Configuring ERSPAN

Last Updated: December 8, 2011

This module describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports.


Note
The Configuring ERSPAN feature is not supported on Layer 2 switching interfaces.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Configuring ERSPAN

  • The maximum number of ERSPAN sessions on a Cisco ASR 1000 Series Router is 1024. A Cisco ASR 1000 Series Router can be used as an ERSPAN source device on which only source sessions are configured, an ERSPAN destination device on which only destination sessions are configured, or an ERSPAN source and destination device on which both source and destination sessions are configured. However, the total session number cannot exceed the maximum session number of 1024.
  • The maximum port number for each ERSPAN session is 128.
  • ERSPAN on Cisco ASR 1000 Series Routers supports Fast Ethernet, Gigabit Ethernet, TenGigabit Ethernet, and port-channel interfaces as source ports for a source session.
  • ERSPAN users on Cisco ASR 1000 Series Routers can configure a list of ports as source or a list of VLANs as source, but cannot configure both for a given session.
  • When a session is configured through the ERSPAN configuration CLI, the session ID and the session type cannot be changed. In order to change them, you must first use the no form of the configuration command to remove the session and then reconfigure the session.
  • The monitor session span-session-number type local command is not supported on Cisco ASR 1000 Series Routers.
  • Filter VLAN option is not functional in ERSPAN monitoring session on WAN interfaces.

Information About Configuring ERSPAN

ERSPAN Overview

ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports. ERSPAN sends traffic to a network analyzer such as a SwitchProbe device or other Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different routers, which provides remote monitoring of multiple routers across your network (see the figure below).

ERSPAN consists of an ERSPAN source session, routable ERSPAN generic routing encapsulation (GRE) encapsulated traffic, and an ERSPAN destination session.

You can configure an ERSPAN source session and an ERSPAN destination session, or both, on a Cisco ASR 1000 Series Aggregation Services Router. A device that has only an ERSPAN source session configured is called an ERSPAN source device, and a device that has only an ERSPAN destination session configured is called an ERSPAN termination device. A Cisco ASR 1000 Series Router can act as both an ERSPAN source device and termination device. Also, an ERSPAN session can be terminated with a destination session on the same Cisco ASR 1000 Series Router.

An ERSPAN source session is defined by the following:

  • A session ID
  • A list of source ports or source VLANs to be monitored by the session
  • The destination and the origin IP addresses, which are used as the destination and source IP addresses of the GRE envelope for the captured traffic, respectively
  • An ERSPAN flow ID
  • Optional attributes related to the GRE envelope such as IP type of service (TOS) and IP Time to Live (TTL)

For a source port or a source VLAN, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic.

An ERSPAN destination session is defined by the following:

  • A session ID
  • A list of destination ports
  • The source IP address, which is the same as the destination IP address of the corresponding source session
  • The ERSPAN flow ID, which is used to match the destination session with the source session

ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have either ports or VLANs as sources, but not both.

The ERSPAN source sessions copy traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destination ports.

Figure 1 ERSPAN Configuration


Monitored Traffic

For a source port or a source VLAN, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic. By default, ERSPAN monitors all traffic, including multicast and Bridge Protocol Data Unit (BPDU) frames.

ERSPAN Sources

The Cisco ERSPAN feature supports the following sources:

  • Source ports--A source port is a port monitored for traffic analysis. You can configure source ports in any VLAN, and trunk ports can be configured as source ports along with nontrunk source ports.
  • Source VLANs--A source VLAN is a VLAN monitored for traffic analysis.
  • The tunnel keyword was added to the source interface command.
  • Support was added for the following types of tunnel interfaces as source ports for a source session:
    • GRE
    • IPinIP
    • IPv6
    • IPv6 over IP tunnel
    • mGRE
    • SVTI

    Note
    GRE, mGRE, SVTI, and IPinIP tunnel interfaces support monitoring of both IPsec-protected and non-IPsec-protected tunnel packets. Monitoring allows you to see the clear-text tunnel packet after IPsec decryption if that tunnel is IPsec protected.
    The following limitations apply to the enhancements introduced in Cisco IOS XE Release 3.4S:
    • Only monitoring of non-IPsec-protected tunnel packets is supported on IPv6 and IPv6 over IP tunnel interfaces.
    • The enhancements apply only to ERSPAN source sessions, not to ERSPAN destination sessions.

