Cisco Prime Network Analysis Module (NAM) for Nexus 1010 5.1 Installation and Configuration Guide - Configuring ERSPAN [Cisco Prime Network Analysis Module (NAM) for Nexus 1100 Series]

Table Of Contents

Configuring ERSPAN for Traffic Visibility

About ERSPAN

ERSPAN Overview

Monitored Traffic

Monitored Traffic Direction

Monitored Traffic

ERSPAN Sources

Source Ports

Source VLANs

ERSPAN Destination Ports

Prerequisites for Configuring ERSPAN

Configuring ERSPAN on the Cisco Nexus 1000V

Configuring ERSPAN Data Source on the NAM VSB

Configuring ERSPAN for Traffic Visibility

Encapsulated Remote Switched Port Analyzer (ERSPAN) records provide an aggregate view of the network traffic. When enabled on the branch router or switch, the ERSPAN data source becomes available on the Cisco NAM VSB. ERSPAN provides statistics for applications, hosts, and conversions. You can set up custom data sources for some specific interfaces. ERSPAN can be used to identify business critical applications hosted in the Data Center that are used in the branch.

This chapter contains the following sections:

•About ERSPAN

•Prerequisites for Configuring ERSPAN

•Configuring ERSPAN on the Cisco Nexus 1000V

•Configuring ERSPAN Data Source on the NAM VSB

About ERSPAN

ERSPAN Overview

ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports. ERSPAN sends traffic to a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different routers, which provides remote monitoring of multiple routers across your network (see Figure 3-1).

ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session. You separately configure ERSPAN source sessions and destination sessions on different routers.

An ERSPAN source session is defined by the following:

•A session ID

•A list of source ports or source VLANs to be monitored by the session

•The destination and the origin IP addresses, which are used as the destination and source IP addresses of the GRE envelope for the captured traffic, respectively

•An ERSPAN flow ID

•Optional attributes related to the GRE envelope such as IP TOS and TTL.

For a source port or a source VLAN, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic.

ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have either ports or VLANs as sources, but not both.

The ERSPAN source sessions copies traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destination ports.

Figure 3-1 ERSPAN Configuration

Monitored Traffic

These sections describe the traffic that ERSPAN can monitor:

•Monitored Traffic Direction

•Monitored Traffic

Monitored Traffic Direction

For a source port or a source VLAN, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic.

Monitored Traffic

By default, ERSPAN monitors all traffic, including multicast and bridge protocol data unit (BPDU) frames.

ERSPAN Sources

These sections describe ERSPAN sources:

•Source Ports

•Source VLANs

Source Ports

A source port is a port monitored for traffic analysis. You can configure source ports in any VLAN, and trunk ports can be configured as source ports and mixed with nontrunk source ports.

Source VLANs

A source VLAN is a VLAN monitored for traffic analysis.

ERSPAN Destination Ports

A destination port is a Layer 2 or Layer 3 LAN port to which ERSPAN sends traffic for analysis.

When you configure a port as a destination port, it can no longer receive any traffic. When you configure a port as a destination port, the port is dedicated for use only by the ERSPAN feature. An ERSPAN destination port does not forward any traffic except that required for the ERSPAN session. You can configure trunk ports as destination ports, which allows destination trunk ports to transmit encapsulated traffic.

Prerequisites for Configuring ERSPAN

ERSPAN can be configured after you have installed the Nexus 1000V software on the Nexus 1010.

You can configure ERSPAN source sessions, destination sessions, or both. A device that has only ERSPAN source sessions configured is called ERSPAN source device, and a device that has only ERSPAN destination sessions configured is called ERSPAN termination device.

Configuring ERSPAN on the Cisco Nexus 1000V

Configure ERSPAN traffic on the Branch edge router. You must enable ERSPAN on both the WAN and LAN interface to provide visibility into traffic flows entering and leaving the branch.

Refer to "Configuring Local SPAN and ERSPAN" in the Cisco Nexus 1000V System Management Configuration Guide, Release 4.2(1) SV1(4):

http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_4/system_management/configuration/guide/n1000v_system_9span.html

This chapter describes how to configure the local and encapsulated remote (ER) switched port analyzer (SPAN) feature to monitor traffic and includes the following topics:

•Information About SPAN and ERSPAN

•SPAN Guidelines and Limitations

•Default Settings

•Configuring SPAN

•Verifying the SPAN Configuration

•Example Configurations

•Additional References

Configuring ERSPAN Data Source on the NAM VSB

After you have configured ERSPAN on the Nexus 1000V, use the Network Analysis Module (NAM) to enable additional ERSPAN monitoring devices.

