ERSPAN transports mirrored traffic over an IP network, which provides remote monitoring of multiple switches across your network. The traffic is encapsulated at the source router and is transferred across the network. The packet is decapsulated at the destination router and then sent to the destination interface.
Cisco Nexus 9300 Series switches support ERSPAN Type II and Type III, and Cisco Nexus 9500 Series switches support only ERSPAN.
ERSPAN Type III supports all of the ERSPAN Type II features and functionality and adds these enhancements:
Provides Precision Time Protocol (PTP) timestamp information (defined in IEEE 1588) in the ERSPAN Type III header that can be used to calculate packet latency among edge, aggregate, and core switches.
Identifies possible traffic sources using the ERSPAN Type III header fields.
For more information on PTP, see Configuring PTP.
ERSPAN Marker Packet
The ERSPAN Type III header carries a hardware-generated 32-bit timestamp. This timestamp field wraps periodically. When the switch is set to 1 ns granularity, this field wraps every 4.29 seconds. Such a wrap time makes it difficult to interpret the real value of the timestamp.
To recover the real value of the ERSPAN timestamp, you can configure a periodical marker packet to carry the original UTC timestamp information and provide a reference for the ERSPAN timestamp. The marker packet is sent out in 1-second intervals. Therefore, the destination site can detect the 32-bit wrap by checking the difference between the timestamp of the reference packet and the packet order.
The interfaces from which traffic can be monitored are called ERSPAN sources. Sources designate the traffic to monitor and whether to copy ingress, egress, or both directions of traffic. ERSPAN sources include the following:
Ethernet ports (but not subinterfaces)
A single ERSPAN session can include mixed sources in any combination of the above.
You can create ERSPAN sessions that designate sources to monitor.
Localized ERSPAN Sessions
An ERSPAN session is localized when all of the source interfaces are on the same line card.
Beginning with Cisco NX-OS Release 7.0(3)I7(1), you can configure the truncation of source packets for each ERSPAN session based on the size of the MTU. Truncation helps to decrease ERSPAN bandwidth by reducing the size of monitored packets. Any ERSPAN packet that is larger than the configured MTU size is truncated to the given size. For ERSPAN, an additional ERSPAN header is added to the truncated packet from 54 to 166 bytes depending on the ERSPAN header type. For example, if you configure the MTU as 300 bytes, the packets are replicated with an ERSPAN header size from 354 to 466 bytes depending on the ERSPAN header type configuration.
ERSPAN truncation is disabled by default. To use truncation, you must enable it for each ERSPAN session.
The ERSPAN feature supports stateless and stateful restarts. After a reboot or supervisor switchover, the running configuration is applied.
For more information on high availability, see the Cisco Nexus 9000 Series NX-OS High Availability and Redundancy Guide.