ERSPAN has the following behavior in Cisco IOS XE Release 3.4S:

  • The tunnel interface is removed from the ERSPAN database at all levels when the tunnel interface is deleted. If you want to create the same tunnel again, you must manually configure it in source monitor sessions in order to keep monitoring the tunnel traffic.
  • The Layer 2 Ethernet header is feature generated with both source and destination MAC addresses set to zero.

ERSPAN Destination Ports

A destination port is a Layer 2 or Layer 3 LAN port to which ERSPAN sends traffic for analysis.

When you configure a port as a destination port, it can no longer receive any traffic. When you configure a port as a destination port, the port is dedicated for use only by the ERSPAN feature. An ERSPAN destination port does not forward any traffic except that required for the ERSPAN session. You can configure trunk ports as destination ports, which allows destination trunk ports to transmit encapsulated traffic.

Using ERSPAN as Local SPAN

To use ERSPAN to monitor traffic through one or more ports, or one or more VLANs, you must create an ERSPAN source session and an ERSPAN destination session.

There is no restriction on whether these two sessions are created on the same router or not. If the two sessions are created on two different routers, the monitoring traffic will be forwarded from the source to the destination by ERSPAN. However, if the two sessions are created on the same router, the data flow takes place inside the router, which is similar to that of local SPAN.

The following factors are applicable while using ERSPAN as local SPAN:

  • Both sessions have the same ERSPAN ID.
  • Both sessions have the same IP address. This IP address is the router's own IP address; that is, the loopback IP address or the IP address configured on any port.

Configuring ERSPAN WAN Source Support

The ERSPAN monitors and captures traffic over Ethernet ports and virtual LANs (VLANs). ERSPAN replicates the original frame and encapsulates the replicated frame inside an IP or generic routing encapsulation (GRE) packet by adding Fabric Interface Asic (FIA) entries on the WAN interface. The frame header of the replicated packet is modified for capturing. After encapsulation, ERSPAN sends the IP or GRE packet through an IP network to a device on the network. This device sends the original frame to an analyzing device that is directly connected to the network device.

How to Configure ERSPAN

ERSPAN uses separate source and destination sessions. You configure the source and destination sessions on different routers. The following sections describe how to configure ERSPAN sessions:

Configuring an ERSPAN Source Session

Perform this task to configure an ERSPAN source session. The ERSPAN source session defines the session configuration parameters and the ports or VLANs to be monitored.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    monitor session span-session-number type {erspan-destination | erspan-source}

4.    description string

5.    source interface {if-single | if-list | if-range | if-mixed} [rx | tx | both]

6.    source vlan {id-single | id-list | id-range | id-mixed} [rx | tx | both]

7.    filter vlan {id-single | id-list | id-range | id-mixed}

8.    destination

9.    erspan-id erspan-flow-id

10.    ip address ip-address

11.    ip prec prec-value

12.    ip dscp dscp-value

13.    ip ttl ttl-value

14.    origin ip address ip-address [force]

15.    vrf vrf-id

16.    end


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
monitor session span-session-number type {erspan-destination | erspan-source}


Example:

Router(config)# monitor session 1 type erspan-destination

 

Defines an ERSPAN destination session using the session ID and the session type, and enters ERSPAN monitor source session configuration mode.

  • The span-session-number argument range is from 1 to 1024. The same session number cannot be used more than once.
  • The session IDs for source sessions or destination sessions are in the same global ID space, so each session ID is globally unique for both session types.
  • The session ID (configured by the span-session number argument) and the session type (configured by the erspan-destination or erspan-source keyword) cannot be changed once entered. Use the no form of the command to remove the session and then re-create the session through the command with a new session ID or a new session type.
 