See the following sections about using ERSPAN as a data source:

•Enabling Autocreation of ERSPAN Data Sources Using the Web GUI

•Enabling Autocreation of ERSPAN Data Sources Using the CLI

•Disabling Autocreation of ERSPAN Data Sources Using the Web GUI

•Disabling Autocreation of ERSPAN Data Sources Using the CLI

•Creating ERSPAN Data Sources Using the Web GUI

•Creating ERSPAN Data Sources Using the CLI

•Deleting ERSPAN Data Sources Using the Web GUI

•Deleting ERSPAN Data Sources Using the CLI

•Configuring ERSPAN on Devices

Enabling Autocreation of ERSPAN Data Sources Using the Web GUI

There is a convenient "autocreate" feature for data sources, which is enabled by default. With the autocreate feature, a new data source will automatically be created for each device that sends ERSPAN traffic to the NAM, after the first packet is received. Manual creation of ERSPAN data sources using the NAM GUI or the CLI is typically not necessary. When manually creating a data source, you may specify any name you want for the data source. A data source entry must exist on the NAM in order for it to accept ERSPAN packets from an external device.

Autocreated ERSPAN data sources will be assigned a name in the format ERSPAN-<IP Address>-ID-<Integer>, where IP Address is the IP address of the sending device, and Integer is the Session-ID of the ERSPAN session on that device. For example, device 192.168.0.1 sending ERSPAN packets with the Session ID field set to 12 would be named "ERSPAN-192.168.0.1-ID-12." You can edit these autocreated data sources and change the name if desired.

One device can be configured to send multiple separate ERSPAN sessions to the same NAM. Each session will have a unique Session ID. The NAM can either group all sessions from the same device into one data source, or have a different data source for each Session ID. When data sources are autocreated, they will be associated with one particular Session ID. When manually created, you can instruct the NAM to group all traffic from the same device into one data source. If you check the Session check box, and enter a Session ID in the Value field, the data source will only apply to that specific session. If you leave the check box unchecked, all ERSPAN traffic from the device will be grouped together into this data source, regardless of Session ID.

To configure the NAM to automatically create data sources when it receives ERSPAN packets from an external device, use the following steps. Remember however, that the autocreate feature is turned on by default, so these steps are typically not necessary.

Step 1 Choose Setup > Traffic > NAM Data Sources.

Step 2 Click the Auto Create button on the bottom left of the window.

Step 3 Check the ERSPAN check box to toggle autocreation of ERSPAN data sources to "on".

Step 4 Click the Submit button.

Enabling Autocreation of ERSPAN Data Sources Using the CLI

Configuration of the autocreate feature is also possible using the NAM CLI. Because the autocreate feature is turned on by default, in most cases these steps are not necessary.

To configure the NAM to automatically create data sources when it receives ERSPAN packets from an external device, use the "autocreate-data-source" command as follows:
root@172-20-104-107.cisco.com# autocreate-data-source erspan
ERSPAN data source autocreate successfully ENABLED
The NAM will now automatically create a ERSPAN data source for each device that sends ERSPAN packets to it. The data source will have the specific Session ID that is populated by the device in the ERSPAN packets sent to the NAM. If the same device happens to send ERSPAN packets to the NAM with different Session ID values, a separate data source will be created for each unique Session ID sent from the device.

Disabling Autocreation of ERSPAN Data Sources Using the Web GUI

Step 1 Choose Setup > Traffic > NAM Data Sources.

Step 2 Click the Auto Create button on the bottom left of the window.

Step 3 Uncheck the ERSPAN check box to toggle autocreation of ERSPAN data sources to "off".

Step 4 Click the Submit button.

Disabling Autocreation of ERSPAN Data Sources Using the CLI

To disable autocreation of ERSPAN data sources, use the no autocreate-data-source command as follows:
root@172-20-104-107.cisco.com# no autocreate-data-source erspan
ERSPAN data source autocreate successfully DISABLED
root@172-20-104-107.cisco.com#
Creating ERSPAN Data Sources Using the Web GUI

To manually configure a ERSPAN data source on the NAM using the GUI, for example if the autocreation feature is turned off, use the following steps:

Step 1 Choose Setup > Traffic > NAM Data Sources.

Step 2 Click the Create button along the bottom of the window.

