This module describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports.
Note: The Configuring ERSPAN feature is not supported on Layer 2 switching interfaces.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports. ERSPAN sends traffic to a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different routers, which provides remote monitoring of multiple routers across your network (see the figure below).
ERSPAN consists of an ERSPAN source session, routable ERSPAN generic routing encapsulation (GRE) encapsulated traffic, and an ERSPAN destination session.
You can configure an ERSPAN source session and an ERSPAN destination session, or both, on a Cisco ASR 1000 Series Aggregation Services Router. A device that has only an ERSPAN source session configured is called an ERSPAN source device, and a device that has only an ERSPAN destination session configured is called an ERSPAN termination device. A Cisco ASR 1000 Series Router can act as both an ERSPAN source device and termination device. Also, an ERSPAN session can be terminated with a destination session on the same Cisco ASR 1000 Series Router.
An ERSPAN source session is defined by the following:
For a source port or a source VLAN, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic.
An ERSPAN destination session is defined by the following:
ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have either ports or VLANs as sources, but not both.
The ERSPAN source sessions copy traffic from the source ports or source VLANs and forward the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destination ports.
Figure 1. ERSPAN Configuration
Monitored Traffic
For a source port or a source VLAN, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic. By default, ERSPAN monitors all traffic, including multicast and Bridge Protocol Data Unit (BPDU) frames.
The Cisco ERSPAN feature supports the following sources:
Note: GRE, mGRE, SVTI, and IPinIP tunnel interfaces support monitoring of both IPsec-protected and non-IPsec-protected tunnel packets. Monitoring allows you to see the clear-text tunnel packet after IPsec decryption if that tunnel is IPsec protected.
ERSPAN has the following behavior in Cisco IOS XE Release 3.4S:
A destination port is a Layer 2 or Layer 3 LAN port to which ERSPAN sends traffic for analysis.
When you configure a port as a destination port, it can no longer receive any traffic and is dedicated for use only by the ERSPAN feature. An ERSPAN destination port does not forward any traffic except that required for the ERSPAN session. You can configure trunk ports as destination ports, which allows destination trunk ports to transmit encapsulated traffic.
To use ERSPAN to monitor traffic through one or more ports, or one or more VLANs, you must create an ERSPAN source session and an ERSPAN destination session.
There is no restriction on whether these two sessions are created on the same router or not. If the two sessions are created on two different routers, the monitoring traffic will be forwarded from the source to the destination by ERSPAN. However, if the two sessions are created on the same router, the data flow takes place inside the router, which is similar to that of local SPAN.
The following factors are applicable while using ERSPAN as local SPAN:
The ERSPAN monitors and captures traffic over Ethernet ports and virtual LANs (VLANs). ERSPAN replicates the original frame and encapsulates the replicated frame inside an IP or generic routing encapsulation (GRE) packet by adding Fabric Interface Asic (FIA) entries on the WAN interface. The frame header of the replicated packet is modified for capturing. After encapsulation, ERSPAN sends the IP or GRE packet through an IP network to a device on the network. This device sends the original frame to an analyzing device that is directly connected to the network device.
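To make the encapsulation described above concrete, the following added example (not Cisco code) decodes one ERSPAN packet as an analyzer would receive it. The page does not give the wire format; the code assumes ERSPAN Type II framing (GRE protocol type 0x88BE with a sequence number, followed by an 8-byte ERSPAN header), and `decode_erspan` and `build_sample` are names made up for this example.

```python
import socket
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type II (assumed framing)

def decode_erspan(packet):
    """Decode outer IPv4 + GRE + ERSPAN Type II headers of one mirrored packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 47:
        raise ValueError("not an IPv4 packet carrying GRE")
    off = (packet[0] & 0x0F) * 4                 # outer IP header length
    if len(packet) < off + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", packet, off)
    off += 4
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE payload is not ERSPAN")
    if not flags & 0x1000:
        raise ValueError("no GRE sequence number, so no Type II header follows")
    off += 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000)  # skip checksum, key
    if len(packet) < off + 12:
        raise ValueError("truncated ERSPAN header")
    seq, word1, word2, _index = struct.unpack_from("!IHHI", packet, off)
    if word1 >> 12 != 1:
        raise ValueError("not ERSPAN Type II (header version 1)")
    return {
        "origin": socket.inet_ntoa(packet[12:16]),     # origin ip address
        "collector": socket.inet_ntoa(packet[16:20]),  # destination ip address
        "precedence": packet[1] >> 5,                  # ip prec
        "ttl": packet[8],                              # ip ttl
        "sequence": seq,
        "vlan": word1 & 0x0FFF,
        "erspan_id": word2 & 0x03FF,                   # 10-bit session ID
        "frame": packet[off + 12:],                    # the replicated frame
    }

def build_sample():
    """Constructed packet carrying the values from the page's source-session example."""
    frame = bytes.fromhex("ffffffffffff0200000000010806") + bytes(46)
    erspan = struct.pack("!HHI", (1 << 12) | 10, 100, 0)    # version 1, VLAN 10, ID 100
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 7)  # S bit set, sequence 7
    total = 20 + len(gre) + len(erspan) + len(frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 5 << 5, total, 0, 0, 32, 47, 0,
                     socket.inet_aton("10.1.0.1"), socket.inet_aton("10.10.0.1"))
    return ip + gre + erspan + frame  # IP checksum left 0; the decoder does not verify it
```

The GRE payload is not encrypted, so anything on the path between the source and destination sessions can read the replicated frame the same way.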
ERSPAN uses separate source and destination sessions. You configure the source and destination sessions on different routers. The following sections describe how to configure ERSPAN sessions:
Perform this task to configure an ERSPAN source session. The ERSPAN source session defines the session configuration parameters and the ports or VLANs to be monitored.
Perform this task to configure an ERSPAN destination session. The ERSPAN destination session defines the session configuration parameters and the ports that will receive the monitored traffic.
The following example shows how to configure an ERSPAN source session:
```
monitor session 1 type erspan-source
 source interface GigabitEthernet1/0/1 rx
 source interface GigabitEthernet1/0/4 - 8 tx
 source interface GigabitEthernet1/0/3
 destination
  erspan-id 100
  ip address 10.10.0.1
  ip prec 5
  ip ttl 32
  origin ip address 10.1.0.1
```
The following example shows how to configure an ERSPAN destination session:
```
monitor session 2 type erspan-destination
 destination interface GigabitEthernet1/3/2
 destination interface GigabitEthernet2/2/0
 source
  erspan-id 100
  ip address 10.10.0.1
```
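Both examples above use erspan-id 100 and ip address 10.10.0.1. The following added script (not Cisco code) parses the two sessions, written one command per line, reports source sessions that have no destination session with the same pair, and lists source sessions that send mirrored traffic to an address outside an approved collector list. It assumes the two values must match for a session pair to work; the function names and the approved-list idea are introduced here for illustration.

```python
import re
# Constructed input: the page's two example sessions, one command per line.
SOURCE_CFG = """\
monitor session 1 type erspan-source
 source interface GigabitEthernet1/0/1 rx
 source interface GigabitEthernet1/0/4 - 8 tx
 source interface GigabitEthernet1/0/3
 destination
  erspan-id 100
  ip address 10.10.0.1
  ip prec 5
  ip ttl 32
  origin ip address 10.1.0.1
"""
DEST_CFG = """\
monitor session 2 type erspan-destination
 destination interface GigabitEthernet1/3/2
 destination interface GigabitEthernet2/2/0
 source
  erspan-id 100
  ip address 10.10.0.1
"""
def parse_sessions(config):
    """Return {session number: {"type", "erspan_id", "ip", "origin"}}."""
    sessions, current = {}, None
    for line in config.splitlines():
        text = line.strip()
        m = re.match(r"monitor session (\d+) type (erspan-(?:source|destination))$", text)
        if m:
            current = sessions.setdefault(int(m.group(1)), {"type": m.group(2)})
        elif current is None or not line.startswith(" "):
            current = None  # outside any ERSPAN session block
        elif m := re.match(r"erspan-id (\d+)$", text):
            current["erspan_id"] = int(m.group(1))
        elif m := re.match(r"(origin )?ip address (\S+)$", text):
            current["origin" if m.group(1) else "ip"] = m.group(2)
    return sessions

def unpaired_sources(src_cfg, dst_cfg):
    """Source sessions with no destination session sharing erspan-id and IP address."""
    dests = {(s.get("erspan_id"), s.get("ip")) for s in parse_sessions(dst_cfg).values()
             if s["type"] == "erspan-destination"}
    return [n for n, s in sorted(parse_sessions(src_cfg).items())
            if s["type"] == "erspan-source" and (s.get("erspan_id"), s.get("ip")) not in dests]

def unapproved_collectors(src_cfg, approved):
    """(session, IP) pairs that send mirrored traffic to an address not in `approved`."""
    return [(n, s.get("ip")) for n, s in sorted(parse_sessions(src_cfg).items())
            if s["type"] == "erspan-source" and s.get("ip") not in approved]
```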
The following sections provide references related to the ERSPAN feature.
Related Topic | Document Title |
---|---|
LAN Switching commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS LAN Switching Command Reference |
Cisco IOS commands | Cisco IOS Master Commands List, All Releases |

Standard | Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | -- |

MIB | MIBs Link |
---|---|
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: |

RFC | Title |
---|---|
No new or modified RFCs are supported by this feature, and support for existing standards has not been modified by this feature. | -- |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1. Feature Information for Configuring ERSPAN

Feature Name | Releases | Feature Information |
---|---|---|
Encapsulated Remote SPAN | Cisco IOS XE Release 2.1 | ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports. The following section provides information about this feature. The following commands were modified by this feature: description, destination, erspan-id, filter, ip dscp, ip prec, ip ttl, monitor permit-list, monitor session, origin ip address, show monitor permit-list, source, switchport, switchport mode trunk, switchport nonegotiate, switchport trunk encapsulation, vrf. |
ERSPAN WAN Source | Cisco IOS XE Release 3.5S | ERSPAN monitors and captures traffic over Ethernet ports and virtual LANs (VLANs). The following section provides information about this feature. The following command was introduced by this feature: source interface. |