Configuring ERSPAN

Information About Encapsulated Remote SPAN

Encapsulated remote SPAN (ERSPAN) monitors traffic in multiple network devices across an IP network and sends that traffic in an encapsulated envelope to destination analyzers. ERSPAN can be used to monitor traffic remotely. ERSPAN sources can be ports, VLANs, or port profiles.

ERSPAN Sources

The interfaces from which traffic can be monitored are called ERSPAN sources. These sources include Ethernet, virtual Ethernet, port profile, and VLAN. When a VLAN is specified as an ERSPAN source, all supported interfaces in the VLAN are ERSPAN sources. When a port profile is specified as an ERSPAN source, all ports that inherit the port profile are ERSPAN sources. Traffic can be monitored in the receive direction, the transmit direction, or both directions for Ethernet and virtual Ethernet source interfaces as described by the following:

  • Receive source (Rx)—Traffic that enters the switch through this source port is copied to the ERSPAN destination port.

  • Transmit source (Tx)—Traffic that exits the switch through this source port is copied to the ERSPAN destination port.

Characteristics of ERSPAN Sources

An ERSPAN source has these characteristics:

  • Can be port type Ethernet, virtual Ethernet, port channel, port profile, or VLAN.

  • Cannot be a destination port or port profile.

  • Can be configured to monitor the direction of traffic—receive, transmit, or both.

  • Can be in the same or different VLANs.

  • For VLAN ERSPAN sources, all active ports in the source VLAN are included as source ports.

  • For port profile sources, all active interfaces attached to the port profile are included as source ports.

ERSPAN Destinations

An ERSPAN destination is an IP address on a remote device.

Characteristics of ERSPAN Destinations

  • An ERSPAN destination is specified by an IP address.

  • In ERSPAN, the source SPAN interface and destination SPAN interface can be on different devices interconnected by an IP network. ERSPAN traffic uses generic routing encapsulation (GRE).

Network Analysis Module

You can also use the Cisco Network Analysis Module (NAM) to monitor ERSPAN data sources for application performance, traffic analysis, and packet header analysis.

ERSPAN Sessions

You can create up to 64 total ERSPAN sessions on the Virtual Ethernet Module (VEM).

You must configure an ERSPAN session ID that is added to the ERSPAN header of the encapsulated frame to differentiate between ERSPAN streams of traffic at the termination box. You can also configure the range of flow ID numbers.
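The receiving side of the session ID, as an added Python example (not part of the Cisco documentation): a decoder for the GRE and ERSPAN Type II headers (header type 2, the default) that groups mirrored frames by session ID. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

GRE_PROTO_ERSPAN_II = 0x88BE   # GRE protocol type used by ERSPAN Type II
# Usual Type II overhead: outer Ethernet + IPv4 + GRE with sequence + ERSPAN
OVERHEAD_TYPE2 = 14 + 20 + 8 + 8   # 50 bytes

def parse_erspan_type2(gre: bytes) -> dict:
    """Decode GRE + ERSPAN Type II; gre starts right after the outer IP header."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"not ERSPAN Type II (GRE protocol 0x{proto:04x})")
    off = 4
    off += 4 if flags & 0x8000 else 0   # C bit: checksum word present
    off += 4 if flags & 0x2000 else 0   # K bit: key word present
    seq = None
    if flags & 0x1000:                  # S bit: sequence number present
        if len(gre) < off + 4:
            raise ValueError("truncated GRE sequence number")
        (seq,) = struct.unpack_from("!I", gre, off)
        off += 4
    if len(gre) < off + 8:
        raise ValueError("truncated ERSPAN header")
    word0, word1 = struct.unpack_from("!II", gre, off)
    if word0 >> 28 != 1:                # version field is 1 for Type II
        raise ValueError("unexpected ERSPAN version")
    return {
        "sequence": seq,
        "vlan": (word0 >> 16) & 0x0FFF,       # VLAN of the mirrored frame
        "truncated": bool(word0 & 0x0400),    # T bit: frame was cut short
        "session_id": word0 & 0x03FF,         # 10 bits, hence IDs up to 1023
        "index": word1 & 0xFFFFF,
        "inner_frame": gre[off + 8:],         # the mirrored Ethernet frame
    }

def demux(packets):
    """Group mirrored frames by ERSPAN session ID, as a termination box would."""
    streams = defaultdict(list)
    for pkt in packets:
        info = parse_erspan_type2(pkt)
        streams[info["session_id"]].append(info["inner_frame"])
    return dict(streams)

def build_sample(session_id, seq, inner, vlan=5, truncated=False):
    """Build a constructed GRE/ERSPAN Type II payload for the demo."""
    word0 = (1 << 28) | (vlan << 16) | (truncated << 10) | session_id
    return struct.pack("!HHIII", 0x1000, GRE_PROTO_ERSPAN_II, seq, word0, 0) + inner

# Constructed inner frame header: broadcast destination, made-up source MAC, IPv4
INNER = bytes.fromhex("ffffffffffff" "00224434abcd" "0800")
SAMPLE_999 = build_sample(999, 7, INNER)
SAMPLE_51 = build_sample(51, 8, INNER, truncated=True)

if __name__ == "__main__":
    print(sorted(demux([SAMPLE_999, SAMPLE_51])))
```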

Guidelines and Limitations for ERSPAN

  • ERSPAN is supported only on Intercloud Fabric Switch (ICS) (no ERSPAN sources on Intercloud Fabric Extender (ICX)).

  • A maximum of 64 ERSPAN sessions can be configured on the Virtual Supervisor Module (VSM).

  • A maximum of 32 source VLANs are allowed in a session.

  • A maximum of 16 source port profiles are allowed in a session.

  • A maximum of 128 source interfaces are allowed in a session.


Caution: Overload Potential

To avoid an overload on uplink ports, use caution when configuring ERSPAN, especially when sourcing VLANs. The uplink that the VM kernel uses might get overloaded due to ERSPAN traffic. VSM-VEM communication might also be impacted. For example, when the Nexus 1000V is configured for Layer 3 connectivity, both AIPC traffic and ERSPAN traffic use the same VM kernel NIC.


  • A port can be configured in a maximum of four ERSPAN sessions.

  • A port can be a source in a maximum of four ERSPAN sessions.

Configuring ERSPAN

This section describes how to configure ERSPAN and includes the following procedures:

  • Configuring an ERSPAN Port Profile

  • Configuring an ERSPAN Session

Configuring an ERSPAN Port Profile

You can configure a port profile on the VSM to carry ERSPAN packets through the IP network to a remote destination analyzer.

You must complete this configuration for all hosts in the OpenStack Horizon server.

This procedure includes steps to configure the port profile for the following requirements:

  • ERSPAN for Layer 3 control.

  • An access port profile. It cannot be a trunk port profile.

Only one ERSPAN local Layer 3 interface can be assigned to this Layer 3 control port profile per host as follows:

  • If more than one ERSPAN local Layer 3 interface is assigned to a host, the first one assigned takes effect. The second one is not considered a Layer 3 interface.

  • If more than one ERSPAN local Layer 3 interface is assigned to a host, and you remove the second assigned one, the VEM does not use the first assigned one. Instead, you must remove both the ERSPAN local Layer 3 interfaces and then add one back.

Before You Begin
  • Log in to the CLI in EXEC mode.

  • Ensure that a name has been established for this port profile.


    Note: The port profile name is used to configure the ERSPAN local Layer 3 interface. An ERSPAN local Layer 3 interface is required on each KVM host to send ERSPAN-encapsulated IP packets, and must have IP connectivity to the ERSPAN destination IP address.


  • Ensure that a name has been established for the OpenStack policy profile to which this profile maps. For information, see the Cisco Nexus 1000V for KVM Virtual Network Configuration Guide.

  • Create the system VLAN that sends IP traffic to the ERSPAN destination and note the VLAN ID to use in this configuration.

  • Obtain the documentation for adding a new virtual adapter.

For more information about system port profiles, see the Cisco Nexus 1000V Port Profile Configuration Guide.

Procedure
    Command or Action / Purpose

    Step 1: switch# configure terminal

    Enters global configuration mode.

    Step 2: switch(config)# port-profile port_profile_name

    Creates the port profile and places you in global configuration mode for the specified port profile. This command saves the port profile in the running configuration.

    The port profile name can be up to 80 characters and must be unique for each port profile on the Cisco Nexus 1000V.

    Step 3: switch(config-port-prof)# capability l3control

    Configures the port profile to carry ERSPAN traffic and saves the port profile in the running configuration.

    Step 4: switch(config-port-prof)# publish port-profile name

    Designates the port profile as an OpenStack policy profile and adds the name of the OpenStack policy profile to which this profile maps. This command saves the settings in the running configuration.

    The port profile is mapped to an OpenStack policy profile of the same name. When an OpenStack Horizon server connection is established, the port group created in Cisco Nexus 1000V is then distributed to the virtual switch on the OpenStack Horizon server.

    The name argument is the same as the port profile name if you do not specify a port group name. If you want to map the port profile to a different port group name, use the name option followed by the alternate name.

    Step 5: switch(config-port-prof)# switchport mode access

    Designates the interfaces as switch access ports (the default).

    Step 6: switch(config-port-prof)# switchport access vlan id

    Assigns a VLAN ID to the access port for this port profile and saves the setting in the running configuration.

    This VLAN is used to send IP traffic to the ERSPAN destination.

    Step 7: switch(config-port-prof)# no shutdown

    Enables the interface in the running configuration.

    Step 8: switch(config-port-prof)# state enabled

    Enables the port profile in the running configuration.

    This port profile is now ready to send out ERSPAN packets on all KVM hosts with ERSPAN sources.

    Step 9 (Optional): switch(config-port-prof)# show port-profile name port_profile_name

    Displays the configuration for the specified port profile as it exists in the running configuration.

    Step 10 (Optional): switch(config-port-prof)# copy running-config startup-config

    Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

    Step 11: To configure the ERSPAN local Layer 3 interface, navigate to the /etc/n1kv/n1kv.conf file and enter the details such as the port name, port profile, IP address, subnet, and the MAC address. For example:

        virt erspan0 profile erspan-pp mode static address 30.30.30.20 netmask 255.255.255.0 mac 00:22:44:34:ab:cd

    switch# configure terminal
    switch(config)# port-profile erspan
    switch(config-port-prof)# capability l3control
    switch(config-port-prof)# publish port-profile
    switch(config-port-prof)# switchport mode access
    switch(config-port-prof)# switchport access vlan 2
    switch(config-port-prof)# no shutdown
    switch(config-port-prof)# state enabled
    switch(config-port-prof)# show port-profile name erspan
    port-profile erspan
      description: 
      status: enabled
      capability uplink: no
      capability l3control: yes
      system vlans: 2
      port-group: access
      max-ports: 32
      inherit:
      config attributes:
        switchport access vlan 2
        no shutdown
      evaluated config attributes:
        switchport access vlan 2
        no shutdown
      assigned interfaces:
    switch(config-port-prof)# copy running-config startup-config

    Configuring an ERSPAN Session

    This procedure involves creating the SPAN session in ERSPAN source configuration mode (config-erspan-source).

    SPAN sessions are created in the shut state by default.

    When you create a SPAN session that already exists, any additional configuration is added to that session. To make sure the session is cleared of any previous configuration, you can delete the session first. The step to do this is included in the procedure.

    Before You Begin
    • Log in to the CLI in EXEC mode.

    • Obtain the number of the SPAN session that you are going to configure.

    • Configure an ERSPAN-capable port profile on the VSM.

    Procedure
      Command or Action / Purpose

      Step 1: switch# configure terminal

      Enters global configuration mode.

      Step 2: switch(config)# no monitor session session-number

      Clears the specified session.

      Step 3: switch(config)# monitor session session-number type erspan-source

      Creates a session with the given session number and places you in ERSPAN source configuration mode. This configuration is saved in the running configuration.

      Step 4: switch(config-erspan-src)# description description

      For the specified ERSPAN session, adds a description and saves it in the running configuration.

      The description can be up to 32 alphanumeric characters.

      The default is blank (no description).

      Step 5: switch(config-erspan-src)# source {interface type {number | range} | vlan {number | range} | port-profile {name}} [rx | tx | both]

      For the specified session, configures the sources and the direction of traffic to monitor and saves them in the running configuration.

      • For the type argument, specify the interface type: ethernet, port-channel, or vethernet.

      • For the number argument, specify the interface slot/port or range; or the VLAN number or range to monitor.

      • For the name argument, specify the name of the existing port profile.

      • For the traffic direction keywords, specify as follows:

        • rx (the VLAN default) indicates receive.

        • tx indicates transmit.

        • both is the default keyword.

      Step 6 (Optional): Repeat Step 5 to configure additional ERSPAN sources.

      Step 7 (Optional): switch(config-erspan-src)# filter vlan {number | range}

      For the specified ERSPAN session, configures the VLANs, VLAN lists, or VLAN ranges to be monitored; and saves the VLAN arguments to the running configuration.

      On the monitor port, only the traffic from the VLANs that match the VLAN filter list is replicated to the destination.

      Step 8 (Optional): Repeat Step 7 to configure all source VLANs to filter.

      Step 9: switch(config-erspan-src)# destination ip ip_address

      Configures the IP address of the host to which the encapsulated traffic is sent in this monitor session and saves it in the running configuration.

      Step 10 (Optional): switch(config-erspan-src)# ip ttl ttl_value

      Specifies the IP time-to-live value, from 1 to 255, for ERSPAN packets in this monitor session and saves it in the running configuration.

      Step 11 (Optional): switch(config-erspan-src)# mtu mtu_value

      Specifies an MTU size (from 50 to 1500) for ERSPAN packets in this monitor session and saves it in the running configuration. The 1500 MTU size limit includes a 50 byte overhead added to monitored packets by ERSPAN. Packets larger than this size are truncated.

      The default is 1500.

      Note: If the ERSPAN destination is a Cisco 6500 switch, truncated ERSPAN packets are dropped unless the no mls verify ip length consistent command is configured on the Cisco 6500.

      Step 12: switch(config-erspan-src)# header-type value

      Specifies the ERSPAN header type (2 or 3) used for ERSPAN encapsulation for this monitor session as follows:

      • 2 is the ERSPANv2 header type (the default).

      • 3 is the ERSPANv3 header type. (Used with NAM setups. Any other type of destination works only with the default v2 headers.)

      Step 13: switch(config-erspan-src)# erspan-id flow_id

      Adds an ERSPAN ID (from 1 to 1023) to the session configuration and saves it in the running configuration.

      The session ERSPAN ID is added to the ERSPAN header of the encapsulated frame and can be used at the termination box to differentiate between various ERSPAN streams of traffic.

      Step 14: switch(config-erspan-src)# no shut

      Enables the ERSPAN session and saves it in the running configuration.

      By default, the session is created in the shut state.

      Step 15 (Optional): switch(config-erspan-src)# show monitor session session_id

      Displays the ERSPAN session configuration as it exists in the running configuration.

      Step 16 (Optional): switch(config-erspan-src)# copy running-config startup-config

      Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
       
      switch# configure terminal
      switch(config)# no monitor session 3
      switch(config)# monitor session 3 type erspan-source
      switch(config-erspan-src)# description my_erspan_session_3
      switch(config-erspan-src)# source interface ethernet 2/1-3, ethernet 3/1 rx
      switch(config-erspan-src)# filter vlan 3-5, 7
      switch(config-erspan-src)# destination ip 10.54.54.1
      switch(config-erspan-src)# ip ttl 64
      switch(config-erspan-src)# mtu 1000
      switch(config-erspan-src)# header-type 2
      switch(config-erspan-src)# erspan-id 51
      switch(config-erspan-src)# no shut
      switch(config-erspan-src)# show monitor session 3
      switch(config-erspan-src)# copy running-config startup-config

      Configuring the Allowable ERSPAN Flow IDs

      Use this procedure to restrict the allowable range of available flow IDs that can be assigned to ERSPAN sessions.

      The available ERSPAN flow IDs are from 1 to 1023.

      Before You Begin
      • Log in to the CLI in EXEC mode.

      • Determine the restricted range of ERSPAN flow IDs that you want to designate.

      Procedure
        Command or Action / Purpose

        Step 1: switch# configure terminal

        Enters global configuration mode.

        Step 2: switch(config)# [no] limit-resource erspan-flow-id minimum min_val maximum max_val

        Restricts the allowable range of ERSPAN flow IDs that can be assigned.

        The allowable range is from 1 to 1023.

        The defaults are as follows:

        • The minimum value = 1

        • The maximum value = 1023

        The no form of this command removes any configured values and restores default values.

        Step 3 (Optional): switch(config)# show running monitor

        Displays changes to the default limit-resource erspan-flow-id values for verification.

        Step 4 (Optional): switch(config)# copy running-config startup-config

        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

         
        switch# configure terminal
        switch(config)# limit-resource erspan-flow-id minimum 20 maximum 40 
        switch(config)# show monitor
        switch(config)# show running monitor
        switch(config)# copy running-config startup-config
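Added example (not Cisco's code): a Python check over a session listing for conditions this chapter describes that leave a gap in what the analyzer receives: a session still shut, a missing destination, an erspan-id outside the range set with limit-resource erspan-flow-id, an MTU below the default, and two sessions sending the same erspan-id to one destination. The listing format, the function names, and sessions 3 and 4 are constructed for illustration.

```python
import re
from collections import defaultdict

OVERHEAD, DEFAULT_MTU = 50, 1500  # bytes; the overhead counts inside the MTU (per this page)

def parse(text):
    """Return {session_number: {setting: value}} for each 'monitor session' block."""
    sessions, cur = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.fullmatch(r"monitor session (\d+) type erspan-source", line)
        if m:
            cur = sessions.setdefault(int(m.group(1)), {})
        elif cur is not None and line in ("no shut", "no shutdown"):
            cur["enabled"] = "yes"
        elif cur is not None:
            key, _, value = line.rpartition(" ")  # "ip ttl 64" -> "ip ttl": "64"
            cur[key] = value
    return sessions

def audit(text, flow_ids=(1, 1023)):
    """Return sorted findings; flow_ids mirrors 'limit-resource erspan-flow-id'."""
    out, streams, (lo, hi) = [], defaultdict(list), flow_ids
    for num, cfg in sorted(parse(text).items()):
        if "enabled" not in cfg:
            out.append(f"session {num}: still shut (the default), nothing is mirrored")
        dest, fid, mtu = cfg.get("destination ip"), cfg.get("erspan-id"), cfg.get("mtu", "")
        if dest is None:
            out.append(f"session {num}: no destination ip")
        if fid is None or not fid.isdigit():
            out.append(f"session {num}: no valid erspan-id")
        elif not lo <= int(fid) <= hi:
            out.append(f"session {num}: erspan-id {fid} outside flow IDs {lo}-{hi}")
        if dest and fid:
            streams[(dest, fid)].append(num)
        if mtu.isdigit() and int(mtu) < DEFAULT_MTU:
            out.append(f"session {num}: mtu {mtu} truncates packets over {int(mtu) - OVERHEAD} bytes")
    for (dest, fid), nums in streams.items():
        if len(nums) > 1:   # the destination cannot tell these streams apart by ID
            out.append(f"sessions {nums}: same erspan-id {fid} to {dest}")
    return sorted(out)

# Constructed listing: session 2 follows the page's example, sessions 3 and 4 are made up
SAMPLE = """\
monitor session 2 type erspan-source
  source interface ethernet 3/3
  destination ip 10.54.54.1
  erspan-id 999
  mtu 1000
  no shut
monitor session 3 type erspan-source
  source interface ethernet 2/1-3, ethernet 3/1 rx
  destination ip 10.54.54.1
  erspan-id 999
  no shut
monitor session 4 type erspan-source
  source vlan 10-12
  erspan-id 30
"""
print("\n".join(audit(SAMPLE, flow_ids=(20, 40))))
```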

        Configuration Example for an ERSPAN Session

        The following example shows how to create an ERSPAN session for a source Ethernet interface and destination IP address on the Cisco Nexus 1000V. Packets arriving at the destination IP are identified by the ID 999 in their header.

        switch(config)# monitor session 2 type erspan-source
        switch(config-erspan-src)# source interface ethernet 3/3
        switch(config-erspan-src)# source port-profile my_profile_src
        switch(config-erspan-src)# destination ip 10.54.54.1
        switch(config-erspan-src)# erspan-id 999
        switch(config-erspan-src)# mtu 1000
        switch(config-erspan-src)# no shut
        
        switch(config-erspan-src)# show monitor session 2
           session 2
        ---------------
        type              : erspan-source
        state             : up
        source intf       : 
            rx            : Eth3/3    
            tx            : Eth3/3    
            both          : Eth3/3    
        source VLANs      : 
            rx            : 
            tx            : 
            both          :
        source port-profile : 
            rx            : my_profile_src
            tx            : my_profile_src
            both          : my_profile_src
        filter VLANs      : filter not specified
        destination IP    : 10.54.54.1
        ERSPAN ID         : 999
        ERSPAN TTL        : 64
        ERSPAN IP Prec.   : 0
        ERSPAN DSCP       : 0
        ERSPAN MTU        : 1000
        ERSPAN Header Type: 2
        
        switch(config-erspan-src)# module vem 3 execute vemcmd show span
        
        VEM SOURCE IP: 10.54.54.10
        
        HW SSN ID   ERSPAN ID   HDR VER   DST LTL/IP
                1                 local   49,51,52,55,56
                2         999         2   10.54.54.1
        

        Feature History for ERSPAN

        Feature Name    Releases          Feature Information
        ERSPAN          5.2(1)SK3(2.1)    ERSPAN was introduced.