Step 3 From the Type drop-down list, choose "ERSPAN".

Step 4 Enter the IP address of the device that will export ERSPAN to the NAM.

Step 5 Give the Data Source a name. This name will appear anywhere there is a Data Source drop-down list.

Step 6 (Optional) Check the Session check box and enter an Session ID into the Value field if the data source should only apply to that specific session. If you leave the check box unchecked, all ERSPAN traffic from the device will be grouped together into this data source, regardless of Session ID.

Devices can be configured with multiple ERSPAN Sessions. The packets exported may have the same source IP address, but the Session ID exported will be a different for each session. If you want to include only one Session in the data source, you must check the "Session" box and provide the value of that Session ID.

Step 7 Click the Submit button.

Creating ERSPAN Data Sources Using the CLI

To manually configure a ERSPAN data source on the NAM using the CLI (for example if the autocreation feature is turned off), use the following steps. Note that when using the CLI, there are two separate phases involved: First, you must create a "device" entry on the NAM and remember the device ID, and then you must create a data source entry using this device ID. In the NAM GUI, these two phases for creating ERSPAN data sources are combined together.

Step 1 Enter the command device erspan. You will now be in erspan device subcommand mode as shown here:
root@172-20-104-107.cisco.com# device erspan
Entering into subcommand mode for this command.
Type 'exit' to apply changes and come out of this mode.
Type 'cancel' to discard changes and come out of this mode.
root@172-20-104-107.cisco.com(sub-device-erspan)#
Step 2 Enter ? to see all the command options available, as in the example below:
root@172-20-104-107.cisco.com(sub-device-netflow)# ?
?                         - display help
address                   - device IP address (*)
cancel                    - discard changes and exit from subcommand mode
exit                      - create device and exit from sub-command mode
help                      - display help
show                      - show current config that will be applied on exit
(*) - denotes a mandatory field for this configuration.
root@172-20-104-107.cisco.com(sub-device-netflow)#
Step 3 Enter the IP address of the device as shown in this example (required):
root@172-20-104-107.cisco.com(sub-device-erspan)# address 192.168.0.1
Step 4 Type show to look at the device configuration that will be applied and verify that it is correct:
root@172-20-104-107.cisco.com(sub-device-erspan)# show
DEVICE TYPE         : ERSPAN (Encapsulated Remote SPAN)
DEVICE ADDRESS      : 192.168.0.1
root@172-20-104-107.cisco.com(sub-device-erspan)#
Step 5 Type exit to come out of the subcommand mode and create the device. Remember the ID value that was assigned to the new device (you will need it to create the data source).
root@172-20-104-107.cisco.com(sub-device-erspan)# exit
Device created successfully, ID = 1
root@172-20-104-107.cisco.com#
Step 6 Enter the command data-source erspan. You will now be in erspan data source subcommand mode as shown here:
root@172-20-104-107.cisco.com# data-source erspan
Entering into subcommand mode for this command.
Type 'exit' to apply changes and come out of this mode.
Type 'cancel' to discard changes and come out of this mode.
root@172-20-104-107.cisco.com(sub-data-source-erspan)#
Step 7 Enter ? to see all the command options available, as in the example below:
root@172-20-104-107.cisco.com(sub-data-source-erspan)# ?
?                         - display help
cancel                    - discard changes and exit from subcommand mode
device-id                 - erspan device ID (*)
exit                      - create data-source and exit from sub-command mode
help                      - display help
name                      - data-source name (*)
session-id                - erspan Session ID
show                      - show current config that will be applied on exit
(*) - denotes a mandatory field for this configuration.
root@172-20-104-107.cisco.com(sub-data-source-erspan)#
Step 8 Enter the device ID from Step 4.
root@172-20-104-107.cisco.com(sub-data-source-erspan)# device-id 1
Step 9 Enter the name you would like for the data source (required):
root@172-20-104-107.cisco.com(sub-data-source-erspan)# name MyFirstErspanDataSource
Step 10 If desired, supply the specific Session ID for this ERSPAN data source (optional):
root@172-20-104-107.cisco.com(sub-data-source-erspan)# session-id 123
Step 11 Enter show to look at the data source configuration that will be applied and verify that it is correct:
root@172-20-104-107.cisco.com(sub-data-source-netflow)# show
DATA SOURCE NAME : MyFirstErspanDataSource
DATA SOURCE TYPE : ERSPAN (Encapsulated Remote SPAN)
DEVICE ID        : 1
DEVICE ADDRESS   : 192.168.0.1
SESSION ID       : 123
root@172-20-104-107.cisco.com(sub-data-source-erspan)#
Step 12 Enter exit to come out of the subcommand mode and create the data source:
root@172-20-104-107.cisco.com(sub-data-source-erspan)# exit
Data source created successfully, ID = 3
The data source is now created, and ERSPAN records from the device will be received and accepted by the NAM as they arrive.

