by the ERSPAN feature. An ERSPAN destination port does not forward any traffic except that required for the ERSPAN session. You can configure trunk ports as destination ports, which allows destination trunk ports to transmit encapsulated traffic.

Using ERSPAN as Local SPAN

To use ERSPAN to monitor traffic through one or more ports or VLANs, you must create an ERSPAN source session and an ERSPAN destination session.

You can create the two sessions either on the same router or on different routers. If the two sessions are created on two different routers, the monitoring traffic will be forwarded from the source to the destination by ERSPAN. However, if the two sessions are created on the same router, data flow takes place inside the router, which is similar to that in local SPAN.

The following factors are applicable while using ERSPAN as a local SPAN:

  • Both sessions have the same ERSPAN ID.
  • Both sessions have the same IP address. This IP address is the router’s own IP address; that is, the loopback IP address or the IP address configured on any port.

ERSPAN Support on WAN Interface

In Cisco IOS XE Release 3.5S, ERSPAN source support on WAN interfaces was added to allow monitoring of traffic on WAN interfaces. ERSPAN replicates the original frame and encapsulates the replicated frame inside an IP or GRE packet by adding Fabric Interface ASIC (FIA) entries on the WAN interface. The frame header of the replicated packet is modified for capturing. After encapsulation, ERSPAN sends the IP or GRE packet through an IP network to a device on the network. This device sends the original frame to an analyzing device that is directly connected to the network device.

How to Configure ERSPAN

ERSPAN uses separate source and destination sessions. You configure the source and destination sessions on either the same router or on different routers.

Configuring an ERSPAN Source Session

The ERSPAN source session defines the session configuration parameters and the ports or VLANs to be monitored.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface interface-type interface-number

    4.    plim ethernet vlan filter disable

    5.    monitor session span-session-number type erspan-source

    6.    description string

    7.    source interface interface-name interface-number

    8.    source vlan {id-single | id-list | id-range | id-mixed} [rx | tx | both]

    9.    filter vlan {id-single | id-list | id-range | id-mixed}

    10.    destination

    11.    erspan-id erspan-flow-id

    12.    ip address ip-address

    13.    ip prec prec-value

    14.    ip dscp dscp-value

    15.    ip ttl ttl-value

    16.    mtu mtu-size

    17.    origin ip address ip-address [force]

    18.    vrf vrf-id

    19.    no shutdown

    20.    end


DETAILED STEPS

Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

Step 2
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: interface interface-type interface-number
  Example: Device(config)# interface GigabitEthernet1/0/1
  Purpose: Specifies the interface on which the ERSPAN source session is configured.

Step 4
  Command or Action: plim ethernet vlan filter disable
  Example: Device(config-if)# plim ethernet vlan filter disable
  Purpose: (Optional) Disables the VLAN filtering option for Ethernet interfaces. Use this command if you are using the vlan filter command or if the source interface is using dot1q encapsulation.

Step 5
  Command or Action: monitor session span-session-number type erspan-source
  Example: Device(config)# monitor session 1 type erspan-source
  Purpose: Defines an ERSPAN source session using the session ID and the session type, and enters ERSPAN monitor source session configuration mode.
    • The span-session-number argument range is from 1 to 1024. The same session number cannot be used more than once.
    • The session IDs for source sessions and destination sessions are in the same global ID space, so each session ID is globally unique across both session types.
    • The session ID (configured by the span-session-number argument) and the session type (configured by the erspan-source keyword) cannot be changed once entered. Use the no form of this command to remove the session, and then re-create the session with a new session ID or a new session type.

Step 6
  Command or Action: description string
  Example: Device(config-mon-erspan-src)# description source1
  Purpose: (Optional) Describes the ERSPAN source session.
    • The string argument can be up to 240 characters and cannot contain special characters or spaces.

Step 7
  Command or Action: source interface interface-name interface-number
  Example: Device(config-mon-erspan-src)# source interface GigabitEthernet1/0/1 rx
  Purpose: Associates the ERSPAN source session with the interfaces to be monitored; the direction keyword (rx in the example) selects the traffic direction. More than one interface, including WAN interfaces, can be configured in a single ERSPAN session.

Step 8
  Command or Action: source vlan {id-single | id-list | id-range | id-mixed} [rx | tx | both]
  Example: Device(config-mon-erspan-src)# source vlan 1
  Purpose: (Optional) Associates the ERSPAN source session with the VLANs, and selects the traffic direction to be monitored.
    • You cannot include source VLANs and filter VLANs in the same session. You can include either source VLANs or filter VLANs, but not both at the same time.

Step 9
  Command or Action: filter vlan {id-single | id-list | id-range | id-mixed}
  Example: Device(config-mon-erspan-src)# filter vlan 1
  Purpose: (Optional) Configures source VLAN filtering when the ERSPAN source is a trunk port.
    • You cannot include source VLANs and filter VLANs in the same session. You can have either source VLANs or filter VLANs, but not both at the same time.

Step 10
  Command or Action: destination
  Example: Device(config-mon-erspan-src)# destination
  Purpose: Enters ERSPAN source session destination configuration mode.

Step 11
  Command or Action: erspan-id erspan-flow-id
  Example: Device(config-mon-erspan-src-dst)# erspan-id 100
  Purpose: Configures the ID used by the source and destination sessions to identify the ERSPAN traffic. The same ID must also be entered in the ERSPAN destination session configuration.

Step 12
  Command or Action: ip address ip-address
  Example: Device(config-mon-erspan-src-dst)# ip address 10.10.0.1
  Purpose: Configures the IP address that is used as the destination of the ERSPAN traffic.

Step 13
  Command or Action: ip prec prec-value
  Example: Device(config-mon-erspan-src-dst)# ip prec 5
  Purpose: (Optional) Configures the IP precedence value of the packets in the ERSPAN traffic.
    • You can optionally use either the ip prec command or the ip dscp command, but not both.

Step 14
  Command or Action: ip dscp dscp-value
  Example: Device(config-mon-erspan-src-dst)# ip dscp 10
  Purpose: (Optional) Configures the IP differentiated services code point (DSCP) value of the packets in the ERSPAN traffic.
    • You can optionally use either the ip prec command or the ip dscp command, but not both.

Step 15
  Command or Action: ip ttl ttl-value
  Example: Device(config-mon-erspan-src-dst)# ip ttl 32
  Purpose: (Optional) Configures the IP TTL value of the packets in the ERSPAN traffic.

Step 16
  Command or Action: mtu mtu-size
  Example: Device(config-mon-erspan-src-dst)# mtu 1500
  Purpose: Configures the maximum transmission unit (MTU) size, in bytes, for ERSPAN encapsulation.
    • Valid values are from 64 to 9180. The default value is 1500.

Step 17
  Command or Action: origin ip address ip-address [force]
  Example: Device(config-mon-erspan-src-dst)# origin ip address 10.10.0.1
  Purpose: Configures the IP address used as the source of the ERSPAN traffic.

Step 18
  Command or Action: vrf vrf-id
  Example: Device(config-mon-erspan-src-dst)# vrf 1
  Purpose: (Optional) Configures the VRF name to use instead of the global routing table.

Step 19
  Command or Action: no shutdown
  Example: Device(config-mon-erspan-src-dst)# no shutdown
  Purpose: Enables the configured session.

Step 20
  Command or Action: end
  Example: Device(config-mon-erspan-src-dst)# end
  Purpose: Exits ERSPAN source session destination configuration mode and returns to privileged EXEC mode.

Configuring an ERSPAN Destination Session

Perform this task to configure an Encapsulated Remote Switched Port Analyzer (ERSPAN) destination session. The ERSPAN destination session defines the session configuration parameters and the ports that will receive the monitored traffic.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    monitor session session-number type erspan-destination

    4.    description string

    5.    destination interface {gigabitethernet | port-channel} [interface-number]

    6.    source

    7.    erspan-id erspan-flow-id

    8.    ip address ip-address [force]

    9.    vrf vrf-id

    10.    no shutdown

    11.    end


DETAILED STEPS

Step 1
  Command or Action: enable
  Example: Device> enable
  Purpose: Enables privileged EXEC mode.
    • Enter your password if prompted.

Step 2
  Command or Action: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.

Step 3
  Command or Action: monitor session session-number type erspan-destination
  Example: Device(config)# monitor session 1 type erspan-destination
  Purpose: Defines an ERSPAN destination session using the session ID and the session type, and enters ERSPAN monitor destination session configuration mode.
    • The session-number argument range is from 1 to 1024. The session number must be unique and cannot be used more than once.
    • The session IDs for source sessions and destination sessions are in the same global ID space, so each session ID is globally unique across both session types.
    • The session ID (configured by the session-number argument) and the session type (configured by the erspan-destination keyword) cannot be changed once entered. Use the no form of this command to remove the session, and then re-create the session with a new session ID or a new session type.

Step 4
  Command or Action: description string
  Example: Device(config-mon-erspan-dst)# description source1
  Purpose: (Optional) Describes the ERSPAN destination session.
    • The string argument can be up to 240 characters in length and cannot contain special characters or spaces.

Step 5
  Command or Action: destination interface {gigabitethernet | port-channel} [interface-number]
  Example: Device(config-mon-erspan-dst)# destination interface GigabitEthernet1/0/1
  Purpose: Associates the ERSPAN destination session with the destination ports to which the monitored traffic is sent.

Step 6
  Command or Action: source
  Example: Device(config-mon-erspan-dst)# source
  Purpose: Enters ERSPAN destination session source configuration mode.

Step 7
  Command or Action: erspan-id erspan-flow-id
  Example: Device(config-mon-erspan-dst-src)# erspan-id 100
  Purpose: Configures the ID used by the source and destination sessions to identify the ERSPAN traffic. The same ID must also be entered in the ERSPAN source session configuration.

Step 8
  Command or Action: ip address ip-address [force]
  Example: Device(config-mon-erspan-dst-src)# ip address 10.10.0.1
  Purpose: Configures the IP address that is used as the source of the ERSPAN traffic. It must match the ip address configured in the corresponding source session.
    • The ip address ip-address force command changes the source IP address for all ERSPAN destination sessions.

Step 9
  Command or Action: vrf vrf-id
  Example: Device(config-mon-erspan-dst-src)# vrf 1
  Purpose: (Optional) Configures the VRF name to use instead of the global routing table.

Step 10
  Command or Action: no shutdown
  Example: Device(config-mon-erspan-dst-src)# no shutdown
  Purpose: Enables the configured session.

Step 11
  Command or Action: end
  Example: Device(config-mon-erspan-dst-src)# end
  Purpose: Exits ERSPAN destination session source configuration mode and returns to privileged EXEC mode.

Configuration Examples for ERSPAN

Example: Configuring an ERSPAN Source Session

The following example shows how to configure an ERSPAN source session:

Device> enable
Device# configure terminal
Device(config)# monitor session 1 type erspan-source
Device(config-mon-erspan-src)# description source1
Device(config-mon-erspan-src)# source interface GigabitEthernet1/0/1 rx
Device(config-mon-erspan-src)# source interface GigabitEthernet1/0/4 - 8 tx
Device(config-mon-erspan-src)# source interface GigabitEthernet1/0/3
Device(config-mon-erspan-src)# destination
Device(config-mon-erspan-src-dst)# erspan-id 100
Device(config-mon-erspan-src-dst)# ip address 10.1.0.1
Device(config-mon-erspan-src-dst)# ip prec 5
Device(config-mon-erspan-src-dst)# ip ttl 32
Device(config-mon-erspan-src-dst)# mtu 1700
Device(config-mon-erspan-src-dst)# origin ip address 10.10.0.1
Device(config-mon-erspan-src-dst)# vrf 1
Device(config-mon-erspan-src-dst)# no shutdown
Device(config-mon-erspan-src-dst)# end

Example: Configuring an ERSPAN Source Session on a WAN Interface

The following example shows how to configure more than one WAN interface in a single ERSPAN source monitor session. Multiple interfaces are separated by commas.

monitor session 100 type erspan-source
 source interface Serial 0/1/0:0, Serial 0/1/0:6

Example: Configuring an ERSPAN Destination Session

The following example shows how to configure an ERSPAN destination session:

monitor session 2 type erspan-destination
 destination interface GigabitEthernet1/3/2
 destination interface GigabitEthernet2/2/0
 source
  erspan-id 100
  ip address 10.10.0.1

Example: Configuring ERSPAN as a Local SPAN

The following example shows how to configure ERSPAN as a local SPAN. Both sessions are on the same router and use the same ERSPAN ID and the same IP address, which is the router's own address:

monitor session 10 type erspan-source
 source interface GigabitEthernet0/0/0
 destination
  erspan-id 10
  ip address 10.10.10.1
  origin ip address 10.10.10.1
monitor session 20 type erspan-destination
 destination interface GigabitEthernet0/0/1
 source
  erspan-id 10
  ip address 10.10.10.1
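The restrictions and the two procedures above amount to a set of consistency rules between a source session and the destination session that terminates it. The following Python checker is an added example, not Cisco tooling: it models both session types with the parameters from this page and reports every rule a configuration breaks, which is what you want to run before pushing a monitoring change. The input is constructed from the local SPAN example above.

```python
from dataclasses import dataclass, field
from typing import Optional

# Limits and mutual exclusions taken from this page's restrictions and step notes.
MAX_SESSION_ID = 1024            # one global ID space shared by source and destination sessions
MAX_PORTS_PER_SESSION = 128
MTU_MIN, MTU_MAX, MTU_DEFAULT = 64, 9180, 1500


@dataclass
class SourceSession:
    session_id: int
    erspan_id: int
    ip_address: str                      # destination of the GRE envelope
    origin_ip: str                       # source of the GRE envelope
    source_ports: list = field(default_factory=list)
    source_vlans: list = field(default_factory=list)
    filter_vlans: list = field(default_factory=list)
    ip_prec: Optional[int] = None
    ip_dscp: Optional[int] = None
    mtu: int = MTU_DEFAULT


@dataclass
class DestinationSession:
    session_id: int
    erspan_id: int
    ip_address: str                      # must equal the source session's ip_address
    destination_ports: list = field(default_factory=list)


def validate_source(s):
    """Return the page's rules that a source session breaks (empty list means OK)."""
    errs = []
    if not 1 <= s.session_id <= MAX_SESSION_ID:
        errs.append("session ID must be between 1 and 1024")
    if s.source_ports and s.source_vlans:
        errs.append("a session monitors either ports or VLANs, not both")
    if not (s.source_ports or s.source_vlans):
        errs.append("no source ports or source VLANs configured")
    if s.source_vlans and s.filter_vlans:
        errs.append("source vlan and filter vlan cannot be used in the same session")
    if len(s.source_ports) > MAX_PORTS_PER_SESSION:
        errs.append("more than 128 ports in one session")
    if s.ip_prec is not None and s.ip_dscp is not None:
        errs.append("use ip prec or ip dscp, not both")
    if not MTU_MIN <= s.mtu <= MTU_MAX:
        errs.append("mtu must be between 64 and 9180")
    return errs


def validate_pair(src, dst):
    """Check that dst will actually terminate src (same rules apply to local SPAN)."""
    errs = validate_source(src)
    if not 1 <= dst.session_id <= MAX_SESSION_ID:
        errs.append("destination session ID must be between 1 and 1024")
    if src.session_id == dst.session_id:
        errs.append("session IDs share one global space and must differ")
    if src.erspan_id != dst.erspan_id:
        errs.append("erspan-id must match on both sessions")
    if src.ip_address != dst.ip_address:
        errs.append("destination session ip address must equal source session ip address")
    if not dst.destination_ports:
        errs.append("destination session has no destination ports")
    return errs
```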
            

Additional References for Configuring ERSPAN

Related Documents

  Related Topic: Cisco IOS commands
  Document Title: Cisco IOS Master Command List, All Releases

  Related Topic: LAN Switching commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
  Document Title: LAN Switching Command Reference

Technical Assistance

  Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
  Link: http://www.cisco.com/techsupport

Feature Information for Configuring ERSPAN

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for Configuring ERSPAN

  Feature Name: ERSPAN
  Releases: Cisco IOS XE Release 2.1, Cisco IOS XE Release 3.8S
  Feature Information: The Cisco ERSPAN feature allows you to monitor traffic on one or more ports or VLANs, and send the monitored traffic to one or more destination ports.
    The following commands were introduced or modified by this feature: description, destination, erspan-id, filter, ip dscp, ip prec, ip ttl, monitor permit-list, monitor session, origin ip address, show monitor permit-list, source, switchport, switchport mode trunk, switchport nonegotiate, switchport trunk encapsulation, vrf.
    In Cisco IOS XE Release 3.8S, ERSPAN was enhanced to support an MTU data size of up to 9180 bytes. The following command was added by this feature: mtu.

  Feature Name: ERSPAN Support on WAN Interface
  Releases: Cisco IOS XE Release 3.5S
  Feature Information: ERSPAN has been enhanced to support WAN interfaces as ERSPAN sources.
    The following command was modified by this feature: source interface.