This module describes
how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). The Cisco
ERSPAN feature allows you to monitor traffic on ports or VLANs and send the
monitored traffic to destination ports.
The ERSPAN feature requires IP routing to be enabled in the Global Configuration Mode.
delivery/transport header is supported.
list (ACL) filter is applied before sending the monitored traffic on to the
Type-II ERSPAN header.
restrictions apply for this feature:
sessions are not supported.
supports up to 66 sessions. A maximum of 8 source sessions can be configured
and the remaining sessions can be configured as RSPAN destinations sessions. A
source session can be a local SPAN source session or an RSPAN source session or
an ERSPAN source session.
configure either a list of ports or a list of VLANs as a source, but cannot
configure both for a given session.
When a session
is configured through the ERSPAN CLI, the session ID and the session type
cannot be changed. To change them, you must use the no form of the
configuration commands to remove the session and then reconfigure the session.
sessions do not copy locally-sourced Remote SPAN (RSPAN) VLAN traffic from
source trunk ports that carry RSPAN VLANs.
sessions do not copy locally-sourced ERSPAN GRE-encapsulated traffic from
Information for Configuring ERSPAN
The Cisco ERSPAN
feature allows you to monitor traffic on ports or VLANs, and send the monitored
traffic to destination ports. ERSPAN sends traffic to a network analyzer, such
as a Switch Probe device or a Remote Monitoring (RMON) probe. ERSPAN supports
source ports, source VLANs, and destination ports on different devices, which
helps remote monitoring of multiple devices across a network.
encapsulated packets of up to 9180 bytes. ERSPAN consists of an ERSPAN source
session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination
ERSPAN consists of an
ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN
destination session. You can configure an ERSPAN source session, an ERSPAN
destination session, or both on a device. A device on which only an ERSPAN
source session is configured is called an ERSPAN source device, and a device on
which only an ERSPAN destination session is configured is called an ERSPAN
termination device. A device can act as both; an ERSPAN source device and a
For a source port or a
source VLAN, the ERSPAN can monitor the ingress, egress, or both ingress and
egress traffic. By default, ERSPAN monitors all traffic, including multicast,
and Bridge Protocol Data Unit (BPDU) frames.
An ERSPAN source
session is defined by the following parameters:
A session ID
List of source
ports or source VLANs to be monitored by the session
and origin IP addresses, which are used as the destination and source IP
addresses of the generic routing encapsulation (GRE) envelope for the captured
ERSPAN flow ID
attributes, such as, IP Time to Live (TTL), related to the GRE envelope
sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each
ERSPAN source session can have either ports or VLANs as sources, but not both.
encapsulation is performed in the hardware, the CPU performance is not
The Cisco ERSPAN
feature supports the following sources:
source port that is monitored for traffic analysis. Source ports in any VLAN
can be configured and trunk ports can be configured as source ports along with
nontrunk source ports.
VLAN that is monitored for traffic analysis.
interfaces are supported as source ports:
How to Configure ERSPAN
ERSPAN Source Session
The ERSPAN source
session defines the session configuration parameters and the ports or VLANs to
Switch(config)# monitor session span-session-number type erspan-source
ERSPAN source session using the session ID and the session type, and enters
ERSPAN monitor source session configuration mode.
for source sessions or destination sessions are in the same global ID space, so
each session ID is globally unique for both session types.
span-session-number and the session type
(configured by the
keyword) cannot be changed once configured. Use the no form of this command to
remove the session and then re-create the session with a new session ID or a
new session type.
Support website provides extensive online resources, including documentation
and tools for troubleshooting and resolving technical issues with Cisco
products and technologies.
security and technical information about your products, you can subscribe to
various services, such as the Product Alert Tool (accessed from Field Notices),
the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS)
most tools on the Cisco Support website requires a Cisco.com user ID and
The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for
XE Denali 16.3.1
describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN).
The Cisco ERSPAN feature allows you to monitor traffic on ports or VLANs and
send the monitored traffic to destination ports over a generic routing
encapsulation (GRE) tunnel in any VRF.
In Cisco IOS
XE Denali 16.3.1, this feature was introduced on Cisco Catalyst 3650 Series
Switches and Cisco Catalyst 3850 Series Switches.
following commands were introduced or modified: destination (ERSPAN), erspan,
filter (ERSPAN), and show capability feature monitor.
following commands were introduced or modified: