Traffic Mirroring Configuration Guide for Cisco 8000 Series Routers, Cisco IOS XR Release

Monitor ERSPAN sessions with SPAN and security ACLs

Updated: February 5, 2026

On this page

Overview

Configure multiple monitor ERSPAN sessions with SPAN and security ACL

Overview

This section explains how to use SPAN and security ACLs together to monitor multiple ERSPAN sessions under the same source interface. This functionality allows you to distribute mirrored traffic across different destination interfaces while selectively allowing incoming traffic.

Monitoring multiple ERSPAN sessions is a functionality that:

uses GREv4 and GREv6 under the same source interface to monitor multiple ERSPAN sessions
allows you to choose the destination interface for the mirrored traffic from the multiple ERSPAN monitor sessions configured on an interface, and
uses SPAN and security ACLs together for the configuration of monitor sessions.

Table 1. Feature History Table
Feature Name	Release Information	Feature Description
Monitor multiple ERSPAN sessions with SPAN and security ACL	Release 25.1.1	Introduced in this release on: Fixed Systems (8700 [ASIC: K100], 8010 [ASIC: A100]) This feature is now supported on: 8712-MOD-M 8011-4G24Y4H-I
Monitor multiple ERSPAN sessions with SPAN and security ACL	Release 24.4.1	Introduced in this release on: Fixed Systems(8200, 8700)(select variants only); Modular Systems (8800 [LC ASIC: P100])(select variants only). This feature now enables you to use SPAN and security ACL together to monitor multiple ERSPAN sessions under the same source interface thus distributing the mirrored traffic over different destination interfaces and allowing selective incoming traffic on the following hardware. *This feature is now supported on: 8212-48FH-M 8711-32FH-M 8712-MOD-M 88-LC1-12TH24FH-E 88-LC1-52Y8H-EM 88-LC1-36EH
Monitor multiple ERSPAN sessions with SPAN and security ACL	Release 7.5.4	With this feature, you can use SPAN and security ACL together to monitor multiple ERSPAN sessions under the same source interface. SPAN ACL helps you to distribute the mirrored traffic over different destination interfaces and Security ACL helps you to allow selective incoming traffic.

Configure multiple monitor ERSPAN sessions with SPAN and security ACL

Use this procedure to configure SPAN and security ACL with GREv4 and GREv6 monitor sessions.

Procedure

Start a monitor session and attach the SPAN ACL to an interface.

Example:

Router# configure
Router(config-if)#monitor-session always-on-v4
Router(config-if)#monitor-session always-on-v4 ethernet direction rx-only port-level
Router(config-if-mon)#acl ipv4 v4-monitor-acl1
Router(config-if-mon)#acl ipv6 v6-monitor-acl1
Router(config-if-mon)#exit
Router(config-if)#monitor-session on-demand-v4 ethernet direction rx-only port-level
Router(config-if-mon)#acl ipv4 v4-monitor-acl2
Router(config-if-mon)#acl ipv6 v6-monitor-acl2
Router(config-if-mon)#exit

Attach the security ACL to an interface.

Example:

Router(config-if)#ipv4 access-group sec_aclv4 ingress
Router(config-if)#ipv6 access-group sec_aclv6 ingress
Router(config-if)#commit

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.