Information About ERSPAN
ERSPAN transports mirrored traffic over an IP network, which provides remote monitoring of multiple switches across your network. The traffic is encapsulated at the source router and is transferred across the network. The packet is decapsulated at the destination router and then sent to the destination interface.
ERSPAN consists of an ERSPAN source session, routable ERSPAN generic routing encapsulation (GRE)-encapsulated traffic, and an ERSPAN destination session. You can separately configure ERSPAN source sessions and destination sessions on different switches.
ERSPAN Source Sessions
An ERSPAN source session is defined by the following:
- A session ID.
- A list of source ports, source VLANs, or source VSANs to be monitored by the session.
- An ERSPAN flow ID.
- Optional attributes related to the GRE envelope such as IP TOS and TTL.
- Destination IP address.
- Virtual Routing and Forwarding tables.
ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have ports, VLANs, or VSANs as sources. However, there are some limitations. For more information, see Guidelines and Limitations for ERSPAN.
The following figure shows an example ERSPAN configuration.
Monitored Traffic
By default, ERSPAN monitors all traffic, including multicast and bridge protocol data unit (BPDU) frames.
The direction of the traffic that ERSPAN monitors depends on the source, as follows:
- For a source port, ERSPAN can monitor ingress, egress, or both ingress and egress traffic.
- For a source VLAN or source VSAN, ERSPAN can monitor only ingress traffic.
ERSPAN Sources
The interfaces from which traffic can be monitored are called ERSPAN sources. Sources designate the traffic to monitor and whether to copy ingress, egress, or both directions of traffic. ERSPAN sources include the following:
- Source Ports—A source port is a port monitored for traffic analysis. You can configure source ports in any VLAN, and trunk ports can be configured as source ports and mixed with nontrunk source ports.
- Source VLANs—A source VLAN is a virtual local area network (VLAN) that is monitored for traffic analysis.
- Source VSANs—A source VSAN is a virtual storage area network (VSAN) that is monitored for traffic analysis.
Truncated ERSPAN
Truncated ERSPAN can be used to reduce the amount of fabric or network bandwidth used in sending ERSPAN packets.
The default is no truncation, so switches or routers receiving large ERSPAN packets might drop these oversized packets.
Note: Do not enable the truncated ERSPAN feature if the destination ERSPAN router is a Cisco Nexus 6001 or Cisco Nexus 6004 switch because the Cisco Nexus 6000 Series switch drops these truncated packets.
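The following is an added example, not part of the original page or of any Cisco code. It shows how a monitoring sensor that receives the mirrored traffic could decode the GRE envelope, read the ERSPAN flow ID and the truncation flag, and discard packets from sessions it does not expect. It assumes the ERSPAN Type II header layout (GRE protocol 0x88BE), which this page does not specify; the function names and the sample bytes are constructed for illustration.

```python
import struct
from typing import Optional

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type carried by ERSPAN Type II (assumed type)

def parse_erspan(gre: bytes) -> dict:
    """Decode GRE + ERSPAN Type II headers from an outer IP packet's payload."""
    if len(gre) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    off = 4
    if flags & 0x8000:   # GRE checksum field present
        off += 4
    if flags & 0x2000:   # GRE key field present
        off += 4
    seq = None
    if flags & 0x1000:   # GRE sequence number present
        if len(gre) < off + 4:
            raise ValueError("short GRE sequence field")
        (seq,) = struct.unpack_from("!I", gre, off)
        off += 4
    if len(gre) < off + 8:
        raise ValueError("short ERSPAN header")
    w1, w2 = struct.unpack_from("!II", gre, off)
    if w1 >> 28 != 1:    # version field is 1 for Type II
        raise ValueError("ERSPAN version field is not Type II")
    return {
        "seq": seq,
        "vlan": (w1 >> 16) & 0xFFF,       # VLAN of the mirrored frame
        "truncated": bool(w1 & 0x400),    # T bit: mirrored frame was truncated
        "flow_id": w1 & 0x3FF,            # 10-bit session (flow) ID
        "index": w2 & 0xFFFFF,
        "frame": gre[off + 8:],           # the mirrored Ethernet frame
    }

def accept(gre: bytes, expected_flow_ids: set) -> Optional[dict]:
    """Return the decoded packet only if its flow ID is one the sensor expects."""
    try:
        pkt = parse_erspan(gre)
    except ValueError:
        return None
    return pkt if pkt["flow_id"] in expected_flow_ids else None

# Constructed sample: S bit set, seq 7, VLAN 10, truncated, flow ID 100, index 3.
SAMPLE = struct.pack("!HHIII", 0x1000, 0x88BE, 7, 0x100A0464, 3) + bytes(14)
```

Filtering on the flow ID at the receiver keeps traffic from unconfigured or unexpected source sessions out of the analysis pipeline, and the truncation flag tells the analyst that the payload of the mirrored frame is incomplete.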
Multiple ERSPAN Sessions
For information about shutting down ERSPAN sessions, see Shutting Down or Activating an ERSPAN Session.
High Availability
The ERSPAN feature supports stateless restarts. After a reboot, the running configuration is applied.