Deleting ERSPAN Data Sources Using the Web GUI

To delete an existing ERSPAN data source, use the following steps. Note that if the autocreation feature is turned on, and the device continues to send ERSPAN packets to the NAM, the data source will be recreated again automatically as soon as the next ERSPAN packet arrives. Therefore, if you wish to delete an existing ERSPAN data source, it is usually advisable to first turn the ERSPAN autocreate feature off, as described earlier.

Step 1 Choose Setup > Traffic > NAM Data Sources.

Step 2 Choose the data source you would like to delete.

Step 3 Click the Delete button along the bottom of the window.

Deleting ERSPAN Data Sources Using the CLI

To delete a ERSPAN data source using the CLI, use the following steps. Note that when using the CLI, there are generally two separate phases involved. First you should delete the data source, then delete the device if you have no other data sources using the same device (for example with a different Engine ID value). As a shortcut, if you simply delete the device, then all data sources using that device will also be deleted.

Step 1 Show all data sources so you can find the ID of the one you want to delete:
root@172-20-104-107.cisco.com# show data-source
DATA SOURCE ID   : 1
DATA SOURCE NAME : DATA PORT 1
TYPE             : Data Port
PORT NUMBER      : 1
-----------
DATA SOURCE ID   : 2
DATA SOURCE NAME : DATA PORT 2
TYPE             : Data Port
PORT NUMBER      : 2
-----------
DATA SOURCE ID   : 3
DATA SOURCE NAME : MyFirstErspanDataSource	
TYPE             : ERSPAN (Encapsulated Remote SPAN)
DEVICE ID        : 2
DEVICE ADDRESS   : 192.168.0.1
ENGINE ID        : 123
-----------
root@172-20-104-107.cisco.com#
Step 2 Use the no data-source command to delete the data source:
root@172-20-104-107.cisco.com# no data-source 3
Successfully deleted data source 3
root@172-20-104-107.cisco.com#
Step 3 Show all devices so you can find the ID of the one you want to delete:
root@172-20-104-107.cisco.com# show device 
DEVICE ID            : 1
DEVICE TYPE          : ERSPAN (Encapsulated Remote SPAN)	
IP ADDRESS           : 192.168.0.1
INFORMATION          : No packets received
STATUS               : Inactive
------
root@172-20-104-107.cisco.com#
Step 4 Use the no device command to delete the device:
root@172-20-104-107.cisco.com# no device 1
Sucessfully deleted device 1
root@172-20-104-107.cisco.com#
Note that if the autocreation mode is on, and the device continues to send ERSPAN packets to the NAM, the data source (and device entry) will be recreated again automatically as soon as the next ERSPAN packet arrives. Therefore, if you wish to delete an existing ERSPAN data source, it is usually advisable to first turn the ERSPAN autocreate feature off, as described earlier.

Configuring ERSPAN on Devices

There is only one way to configure ERSPAN so that the NAM receives the data:

•Sending ERSPAN Data Directly to the NAM Management Interface

Sending ERSPAN Data Directly to the NAM Management Interface

To send the data directly to the NAM management IP address (management-port), configure the ERSPAN source session. No ERSPAN destination session configuration is required. After performing this configuration on the Catalyst 6500 switch or Cisco 7600 series router, when ERSPAN packets are sent to the NAM, it will automatically create a data source for that packet stream. If the autocreate feature is not enabled, you will have to manually create the data source for this ERSPAN stream of traffic (see Creating ERSPAN Data Sources Using the Web GUI).

Note This method causes the ERSPAN traffic to arrive on the NAM management port. If the traffic level is high, this could have negative impact on the NAM's performance and IP connectivity.

