ERSPAN
The Cisco Encapsulated Remote Switched Port Analyzer (ERSPAN) feature allows you to monitor traffic on ports or VLANs, and send the monitored traffic to destination ports over a Layer 3 (IP) network using Generic Routing Encapsulation (GRE) encapsulation. ERSPAN sends traffic to a network analyzer, such as a Switch Probe device or a Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different devices, which help remote monitoring of multiple devices across a network.
ERSPAN supports encapsulated packets of up to 9180 bytes. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session.
You can configure an ERSPAN source session, an ERSPAN destination session, or both on a device. A device on which only an ERSPAN source session is configured is called an ERSPAN source device. A device on which only an ERSPAN destination session is configured is called an ERSPAN termination device. A device can act as both; an ERSPAN source device and a termination device.
Over-subscription of traffic can lead to a drop in management traffic on the destination device. To avoid over-subscription, ensure that the destination session is configured and is working on the destination device, before configuring a source session on the source device.
For a source port or a source VLAN, the ERSPAN can monitor the ingress, egress, or both ingress and egress traffic. By default, ERSPAN monitors all traffic, including multicast, and Bridge Protocol Data Unit (BPDU) frames.
A device supports up to 66 sessions. A maximum of eight source sessions can be configured and the remaining sessions can be configured as RSPAN destinations sessions. A source session can be a local SPAN source session or an RSPAN source session or an ERSPAN source session.
An ERSPAN source session is defined by the following parameters:
-
A session ID.
-
ERSPAN flow ID.
-
List of source ports or source VLANs that are monitored by the session.
-
Optional attributes, such as, IP type of service (ToS) and IP Time to Live (TTL), related to the Generic Routing Encapsulation (GRE) envelope.
-
The destination and origin IP addresses. These are used as the destination and source IP addresses of the GRE envelope for the captured traffic, respectively.
Note |
|