Updated: August 28, 2017
This document describes how to configure a local Switched Port Analyzer (SPAN) quickly and easily on an Aggregation Services Router (ASR) 1000. This type of SPAN is called a local Encapsulated Remote SPAN (ERSPAN).
There are no specific requirements for this document.
The information in this document is based on the ASR1002 Router that runs 3.4.6S.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Traffic flows in and out of G0/0/0. The sniffer application is on G0/0/2.
G0/0/0 --- ASR1002 ----G0/0/2
Define a session in order to monitor the traffic and another session in order to send that traffic out the local interface.
Ensure that the IP address and origin-IP in both session definitions are exactly the same. This is required. Use an address that is local to the router; an unused loopback is suggested.
Ensure that the ERSPAN-ID is also the same.
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
monitor session 10 type erspan-source
 source interface Gi0/0/0
 destination
  erspan-id 10
  ip address 10.1.1.1
  origin ip address 10.1.1.1
monitor session 20 type erspan-destination
 destination interface Gi0/0/2
 source
  erspan-id 10
  ip address 10.1.1.1
Another common ERSPAN configuration is a local SPAN when the source interface is a trunk.
For this configuration, set the physical interface as the ERSPAN source.
On the ERSPAN destination, disable the VLAN filter with the plim ethernet vlan filter disable command. If the filter is not disabled, the SPAN session does not send the replicated traffic.
G0/0/0 --dot1q-- ASR1002 ----G0/0/2
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/0.2
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
 plim ethernet vlan filter disable
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
monitor session 10 type erspan-source
 source interface Gi0/0/0
 destination
  erspan-id 10
  ip address 10.1.1.1
  origin ip address 10.1.1.1
monitor session 20 type erspan-destination
 destination interface Gi0/0/2
 source
  erspan-id 10
  ip address 10.1.1.1
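
The rules stated above (identical ip address and origin ip address in both sessions, identical erspan-id, an address local to the router, and the VLAN filter disabled on the destination when the source is a trunk) can be checked mechanically before a change is applied. This is an added example, not Cisco code: `blocks`, `field` and `lint` are hypothetical helper names, the input is a trimmed copy of the trunk configuration, and any subinterface under the source interface is treated as evidence of a trunk.

```python
import re

# Constructed input: the trunk example above, trimmed to the lines the checks read.
CONFIG = """\
interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0.2
 encapsulation dot1Q 2
interface GigabitEthernet0/0/2
 plim ethernet vlan filter disable
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
monitor session 10 type erspan-source
 source interface Gi0/0/0
 destination
  erspan-id 10
  ip address 10.1.1.1
  origin ip address 10.1.1.1
monitor session 20 type erspan-destination
 destination interface Gi0/0/2
 source
  erspan-id 10
  ip address 10.1.1.1
"""

def blocks(text):
    """Map each top-level command to its stripped sub-commands."""
    return {m[1].strip(): [l.strip() for l in m[2].splitlines()]
            for m in re.finditer(r"^(\S.*)\n((?:[ ]+.*\n)*)", text + "\n", re.M)}

def field(cmds, pattern):  # first capture of the first fully matching sub-command
    return next((m[1] for c in cmds if (m := re.fullmatch(pattern, c))), None)

def lint(text):
    cfg = blocks(re.sub(r"\bGi(?=\d)", "GigabitEthernet", text))  # expand the abbreviation
    src = next(v for k, v in cfg.items() if k.endswith("type erspan-source"))
    dst = next(v for k, v in cfg.items() if k.endswith("type erspan-destination"))
    ips = {field(src, r"ip address (\S+)"), field(src, r"origin ip address (\S+)"),
           field(dst, r"ip address (\S+)")}
    local = {field(v, r"ip address (\S+) \S+") for k, v in cfg.items() if k.startswith("interface ")}
    s_if, d_if = field(src, r"source interface (\S+)"), field(dst, r"destination interface (\S+)")
    trunk = any(k.startswith(f"interface {s_if}.") for k in cfg)
    unfiltered = "plim ethernet vlan filter disable" in cfg.get(f"interface {d_if}", [])
    checks = [
        (field(src, r"erspan-id (\d+)") != field(dst, r"erspan-id (\d+)"), "erspan-id mismatch"),
        (len(ips) != 1, "ip address / origin ip address mismatch"),
        (not ips <= local - {None}, "ERSPAN address is not local to the router"),
        (trunk and not unfiltered, "trunk source, VLAN filter not disabled on destination"),
    ]
    return [msg for bad, msg in checks if bad]
```

`lint(CONFIG)` returns an empty list for the configuration as shown; removing the `plim ethernet vlan filter disable` line or changing one erspan-id makes the corresponding message appear.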
Use this section in order to confirm that your configuration works properly.
The simplest verification is to check that the output packet count increases on the ERSPAN destination interface. Since this interface does not have a configuration on it, there is no other traffic.
ASR1002#show int gig 0/0/2 | i packets out
     2073 packets output, 242097 bytes, 0 underruns
You can also look at the session information in the Quantum Flow Processor (QFP). In these examples, the Statistics increase as packets are copied.
ASR2#show platform hardware qfp active feature erspan session 10
ERSPAN Session: 10
  Type           : SRC
  Config Valid   : Yes
  User On/Off    : On
  DP Debug Cfg   : 0x00000000
  Statistics:
    Src session transmit : 4165 / 634836
  Configuration:
    VRF ID       : 0
    Dest IP addr : 10.1.1.1
    Orig IP addr : 10.1.1.1
    Flow ID      : 10
    GRE protocol : 0x88BE
    MTU          : 1464
    IP TOS       : 0
    IP TTL       : 255
    COS          : 0
  Encapsulation:
    00000000  4500 0000 0000 4000 ff2f 0000 0a01 0101
    00000010  0a01 0101 1000 88be 0000 0000 1001 000a
    00000020  0000 0000 0000 0000 0000 0000 0000 0000
  Port Configurations:
    VF  Interface Name          Flag   Status
    -----------------------------------------------------------------------
    No  GigabitEthernet0/0/0    BOTH   Enable
ASR2#show platform hardware qfp active feature erspan session 20
ERSPAN Session: 20
  Type           : TERM
  Config Valid   : Yes
  User On/Off    : On
  DP Debug Cfg   : 0x00000000
  Statistics:
    Term session receive : 4167 / 635644
  Configuration:
    VRF ID       : 0
    Dest IP addr : 10.1.1.1
    Flow ID      : 10
  Port Configurations:
    VF  Interface Name          Flag   Status
    -----------------------------------------------------------------------
    No  GigabitEthernet0/0/2    TX     Enable
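
The Encapsulation lines in the session 10 output are the header template that the QFP prepends to each copied packet, so decoding them shows whether the data plane was programmed with the values that were configured. The following is an added example, not Cisco code: it decodes the outer IPv4, GRE and ERSPAN Type II headers from those bytes and compares them with the Configuration lines, assuming that Flow ID is the ERSPAN session ID field and that Orig/Dest IP addr are the outer source/destination; `decode_template` and `mismatches` are hypothetical names.

```python
import ipaddress
import struct

# Encapsulation template copied from the session 10 output on this page (offset column dropped).
TEMPLATE_HEX = """
4500 0000 0000 4000 ff2f 0000 0a01 0101
0a01 0101 1000 88be 0000 0000 1001 000a
0000 0000 0000 0000 0000 0000 0000 0000
"""

def decode_template(hex_dump):
    """Decode the outer IPv4 + GRE + ERSPAN Type II headers from the QFP template."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    ver_ihl, tos, _, _, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl != 0x45:
        raise ValueError("expected an IPv4 header without options")
    gre_flags, gre_proto = struct.unpack("!HH", raw[20:24])
    has_seq = bool(gre_flags & 0x1000)          # S bit: a 4-byte sequence number follows
    off = 24 + (4 if has_seq else 0)
    # ERSPAN Type II: ver(4) vlan(12) | cos(3) en(2) t(1) session-id(10) | reserved(12) index(20)
    w0, w1, w2 = struct.unpack("!HHI", raw[off:off + 8])
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "tos": tos, "ttl": ttl, "df": bool(frag & 0x4000), "ip_proto": proto,
        "gre_proto": gre_proto, "gre_seq": has_seq,
        "erspan_ver": w0 >> 12, "vlan": w0 & 0xFFF, "cos": w1 >> 13,
        "session_id": w1 & 0x3FF, "index": w2 & 0xFFFFF,
        "overhead": off + 8,                    # bytes added in front of each mirrored frame
    }

def mismatches(fields, dest_ip, orig_ip, flow_id, ttl, gre_proto):
    """Names of decoded fields that disagree with the Configuration lines of the output."""
    expected = {"dst": dest_ip, "src": orig_ip, "session_id": flow_id,
                "ttl": ttl, "gre_proto": gre_proto}
    return [k for k, v in expected.items() if fields[k] != v]
```

For the template above the decoder reports source and destination 10.1.1.1, IP protocol 47 (GRE), GRE protocol 0x88BE with a sequence number, ERSPAN version 1 and session ID 10. The 36 bytes of added headers are consistent with the MTU of 1464 in the output if the underlying MTU is 1500.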
This section provides information you can use in order to troubleshoot your configuration.
When a monitor session is first configured, it is shut down. The session must be enabled with the no shutdown command.
ERSPAN only works on Layer 3 interfaces. It does not work for Ethernet interfaces that are Layer 2, such as Bridge Domain Interfaces or service instances.
If any of the sources that are monitored are part of a Dot1q trunk, the traffic analyzed with SPAN is dropped by the outgoing interface. In order to fix this issue, add the plim ethernet vlan filter disable command to the physical ERSPAN destination interface.
The ERSPAN destination interface should not contain any configuration besides what is required in order to bring the link online. No IP addresses are needed. The interface is used solely for ERSPAN traffic.