Sample Configuration
monitor session 1 type erspan-source
no shut
source interface Fa3/47
destination
erspan-id  Y 
ip address aa.bb.cc.dd
origin ip address ee.ff.gg.hh
Where:

•Interface fa3/47 is a local interface on the erspan-source switch to be monitored

•Y is any valid span session number

•aa.bb.cc.dd is the management IP address of the NAM

•ee.ff.gg.hh is the source IP address of the ERSPAN traffic

	Cisco Prime Network Analysis Module (NAM) for Nexus 1010 5.1 Installation and Configuration Guide
	Configuring ERSPAN
Cisco Prime Network Analysis Module (NAM) for Nexus 1010 5.1 Installation and Configuration Guide About this Guide Overview Installing the NAM Configuring ERSPAN Configuring NetFlow Configuring a Managed Device Troubleshooting Index	Download this chapter Configuring ERSPAN Download the complete book Cisco Prime Network Analysis Module (NAM) for Nexus 1010 5.1 Installation and Configuration Guide (PDF - 760 KB) Feedback Table Of Contents Configuring ERSPAN for Traffic Visibility About ERSPAN ERSPAN Overview Monitored Traffic Monitored Traffic Direction Monitored Traffic ERSPAN Sources Source Ports Source VLANs ERSPAN Destination Ports Prerequisites for Configuring ERSPAN Configuring ERSPAN on the Cisco Nexus 1000V Configuring ERSPAN Data Source on the NAM VSB Configuring ERSPAN for Traffic Visibility Encapsulated Remote Switched Port Analyzer (ERSPAN) records provide an aggregate view of the network traffic. When enabled on the branch router or switch, the ERSPAN data source becomes available on the Cisco NAM VSB. ERSPAN provides statistics for applications, hosts, and conversions. You can set up custom data sources for some specific interfaces. ERSPAN can be used to identify business critical applications hosted in the Data Center that are used in the branch. This chapter contains the following sections: •About ERSPAN •Prerequisites for Configuring ERSPAN •Configuring ERSPAN on the Cisco Nexus 1000V •Configuring ERSPAN Data Source on the NAM VSB About ERSPAN ERSPAN Overview ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports. ERSPAN sends traffic to a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different routers, which provides remote monitoring of multiple routers across your network (see Figure 3-1). ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session. You separately configure ERSPAN source sessions and destination sessions on different routers. An ERSPAN source session is defined by the following: •A session ID •A list of source ports or source VLANs to be monitored by the session •The destination and the origin IP addresses, which are used as the destination and source IP addresses of the GRE envelope for the captured traffic, respectively •An ERSPAN flow ID •Optional attributes related to the GRE envelope such as IP TOS and TTL. For a source port or a source VLAN, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic. ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have either ports or VLANs as sources, but not both. The ERSPAN source sessions copies traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destination ports. Figure 3-1 ERSPAN Configuration Monitored Traffic These sections describe the traffic that ERSPAN can monitor: •Monitored Traffic Direction •Monitored Traffic Monitored Traffic Direction For a source port or a source VLAN, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic. Monitored Traffic By default, ERSPAN monitors all traffic, including multicast and bridge protocol data unit (BPDU) frames. ERSPAN Sources These sections describe ERSPAN sources: •Source Ports •Source VLANs Source Ports A source port is a port monitored for traffic analysis. You can configure source ports in any VLAN, and trunk ports can be configured as source ports and mixed with nontrunk source ports. Source VLANs A source VLAN is a VLAN monitored for traffic analysis. ERSPAN Destination Ports A destination port is a Layer 2 or Layer 3 LAN port to which ERSPAN sends traffic for analysis. When you configure a port as a destination port, it can no longer receive any traffic. When you configure a port as a destination port, the port is dedicated for use only by the ERSPAN feature. An ERSPAN destination port does not forward any traffic except that required for the ERSPAN session. You can configure trunk ports as destination ports, which allows destination trunk ports to transmit encapsulated traffic. Prerequisites for Configuring ERSPAN ERSPAN can be configured after you have installed the Nexus 1000V software on the Nexus 1010. You can configure ERSPAN source sessions, destination sessions, or both. A device that has only ERSPAN source sessions configured is called ERSPAN source device, and a device that has only ERSPAN destination sessions configured is called ERSPAN termination device. Configuring ERSPAN on the Cisco Nexus 1000V Configure ERSPAN traffic on the Branch