The ERSPAN feature requires IP routing to be enabled in the Global Configuration Mode.
The access control list (ACL) filter is applied before the monitored traffic is sent on to the tunnel.
Restrictions for Configuring ERSPAN
The following restrictions apply for this feature:
ERSPAN does not support IP Network Address Translation (NAT) functionality.
Truncation is supported on IPv4 spanned packets only.
An ERSPAN destination interface can be part of only one session. The same destination interface cannot be configured for multiple ERSPANs/SPANs.
You can configure either a list of ports or a list of VLANs as a source, but cannot configure both for a given session.
Filter IP/IPv6/MAC/VLAN access-group and filter SGT cannot be configured at the same time.
When a session is configured through the ERSPAN CLI, the session ID and the session type cannot be changed. To change them, you must use the no form of the commands to remove the session and then reconfigure it.
ERSPAN source sessions do not copy locally-sourced RSPAN VLAN traffic from source trunk ports that carry RSPAN VLANs.
ERSPAN source sessions do not copy locally-sourced ERSPAN Generic routing encapsulation (GRE)-encapsulated traffic from source ports.
Information about Configuring ERSPAN
The following sections provide information about configuring ERSPAN.
ERSPAN Overview
The Cisco ERSPAN feature allows you to monitor traffic on ports or VLANs, and send the monitored traffic to destination ports.
ERSPAN sends traffic to a network analyzer, such as a Switch Probe device or a Remote Monitoring (RMON) probe. ERSPAN supports
source ports, source VLANs, and destination ports on different devices, which helps remote monitoring of multiple devices
across a network.
ERSPAN supports encapsulated packets of up to 9180 bytes. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated
traffic, and an ERSPAN destination session.
You can configure an ERSPAN source session, an ERSPAN destination session, or both on a device. A device on which only an ERSPAN source session is configured is called an ERSPAN source device, and a device on which only an ERSPAN destination session is configured is called an ERSPAN termination device. A device can act as both an ERSPAN source device and a termination device.
For a source port or a source VLAN, the ERSPAN can monitor the ingress, egress, or both ingress and egress traffic. By default,
ERSPAN monitors all traffic, including multicast, and Bridge Protocol Data Unit (BPDU) frames.
A device supports up to 66 sessions. A maximum of 8 source sessions can be configured and the remaining sessions can be configured as RSPAN destination sessions. A source session can be a local SPAN source session, an RSPAN source session, or an ERSPAN source session. The number of source sessions decreases by the number of configured ERSPAN destination sessions.
A device can support a maximum of 50 Security Group Tag (SGT) filters per session.
An ERSPAN source session is defined by the following parameters:
A session ID
ERSPAN flow ID
List of source ports or source VLANs to be monitored by the session
Optional attributes, such as IP type of service (ToS) and IP Time to Live (TTL), related to the GRE envelope
The destination and origin IP addresses, which are used as the destination and source IP addresses of the generic routing encapsulation (GRE) envelope for the captured traffic, respectively
Note
ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have
either ports or VLANs as sources, but not both.
Because encapsulation and decapsulation are performed in the hardware, the CPU performance is not impacted.
Only IPv4 delivery/transport header is supported.
ERSPAN Sources
The Cisco ERSPAN feature supports the following sources:
Source ports—A source port that is monitored for traffic analysis. Source ports in any VLAN can be configured and trunk ports
can be configured as source ports along with nontrunk source ports.
Source VLANs—A VLAN that is monitored for traffic analysis.
ERSPAN Destination Ports
A destination port is a Layer 2 or Layer 3 LAN port to which the ERSPAN source sends traffic for analysis.
When you configure a port as a destination port, it can no longer receive any traffic, and the port is dedicated for use only
by the ERSPAN feature. An ERSPAN destination port does not forward any traffic except that required for the ERSPAN session.
You can configure trunk ports as destination ports, which allows destination trunk ports to transmit encapsulated traffic.
ERSPAN Timestamp
ERSPAN Timestamp is automatically enabled when the ERSPAN header is set to type III. The timestamp field is used to calculate packet latency in devices. The ERSPAN source session fills in the timestamp field with local time information when a packet is received, and the destination session can hand over this timestamp to the application. ERSPAN supports all timestamps in 32-bit format. It supports 100 nanosecond (ns) granularity, and the timestamp field wraparound time is around 7 minutes.
SGT Based ERSPAN
A Security Group Tag (SGT) is a 16-bit value that the Cisco Identity Services Engine (ISE) assigns to the user or endpoint
session upon login. The network infrastructure views the SGT as another attribute to assign to the session and inserts the
Layer 2 tag to all traffic from that session. A platform can support a maximum of 50 SGT policies per session.
On an existing flow-based SPAN (FSPAN) or VLAN filter session, SGT filtering configurations are not allowed.
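An added example (not Cisco's code) of what an analyzer receiving this traffic does with the ERSPAN ID, the truncation flag, the SGT and the 32-bit timestamp described in the two sections above. The bit offsets and the GRE protocol numbers 0x88BE and 0x22EB are assumptions taken from the published ERSPAN Type II/III header layout, not from this page, and the sample packet is constructed.

```python
import struct

ERSPAN_II, ERSPAN_III = 0x88BE, 0x22EB   # GRE protocol types (assumed, see lead-in)
TS_MODULUS = 1 << 32                     # 32-bit timestamp field
TICK_NS = 100                            # 100 ns granularity, as stated above

def parse_erspan(gre: bytes) -> dict:
    """Decode the GRE and ERSPAN headers of one mirrored packet."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    # Checksum (C), key (K) and sequence (S) each add 4 bytes when flagged.
    off = 4 + 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    if proto not in (ERSPAN_II, ERSPAN_III):
        raise ValueError("not ERSPAN: GRE protocol 0x%04x" % proto)
    hdr_len = 8 if proto == ERSPAN_II else 12
    if len(gre) < off + hdr_len:
        raise ValueError("truncated ERSPAN header")
    (w0,) = struct.unpack_from("!I", gre, off)
    info = {
        "header_type": 2 if proto == ERSPAN_II else 3,
        "vlan": (w0 >> 16) & 0xFFF,
        "truncated": bool(w0 & 0x400),   # T bit: mirrored frame was truncated
        "erspan_id": w0 & 0x3FF,         # 10-bit session (ERSPAN) ID
    }
    if proto == ERSPAN_III:
        ts, sgt, tail = struct.unpack_from("!IHH", gre, off + 4)
        info.update(timestamp=ts, sgt=sgt)
        if tail & 0x1:                   # O bit: 8-byte optional subheader follows
            hdr_len += 8
    info["inner_frame"] = gre[off + hdr_len:]
    return info

def latency_ns(t_first: int, t_second: int) -> int:
    """Elapsed time between two timestamps, correct across one wraparound."""
    return ((t_second - t_first) % TS_MODULUS) * TICK_NS

def wrap_period_s() -> float:
    """Seconds until the 32-bit counter wraps at 100 ns per tick."""
    return TS_MODULUS * TICK_NS / 1e9

def sample_type3_packet() -> bytes:
    """Constructed sample: ERSPAN ID 100, VLAN 10, T bit set, SGT 7."""
    gre = struct.pack("!HHI", 0x1000, ERSPAN_III, 1)        # S bit set, sequence 1
    w0 = (2 << 28) | (10 << 16) | 0x400 | 100
    erspan = struct.pack("!IIHH", w0, 0xFFFFFF00, 7, 0x0000)
    return gre + erspan + b"\xaa" * 14
```

The modular subtraction in latency_ns is only meaningful when the two observations are less than one wrap period apart, which at these values is about 429.5 seconds.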
How to Configure ERSPAN
The following sections provide information about how to configure ERSPAN.
Configuring an ERSPAN Source Session
The ERSPAN source session defines the session configuration parameters and the ports or VLANs to be monitored.
Device(config)# monitor session 1 type erspan-source
Defines an ERSPAN source session using the session ID and the session type, and enters ERSPAN monitor source session configuration
mode.
The span-session-number argument range is from 1 to 66. The same session number cannot be used more than once.
The session IDs for source sessions or destination sessions are in the same global ID space, so each session ID is globally
unique for both session types.
The session ID (configured by the span-session-number argument) and the session type (configured by the erspan-source keyword) cannot be changed once entered. Use the no form of this command to remove the session and then re-create the session, with a new session ID or a new session type.
(Optional) Configures source VLAN filtering when the ERSPAN source is a trunk port. The filter sgt sgt-ID command configures SGT filtering in the ERSPAN source session.
Note
You cannot include source VLANs and filter VLANs in the same session.
Configures the ID used by source and destination sessions to identify the ERSPAN traffic, which must also be entered in the
ERSPAN destination session configuration.
Step 10
ip address ip-address
Example:
Device(config-mon-erspan-src-dst)# ip address 10.10.0.1
Configures the IP address that is used as the destination of the ERSPAN traffic.
Step 11
ip dscp dscp-value
Example:
Device(config-mon-erspan-src-dst)# ip dscp 10
(Optional) Enables the use of IP differentiated services code point (DSCP) for packets that originate from a circuit emulation
(CEM) channel.
Step 12
ip ttl ttl-value
Example:
Device(config-mon-erspan-src-dst)# ip ttl 32
(Optional) Configures the IP TTL value of packets in the ERSPAN traffic.
Step 13
mtu mtu-size
Example:
Device(config-mon-erspan-src-dst)# mtu 512
Configures the MTU size for truncation. Any ERSPAN packet that is larger than the configured MTU size is truncated to the
configured size. The MTU size range is 176 to 9000 bytes. The default value is 9000 bytes.
Step 14
origin ip address ip-address
Example:
Device(config-mon-erspan-src-dst)# origin ip address 10.10.0.1
Configures the IP address used as the source of the ERSPAN traffic.
Step 15
vrf vrf-id
Example:
Device(config-mon-erspan-src-dst)# vrf 1
(Optional) Configures the VRF name to use instead of the global routing table.
Step 16
exit
Example:
Device(config-mon-erspan-src-dst)# exit
Exits ERSPAN source session destination configuration mode, and returns to ERSPAN source session configuration mode.
Step 17
no shutdown
Example:
Device(config-mon-erspan-src)# no shutdown
Enables the configured sessions on an interface.
Step 18
end
Example:
Device(config-mon-erspan-src)# end
Exits ERSPAN source session configuration mode, and returns to privileged EXEC mode.
Configuring an ERSPAN Destination Session
Perform this task to configure an ERSPAN destination session. The ERSPAN destination session defines the session configuration
parameters and the ports that will receive the monitored traffic.
Device(config)# monitor session 1 type erspan-destination
Defines an ERSPAN destination session using the session ID and the session type, and enters ERSPAN monitor destination session
configuration mode.
The session-number argument range is from 1 to 66. The session number must be unique and cannot be used more than once.
The session IDs for source sessions or destination sessions are in the same global ID space, so each session ID is globally
unique for both session types.
The session ID (configured by the session-number argument) and the session type (configured by the erspan-destination keyword) cannot be changed once entered. Use the no form of this command to remove the session, and then recreate the session with a new session ID or a new session type.
Configures the ID used by source and destination sessions to identify the ERSPAN traffic, which must also be entered in the
ERSPAN source session configuration.
Step 8
ip address ip-address [force]
Example:
Device(config-mon-erspan-dst-src)# ip address 10.10.0.1
Configures the IP address that is used as the source of the ERSPAN traffic.
The ip address ip-address force command changes the source IP address for all ERSPAN destination sessions.
Step 9
no shutdown
Example:
Device(config-mon-erspan-dst-src)# no shutdown
Enables the configured sessions on an interface.
Step 10
end
Example:
Device(config-mon-erspan-dst-src)# end
Exits ERSPAN destination session source configuration mode, and returns to privileged EXEC mode.
Configuration examples for ERSPAN
The following sections provide configuration examples for ERSPAN.
Example: Configuring an ERSPAN Source Session
The following example shows how to configure an ERSPAN source session:
Device> enable
Device# configure terminal
Device(config)# monitor session 1 type erspan-source
Device(config-mon-erspan-src)# description source1
Device(config-mon-erspan-src)# source interface GigabitEthernet 1/0/1 rx
Device(config-mon-erspan-src)# source interface GigabitEthernet 1/0/4 - 8 tx
Device(config-mon-erspan-src)# source interface GigabitEthernet 1/0/3
Device(config-mon-erspan-src)# destination
Device(config-mon-erspan-src-dst)# erspan-id 100
Device(config-mon-erspan-src-dst)# ip address 10.1.0.2
Device(config-mon-erspan-src-dst)# ip prec 5
Device(config-mon-erspan-src-dst)# ip ttl 32
Device(config-mon-erspan-src-dst)# mtu 512
Device(config-mon-erspan-src-dst)# origin ip address 10.10.0.1
Device(config-mon-erspan-src-dst)# vrf 1
Device(config-mon-erspan-src-dst)# no shutdown
Device(config-mon-erspan-src-dst)# end
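An added example (not part of the Cisco documentation) that audits saved ERSPAN source-session configuration against the limits this page states: session numbers 1 to 66, ports or VLANs but not both, filter access-group and filter SGT not together, and MTU 176 to 9000. The config excerpt, the `source vlan` and `filter ip access-group` spellings, and the collector allowlist are assumptions made for the illustration.

```python
import re

SAMPLE = """\
monitor session 1 type erspan-source
 source interface GigabitEthernet1/0/1 rx
 source vlan 20
 filter sgt 100
 filter ip access-group 110
 destination
  erspan-id 100
  ip address 10.1.0.2
  mtu 128
  origin ip address 10.10.0.1
monitor session 2 type erspan-source
 source interface GigabitEthernet1/0/3
 destination
  erspan-id 101
  ip address 192.0.2.50
"""  # constructed running-config excerpt, not from the page
APPROVED_COLLECTORS = {"10.1.0.2"}  # hypothetical site policy, not from the page

def parse_sessions(text):
    """Group indented lines under each 'monitor session N type erspan-source'."""
    sessions, cur = [], None
    for raw in text.splitlines():
        m = re.match(r"monitor session (\d+) type erspan-source\s*$", raw)
        if m:
            sessions.append(cur := {"id": int(m.group(1)), "lines": []})
        elif raw.startswith(" ") and cur is not None:
            cur["lines"].append(raw.strip())
        else:
            cur = None  # any other top-level line closes the block
    return sessions

def audit(text):
    """Return (session_id, finding) pairs for ERSPAN source sessions."""
    out = []
    for s in parse_sessions(text):
        sid, lines = s["id"], s["lines"]
        has = lambda rx: any(re.match(rx, l) for l in lines)
        if not 1 <= sid <= 66:
            out.append((sid, "session number outside 1-66"))
        if has(r"source interface ") and has(r"source vlan "):
            out.append((sid, "ports and VLANs both configured as sources"))
        if has(r"filter sgt ") and has(r"filter (ip|ipv6|mac) access-group "):
            out.append((sid, "filter access-group combined with filter sgt"))
        for l in lines:
            m = re.match(r"mtu (\d+)$", l)
            if m and not 176 <= int(m.group(1)) <= 9000:
                out.append((sid, "mtu outside 176-9000"))
            m = re.match(r"ip address (\S+)$", l)  # GRE destination, not origin
            if m and m.group(1) not in APPROVED_COLLECTORS:
                out.append((sid, "destination " + m.group(1) + " not an approved collector"))
    return out
```

Running audit(SAMPLE) reports three rule violations for session 1 and flags session 2 because its mirrored traffic is sent to an address outside the allowlist.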
Example: Configuring an ERSPAN Destination Session
The following example shows how to configure an ERSPAN destination session:
To verify the ERSPAN configuration, use the following commands:
The following is sample output from the show monitor session command:
Device# show monitor session 53
Session 53
----------
Type : ERSPAN Source Session
Status : Admin Enabled
Source Ports :
MTU : Fo1/0/2
The following is sample output from the show platform software monitor session command:
Device# show platform software monitor session 53
Span Session 53 (FED Session 0):
Type: ERSPAN Source
Prev type: Unknown
Ingress Src Ports:
Egress Src Ports:
Ingress Local Src Ports: (null)
Egress Local Src Ports: (null)
Destination Ports:
Ingress Src Vlans:
Egress Src Vlans:
Ingress Up Src Vlans: (null)
Egress Up Src Vlans: (null)
Src Trunk filter Vlans:
RSPAN dst vlan: 0
RSPAN src vlan: 0
RSPAN src vlan sav: 0
Dest port encap = 0x0000
Dest port ingress encap = 0x0000
Dest port ingress vlan = 0x0
SrcSess: 1 DstSess: 0 DstPortCfgd: 0 RspnDstCfg: 0 RspnSrcVld: 0
DstCliCfg: 0 DstPrtInit: 0 PsLclCfgd: 0
Flags: 0x00000000
Remote dest port: 0 Dest port group: 0
FSPAN disabled
FSPAN not notified
ERSPAN Id : 0
ERSPAN Org Ip: 0.0.0.0
ERSPAN Dst Ip: 0.0.0.0
ERSPAN Ip Ttl: 255
ERSPAN DSCP : 0
ERSPAN MTU : 1500 >>>>
ERSPAN VRFID : 0
ERSPAN State : Disabled
ERSPAN Tun id: 61
ERSPAN header-type: 2
ERSPAN SGT :
The following is sample output from the show monitor session erspan-source detail command:
Device# show monitor session erspan-source detail
Type : ERSPAN Source Session
Status : Admin Enabled
Description : -
Source Ports :
RX Only : None
TX Only : None
Both : None
Source Subinterfaces :
RX Only : None
TX Only : None
Both : None
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source Drop-cause : None
Source EFPs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : None
Filter VLANs : None
Filter SGT : None
Dest RSPAN VLAN : None
IP Access-group : None
MAC Access-group : None
IPv6 Access-group : None
Filter access-group :None
smac for wan interface : None
dmac for wan interface : None
Destination IP Address : 192.0.2.1
Destination IPv6 Address : None
Destination IP VRF : None
MTU : 1500
Destination ERSPAN ID : 251
Origin IP Address : 10.10.10.216
Origin IPv6 Address : None
IP QOS PREC : 0
IPv6 Flow Label : None
IP TTL : 255
ERSPAN header-type : 3
The following output from the show capability feature monitor erspan-source command displays information about the configured ERSPAN source sessions:
Device# show capability feature monitor erspan-source
ERSPAN Source Session:ERSPAN Source Session Supported: TRUE
No of Rx ERSPAN source session: 8
No of Tx ERSPAN source session: 8
ERSPAN Header Type supported: II and III
ACL filter Supported: TRUE
SGT filter Supported: TRUE
Fragmentation Supported: TRUE
Truncation Supported: FALSE
Sequence number Supported: FALSE
QOS Supported: TRUE
The following output from the show capability feature monitor erspan-destination command displays all the configured global built-in templates:
Device# show capability feature monitor erspan-destination
ERSPAN Destination Session:ERSPAN Destination Session Supported: TRUE
Maximum No of ERSPAN destination session: 8
ERSPAN Header Type supported: II and III
Additional References
RFCs
Standard/RFC: RFC 2784
Title: Generic Routing Encapsulation (GRE)
The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to https://cfnng.cisco.com/. An account on Cisco.com is not required.
Table 1. Feature Information for Configuring ERSPAN
Feature Name: ERSPAN
Releases: Cisco IOS XE Denali 16.3.1
Feature Information: This module describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). The Cisco ERSPAN feature allows you to monitor traffic on ports or VLANs and send the monitored traffic to destination ports over a generic routing encapsulation (GRE) tunnel in any VRF.
In Cisco IOS XE Denali 16.3.1, this feature was introduced on Cisco Catalyst 3650 Series Switches and Cisco Catalyst 3850 Series Switches.
The following commands were introduced or modified: destination (ERSPAN), erspan, filter (ERSPAN), and show capability feature monitor.
The following commands were introduced or modified: destination (ERSPAN), filter (ERSPAN), and show capability feature monitor.
Feature Name: ERSPAN
Releases: Cisco IOS XE Gibraltar 16.11.1
Feature Information: Support of destination sessions was introduced.
The vrf and ip dscp commands, and the sgt keyword were introduced.
ERSPAN has been enhanced to configure a device to Type-III header.
The header-type 3 command was introduced.
Support of ERSPAN truncation and timestamp was introduced.