Step 4
description string


Example:

Router(config-mon-erspan-src)# description source1

 

(Optional) Describes the ERSPAN source session.

  • The string argument can be up to 240 characters and cannot contain special characters or spaces.
 
Step 5
source interface {if-single | if-list | if-range | if-mixed} [rx | tx | both]


Example:

Router(config-mon-erspan-src)# source interface GigabitEthernet1/0/1 rx

 

Associates the ERSPAN source session number with the source ports, and selects the traffic direction to be monitored.

 
Step 6
source vlan {id-single | id-list | id-range | id-mixed} [rx | tx | both]


Example:

Router(config-mon-erspan-src)# source vlan 1

 

(Optional) Associates the ERSPAN source session number with the VLANs, and selects the traffic direction to be monitored.

  • You cannot mix source VLANs and filter VLANs within a session. You can have source VLANs or filter VLANs, but not both at the same time.
 
Step 7
filter vlan {id-single | id-list | id-range | id-mixed}


Example:

Router(config-mon-erspan-src)# filter vlan 1

 

(Optional) Configures source VLAN filtering when the ERSPAN source is a trunk port.

  • You cannot mix source VLANs and filter VLANs within a session. You can have source VLANs or filter VLANs, but not both at the same time.
 
Step 8
destination


Example:

Router(config-mon-erspan-src)# destination

 

Enters ERSPAN source session destination configuration mode.

 
Step 9
erspan-id erspan-flow-id


Example:

Router(config-mon-erspan-src-dst)# erspan-id 100

 

Configures the ID number used by the source and destination sessions to identify the ERSPAN traffic, which must also be entered in the ERSPAN destination session configuration.

 
Step 10
ip address ip-address


Example:

Router(config-mon-erspan-src-dst)# ip address 10.10.0.1

 

Configures the IP address used as the source of the ERSPAN traffic.

 
Step 11
ip prec prec-value


Example:

Router(config-mon-erspan-src-dst)# ip prec 5

 

(Optional) Configures the IP precedence value of the packets in the ERSPAN traffic.

  • You can optionally use either the ip prec command or the ip dscp command, but not both.
 
Step 12
ip dscp dscp-value


Example:

Router(config-mon-erspan-src-dst)# ip dscp

 

(Optional) Enables the use of IP differentiated services code point (DSCP) for packets that originate from a circuit emulation (CEM) channel.

  • You can optionally use either the ip prec command or the ip dscp command, but not both.
 
Step 13
ip ttl ttl-value


Example:

Router(config-mon-erspan-src-dst)# ip ttl 32

 

(Optional) Configures the IP time-to-live (TTL) value of the packets in the ERSPAN traffic.

 
Step 14
origin ip address ip-address [force]


Example:

Router(config-mon-erspan-src-dst)# origin ip address 10.1.0.1

 

Configures the IP address used as the source of the ERSPAN traffic.

 
Step 15
vrf vrf-id


Example:

Router(config-mon-erspan-src-dst)# vrf 1

 

(Optional) Configures the VRF name to use instead of the global routing table.

 
Step 16
end


Example:

Router(config-mon-erspan-src-dst)# end

 

Exits ERSPAN source session destination configuration mode, and returns to privileged EXEC mode.

 

Configuring an ERSPAN Destination Session

Perform this task to configure an ERSPAN destination session. The ERSPAN destination session defines the session configuration parameters and the ports that will receive the monitored traffic.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    monitor session session-number type {erspan-destination | erspan-source}

4.    description string

5.    destination interface {if-single | if-list | if-range | if-mixed} [rx | tx | both]

6.    source

7.    erspan-id erspan-flow-id

8.    ip address ip-address

9.    vrf vrf-id

10.    end


DETAILED STEPS
  Command or Action Purpose
Step 1
enable


Example:

Router> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Router# configure terminal

 

Enters global configuration mode.