edge router. You must enable ERSPAN on both the WAN and LAN interface to provide visibility into traffic flows entering and leaving the branch. Refer to "Configuring Local SPAN and ERSPAN" in the Cisco Nexus 1000V System Management Configuration Guide, Release 4.2(1) SV1(4): http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_4/system_management/configuration/guide/n1000v_system_9span.html This chapter describes how to configure the local and encapsulated remote (ER) switched port analyzer (SPAN) feature to monitor traffic and includes the following topics: •Information About SPAN and ERSPAN •SPAN Guidelines and Limitations •Default Settings •Configuring SPAN •Verifying the SPAN Configuration •Example Configurations •Additional References Configuring ERSPAN Data Source on the NAM VSB After you have configured ERSPAN on the Nexus 1000V, use the Network Analysis Module (NAM) to enable additional ERSPAN monitoring devices. See the following sections about using ERSPAN as a data source: •Enabling Autocreation of ERSPAN Data Sources Using the Web GUI •Enabling Autocreation of ERSPAN Data Sources Using the CLI •Disabling Autocreation of ERSPAN Data Sources Using the Web GUI •Disabling Autocreation of ERSPAN Data Sources Using the CLI •Creating ERSPAN Data Sources Using the Web GUI •Creating ERSPAN Data Sources Using the CLI •Deleting ERSPAN Data Sources Using the Web GUI •Deleting ERSPAN Data Sources Using the CLI •Configuring ERSPAN on Devices Enabling Autocreation of ERSPAN Data Sources Using the Web GUI There is a convenient "autocreate" feature for data sources, which is enabled by default. With the autocreate feature, a new data source will automatically be created for each device that sends ERSPAN traffic to the NAM, after the first packet is received. Manual creation of ERSPAN data sources using the NAM GUI or the CLI is typically not necessary. When manually creating a data source, you may specify any name you want for the data source. A data source entry must exist on the NAM in order for it to accept ERSPAN packets from an external device. Autocreated ERSPAN data sources will be assigned a name in the format ERSPAN-<IP Address>-ID-<Integer>, where IP Address is the IP address of the sending device, and Integer is the Session-ID of the ERSPAN session on that device. For example, device 192.168.0.1 sending ERSPAN packets with the Session ID field set to 12 would be named "ERSPAN-192.168.0.1-ID-12." You can edit these autocreated data sources and change the name if desired. One device can be configured to send multiple separate ERSPAN sessions to the same NAM. Each session will have a unique Session ID. The NAM can either group all sessions from the same device into one data source, or have a different data source for each Session ID. When data sources are autocreated, they will be associated with one particular Session ID. When manually created, you can instruct the NAM to group all traffic from the same device into one data source. If you check the Session check box, and enter a Session ID in the Value field, the data source will only apply to that specific session. If you leave the check box unchecked, all ERSPAN traffic from the device will be grouped together into this data source, regardless of Session ID. To configure the NAM to automatically create data sources when it receives ERSPAN packets from an external device, use the following steps. Remember however, that the autocreate feature is turned on by default, so these steps are typically not necessary. Step 1 Choose Setup > Traffic > NAM Data Sources. Step 2 Click the Auto Create button on the bottom left of the window. Step 3 Check the ERSPAN check box to toggle autocreation of ERSPAN data sources to "on". Step 4 Click the Submit button. Enabling Autocreation of ERSPAN Data Sources Using the CLI Configuration of the autocreate feature is also possible using the NAM CLI. Because the autocreate feature is turned on by default, in most cases these steps are not necessary. To configure the NAM to automatically create data sources when it receives ERSPAN packets from an external device, use the "autocreate-data-source" command as follows: root@172-20-104-107.cisco.com# autocreate-data-source erspan ERSPAN data source autocreate successfully ENABLED The NAM will now automatically create a ERSPAN data source for each device that sends ERSPAN packets to it. The data source will have the specific Session ID that is populated by the device in the ERSPAN packets sent to the NAM. If the same device happens to send ERSPAN packets to the NAM with different Session ID values, a separate data source will be created for each unique Session ID sent from the device. Disabling Autocreation of ERSPAN Data Sources Using the Web GUI Step 1 Choose Setup > Traffic > NAM Data Sources. Step 2 Click the Auto Create button on the bottom left of the window. Step 3 Uncheck the