Encapsulated remote SPAN (ERSPAN) monitors traffic in multiple network devices across an IP network and sends that traffic in an encapsulated envelope to destination analyzers. ERSPAN can be used to monitor traffic remotely. ERSPAN sources can be ports, VLANs, or port profiles.
The interfaces from which traffic can be monitored are called ERSPAN sources. These sources include Ethernet, virtual Ethernet, port profile, and VLAN. When a VLAN is specified as an ERSPAN source, all supported interfaces in the VLAN are ERSPAN sources. When a port profile is specified as an ERSPAN source, all ports that inherit the port profile are ERSPAN sources. Traffic can be monitored in the receive direction, the transmit direction, or both directions for Ethernet and virtual Ethernet source interfaces as described by the following:
An ERSPAN source has these characteristics:
- Can be port type Ethernet, virtual Ethernet, port channel, port profile, or VLAN.
- Cannot be a destination port or port profile.
- Can be configured to monitor the direction of traffic: receive, transmit, or both.
- Can be in the same or different VLANs.
- For VLAN ERSPAN sources, all active ports in the source VLAN are included as source ports.
- For port profile sources, all active interfaces attached to the port profile are included as source ports.
An ERSPAN destination is an IP address on a remote device.
You can also use the Cisco Network Analysis Module (NAM) to monitor ERSPAN data sources for application performance, traffic analysis, and packet header analysis.
You can create up to 64 total ERSPAN sessions on the Virtual Ethernet Module (VEM).
You must configure an ERSPAN session ID that is added to the ERSPAN header of the encapsulated frame to differentiate between ERSPAN streams of traffic at the termination box. You can also configure the range of flow ID numbers.
ERSPAN is supported only on Intercloud Fabric Switch (ICS) (no ERSPAN sources on Intercloud Fabric Extender (ICX)).
A maximum of 64 ERSPAN sessions can be configured on the Virtual Supervisor Module (VSM).
A maximum of 32 source VLANs are allowed in a session.
A maximum of 16 source port profiles are allowed in a session.
A maximum of 128 source interfaces are allowed in a session.
Caution: Overload Potential. To avoid an overload on uplink ports, use caution when configuring ERSPAN, especially when sourcing VLANs. The uplink that the VM kernel uses might get overloaded due to ERSPAN traffic. VSM-VEM communication might also be impacted. For example, when the Nexus 1000V is configured for Layer 3 connectivity, both AIPC traffic and ERSPAN traffic use the same VM kernel NIC.
This section describes how to configure ERSPAN and includes the following procedures:
You can configure a port profile on the VSM to carry ERSPAN packets through the IP network to a remote destination analyzer.
You must complete this configuration for all hosts in the OpenStack Horizon server.
This procedure includes steps to configure the port profile for the following requirements:
Only one ERSPAN local Layer 3 interface can be assigned to this Layer 3 control port profile per host as follows:
If more than one ERSPAN local Layer 3 interface is assigned to a host, the first one assigned takes effect. The second one is not considered a Layer 3 interface.
If more than one ERSPAN local Layer 3 interface is assigned to a host, and you remove the second assigned one, the VEM does not use the first assigned one. Instead, you must remove both the ERSPAN local Layer 3 interfaces and then add one back.
Log in to the CLI in EXEC mode.
Ensure that a name has been established for this port profile.
Note: The port profile name is used to configure the ERSPAN local Layer 3 interface. An ERSPAN local Layer 3 interface is required on each KVM host to send ERSPAN-encapsulated IP packets, and must have IP connectivity to the ERSPAN destination IP address.
Ensure that a name has been established for the OpenStack policy profile to which this profile maps. For information, see the Cisco Nexus 1000V for KVM Virtual Network Configuration Guide.
Create the system VLAN that sends IP traffic to the ERSPAN destination and note the VLAN ID to use in this configuration.
Obtain the documentation for adding a new virtual adapter.
For more information about system port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide.
```
switch# configure terminal
switch(config)# port-profile erspan_profile
switch(config-port-prof)# capability l3control
switch(config-port-prof)# publish port-profile
switch(config-port-prof)# switchport mode access
switch(config-port-prof)# switchport access vlan 2
switch(config-port-prof)# no shutdown
switch(config-port-prof)# state enabled
switch(config-port-prof)# show port-profile name erspan
port-profile erspan
  description:
  status: enabled
  capability uplink: no
  capability l3control: yes
  system vlans: 2
  port-group: access
  max-ports: 32
  inherit:
  config attributes:
    switchport access vlan 2
    no shutdown
  evaluated config attributes:
    switchport access vlan 2
    no shutdown
  assigned interfaces:
n1000v(config-port-prof)# copy running-config startup-config
```
This procedure involves creating the SPAN session in ERSPAN source configuration mode (config-erspan-source).
SPAN sessions are created in the shut state by default.
When you create a SPAN session that already exists, any additional configuration is added to that session. To make sure the session is cleared of any previous configuration, you can delete the session first. The step to do this is included in the procedure.
```
switch# configure terminal
switch(config)# no monitor session 3
switch(config)# monitor session 3 type erspan
switch(config-erspan-src)# description my_erspan_session_3
switch(config-erspan-src)# source interface ethernet 2/1-3, ethernet 3/1 rx
switch(config-erspan-src)# filter vlan 3-5, 7
switch(config-erspan-src)# destination ip 10.54.54.1
switch(config-erspan-src)# ip ttl 64
switch(config-erspan-src)# mtu 1000
switch(config-erspan-src)# header-type 2
switch(config-erspan-src)# erspan-id 51
switch(config-erspan-src)# no shut
switch(config-erspan-src)# show monitor session 3
switch(config-erspan-src)# copy running-config startup-config
```
Use this procedure to restrict the allowable range of available flow IDs that can be assigned to ERSPAN sessions.
The available ERSPAN flow IDs are from 1 to 1023.
Step | Command or Action | Purpose
---|---|---
Step 1 | switch# configure terminal | Enters global configuration mode.
Step 2 | switch(config)# [no] limit-resource erspan-flow-id minimum min_val maximum max_val | Restricts the allowable range of ERSPAN flow IDs that can be assigned. The allowable range is from 1 to 1023. The defaults are as follows: The no form of this command removes any configured values and restores default values.
Step 3 | switch(config)# show running monitor | (Optional) Displays changes to the default limit-resource erspan-flow-id values for verification.
Step 4 | switch(config)# copy running-config startup-config | (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
```
switch# configure terminal
switch(config)# limit-resource erspan-flow-id minimum 20 maximum 40
switch(config)# show monitor
switch(config)# show running monitor
switch(config)# copy running-config startup-config
```
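A pre-deployment check of a session block against the per-session limits and the flow ID range given in this chapter, as an added example that is not Cisco code. The function names are hypothetical; the `source vlan` form and the treatment of `erspan-id` as a value drawn from the flow ID range are assumptions.

```python
import re

LIMITS = {"interface": 128, "vlan": 32, "port-profile": 16}  # per-session maxima on this page

def expand(spec):
    """Expand 'ethernet 2/1-3, ethernet 3/1' or '3-5, 7' into individual members."""
    members = set()
    for item in spec.split(","):
        m = re.fullmatch(r"\s*(.*?)(\d+)(?:-(\d+))?\s*", item)
        if not m:
            raise ValueError(f"cannot parse source item {item!r}")
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        members.update(f"{m.group(1)}{n}" for n in range(lo, hi + 1))
    return members

def lint_session(cli, id_min=1, id_max=1023):
    """Return findings for one 'monitor session' block (CLI prompts are tolerated)."""
    sources = {kind: set() for kind in LIMITS}
    erspan_id, has_dest, enabled, findings = None, False, False, []
    for line in cli.splitlines():
        cmd = line.split("#", 1)[-1].strip()          # drop a 'switch(...)#' prompt
        m = re.match(r"source (interface|vlan|port-profile) (.+?)(?: (?:rx|tx|both))?$", cmd)
        if m:
            kind, spec = m.groups()
            sources[kind] |= {spec} if kind == "port-profile" else expand(spec)
        elif cmd.startswith("erspan-id "):
            erspan_id = int(cmd.split()[1])
        elif cmd.startswith("destination ip "):
            has_dest = True
        elif cmd in ("no shut", "no shutdown"):
            enabled = True
    for kind, limit in LIMITS.items():
        if len(sources[kind]) > limit:
            findings.append(f"{len(sources[kind])} source {kind} entries, limit is {limit}")
    if erspan_id is None or not id_min <= erspan_id <= id_max:
        findings.append(f"erspan-id {erspan_id} outside flow ID range {id_min}-{id_max}")
    if not has_dest:
        findings.append("no destination ip configured")
    if not enabled:
        findings.append("session left in the default shut state")
    return findings

SESSION_3 = """monitor session 3 type erspan
source interface ethernet 2/1-3, ethernet 3/1 rx
filter vlan 3-5, 7
destination ip 10.54.54.1
erspan-id 51
no shut"""  # session 3 as configured earlier on this page
```

With the default range the session passes; with the restricted range 20 to 40 from the example above, its `erspan-id 51` is reported.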
The following example shows how to create an ERSPAN session for a source Ethernet interface and destination IP address on the Cisco Nexus 1000V. Packets arriving at the destination IP are identified by the ID 999 in their header.
```
switch# monitor session 2 type erspan-source
switch(config-erspan-src)# source interface ethernet 3/3
switch(config-erspan-src)# source port-profile my_profile_src
switch(config-erspan-src)# destination ip 10.54.54.1
switch(config-erspan-src)# erspan-id 999
switch(config-erspan-src)# mtu 1000
switch(config-erspan-src)# no shut
switch(config-erspan-src)# show monitor session 2
session 2
---------------
type              : erspan-source
state             : up
source intf       :
    rx            : Eth3/3
    tx            : Eth3/3
    both          : Eth3/3
source VLANs      :
    rx            :
    tx            :
    both          :
source port-profile :
    rx            : my_profile_src
    tx            : my_profile_src
    both          : my_profile_src
filter VLANs      : filter not specified
destination IP    : 10.54.54.1
ERSPAN ID         : 999
ERSPAN TTL        : 64
ERSPAN IP Prec.   : 0
ERSPAN DSCP       : 0
ERSPAN MTU        : 1000
ERSPAN Header Type: 2
switch(config-erspan-src)# module vem 3 execute vemcmd show span
VEM SOURCE IP: 10.54.54.10
HW SSN ID   ERSPAN ID   HDR VER   DST LTL/IP
        1       local             49,51,52,55,56
        2         999         2   10.54.54.1
```
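How an analyzer at the destination IP can read the ERSPAN ID from the encapsulation and separate streams by it, as an added example that is not Cisco code. It assumes the ERSPAN Type II layout (GRE protocol type 0x88BE with a sequence number, followed by an 8-byte ERSPAN header holding a 10-bit session ID); the function names are hypothetical and the sample packets are constructed.

```python
import struct

GRE_PROTO_ERSPAN_II = 0x88BE          # GRE protocol type carried by ERSPAN Type I/II
GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000   # GRE flag bits


def parse_erspan2(gre: bytes) -> dict:
    """Decode the GRE and ERSPAN Type II headers from an IP protocol 47 payload."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    if not flags & GRE_SEQ:
        # Without a sequence number there is no ERSPAN header (Type I framing).
        raise ValueError("no GRE sequence number, so no ERSPAN header to read")
    off = 4 + (4 if flags & GRE_CSUM else 0) + (4 if flags & GRE_KEY else 0)
    if len(gre) < off + 12:
        raise ValueError("truncated ERSPAN header")
    seq, w0, w1 = struct.unpack_from("!III", gre, off)
    if w0 >> 28 != 1:                  # Type II carries version 1
        raise ValueError(f"unexpected ERSPAN version {w0 >> 28}")
    return {
        "sequence": seq,
        "vlan": (w0 >> 16) & 0xFFF,    # VLAN of the mirrored frame
        "truncated": bool(w0 & 0x400), # T bit: mirrored frame was truncated
        "erspan_id": w0 & 0x3FF,       # 10-bit session ID (erspan-id on the switch)
        "index": w1 & 0xFFFFF,
        "frame": gre[off + 12:],       # the mirrored Ethernet frame
    }


def demux(payloads, expected_ids):
    """Group mirrored frames by ERSPAN ID; collect IDs no known session uses."""
    streams, unexpected = {i: [] for i in expected_ids}, []
    for p in payloads:
        hdr = parse_erspan2(p)
        if hdr["erspan_id"] in streams:
            streams[hdr["erspan_id"]].append(hdr["frame"])
        else:
            unexpected.append(hdr["erspan_id"])
    return streams, unexpected


def build_sample(erspan_id, vlan, seq, frame):
    """Construct a Type II payload for testing (constructed data, not a capture)."""
    w0 = (1 << 28) | (vlan << 16) | erspan_id
    return struct.pack("!HHIII", GRE_SEQ, GRE_PROTO_ERSPAN_II, seq, w0, 0) + frame
```

An ERSPAN ID arriving at the analyzer that matches no configured session is worth investigating, since it means a mirror session exists that the operator did not expect.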
Feature Name | Releases | Feature Information
---|---|---
ERSPAN | 5.2(1)SK3(2.1) | ERSPAN was introduced.