 
Step 3
monitor session session-number type {erspan-destination | erspan-source}


Example:

Router(config)# monitor session 1 type erspan-source

 

Defines an ERSPAN source session using the session ID and the session type, and enters the command in ERSPAN monitor source session configuration mode.

The session-number argument range is from 1 to 1024. The same session number cannot be used more than once.

The session IDs for source sessions or destination sessions are in the same global ID space, so each session ID is globally unique for both session types.

The session ID (configured by the session number argument) and the session type (configured by the erspan-destination or erspan-source keyword) cannot be changed once entered. Use the no form of the command to remove the session and then re-create the session through the command with a new session ID or a new session type.

 
Step 4
description string


Example:

Router(config-mon-erspan-src)# description source1

 

(Optional) Describes the ERSPAN source session.

The string argument can be up to 240 characters and cannot contain special characters or spaces.

 
Step 5
destination interface {if-single | if-list | if-range | if-mixed} [rx | tx | both]


Example:

Router(config-mon-erspan-src)# destination interface GigabitEthernet1/0/1 rx

 

Associates the ERSPAN source session number with the source ports, and selects the traffic direction to be monitored.

 
Step 6
source


Example:

Router(config-mon-erspan-src)# source

 

Enters ERSPAN destination session source configuration mode.

 
Step 7
erspan-id erspan-flow-id


Example:

Router(config-mon-erspan-src-dst)# erspan-id 100

 

Configures the ID number used by the source and destination sessions to identify the ERSPAN traffic, which must also be entered in the ERSPAN destination session configuration.

 
Step 8
ip address ip-address


Example:

Router(config-mon-erspan-src-dst)# ip address 10.10.0.1

 

Configures the IP address used as the source of the ERSPAN traffic.

 
Step 9
vrf vrf-id


Example:

Router(config-mon-erspan-src-dst)# vrf 1

 

(Optional) Configures the VRF name to use instead of the global routing table.

 
Step 10
end


Example:

Router(config-mon-erspan-src-dst)# end

 

Exits ERSPAN destination session source configuration mode, and returns to privileged EXEC mode.

 

Configuration Examples for ERSPAN

Example: Configuring an ERSPAN Source Session

The following example shows how to configure an ERSPAN source session: 


monitor session 1 type erspan-source
 source interface GigabitEthernet1/0/1 rx
 source interface GigabitEthernet1/0/4 - 8 tx
 source interface GigabitEthernet1/0/3
 destination
  erspan-id 100
  ip address 10.10.0.1
  ip prec 5
  ip ttl 32
  origin ip address 10.1.0.1

Example: Configuring an ERSPAN Destination Session

The following example shows how to configure an ERSPAN destination session: 

monitor session 2 type erspan-destination
 destination interface GigabitEthernet1/3/2
 destination interface GigabitEthernet2/2/0
 source
  erspan-id 100
  ip address 10.10.0.1

Additional References

The following sections provide references related to the ERSPAN feature.

Related Documents

Related Topic

Document Title

LAN Switching commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS LAN Switching Command Reference

Cisco IOS commands

Cisco IOS Master Commands List, All Releases

Standards

Standard

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

--

MIBs

MIB

MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

No new or modified RFCs are supported by this feature, and support for existing standards has not been modified by this feature.

--

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Feature Information for Configuring ERSPAN

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Configuring ERSPAN

Feature Name

Releases

Feature Information

Encapsulated Remote SPAN

Cisco IOS XE Release 2.1

ERSPAN sessions allow you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destination ports.

The following section provides information about this feature.

The following commands were modified by this feature: description, destination, erspan-id, filter, ip dscp, ip prec, ip ttl, monitor permit-list, monitor session, origin ip address, show monitor permit-list, source, switchport, switchport mode trunk, switchport nonegotiate, switchport trunk encapsulation, vrf.

ERSPAN WAN Source Cisco IOS XE Release 3.5S ERSPAN monitors and captures traffic over Ethernet ports and virtual LANs (VLANs).

The following section provides information about this feature.

The following command was introduced by this feature:source interface.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2011 Cisco Systems, Inc. All rights reserved.