ERSPAN check box to toggle autocreation of ERSPAN data sources to "off". Step 4 Click the Submit button. Disabling Autocreation of ERSPAN Data Sources Using the CLI To disable autocreation of ERSPAN data sources, use the no autocreate-data-source command as follows: root@172-20-104-107.cisco.com# no autocreate-data-source erspan ERSPAN data source autocreate successfully DISABLED root@172-20-104-107.cisco.com# Creating ERSPAN Data Sources Using the Web GUI To manually configure a ERSPAN data source on the NAM using the GUI, for example if the autocreation feature is turned off, use the following steps: Step 1 Choose Setup > Traffic > NAM Data Sources. Step 2 Click the Create button along the bottom of the window. Step 3 From the Type drop-down list, choose "ERSPAN". Step 4 Enter the IP address of the device that will export ERSPAN to the NAM. Step 5 Give the Data Source a name. This name will appear anywhere there is a Data Source drop-down list. Step 6 (Optional) Check the Session check box and enter an Session ID into the Value field if the data source should only apply to that specific session. If you leave the check box unchecked, all ERSPAN traffic from the device will be grouped together into this data source, regardless of Session ID. Devices can be configured with multiple ERSPAN Sessions. The packets exported may have the same source IP address, but the Session ID exported will be a different for each session. If you want to include only one Session in the data source, you must check the "Session" box and provide the value of that Session ID. Step 7 Click the Submit button. Creating ERSPAN Data Sources Using the CLI To manually configure a ERSPAN data source on the NAM using the CLI (for example if the autocreation feature is turned off), use the following steps. Note that when using the CLI, there are two separate phases involved: First, you must create a "device" entry on the NAM and remember the device ID, and then you must create a data source entry using this device ID. In the NAM GUI, these two phases for creating ERSPAN data sources are combined together. Step 1 Enter the command device erspan. You will now be in erspan device subcommand mode as shown here: root@172-20-104-107.cisco.com# device erspan Entering into subcommand mode for this command. Type 'exit' to apply changes and come out of this mode. Type 'cancel' to discard changes and come out of this mode. root@172-20-104-107.cisco.com(sub-device-erspan)# Step 2 Enter ? to see all the command options available, as in the example below: root@172-20-104-107.cisco.com(sub-device-netflow)# ? ? - display help address - device IP address () cancel - discard changes and exit from subcommand mode exit - create device and exit from sub-command mode help - display help show - show current config that will be applied on exit () - denotes a mandatory field for this configuration. root@172-20-104-107.cisco.com(sub-device-netflow)# Step 3 Enter the IP address of the device as shown in this example (required): root@172-20-104-107.cisco.com(sub-device-erspan)# address 192.168.0.1 Step 4 Type show to look at the device configuration that will be applied and verify that it is correct: root@172-20-104-107.cisco.com(sub-device-erspan)# show DEVICE TYPE : ERSPAN (Encapsulated Remote SPAN) DEVICE ADDRESS : 192.168.0.1 root@172-20-104-107.cisco.com(sub-device-erspan)# Step 5 Type exit to come out of the subcommand mode and create the device. Remember the ID value that was assigned to the new device (you will need it to create the data source). root@172-20-104-107.cisco.com(sub-device-erspan)# exit Device created successfully, ID = 1 root@172-20-104-107.cisco.com# Step 6 Enter the command data-source erspan. You will now be in erspan data source subcommand mode as shown here: root@172-20-104-107.cisco.com# data-source erspan Entering into subcommand mode for this command. Type 'exit' to apply changes and come out of this mode. Type 'cancel' to discard changes and come out of this mode. root@172-20-104-107.cisco.com(sub-data-source-erspan)# Step 7 Enter ? to see all the command options available, as in the example below: root@172-20-104-107.cisco.com(sub-data-source-erspan)# ? ? - display help cancel - discard changes and exit from subcommand mode device-id - erspan device ID () exit - create data-source and exit from sub-command mode help - display help name - data-source name () session-id - erspan Session ID show - show current config that will be applied on exit () - denotes a mandatory field for this configuration. root@172-20-104-107.cisco.com(sub-data-source-erspan)# Step 8* Enter the device ID from Step 4. root@172-20-104-107.cisco.com(sub-data-source-erspan)# device-id 1 Step 9 Enter the name you would like for the data source (required): root@172-20-104-107.cisco.com(sub-data-source-erspan)# name MyFirstErspanDataSource Step 10 If desired, supply the specific