Cisco Nexus 7000 Series NX-OS System Management Configuration Guide, Release 6.x
Configuring ERSPAN

Table of Contents

Configuring ERSPAN

Finding Feature Information

Information About ERSPAN

ERSPAN Types

ERSPAN Sources

ERSPAN Destinations

ERSPAN Sessions

Extended ERSPAN Session

Rule-Based ERSPAN

Exception ERSPAN

Network Analysis Module

High Availability

Virtualization Support

Licensing Requirements for ERSPAN

Prerequisites for ERSPAN

Guidelines and Limitations for ERSPAN

Default Settings for ERSPAN

Configuring ERSPAN

Configuring an ERSPAN Source Session

Configuring an ERSPAN Destination Session

Shutting Down or Activating an ERSPAN Session

Configuring MTU Truncation for Each ERSPAN Session

Configuring a Source Rate Limit for Each ERSPAN Session

Configuring Sampling for Each ERSPAN Session

Configuring the Multicast Best Effort Mode for an ERSPAN Session

Configuring Rule-Based ERSPAN

Configuring Exception ERSPAN

Verifying the ERSPAN Configuration

Configuration Examples for ERSPAN

Configuration Example for an ERSPAN Type III Source Session

Configuration Example for a Unidirectional ERSPAN Session

Configuration Example for an ERSPAN Destination Session

Configuration Example for an ERSPAN ACL

Configuration Example for ERSPAN with MTU Truncation and ERSPAN Sampling

Configuration Example for ERSPAN Using the Multicast Best Effort Mode

Configuration Example for Rule-Based ERSPAN

Configuration Example for Exception ERSPAN

Additional References for ERSPAN

Related Documents

Standards

Feature History for ERSPAN

Configuring ERSPAN

This chapter describes how to configure an encapsulated remote switched port analyzer (ERSPAN) to transport mirrored traffic in an IP network on Cisco NX-OS devices.


Finding Feature Information

Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “New and Changed Information” chapter or the Feature History table below.

Information About ERSPAN

ERSPAN transports mirrored traffic over an IP network. The traffic is encapsulated at the source router and is transferred across the network. The packet is decapsulated at the destination router and then sent to the destination interface.

ERSPAN consists of an ERSPAN source session, routable ERSPAN generic routing encapsulation (GRE)-encapsulated traffic, and an ERSPAN destination session. You separately configure ERSPAN source sessions and destination sessions on different switches.


ERSPAN Types

Cisco NX-OS Release 6.1 and later releases support ERSPAN Type II and Type III. All previous Cisco NX-OS releases support only ERSPAN Type II.

ERSPAN Type III supports all of the ERSPAN Type II features and functionality and adds these enhancements:

  • Provides timestamp information in the ERSPAN Type III header that can be used to calculate packet latency among edge, aggregate, and core switches
  • Identifies possible traffic sources using the ERSPAN Type III header fields
  • Provides the ability to configure timestamp granularity across all VDCs to determine how the clock manager synchronizes the ERSPAN timers

ERSPAN Sources

The interfaces from which traffic can be monitored are called ERSPAN sources. Sources designate the traffic to monitor and whether to copy ingress, egress, or both directions of traffic. ERSPAN sources include the following:

  • Ethernet ports and port channels.
  • The inband interface to the control plane CPU—You can monitor the inband interface only from the default virtual device context (VDC). Inband traffic from all VDCs is monitored.
  • VLANs—When a VLAN is specified as an ERSPAN source, all supported interfaces in the VLAN are ERSPAN sources.
  • Fabric port channels connected to the Cisco Nexus 2000 Series Fabric Extender (FEX).
  • Satellite ports and host interface port channels on the Cisco Nexus 2000 Series Fabric Extender—These interfaces are supported in Layer 2 access mode, Layer 2 trunk mode, and Layer 3 mode.

Note Layer 3 subinterfaces are not supported.



Note A single ERSPAN session can include mixed sources in any combination of the above.


See the Cisco Nexus 7000 Series NX-OS Verified Scalability Guide for information on the number of supported ERSPAN sessions.

ERSPAN source ports have the following characteristics:

  • A port configured as a source port cannot also be configured as a destination port.
  • ERSPAN does not monitor any packets that are generated by Supervisor 1, regardless of their source. This limitation does not apply to Supervisor 2.

ERSPAN Destinations

Destination ports receive the copied traffic from ERSPAN sources.

ERSPAN destination ports have the following characteristics:

  • Destinations for an ERSPAN session include Ethernet ports or port-channel interfaces in either access or trunk mode.
  • A port configured as a destination port cannot also be configured as a source port.
  • A destination port can be configured in only one ERSPAN session at a time.
  • Destination ports do not participate in any spanning tree instance or any Layer 3 protocols.
  • Ingress and ingress learning options are not supported on monitor destination ports.
  • F Series module core ports, Fabric Extender host interface (HIF) ports, HIF port channels, and fabric port-channel ports are not supported as ERSPAN destination ports.

ERSPAN Sessions

You can create ERSPAN sessions that designate sources and destinations to monitor.

Figure 17-1 shows an ERSPAN configuration.

Figure 17-1 ERSPAN Configuration


Extended ERSPAN Session

Cisco NX-OS Release 6.2(2) and later releases support extended ERSPAN sessions in addition to the two traditional ERSPAN sessions in prior releases. Extended ERSPAN sessions can be bidirectional or unidirectional. The session direction is specified during session creation. A pool of 12 independent session resources is available. Unidirectional sessions use one resource, and bidirectional sessions use two resources. These 12 resources are shared between local and ERSPAN source sessions across all VDCs.

If you are configuring an extended SPAN session on a Cisco Nexus 7710 switch or a Cisco Nexus 7718 switch, the following applies:

  • You do not need to use the mode extended command. All sessions are extended by default.
  • You can configure 16 sessions as unidirectional or bidirectional, as required.
  • You do not need to maintain two traditional sessions.
  • You do not need to use the resource manager to reserve the two traditional sessions.
  • ERSPAN ACL-based filtering is not supported.

Rule-Based ERSPAN

Rule-based ERSPAN filters the ingress or egress ERSPAN traffic based on a set of rules. For Cisco NX-OS releases prior to 6.2(2), you can filter on VLANs, the destination index, and the source index. Beginning with Cisco NX-OS Release 6.2(2), you can filter the ERSPAN traffic based on a combination of fields in the Layer 2, Layer 3, or Layer 4 packet header.

Every ERSPAN session (traditional and extended) has an associated filter. Every ERSPAN session has one filter resource. A simple filter has only one rule, and you can add multiple fields or conditions to this rule. The packets are spanned only if all conditions are met.

Table 17-1 Supported Filter Fields

  • Ethernet: Frame Type, VLAN, TR, BPDU, Port Channel Lane, Flow Hash, L2 MAC DA, L2 MAC SA, EtherType, CoS/VL
  • IPv4: Frame Type, VLAN, TR, BPDU, Port Channel Lane, Flow Hash, L2 MAC DA, L2 MAC SA, EtherType, CoS/VL, ToS, L4 Protocol, IPv4 SA, IPv4 DA
  • IPv6: Frame Type, VLAN, TR, BPDU, Port Channel Lane, Flow Hash, L2 MAC DA, L2 MAC SA, EtherType, CoS/VL, ToS, L4 Protocol, IPv6 SA, IPv6 DA
  • ARP/RARP: Frame Type, VLAN, TR, BPDU, Port Channel Lane, Flow Hash, L2 MAC DA, L2 MAC SA, EtherType, CoS/VL, ARP, Request, Sender IP, Target IP
  • FCoE: Frame Type, VLAN, TR, BPDU, Port Channel Lane, Flow Hash, L2 MAC DA, L2 MAC SA, EtherType, CoS/VL, FCD_ID, FCS_ID, SOF, R_CTL, TYPE, Cmd_Code, Sec_Hdr Exists

Exception ERSPAN

Exception ERSPAN enables you to span exception packets. Packets that have failed an intrusion detection system (IDS), Layer 3 IP verification, and FabricPath are treated as exception packets.

The exception ERSPAN session is supported in either one of the two traditional ERSPAN sessions or in one of the extended ERSPAN sessions. Rate limiters, MTU truncation, and sampling are supported in the exception ERSPAN session. Only the exception packets sent to the drop destination interface are supported as an ERSPAN source. Exception packets that are pushed to the supervisor, the ACLQoS, or Layer 2 are not spanned. Each VDC supports one exception ERSPAN session.

Exception ERSPAN is supported in the egress direction only. In the case of an extended ERSPAN Rx session, the exception source configuration will be rejected.

Network Analysis Module

You can also use the Cisco Network Analysis Module (NAM) to monitor ERSPAN data sources for application performance, traffic analysis, and packet header analysis.

To use NAM for monitoring the Cisco Nexus 7000 ERSPAN data sources, see the Cisco Nexus 7000 Series Network Analysis Module (NAM-NX1) Quick Start Guide.

High Availability

The ERSPAN feature supports stateless and stateful restarts. After a reboot or supervisor switchover, the running configuration is applied.

For more information on high availability, see the Cisco Nexus 7000 Series NX-OS High Availability and Redundancy Guide.

Virtualization Support

A virtual device context (VDC) is a logical representation of a set of system resources. ERSPAN applies only to the VDC where the commands are entered.


Note You can monitor the inband interface only from the default VDC. Inband traffic from all VDCs is monitored.


For information about configuring VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

Licensing Requirements for ERSPAN

The following table shows the licensing requirements for this feature:

 

Product: Cisco NX-OS

License Requirement: ERSPAN requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for ERSPAN

ERSPAN has the following prerequisite:

  • You must first configure the ports on each device to support the desired ERSPAN configuration. For more information, see the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide.

Guidelines and Limitations for ERSPAN

ERSPAN has the following configuration guidelines and limitations:

  • For ERSPAN session limits, see the Cisco Nexus 7000 Series NX-OS Verified Scalability Guide.
  • All ERSPAN replication is performed in the hardware. The supervisor CPU is not involved.
  • Control plane traffic generated by Supervisor 2 can be ERSPAN encapsulated but cannot be filtered by an ERSPAN ACL.
  • Control plane packets generated by Supervisor 1 cannot be ERSPAN encapsulated or filtered by an ERSPAN ACL.
  • ERSPAN and ERSPAN ACLs are not supported on F1 Series modules. For the VDCs that have F1 Series modules only, you can configure ERSPAN source and destination sessions and ERSPAN ACL source sessions, but they never come up.
  • ERSPAN source sessions are supported on F2 Series and F2e (enhanced) Series modules. Beginning with Cisco NX-OS Release 6.2(2), ERSPAN destination sessions are also supported on these modules. However, ERSPAN ACL sessions are not supported on F2 Series and F2e Series modules.
  • ERSPAN source, destination, and ACL sessions are supported on M Series modules.
  • The decapsulation of generic routing encapsulation (GRE) or ERSPAN packets received on an F1 Series module is not supported.
  • ERSPAN and ERSPAN ACL sessions are terminated identically at the destination router.
  • ERSPAN is not supported for management ports.
  • A destination port can be configured in only one ERSPAN session at a time.
  • You cannot configure a port as both a source and destination port.
  • A single ERSPAN session can include mixed sources in any combination of the following:
      - Ethernet ports or port channels but not subinterfaces
      - VLANs or port channels that can be assigned to port channel subinterfaces
      - The inband interface or port channels to the control plane CPU


Note ERSPAN does not monitor any packets that are generated by Supervisor 1, regardless of their source. This limitation does not apply to Supervisor 2.


  • Destination ports do not participate in any spanning tree instance or Layer 3 protocols.
  • When an ERSPAN session contains source ports that are monitored in the transmit or transmit and receive direction, packets that these ports receive might be replicated to the ERSPAN destination port even though the packets are not actually transmitted on the source ports. Some examples of this behavior on source ports are as follows:
      - Traffic that results from flooding
      - Broadcast and multicast traffic
  • You can enable ERSPAN for a source port before it becomes operationally active. For Layer 2 ports, traffic flooded to the VLANs that contain these ports is captured even when the link is not connected for the ports.
  • For VLAN ERSPAN sessions with both ingress and egress configured, two packets (one from ingress and one from egress) are forwarded from the destination port if the packets get switched on the same VLAN.
  • VLAN ERSPAN monitors only the traffic that leaves or enters Layer 2 ports in the VLAN.
  • You can monitor the inband interface only from the default VDC. Inband traffic from all VDCs is monitored.
  • A FabricPath core port is not supported as an ERSPAN destination when an F2 Series or F2e Series module is present in a VDC. However, a FabricPath core port can be configured as an ERSPAN source interface.
  • When using ERSPAN sessions on F2 Series or F2e Series modules, ensure that the total amount of source traffic in a given session is less than or equal to the capacity of the ERSPAN destination interface or port channel for that session. If the ERSPAN source traffic exceeds the capacity of the ERSPAN destination, packet drops might occur on the ERSPAN source interfaces.
  • Beginning with Cisco NX-OS Release 5.2, you can configure the Cisco Nexus 2000 Series Fabric Extender (FEX) interfaces and the fabric port channels connected to the Cisco Nexus 2000 Series Fabric Extender as ERSPAN sources. However, you cannot configure them as ERSPAN destinations.

Note ERSPAN on Fabric Extender interfaces and fabric port channels is supported on the M1 Series and M2 Series modules. ERSPAN runs on the Cisco Nexus 7000 Series device, not on the Fabric Extender. F2 Series and F2e Series modules support FEX, but they do not support FEX ERSPAN. Therefore, the FEX interfaces that are connected through the F2 Series and F2e Series modules cannot be made ERSPAN sources.


  • You can span Fabric port channels on F2 Series and F2e Series modules.
  • VLANs that contain FEX interfaces can be an ERSPAN source, but the ingress traffic through the F2 Series or F2e Series module-based FEX ports cannot be captured.
  • Layer 3 multicast egress packets cannot be spanned on F2 Series or F2e Series modules.
  • ERSPAN is supported on Fabric Extender interfaces in Layer 2 access mode, Layer 2 trunk mode, and Layer 3 mode. Layer 3 subinterfaces are not supported.
  • For ERSPAN sessions, the recommended MTU size is 144 bytes or greater because MTU truncation occurs after the packets are encapsulated.
  • The rate limit percentage of an ERSPAN session is based on 10G, 40G, and 100G for the respective modules (that is, 1 percent corresponds to 0.1G, 0.4G, or 1G respectively), and the value is applied per every forwarding engine instance.
  • MTU truncation and the ERSPAN source rate limit are supported only on F2 Series, F2e Series, and M2 Series modules and Supervisor 2. They are not supported on M1 Series modules.
  • For F2 Series and F2e Series modules, spanned FabricPath (core) packets have a 16-byte core header at the ERSPAN destination, and ingress FEX packets spanned through the fabric port channel have a 6-byte Vntag header at the ERSPAN destination. In addition, when trunk ports are used as the ERSPAN destination, the spanned packets have a 4-byte VLAN tag.
  • For F2 Series and F2e Series modules, egress ERSPAN packets of all traffic that ingresses on Layer 2 ports (including edge-to-edge traffic) have a 16-byte MAC-in-MAC header at the ERSPAN destination.
  • For MTU truncation on M2 Series modules, the truncated length of ERSPAN packets is rounded down to the nearest multiple of 16 bytes. For example, with an MTU configuration value of 65 to 79, packets are truncated to 64 bytes.
  • For certain rate limit and packet size values on F2 Series modules, F2e Series modules, M2 Series modules, and Supervisor 2, the ERSPAN packet rate is less than the configured value because of the internal accounting of packet sizes and internal headers.
  • ERSPAN sampling is supported only on F2 Series and F2e Series modules. It is not supported on M Series modules.
  • Multicast best effort mode applies only to M1 Series modules.
  • Beginning with Cisco NX-OS Release 6.1, ERSPAN source sessions are supported on Supervisor 2, but ERSPAN ACL sessions are not.
  • ERSPAN Type III source is supported only on F2 Series, F2e Series, and M2 Series modules.
  • ERSPAN Type III termination is supported only on M2 Series modules. That is, Type III ERSPAN packets are decapsulated only when they reach their destination through M2 Series modules.
  • Beginning with Cisco NX-OS Release 6.2(2), ERSPAN packets ingressing the destination switch on F2 Series or F2e Series modules can be terminated. IPv4 termination is supported but not IPv6 termination. F2 Series module termination on VDC virtual routing and forwarding (VRF) instances is not supported.
  • Supervisor 2 supports ERSPAN Type II and ERSPAN Type III for inband ports, but timestamps are not synchronized with the Precision Time Protocol (PTP) master timers.
  • 1588 granularity mode is not supported in Cisco NX-OS Release 6.1 and is rejected if selected.
  • M2 Series modules support 100 microseconds (ms), 100 nanoseconds (ns), and ns granularity. F2 Series and F2e Series modules support only 100 ms and 100 ns granularity.
  • When ERSPAN traffic is terminated on M2 Series modules, drops can occur at higher rates because all ERSPAN traffic for one session converges into one forwarding instance.
  • If the global granularity configuration is not supported for a particular module, that module reverts to 100-ms granularity. For example, if granularity is set to ns, all M2 Series modules will enable ns granularities, and all F2 Series and F2e Series modules will internally enable and send packets with the 100-ms timestamp. Use the show monitor session command to display the supported and unsupported granularities for each module.
  • F2 Series and F2e Series modules do not use the access control list (ACL) complex for ERSPAN Type III ACLs, so an ACL filter cannot be applied to F2 Series and F2e Series module traffic. However, for M2 Series modules, it is possible to encapsulate the packets using the Type III header after applying an ACL.
  • F2 Series and F2e Series modules support a 32-bit timestamp in the ERSPAN Type III header while M2 Series modules support a 64-bit timestamp.
  • If you enable ERSPAN on a vPC and ERSPAN packets need to be routed to the destination through the vPC, packets that come through the vPC peer-link cannot be captured.
  • Extended ERSPAN sessions cannot source incoming traffic on M1 Series modules in either the ingress or egress direction.
  • Traditional SPAN sessions support traffic from F Series and M Series modules. Extended SPAN sessions support traffic only from F Series and M2 Series modules.
  • Hardware session 15 is used by NetFlow on F2 and F2e Series modules. Any extended session using this hardware ID will not span incoming traffic on the F2 and the F2e ports.
  • Only eight sessions can support rate limiting on M2 Series modules. Any additional hardware sessions will not apply the configured rate limiter on M2 Series modules.
  • M1 Series modules and Supervisor 1 do not support rule-based ERSPAN. They support only VLAN filtering.
  • M1 and M2 Series modules support exception ERSPAN only in the nonadministration VDC, and at least one interface of the module must be present for the VDC.
  • F1 Series modules have limited support for rule-based ERSPAN. They do not support the IPv6 source IP filter and the IPv6 destination IP filter. They support only IPv4 and IPv6 ToS filters with values from 0 to 3. Port-channel member lane, FCoE source ID, and FCoE destination ID are not supported.
  • F2 and F2e Series modules have limited support for rule-based ERSPAN. They do not support wildcards in the IPv6 source IP filter and IPv6 destination IP filter, and they do not support egress ERSPAN filtering for destination MAC addresses and source MAC addresses.
  • ERSPAN ACLs are not supported for use with OTV.

Default Settings for ERSPAN

Table 17-2 lists the default settings for ERSPAN parameters.

 

Table 17-2 Default ERSPAN Parameters

Parameters                                                   Default
ERSPAN sampling                                              Disabled
ERSPAN sessions                                              Created in the shut state
ERSPAN source rate limit for traditional ERSPAN sessions     Disabled
ERSPAN source rate limit for extended ERSPAN sessions        Enabled
Global granularity of ERSPAN Type III sessions               100 microseconds
MTU truncation                                               Disabled
Multicast best effort mode                                   Disabled

Configuring ERSPAN


Configuring an ERSPAN Source Session

You can configure an ERSPAN session on the local device only. By default, ERSPAN sessions are created in the shut state.

For sources, you can specify Ethernet ports, port channels, the supervisor inband interface, and VLANs. A single ERSPAN session can include mixed sources in any combination of Ethernet ports, VLANs, or the inband interface to the control plane CPU.

For traditional sessions, you can configure the sessions without specifying the direction of the traffic.

For extended ERSPAN sessions, you can configure the sessions in one of the following ways:

  • Configure a session by not specifying any direction when you create the session and changing the mode to extended by entering the mode extended command.
  • Configure a unidirectional session by specifying the traffic direction when you create the session.

Note ERSPAN does not monitor any packets that are generated by Supervisor 1, regardless of their source. This limitation does not apply to Supervisor 2.


BEFORE YOU BEGIN

Ensure that you are in the correct VDC. To switch VDCs, use the switchto vdc command. For more information, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

SUMMARY STEPS

1. configure terminal

2. monitor erspan origin ip-address ip-address global

3. (Optional) monitor erspan granularity {100_ms | 100_ns | 1588 | ns}

4. no monitor session { session-number | all }

5. monitor session { session-number | all} type erspan-source [ rx | tx ] [shut]

6. (Optional) mode extended

7. (Optional) header-type version

8. description description

9. source {[ interface [ type slot / port [- port ][, type slot / port [- port ]]] [ port-channel channel-number ]] | [ vlan { number | range }]} [ rx | tx | both ]

10. (Optional) Repeat Step 9 to configure all ERSPAN sources.

11. (Optional) filter vlan { number | range } [include-untagged]

12. (Optional) Repeat Step 11 to configure all source VLANs to filter.

13. (Optional) filter access-group acl-filter

14. destination ip ip-address

15. erspan-id erspan-id

16. vrf vrf-name

17. (Optional) ip ttl ttl-number

18. (Optional) ip dscp dscp-number

19. no shut

20. exit

21. exit

22. (Optional) show monitor session { all | session-number | range session-range } [ brief ]

23. (Optional) show running-config monitor

24. (Optional) show startup-config monitor

25. (Optional) copy running-config startup-config [vdc-all]

DETAILED STEPS

 

Step 1
Command: configure terminal
Example:
    switch# configure terminal
    switch(config)#
Purpose: Enters global configuration mode.

Step 2
Command: monitor erspan origin ip-address ip-address global
Example:
    switch(config)# monitor erspan origin ip-address 10.0.0.1 global
Purpose: Configures the ERSPAN global origin IP address.
Note The global origin IP address can be configured in either the default VDC or the admin VDC. The value that is configured in this VDC is valid across all VDCs. Any change made in the default or admin VDC is applied across all nondefault VDCs.

Step 3
Command: monitor erspan granularity { 100_ms | 100_ns | 1588 | ns }
Example:
    switch(config)# monitor erspan granularity 100_ns
Purpose: (Optional) Specifies the granularity of all ERSPAN Type III sessions across all VDCs. The granularity options are 100 microseconds (ms), 100 nanoseconds (ns), IEEE 1588 (in seconds or nanoseconds), and nanoseconds.
Note The clock manager adjusts the ERSPAN timers based on the granularity setting. If you configure IEEE 1588, the clock manager synchronizes the ERSPAN timers across switches. Otherwise, the clock manager synchronizes the ERSPAN timer with the master timer in the switch.
Note 1588 granularity mode is not supported in Cisco NX-OS Release 6.1 and is rejected if selected.
Note M2 Series modules support 100 ms, 100 ns, and ns granularity. F2 Series and F2e Series modules support only 100 ms and 100 ns granularity.
Note This command can be applied only in the default VDC.

Step 4
Command: no monitor session { session-number | all }
Example:
    switch(config)# no monitor session 3
Purpose: Clears the configuration of the specified ERSPAN session. The new session configuration is added to the existing session configuration.

Step 5
Command: monitor session { session-number | all } type erspan-source [ rx | tx ] [ shut ]
Example:
    switch(config)# monitor session 3 type erspan-source
    switch(config-erspan-src)#
Purpose: Configures an ERSPAN Type II source session. By default the session is bidirectional. The optional keywords are as follows:
  • rx—Specifies an ingress extended ERSPAN source session.
  • tx—Specifies an egress extended ERSPAN source session.
  • shut—Specifies a shut state for the selected session.

Step 6
Command: mode extended
Example:
    switch(config-erspan-src)# mode extended
Purpose: (Optional) Configures the ERSPAN source session as an extended bidirectional session.
Note You cannot use this command for a unidirectional ERSPAN source session.

Step 7
Command: header-type version
Example:
    switch(config-erspan-src)# header-type 3
Purpose: (Optional) Changes the ERSPAN source session from Type II to Type III.
Note You can use the no form of this command to change an ERSPAN source session from Type III to Type II.

Step 8
Command: description description
Example:
    switch(config-erspan-src)# description erspan_src_session_3
Purpose: Configures a description for the session. By default, no description is defined. The description can be up to 32 alphanumeric characters.

Step 9
Command: source {[ interface [ type slot / port [- port ][, type slot / port [- port ]]] [ port-channel channel-number ]] | [ vlan { number | range }]} [ rx | tx | both ]
Example 1:
    switch(config-erspan-src)# source interface ethernet 2/1-3, ethernet 3/1 rx
Example 2:
    switch(config-erspan-src)# source interface port-channel 2
Example 3:
    switch(config-erspan-src)# source interface sup-eth 0 both
Example 4:
    switch(config-erspan-src)# source vlan 3, 6-8 tx
Example 5:
    switch(config-erspan-src)# source interface ethernet 101/1/1-3
Purpose: Configures the sources and traffic direction in which to copy packets. You can enter a range of Ethernet ports, a port channel, an inband interface, a range of VLANs, a Cisco Nexus 2000 Series Fabric Extender interface, or a fabric port channel connected to a Cisco Nexus 2000 Series Fabric Extender.
You can configure one or more sources, as either a series of comma-separated entries or a range of numbers. You can specify up to 128 interfaces. The VLAN range is from 1 to 3967. The VLAN range of 4048 to 4093 is also supported for Cisco NX-OS releases prior to 6.1.
You can specify the traffic direction to copy as ingress, egress, or both. The default direction is both.
Note You can monitor the inband interface only from the default VDC. The inband traffic from all VDCs is monitored.
For a unidirectional session, the direction of the source must match the direction specified in the session.

Step 10
(Optional) Repeat Step 9 to configure all ERSPAN sources.

Step 11
Command: filter vlan { number | range } [include-untagged]
Example:
    switch(config-erspan-src)# filter vlan 3-5, 7
Purpose: (Optional) Configures which VLANs to select from the configured sources. You can configure one or more VLANs, as either a series of comma-separated entries or a range of numbers. The VLAN range is from 1 to 3967. The VLAN range of 4048 to 4093 is also supported for Cisco NX-OS releases prior to 6.1.
The include-untagged keyword applies a VLAN access map to one or more VLANs and includes untagged frames on a port with Layer 3 subinterfaces.

Step 12
(Optional) Repeat Step 11 to configure all source VLANs to filter.

Step 13
Command: filter access-group acl-filter
Example:
    switch(config-erspan-src)# filter access-group ACL1
Purpose: (Optional) Associates an ACL with the ERSPAN session.
Note You can create an ACL using the standard ACL configuration process. For more information, see the Cisco Nexus 7000 Series NX-OS Security Configuration Guide.

Step 14
Command: destination ip ip-address
Example:
    switch(config-erspan-src)# destination ip 10.1.1.1
Purpose: Configures the destination IP address in the ERSPAN session. Only one destination IP address is supported per ERSPAN source session.
Note The Cisco Nexus 2000 Series Fabric Extender interfaces and the fabric port channels connected to the Cisco Nexus 2000 Series Fabric Extender cannot be configured as ERSPAN destinations.

Step 15
Command: erspan-id erspan-id
Example:
    switch(config-erspan-src)# erspan-id 5
Purpose: Configures the ERSPAN ID for the ERSPAN session. The ERSPAN range is from 1 to 1023.

Step 16
Command: vrf vrf-name
Example:
    switch(config-erspan-src)# vrf default
Purpose: Configures the VRF that the ERSPAN source session uses for traffic forwarding. The VRF name can be any case-sensitive, alphanumeric string up to 32 characters.

Step 17
Command: ip ttl ttl-number
Example:
    switch(config-erspan-src)# ip ttl 25
Purpose: (Optional) Configures the IP time-to-live (TTL) value for the ERSPAN traffic. The range is from 1 to 255.

Step 18
Command: ip dscp dscp-number
Example:
    switch(config-erspan-src)# ip dscp 42
Purpose: (Optional) Configures the differentiated services code point (DSCP) value of the packets in the ERSPAN traffic. The range is from 0 to 63.

Step 19
Command: no shut
Example:
    switch(config-erspan-src)# no shut
Purpose: Enables the ERSPAN source session. By default, the session is created in the shut state.

Step 20
Command: exit
Example:
    switch(config-erspan-src)# exit
    switch(config)#
Purpose: Exits monitor configuration mode.

Step 21
Command: exit
Example:
    switch(config)# exit
    switch#
Purpose: Exits global configuration mode.

Step 22
Command: show monitor session { all | session-number | range session-range } [ brief ]
Example:
    switch# show monitor session 3
Purpose: (Optional) Displays the ERSPAN session configuration.

Step 23
Command: show running-config monitor
Example:
    switch# show running-config monitor
Purpose: (Optional) Displays the running ERSPAN configuration.

Step 24
Command: show startup-config monitor
Example:
    switch# show startup-config monitor
Purpose: (Optional) Displays the ERSPAN startup configuration.

Step 25
Command: copy running-config startup-config [vdc-all]
Example:
    switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Configuring an ERSPAN Destination Session

You can configure an ERSPAN destination session to copy packets from a source IP address to destination ports on the local device. By default, ERSPAN destination sessions are created in the shut state.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

Ensure that you have already configured the destination ports in monitor mode. For more information, see the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide.

SUMMARY STEPS

1. configure terminal

2. interface ethernet slot/port[-port]

3. switchport

4. switchport mode [access | trunk]

5. switchport monitor

6. (Optional) Repeat Steps 2 to 5 to configure monitoring on additional ERSPAN destinations.

7. no monitor session { session-number | all }

8. monitor session { session-number | all } type erspan-destination

9. description description

10. source ip ip-address

11. destination {[interface [type slot/port[-port][, type slot/port[-port]]] | [port-channel channel-number]]}

12. (Optional) Repeat Step 11 to configure all ERSPAN destination ports.

13. erspan-id erspan-id

14. vrf vrf-name

15. no shut

16. exit

17. exit

18. (Optional) show monitor session { all | session-number | range session-range } [ brief ]

19. (Optional) show running-config monitor

20. (Optional) show startup-config monitor

21. (Optional) copy running-config startup-config [vdc-all]

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters global configuration mode.

Step 2

interface ethernet slot/port[-port]

 

Example:

switch(config)# interface ethernet 2/5

switch(config-if)#

Enters interface configuration mode on the selected slot and port or range of ports.

Step 3

switchport

 

Example:

switch(config-if)# switchport

Configures switchport parameters for the selected slot and port or range of ports.

Step 4

switchport mode [access | trunk]

 

Example:

switch(config-if)# switchport mode trunk

Configures the following switchport modes for the selected slot and port or range of ports:

  • access
  • trunk

Step 5

switchport monitor

 

Example:

switch(config-if)# switchport monitor

Configures the switchport interface as an ERSPAN destination.

Step 6

(Optional) Repeat Steps 2 to 5 to configure monitoring on additional ERSPAN destinations.

Step 7

no monitor session { session-number | all }

 

Example:

switch(config-if)# no monitor session 3

Clears the configuration of the specified ERSPAN session. The new session configuration is added to the existing session configuration.

Step 8

monitor session { session-number | all } type erspan-destination

 

Example:

switch(config-if)# monitor session 3 type erspan-destination

switch(config-erspan-dst)#

Configures an ERSPAN destination session.

Step 9

description description

 

Example:

switch(config-erspan-dst)# description erspan_dst_session_3

Configures a description for the session. By default, no description is defined. The description can be up to 32 alphanumeric characters.

Step 10

source ip ip-address

 

Example:

switch(config-erspan-dst)# source ip 10.1.1.1

Configures the source IP address in the ERSPAN session. Only one source IP address is supported per ERSPAN destination session.

Step 11

destination {[interface [type slot/port[-port][, type slot/port[-port]]] [port-channel channel-number]]}

 

Example:

switch(config-erspan-dst)# destination interface ethernet 2/5, ethernet 3/7

Configures a destination for copied source packets. You can configure one or more interfaces as a series of comma-separated entries.

Note You can configure destination ports as trunk ports. For more information, see the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide.

Step 12

(Optional) Repeat Step 11 to configure all ERSPAN destinations.

Step 13

erspan-id erspan-id

 

Example:

switch(config-erspan-dst)# erspan-id 5

Configures the ERSPAN ID for the ERSPAN session. The range is from 1 to 1023.

Step 14

vrf vrf-name

 

Example:

switch(config-erspan-dst)# vrf default

Configures the VRF that the ERSPAN destination session uses for traffic forwarding.

Step 15

no shut

 

Example:

switch(config-erspan-dst)# no shut

Enables the ERSPAN destination session. By default, the session is created in the shut state.

Step 16

exit

 

Example:

switch(config-erspan-dst)# exit

switch(config)#

Exits monitor configuration mode.

Step 17

exit

 

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 18

show monitor session { all | session-number | range session-range } [ brief ]

 

Example:

switch# show monitor session 3

(Optional) Displays the ERSPAN session configuration.

Step 19

show running-config monitor

 

Example:

switch# show running-config monitor

(Optional) Displays the running ERSPAN configuration.

Step 20

show startup-config monitor

 

Example:

switch# show startup-config monitor

(Optional) Displays the ERSPAN startup configuration.

Step 21

copy running-config startup-config [vdc-all]

 

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Shutting Down or Activating an ERSPAN Session

You can shut down ERSPAN sessions to discontinue the copying of packets from sources to destinations. You can shut down one session in order to free hardware resources to enable another session. By default, ERSPAN sessions are created in the shut state.

You can enable ERSPAN sessions to activate the copying of packets from sources to destinations. To enable an ERSPAN session that is already enabled but operationally down, you must first shut it down and then enable it. You can shut down and enable the ERSPAN session states with either a global or monitor configuration mode command.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. monitor session { session-range | all } shut

3. no monitor session { session-range | all } shut

4. monitor session session-number type erspan-source

5. monitor session session-number type erspan-destination

6. shut

7. no shut

8. exit

9. exit

10. (Optional) show monitor session all

11. (Optional) show running-config monitor

12. (Optional) show startup-config monitor

13. (Optional) copy running-config startup-config [vdc-all]

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters global configuration mode.

Step 2

monitor session { session-range | all } shut

 

Example:

switch(config)# monitor session 3 shut

Shuts down the specified ERSPAN sessions. The session range is from 1 to 48. By default, sessions are created in the shut state.

Step 3

no monitor session { session-range | all } shut

 

Example:

switch(config)# no monitor session 3 shut

Resumes (enables) the specified ERSPAN sessions. The session range is from 1 to 48. By default, sessions are created in the shut state.

If a monitor session is enabled but its operational status is down, you must first enter the monitor session shut command and then the no monitor session shut command to enable the session.

Step 4

monitor session session-number type erspan-source

 

Example:

switch(config)# monitor session 3 type erspan-source

switch(config-erspan-src)#

Enters the monitor configuration mode for the ERSPAN source type. The new session configuration is added to the existing session configuration.

Step 5

monitor session session-number type erspan-destination

 

Example:

switch(config-erspan-src)# monitor session 3 type erspan-destination

Enters the monitor configuration mode for the ERSPAN destination type.

Step 6

shut

 

Example:

switch(config-erspan-src)# shut

Shuts down the ERSPAN session. By default, the session is created in the shut state.

Step 7

no shut

 

Example:

switch(config-erspan-src)# no shut

Enables the ERSPAN session. By default, the session is created in the shut state.

Step 8

exit

 

Example:

switch(config-erspan-src)# exit

switch(config)#

Exits monitor configuration mode.

Step 9

exit

 

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 10

show monitor session all

 

Example:

switch# show monitor session all

(Optional) Displays the status of ERSPAN sessions.

Step 11

show running-config monitor

 

Example:

switch# show running-config monitor

(Optional) Displays the ERSPAN running configuration.

Step 12

show startup-config monitor

 

Example:

switch# show startup-config monitor

(Optional) Displays the ERSPAN startup configuration.

Step 13

copy running-config startup-config [vdc-all]

 

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring MTU Truncation for Each ERSPAN Session

Beginning with Cisco NX-OS Release 6.1, in order to reduce the ERSPAN traffic bandwidth, you can configure the maximum bytes allowed for each replicated packet in an ERSPAN session. This value is called the maximum transmission unit (MTU) truncation size. Any ERSPAN packet larger than the configured size is truncated to the configured size.


Note MTU truncation and ERSPAN sampling can be enabled at the same time and have no precedence over each other because they are applied to different aspects of the source packet (size versus packet count).



Note Do not enable MTU truncation if the destination ERSPAN router is a Cisco Catalyst 6000 Series switch because the Cisco Catalyst 6000 Series switch drops these truncated packets.


BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. monitor session session-number type erspan-source

3. (Optional) header-type version

4. [no] mtu mtu

5. exit

6. exit

7. (Optional) show monitor session session-number

8. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters global configuration mode.

Step 2

monitor session session-number type erspan-source

 

Example:

switch(config)# monitor session 3 type erspan-source

switch(config-erspan-src)#

Enters the monitor configuration mode for the ERSPAN source type and specifies the ERSPAN session for which the MTU truncation size is to be configured.

Step 3

header-type version

 

Example:

switch(config-erspan-src)# header-type 3

(Optional) Changes the ERSPAN source session from Type II to Type III.

Step 4

[no] mtu mtu

 

Example:

switch(config-erspan-src)# mtu 100

Configures the MTU truncation size for packets in the specified ERSPAN session. The range is from 176 to 1500 bytes.

Step 5

exit

 

Example:

switch(config-erspan-src)# exit

switch(config)#

Exits monitor configuration mode.

Step 6

exit

 

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 7

show monitor session session-number

 

Example:

switch# show monitor session 3

(Optional) Displays the status of ERSPAN sessions, including the configuration status of MTU truncation, the maximum bytes allowed for each packet per session, and the modules on which MTU truncation is and is not supported.

Step 8

copy running-config startup-config

 

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring a Source Rate Limit for Each ERSPAN Session

When an ERSPAN session is configured with multiple interfaces as the sources in a high-traffic environment, the destination port can be overloaded, causing the normal data traffic to be disrupted at the source port. Beginning with Cisco NX-OS Release 6.1, you can alleviate this problem as well as traffic overload on the source forwarding instance by configuring a source rate limit for each ERSPAN session.


Note ERSPAN sampling takes precedence over ERSPAN source rate limiting. Rate limiting takes effect after sampling is completed on ERSPAN source packets.


BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. monitor session session-number type erspan-source

3. (Optional) header-type version

4. [no] rate-limit {auto | rate-limit }

5. exit

6. exit

7. (Optional) show monitor session session-number

8. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters global configuration mode.

Step 2

monitor session session-number type erspan-source

 

Example:

switch(config)# monitor session 3 type erspan-source

switch(config-erspan-src)#

Enters the monitor configuration mode for the ERSPAN source type and specifies the ERSPAN session for which the source rate limit is to be configured.

Step 3

header-type version

 

Example:

switch(config-erspan-src)# header-type 3

(Optional) Changes the ERSPAN source session from Type II to Type III.

Step 4

[no] rate-limit {auto | rate-limit }

 

Example:

switch(config-erspan-src)# rate-limit auto

Configures the source rate limit for ERSPAN packets in the specified ERSPAN session in automatic or manual mode:

  • Auto mode—Automatically calculates the rate limit on a per-gigabyte basis as follows: destination bandwidth / aggregate source bandwidth. For example, if the rate limit per gigabyte is 0.5, for every 1G of source traffic, only 0.5G of packets are spanned.

For ingress traffic, the per-gigabyte limit is applied to each forwarding engine of the F2 Series or F2e Series module based on how many ports are used as the ERSPAN source so that the source can be spanned at the maximum available bandwidth. For egress traffic, the per-gigabyte limit is applied to each forwarding engine of the F2 Series or F2e Series module without considering how many ports are used as the ERSPAN source.

  • Manual mode—Specifies the percentage of the maximum rate of ERSPAN packets that can be sent out from each forwarding engine on a module. The range is from 1 to 100. For example, if the rate limit is 10 percent, the maximum rate of ERSPAN packets that can be sent out from each of the forwarding engines on an F2 Series or F2e Series module is 1G (or 10 percent of the 10G line rate).

Step 5

exit

 

Example:

switch(config-erspan-src)# exit

switch(config)#

Exits monitor configuration mode.

Step 6

exit

 

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 7

show monitor session session-number

 

Example:

switch# show monitor session 3

(Optional) Displays the status of ERSPAN sessions, including the configuration status of the rate limit, the percentage of the maximum ERSPAN rate allowed per session, and the modules on which the rate limit is and is not supported.

Step 8

copy running-config startup-config

 

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring Sampling for Each ERSPAN Session

Beginning with Cisco NX-OS Release 6.1, you can configure a sampling range for spanned traffic in order to reduce the ERSPAN traffic bandwidth and to monitor peer-to-peer traffic. Packet range-based sampling is used to provide an accurate count of the ERSPAN source packets.


Note Sampling and MTU truncation can be enabled at the same time and have no precedence over each other because they are applied to different aspects of the source packet (packet count versus size). However, sampling takes precedence over ERSPAN source rate limiting. Rate limiting takes effect after sampling is completed on ERSPAN source packets.


BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. monitor session session-number type erspan-source

3. (Optional) header-type version

4. [no] sampling range

5. exit

6. exit

7. (Optional) show monitor session session-number

8. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters global configuration mode.

Step 2

monitor session session-number type erspan-source

 

Example:

switch(config)# monitor session 3 type erspan-source

switch(config-erspan-src)#

Enters the monitor configuration mode for the ERSPAN source type and specifies the ERSPAN session for which ERSPAN sampling is to be configured.

Step 3

header-type version

 

Example:

switch(config-erspan-src)# header-type 3

(Optional) Changes the ERSPAN source session from Type II to Type III.

Step 4

[no] sampling range

 

Example:

switch(config-erspan-src)# sampling 100

Configures the sampling range for ERSPAN source packets. The sampling value is the range in which one packet out of x packets will be spanned, where x is from 2 to 1023. In this example, 1 out of every 100 packets will be spanned.

Step 5

exit

 

Example:

switch(config-erspan-src)# exit

switch(config)#

Exits monitor configuration mode.

Step 6

exit

 

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 7

show monitor session session-number

 

Example:

switch# show monitor session 3

(Optional) Displays the status of ERSPAN sessions, including the configuration status of ERSPAN sampling, the sampling value, and the modules on which sampling is and is not supported.

Step 8

copy running-config startup-config

 

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.
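The notes in the MTU truncation, source rate limit, and sampling sections fix an order: sampling is applied first, rate limiting acts on what sampling leaves, and truncation is independent of the packet count. The Python sketch below is an added example, not part of the Cisco guide, that estimates how much of the offered traffic still reaches a monitoring sensor for a given combination of the three settings. The names, the packet-size histogram input, the single-forwarding-engine model, evaluating the manual cap on post-truncation bytes, and ignoring encapsulation overhead are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

LINE_RATE_GBPS = 10.0  # line rate used in the chapter's manual-mode example (10G)


@dataclass
class Knobs:
    sampling: Optional[int] = None            # "sampling x": 1 of every x packets, x = 2..1023
    mtu: Optional[int] = None                 # "mtu n": truncate to n bytes, n = 176..1500
    rate_limit: Union[None, str, int] = None  # "rate-limit auto" or a percentage 1..100


def check(k: Knobs) -> None:
    """Reject values outside the ranges stated in this chapter."""
    if k.sampling is not None and not 2 <= k.sampling <= 1023:
        raise ValueError("sampling must be 2-1023")
    if k.mtu is not None and not 176 <= k.mtu <= 1500:
        raise ValueError("mtu must be 176-1500")
    if isinstance(k.rate_limit, str) and k.rate_limit != "auto":
        raise ValueError("rate limit must be 'auto' or a percentage")
    if isinstance(k.rate_limit, int) and not 1 <= k.rate_limit <= 100:
        raise ValueError("manual rate limit must be 1-100 percent")


def estimate(k: Knobs, size_pps: List[Tuple[int, float]],
             dest_gbps: float, source_port_gbps: List[float]) -> dict:
    """size_pps is a constructed histogram: (packet bytes, packets per second)
    offered by the sources of one forwarding engine (modelling assumption)."""
    check(k)
    offered_pps = sum(p for _, p in size_pps)
    # Step 1: sampling keeps 1 packet out of x.
    keep = 1.0 / k.sampling if k.sampling else 1.0
    # Independent of sampling: packets larger than the MTU value are cut to it.
    bps = sum(min(s, k.mtu or s) * 8 * p * keep for s, p in size_pps)
    # Step 2: rate limiting takes effect after sampling.
    if k.rate_limit == "auto":
        # destination bandwidth / aggregate source bandwidth
        ratio = min(1.0, dest_gbps / sum(source_port_gbps))
    elif k.rate_limit is not None:
        cap_bps = k.rate_limit / 100 * LINE_RATE_GBPS * 1e9
        ratio = min(1.0, cap_bps / bps) if bps else 1.0
    else:
        ratio = 1.0
    truncated = sum(p for s, p in size_pps if k.mtu and s > k.mtu)
    return {
        "packet_fraction": keep * ratio,                 # share of packets the sensor sees
        "truncated_fraction": truncated / offered_pps,   # share of packets losing payload
        "spanned_bps": bps * ratio,
        "fits_destination": bps * ratio <= dest_gbps * 1e9,
    }


if __name__ == "__main__":
    flows = [(64, 1_000_000), (1500, 500_000)]   # constructed traffic mix
    print(estimate(Knobs(sampling=100, mtu=176, rate_limit=10), flows, 10.0, [10.0] * 4))
```

A low `packet_fraction` or a high `truncated_fraction` means the sensor cannot reassemble streams or inspect payloads, which matters when the ERSPAN destination feeds an IDS rather than a flow collector.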

Configuring the Multicast Best Effort Mode for an ERSPAN Session

You can configure the multicast best effort mode for any ERSPAN session. By default, ERSPAN replication occurs on both the ingress and egress modules. When you enable the multicast best effort mode, ERSPAN replication occurs only on the ingress module for multicast traffic or on the egress module for packets that egress out of Layer 3 interfaces (that is, on the egress module, packets that egress out of Layer 2 interfaces are not replicated for ERSPAN).


Note For Layer 3 multicast traffic, ERSPAN replication occurs on the egress module. If traffic is multicasted to multiple egress modules, you could capture multiple ERSPAN copies for each packet (that is, one copy from each egress module).


BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. monitor session session-number type erspan-source

3. (Optional) header-type version

4. [no] multicast best-effort

5. exit

6. exit

7. (Optional) show monitor session session-number

8. (Optional) copy running-config startup-config [vdc-all]

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters global configuration mode.

Step 2

monitor session session-number type erspan-source

 

Example:

switch(config)# monitor session 3 type erspan-source

switch(config-erspan-src)#

Enters the monitor configuration mode for the ERSPAN source type and specifies the ERSPAN session for which the multicast best effort mode is to be configured.

Step 3

header-type version

 

Example:

switch(config-erspan-src)# header-type 3

(Optional) Changes the ERSPAN source session from Type II to Type III.

Step 4

[no] multicast best-effort

 

Example:

switch(config-erspan-src)# multicast best-effort

Configures the multicast best effort mode for the specified ERSPAN session.

Step 5

exit

 

Example:

switch(config-erspan-src)# exit

switch(config)#

Exits monitor configuration mode.

Step 6

exit

 

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 7

show monitor session session-number

 

Example:

switch# show monitor session 3

(Optional) Displays the status of ERSPAN sessions, including the configuration status of the multicast best effort mode and the modules on which the best effort mode is and is not supported.

Step 8

copy running-config startup-config [vdc-all]

 

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring Rule-Based ERSPAN

You can configure filters for ingress or egress ERSPAN traffic based on a set of rules. A simple filter has only one rule, and multiple fields or conditions can be added to this rule. The packets are spanned only if all conditions are met.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. monitor erspan origin ip-address ip-address global

3. (Optional) monitor erspan granularity {100_ms | 100_ns | 1588 | ns}

4. no monitor session {session-number | all}

5. monitor session {session-number | all} type erspan-source [rx | tx] [shut]

6. (Optional) mode extended

7. (Optional) header-type version

8. (Optional) description description

9. [no] filter [access-group acl-filter] [vlan vlan-range] [bpdu [true | false]] [cos cos-value] [dest-mac dest-mac] [eth-type eth-value] [flow-hash flow-value] [frame-type [eth | arp | fcoe | ipv4 | ipv6]] [pc-lane port-number] [src-mac mac-address] [trace-route [true | false]]

10. (Optional) [no] filter frame-type eth

11. (Optional) [no] filter frame-type arp [[arp-rarp [arp | rarp]] [req-resp [req | rsp]] [sender-ip ip-address] [target-ip ip-address]]

12. (Optional) [no] filter frame-type fcoe [[fc-sid FC-source-ID] [fc-did FC-dest-ID] [fcoe-type fcoe-value] [r-ctl r-ctl-value] [sof sof-value] [cmd-code cmd-value]]

13. (Optional) [no] filter frame-type ipv4 [[src-ip src-ip] [dest-ip dest-ip] [tos tos-value] [l4-protocol l4-value]]

14. (Optional) [no] filter frame-type ipv6 [[src-ip src-ip] [dest-ip dest-ip] [tos tos-value] [l4-protocol l4-value]]

15. (Optional) Repeat Steps 9 to 14 for all filters for the session.

16. source {[interface [type slot/port [-port] [,type slot/port[-port]]] [port-channel channel-number]] | [vlan {number | range}]} [rx | tx | both]

17. (Optional) Repeat Step 16 to configure all ERSPAN sources.

18. destination ip ip-address

19. erspan-id erspan-id

20. vrf vrf-name

21. (Optional) ip ttl ttl-number

22. (Optional) ip dscp dscp-number

23. no shut

24. exit

25. exit

26. (Optional) show monitor session {all | session-number | range session-range} [brief]

27. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters global configuration mode.

Step 2

monitor erspan origin ip-address ip-address global

 

Example:

switch(config)# monitor erspan origin ip-address 10.0.0.1 global

 

Configures the ERSPAN global origin IP address.

The global origin IP address can be configured in either the default VDC or the admin VDC. The value that is configured in this VDC is valid across all VDCs. Any change made in the default or admin VDC is applied across all nondefault VDCs.

Step 3

monitor erspan granularity {100_ms | 100_ns | 1588 | ns}

 

Example:

switch(config)# monitor erspan granularity 100_ns

 

(Optional) Specifies the granularity of all ERSPAN Type III sessions across all VDCs. The granularity options are 100 microseconds (ms), 100 nanoseconds (ns), IEEE 1588 (in seconds or nanoseconds), and nanoseconds.

Note The clock manager adjusts the ERSPAN timers based on the granularity setting. If you configure IEEE 1588, the clock manager synchronizes the ERSPAN timers across switches. Otherwise, the clock manager synchronizes the ERSPAN timer with the master timer in the switch.

Note 1588 granularity mode is not supported in Cisco NX-OS Release 6.1 and is rejected if selected.

Note M2 Series modules support 100 ms, 100 ns, and ns granularity. F2 Series and F2e Series modules support only 100 ms and 100 ns granularity.

Note This command can be applied only in the default VDC.

Step 4

no monitor session {session-number | all}

 

Example:

switch(config)# no monitor session 1

Clears the configuration of the specified ERSPAN session. The new session configuration is added to the existing session configuration.

Step 5

monitor session { session-number | all} type erspan-source [rx | tx] [shut]

 

Example:

switch(config)# monitor session 3 type erspan-source

switch(config-erspan-src)#

Configures an ERSPAN Type II source session. By default, the session is bidirectional. The optional keywords are as follows:

  • rx—Specifies an ingress extended ERSPAN source session.
  • tx—Specifies an egress extended ERSPAN source session.
  • shut—Specifies a shut state for the selected session.

Step 6

mode extended

 

Example:

switch(config-erspan-src)# mode extended

(Optional) Configures the ERSPAN source session as an extended bidirectional session.

Note You cannot use this command on a unidirectional ERSPAN source session.

Step 7

header-type version

 

Example:

switch(config-erspan-src)# header-type 3

 

(Optional) Changes the ERSPAN source session from Type II to Type III.

Note You can use the no form of this command to change an ERSPAN source session from Type III to Type II.

Step 8

description description

 

Example:

switch(config-erspan-src)# description erspan_src_session_3

 

(Optional) Configures a description for the session. By default, no description is defined. The description can be up to 32 alphanumeric characters.

Step 9

[no] filter [access-group acl-filter] [vlan vlan-range] [bpdu [true | false]] [cos cos-value] [dest-mac dest-mac] [eth-type eth-value] [flow-hash flow-value] [frame-type [eth | arp | fcoe | ipv4 | ipv6]] [pc-lane port-number] [src-mac mac-address] [trace-route [true | false]]

 

Example:

switch(config-erspan-src)# filter vlan 10,20

 

Example:

switch(config-erspan-src)# filter frame-type arp

 

Example:

switch(config-erspan-src)# filter bpdu false

 

Configures the filter for the ERSPAN session. To remove the filter from the session, enter the no form of the command. The optional keywords are as follows:

  • access-group—Specifies a filter based on an access control group.
  • vlan—Specifies a filter based on a VLAN range.
  • bpdu—Specifies a filter based on the bridge protocol data unit (BPDU) class of packets.
  • cos—Specifies a filter based on the class of service (CoS) in the dot1q header.
  • dest-mac—Specifies a filter based on a destination MAC address.
  • eth-type—Specifies a filter based on the Ethernet type.
  • flow-hash—Specifies a filter based on the result bundle hash (RBH) value.
  • frame-type—Specifies a filter based on a frame type.
  • pc-lane—Specifies a filter based on a member of the port channel.
  • src-mac—Specifies a filter based on a source MAC address.
  • trace-route—Specifies a filter based on the route bit in the header.

Step 10

[no] filter frame-type eth

 

Example:

switch(config-erspan-src)# filter frame-type eth

(Optional) Configures the Ethernet frame type filter for the ERSPAN session. To remove the filter from the session, enter the no form of the command.

Step 11

[no] filter frame-type arp [[arp-rarp [arp | rarp]] [req-resp [req | rsp]] [sender-ip ip-address] [target-ip ip-address]]

 

Example:

switch(config-erspan-src)# filter frame-type arp arp-rarp arp

 

(Optional) Configures the ARP frame type filter for the ERSPAN session. To remove the filter from the session, enter the no form of the command.

  • arp-rarp—Specifies an ARP or RARP frame type filter.
  • req-resp—Specifies a filter based on a request or response.
  • sender-ip—Specifies a filter based on a sender IP address.
  • target-ip—Specifies a filter based on a target IP address.

Step 12

[no] filter frame-type fcoe [[fc-sid FC-source-ID] [fc-did FC-dest-ID] [fcoe-type fcoe-value] [r-ctl r-ctl-value] [sof sof-value] [cmd-code cmd-code]]

 

Example:

switch(config-erspan-src)# filter frame-type fcoe fc-did 2

 

(Optional) Configures the FCoE frame type filter for the ERSPAN session. To remove the filter from the session, enter the no form of the command. The optional keywords are as follows:

  • fc-sid—Specifies a filter based on an FC source ID.
  • fc-did—Specifies a filter based on an FC destination ID.
  • fcoe-type—Specifies a filter based on an FCoE type.
  • r-ctl—Specifies a filter based on the routing control flags (R_CTL) value.
  • sof—Specifies a filter based on the start of frame (SOF) packets.
  • cmd-code—Specifies a filter based on a command code.

Step 13

[no] filter frame-type ipv4 [[src-ip src-ip] [dest-ip dest-ip] [tos tos-value] [l4-protocol l4-value]]

 

Example:

switch(config-erspan-src)# filter frame-type ipv4 l4-protocol 3

 

(Optional) Configures the IPv4 frame type filter for the ERSPAN session. To remove the filter from the session, enter the no form of the command. The optional keywords are as follows:

  • src-ip—Specifies a filter based on an IPv4 source IP address.
  • dest-ip—Specifies a filter based on an IPv4 destination IP address.
  • tos—Specifies a filter based on the type of service (ToS) in the IP header.
  • l4-protocol—Specifies a filter based on a Layer 4 protocol number set in the protocol field of the IP header.

Step 14

[no] filter frame-type ipv6 [[src-ip src-ip] [dest-ip dest-ip] [tos tos-value] [l4-protocol l4-value]]

 

Example:

switch(config-erspan-src)# filter frame-type ipv6 src-ip 10.0.0.1

 

 

(Optional) Configures the IPv6 frame type filter for the ERSPAN session. To remove the filter from the session, enter the no form of the command. The optional keywords are as follows:

  • src-ip—Specifies a filter based on an IPv6 source IP address.
  • dest-ip—Specifies a filter based on an IPv6 destination IP address.
  • tos—Specifies a filter based on the type of service (ToS) in the IP header.
  • l4-protocol—Specifies a filter based on a Layer 4 protocol number set in the protocol field of the IP header.

Step 15

(Optional) Repeat Steps 9 to 14 for all filters for the session.

Step 16

source {[interface [type slot/port[-port] [, type slot/port[-port]]] [port-channel channel-number]] | [vlan {number | range}]} [rx | tx | both]

 

 

Example:

switch(config-erspan-src)# source interface ethernet 2/1-3, ethernet 3/1 rx

 

Configures sources and the traffic direction in which to copy packets. You can enter a range of Ethernet ports, a port channel, an inband interface, a range of VLANs, a Cisco Nexus 2000 Series Fabric Extender interface, or a fabric port channel connected to a Cisco Nexus 2000 Series Fabric Extender.

You can configure one or more sources, as either a series of comma-separated entries or a range of numbers. You can specify up to 128 interfaces. The VLAN range is from 1 to 3967. The VLAN range of 4048 to 4093 is also supported for Cisco NX-OS releases prior to 6.1.

You can specify the traffic direction to copy as ingress (rx), egress (tx), or both. By default, the direction is both.

For a unidirectional session, the direction of the source must match the direction specified in the session.

Step 17

(Optional) Repeat Step 16 to configure all ERSPAN sources.

Step 18

destination ip ip-address

 

Example:

switch(config-erspan-src)# destination ip 10.1.1.1

 

Configures the destination IP address in the ERSPAN session. Only one destination IP address is supported per ERSPAN source session.

Note The Cisco Nexus 2000 Series Fabric Extender interfaces and the fabric port channels connected to the FEX cannot be configured as ERSPAN destinations.

Step 19

erspan-id erspan-id

 

Example:

switch(config-erspan-src)# erspan-id 5

Configures the ERSPAN ID for the ERSPAN session. The ERSPAN range is from 1 to 1023.

Step 20

vrf vrf-name

 

Example:

switch(config-erspan-src)# vrf default

Configures the VRF instance that the ERSPAN source session uses for traffic forwarding. The VRF name can be any case-sensitive, alphanumeric string up to 32 characters.

Step 21

ip ttl ttl-number

 

Example:

switch(config-erspan-src)# ip ttl 25

(Optional) Configures the IP time-to-live (TTL) value for the ERSPAN traffic. The range is from 1 to 255.

Step 22

ip dscp dscp-number

 

Example:

switch(config-erspan-src)# ip dscp 42

(Optional) Configures the differentiated services code point (DSCP) value of the packets in the ERSPAN traffic. The range is from 0 to 63.

Step 23

no shut

 

Example:

switch(config-erspan-src)# no shut

Enables the ERSPAN session. By default, the session is created in the shut state.

Step 24

exit

 

Example:

switch(config-erspan-src)# exit

switch(config)#

Exits monitor configuration mode.

Step 25

exit

 

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 26

show monitor session {all | session-number | range session-range} [brief]

 

Example:

switch# show monitor session 3

(Optional) Displays the status of ERSPAN sessions, including the configuration status of the multicast best effort mode and the modules on which the best effort mode is and is not supported.

Step 27

copy running-config startup-config

 

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Configuring Exception ERSPAN

You can configure the device to span exception packets.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal

2. monitor session session-number type erspan-source [rx | tx] [shut]

3. (Optional) mode extended

4. source exception {layer3 | fabricpath | other | all}

5. destination ip ip-address

6. no shut

7. exit

8. exit

9. (Optional) show monitor session session-number

10. (Optional) copy running-config startup-config

DETAILED STEPS

 

Command
Purpose

Step 1

configure terminal

 

Example:

switch# configure terminal

switch(config)#

Enters global configuration mode.

Step 2

monitor session session-number type erspan-source [tx | rx] [shut]

 

Example:

switch(config)# monitor session 3 type erspan-source

switch(config-erspan-src)#

Enters the monitor configuration mode and specifies the ERSPAN session. The exception ERSPAN is supported in the egress direction only. In the case of an extended ERSPAN Rx session, the exception source configuration will be rejected. The optional keywords are as follows:

  • rx—Specifies an ingress extended ERSPAN source session.
  • tx—Specifies an egress extended ERSPAN source session.
  • shut—Specifies a shut state for the selected session.

Step 3

mode extended

 

Example:

switch(config-erspan-src)# mode extended

(Optional) Configures the ERSPAN session as an extended bidirectional session.

Step 4

source exception {layer3 | fabricpath | other | all}

 

Example:

switch(config-erspan-src)# source exception all

Configures the source as an exception ERSPAN session. These exception types are supported:

  • layer3—Specifies the Layer 3 exception type for F2 Series and M Series modules.
  • fabricpath—Specifies the FabricPath exception type for F Series modules.
  • other—Specifies exceptions for M Series modules that are dropped through redirect registers programmed with a drop destination interface.
  • all—Includes all Layer 3, FabricPath, and other exceptions.

Step 5

destination ip ip-address

Example:

switch(config-erspan-src)# destination ip 10.1.1.1

Configures the destination IP address in the ERSPAN session. Only one destination IP address is supported per ERSPAN source session.

Note: The Cisco Nexus 2000 Series Fabric Extender interfaces and the fabric port channels connected to the FEX cannot be configured as ERSPAN destinations.

Step 6

no shut

 

Example:

switch(config-erspan-src)# no shut

Enables the ERSPAN session. By default, the session is created in the shut state.

Step 7

exit

 

Example:

switch(config-erspan-src)# exit

switch(config)#

Exits monitor configuration mode.

Step 8

exit

 

Example:

switch(config)# exit

switch#

Exits global configuration mode.

Step 9

show monitor session session-number

 

Example:

switch# show monitor session 3

(Optional) Displays the status of ERSPAN sessions, including the configuration status of the multicast best effort mode and the modules on which the best effort mode is and is not supported.

Step 10

copy running-config startup-config

 

Example:

switch# copy running-config startup-config

(Optional) Copies the running configuration to the startup configuration.

Verifying the ERSPAN Configuration

To display the ERSPAN configuration, perform one of the following tasks:

 

Command
Purpose

show monitor session { all | session-number | range session-range } [ brief ]

Displays the ERSPAN session configuration.

show running-config monitor

Displays the running ERSPAN configuration.

show startup-config monitor

Displays the ERSPAN startup configuration.

show resource monitor-session-extended

Displays the resources that are available for the extended session.

show resource monitor-session-mx-exception-src

Displays the resources that are available for the exception session.

For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS System Management Command Reference.
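The following check is an added example, not part of the Cisco guide or of NX-OS: it lints a candidate or saved ERSPAN source-session configuration against the limits stated in this chapter (erspan-id 1 to 1023, TTL 1 to 255, DSCP 0 to 63, one destination IP per session, source direction matching a unidirectional session, exception sources not allowed in an rx session, sessions created in the shut state). The approved-collector set, the function names, and the indented input layout are assumptions made for the example; because a source session sends copies of traffic to a remote IP address, an unexpected destination is the finding to look at first.

```python
import re

# Value ranges this chapter states for ERSPAN source-session commands.
RANGES = {"erspan-id": (1, 1023), "ip ttl": (1, 255), "ip dscp": (0, 63)}
SESSION_RE = re.compile(r"monitor session (\d+) type erspan-source(?: (rx|tx))?\b")
# Constructed sample, not captured from a device; session 4 breaks several rules.
SAMPLE = """monitor session 3 type erspan-source
  source interface ethernet 2/1-3, ethernet 3/1 rx
  destination ip 10.1.1.1
  erspan-id 5
  no shut
monitor session 4 type erspan-source rx
  source exception all
  source interface ethernet 2/4 tx
  destination ip 192.0.2.77
  erspan-id 2000
"""

def parse_sessions(text):
    """Map session number -> (session direction or None, [indented subcommands])."""
    sessions, cmds = {}, None
    for raw in text.splitlines():
        m = SESSION_RE.match(raw)
        if not raw[:1].isspace():  # unindented line: a new source session, or none
            cmds = sessions.setdefault(int(m.group(1)), (m.group(2), []))[1] if m else None
        elif cmds is not None and raw.strip():
            cmds.append(raw.strip())
    return sessions

def audit(text, collectors):
    """Return sorted (session, finding) pairs; collectors is the approved-IP set."""
    out = []
    for sid, (direction, cmds) in parse_sessions(text).items():
        dests = [c.split()[-1] for c in cmds if c.startswith("destination ip ")]
        if len(dests) != 1:
            out.append((sid, "needs exactly one destination ip"))
        out += [(sid, f"unapproved collector {d}") for d in dests if d not in collectors]
        wrong = {"rx", "tx", "both"} - {direction} if direction else set()
        for key, (lo, hi) in RANGES.items():
            out += [(sid, f"{key} outside {lo}-{hi}") for c in cmds
                    if c.startswith(key + " ") and not lo <= int(c.split()[-1]) <= hi]
        for c in cmds:
            if direction == "rx" and c.startswith("source exception"):
                out.append((sid, "exception source in rx session"))
            elif c.startswith("source ") and c.split()[-1] in wrong:
                out.append((sid, f"source direction differs from session {direction}"))
        if "no shut" not in cmds:
            out.append((sid, "session is in the default shut state"))
    return sorted(out)
```

Calling audit(SAMPLE, {"10.1.1.1"}) returns no findings for session 3 and five for session 4.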

Configuration Examples for ERSPAN

This section includes the following topics:

Configuration Example for an ERSPAN Type III Source Session

This example shows how to configure an ERSPAN Type III source session:

switch# configure terminal
switch(config)# interface ethernet 14/30
switch(config-if)# no shut
switch(config-if)# exit
switch(config)# monitor erspan origin ip-address 3.3.3.3 global
switch(config)# monitor erspan granularity 100_ns
switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)# mode extended
switch(config-erspan-src)# header-type 3
switch(config-erspan-src)# source interface ethernet 14/30
switch(config-erspan-src)# erspan-id 1
switch(config-erspan-src)# ip ttl 16
switch(config-erspan-src)# ip dscp 5
switch(config-erspan-src)# vrf default
switch(config-erspan-src)# destination ip 9.1.1.2
switch(config-erspan-src)# no shut
switch(config-erspan-src)# exit
switch(config)# show monitor session 1

Configuration Example for a Unidirectional ERSPAN Session

This example shows how to configure a unidirectional ERSPAN session:

switch# configure terminal
switch(config)# interface ethernet 14/30
switch(config-if)# no shut
switch(config-if)# exit
switch(config)# no monitor session 3
switch(config)# monitor session 3 type erspan-source rx
switch(config-erspan-src)# source interface ethernet 2/1-3 rx
switch(config-erspan-src)# erspan-id 1
switch(config-erspan-src)# ip ttl 16
switch(config-erspan-src)# ip dscp 5
switch(config-erspan-src)# vrf default
switch(config-erspan-src)# destination ip 9.1.1.2
switch(config-erspan-src)# no shut
switch(config-erspan-src)# exit
switch(config)# show monitor session 3

Configuration Example for an ERSPAN Destination Session

This example shows how to configure an ERSPAN destination session:

switch# configure terminal
switch(config)# interface e14/29
switch(config-if)# no shut
switch(config-if)# switchport
switch(config-if)# switchport monitor
switch(config-if)# exit
switch(config)# monitor session 2 type erspan-destination
switch(config-erspan-dst)# source ip 9.1.1.2
switch(config-erspan-dst)# destination interface e14/29
switch(config-erspan-dst)# erspan-id 1
switch(config-erspan-dst)# vrf default
switch(config-erspan-dst)# no shut
switch(config-erspan-dst)# exit
switch(config)# show monitor session 2

Configuration Example for an ERSPAN ACL

This example shows how to configure an ERSPAN ACL:

switch# configure terminal
switch(config)# ip access-list match_11_pkts
switch(config-acl)# permit ip 11.0.0.0 0.255.255.255 any
switch(config-acl)# exit
switch(config)# ip access-list match_12_pkts
switch(config-acl)# permit ip 12.0.0.0 0.255.255.255 any
switch(config-acl)# exit
switch(config)# vlan access-map erspan_filter 5
switch(config-access-map)# match ip address match_11_pkts
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan access-map erspan_filter 10
switch(config-access-map)# match ip address match_12_pkts
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)# header-type 3
switch(config-erspan-src)# filter access-group erspan_filter

Configuration Example for ERSPAN with MTU Truncation and ERSPAN Sampling

This example shows how to configure MTU truncation and ERSPAN sampling for an ERSPAN session:

switch# configure terminal
switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)# mtu 100
switch(config-erspan-src)# sampling 10
switch(config-erspan-src)# show monitor session 1

Configuration Example for ERSPAN Using the Multicast Best Effort Mode

This example shows how to configure the multicast best effort mode for an ERSPAN session:

switch# configure terminal
switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)# multicast best-effort
switch(config-erspan-src)# show monitor session 1

Configuration Example for Rule-Based ERSPAN

This example shows how to configure a rule-based ERSPAN session:

switch# configure terminal
switch(config)# monitor erspan origin ip-address 10.0.0.1 global
switch(config)# monitor erspan granularity 100_ns
switch(config)# no monitor session 3
switch(config)# monitor session 3 type erspan-source
switch(config-erspan-src)# mode extended
switch(config-erspan-src)# header-type 3
switch(config-erspan-src)# description erspan_src_session_3
switch(config-erspan-src)# filter frame-type ipv4 src-ip 10.1.1.1/24
switch(config-erspan-src)# filter vlan 10,20
switch(config-erspan-src)# source interface ethernet 2/1-3, ethernet 3/1 rx
switch(config-erspan-src)# destination ip 10.1.1.1
switch(config-erspan-src)# erspan-id 5
switch(config-erspan-src)# vrf default
switch(config-erspan-src)# ip ttl 25
switch(config-erspan-src)# ip dscp 42
switch(config-erspan-src)# no shut
switch(config-erspan-src)# show monitor session 3

Configuration Example for Exception ERSPAN

This example shows how to configure an exception ERSPAN session:

switch# configure terminal
switch(config)# monitor session 3 type erspan-source
switch(config-erspan-src)# mode extended
switch(config-erspan-src)# source exception all
switch(config-erspan-src)# destination ip 10.1.1.1
switch(config-erspan-src)# no shut
switch(config-erspan-src)# show monitor session 3

Additional References for ERSPAN

For additional information related to implementing ERSPAN, see the following sections:

Related Documents

| Related Topic | Document Title |
|---|---|
| Cisco Network Analysis Module (NAM) | Cisco Network Analysis Module (NAM) for Nexus 7000 Quick Start Guide |
| VDCs | Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide |
| Fabric Extender | Cisco Nexus 2000 Series Fabric Extender Software Configuration Guide |
| ERSPAN commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples | Cisco Nexus 7000 Series NX-OS System Management Command Reference |

Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

Feature History for ERSPAN

Table 17-3 lists the release history for this feature.

 

Table 17-3 Feature History for ERSPAN

| Feature Name | Releases | Feature Information |
|---|---|---|
| ERSPAN | 6.2(2) | Added support for ERSPAN destination sessions on F2 and F2e Series modules. |
| ERSPAN | 6.2(2) | Added NAM support for ERSPAN data sources. |
| ERSPAN | 6.2(2) | Added support for extended ERSPAN. |
| ERSPAN | 6.2(2) | Added support for rule-based ERSPAN. |
| ERSPAN | 6.2(2) | Added support for exception ERSPAN. |
| ERSPAN | 6.2(2) | Added support for ERSPAN termination on F2 or F2e Series modules. |
| ERSPAN | 6.1(2) | Added support for F2e Series modules. |
| ERSPAN | 6.1(1) | Added support for ERSPAN Type III. |
| ERSPAN | 6.1(1) | Added support for Supervisor 2. |
| ERSPAN | 6.1(1) | Added support for F2 and M2 Series modules. |
| ERSPAN | 6.1(1) | Added support for ERSPAN sampling. |
| ERSPAN | 6.1(1) | Added the ability to configure MTU truncation and the source rate limit for each ERSPAN session. |
| ERSPAN | 6.0(1) | ERSPAN and ERSPAN ACLs are not supported on F2 Series modules. |
| ERSPAN | 5.2(1) | Added ERSPAN source support for Cisco Nexus 2000 Series Fabric Extender interfaces. |
| ERSPAN | 5.2(1) | Added the ability to configure the multicast best effort mode for an ERSPAN session. |
| ERSPAN and ERSPAN ACLs | 5.1(1) | This feature was introduced. |