Session ID for this ERSPAN data source (optional): root@172-20-104-107.cisco.com(sub-data-source-erspan)# session-id 123 Step 11 Enter show to look at the data source configuration that will be applied and verify that it is correct: root@172-20-104-107.cisco.com(sub-data-source-netflow)# show DATA SOURCE NAME : MyFirstErspanDataSource DATA SOURCE TYPE : ERSPAN (Encapsulated Remote SPAN) DEVICE ID : 1 DEVICE ADDRESS : 192.168.0.1 SESSION ID : 123 root@172-20-104-107.cisco.com(sub-data-source-erspan)# Step 12 Enter exit to come out of the subcommand mode and create the data source: root@172-20-104-107.cisco.com(sub-data-source-erspan)# exit Data source created successfully, ID = 3 The data source is now created, and ERSPAN records from the device will be received and accepted by the NAM as they arrive. Deleting ERSPAN Data Sources Using the Web GUI To delete an existing ERSPAN data source, use the following steps. Note that if the autocreation feature is turned on, and the device continues to send ERSPAN packets to the NAM, the data source will be recreated again automatically as soon as the next ERSPAN packet arrives. Therefore, if you wish to delete an existing ERSPAN data source, it is usually advisable to first turn the ERSPAN autocreate feature off, as described earlier. Step 1 Choose Setup > Traffic > NAM Data Sources. Step 2 Choose the data source you would like to delete. Step 3 Click the Delete button along the bottom of the window. Deleting ERSPAN Data Sources Using the CLI To delete a ERSPAN data source using the CLI, use the following steps. Note that when using the CLI, there are generally two separate phases involved. First you should delete the data source, then delete the device if you have no other data sources using the same device (for example with a different Engine ID value). As a shortcut, if you simply delete the device, then all data sources using that device will also be deleted. Step 1 Show all data sources so you can find the ID of the one you want to delete: root@172-20-104-107.cisco.com# show data-source DATA SOURCE ID : 1 DATA SOURCE NAME : DATA PORT 1 TYPE : Data Port PORT NUMBER : 1 ----------- DATA SOURCE ID : 2 DATA SOURCE NAME : DATA PORT 2 TYPE : Data Port PORT NUMBER : 2 ----------- DATA SOURCE ID : 3 DATA SOURCE NAME : MyFirstErspanDataSource TYPE : ERSPAN (Encapsulated Remote SPAN) DEVICE ID : 2 DEVICE ADDRESS : 192.168.0.1 ENGINE ID : 123 ----------- root@172-20-104-107.cisco.com# Step 2 Use the no data-source command to delete the data source: root@172-20-104-107.cisco.com# no data-source 3 Successfully deleted data source 3 root@172-20-104-107.cisco.com# Step 3 Show all devices so you can find the ID of the one you want to delete: root@172-20-104-107.cisco.com# show device DEVICE ID : 1 DEVICE TYPE : ERSPAN (Encapsulated Remote SPAN) IP ADDRESS : 192.168.0.1 INFORMATION : No packets received STATUS : Inactive ------ root@172-20-104-107.cisco.com# Step 4 Use the no device command to delete the device: root@172-20-104-107.cisco.com# no device 1 Sucessfully deleted device 1 root@172-20-104-107.cisco.com# Note that if the autocreation mode is on, and the device continues to send ERSPAN packets to the NAM, the data source (and device entry) will be recreated again automatically as soon as the next ERSPAN packet arrives. Therefore, if you wish to delete an existing ERSPAN data source, it is usually advisable to first turn the ERSPAN autocreate feature off, as described earlier. Configuring ERSPAN on Devices There is only one way to configure ERSPAN so that the NAM receives the data: •Sending ERSPAN Data Directly to the NAM Management Interface Sending ERSPAN Data Directly to the NAM Management Interface To send the data directly to the NAM management IP address (management-port), configure the ERSPAN source session. No ERSPAN destination session configuration is required. After performing this configuration on the Catalyst 6500 switch or Cisco 7600 series router, when ERSPAN packets are sent to the NAM, it will automatically create a data source for that packet stream. If the autocreate feature is not enabled, you will have to manually create the data source for this ERSPAN stream of traffic (see Creating ERSPAN Data Sources Using the Web GUI). Note This method causes the ERSPAN traffic to arrive on the NAM management port. If the traffic level is high, this could have negative impact on the NAM's performance and IP connectivity. Sample Configuration monitor session 1 type erspan-source no shut source interface Fa3/47 destination erspan-id Y ip address aa.bb.cc.dd origin ip address ee.ff.gg.hh Where: •Interface fa3/47 is a local interface on the erspan-source switch to be monitored •Y is any valid span session number •aa.bb.cc.dd is the management IP address of the NAM •ee.ff.gg.hh is the source IP address of the ERSPAN traffic
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks