Configure ASR1000 Local ERSPAN

Available Languages

Download Options

  • PDF     (77.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (71.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (66.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 28, 2017
Document ID:116212

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure a local Switched Port Analyzer (SPAN) quickly and easily on an Aggregation Services Router (ASR) 1000. This type of SPAN is called a local Encapsulated Remote SPAN (ERSPAN).

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    The information in this document is based on the ASR1002 Router that runs 3.4.6S.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    Background Information

    There are many knobs that can be adjusted, which can be seen in detail in the LAN Switching Configuration Guide, Cisco IOS XE Release 3S.

    Configure

    Network Diagram

    Traffic flows in and out of G0/0/0. The sniffer application is on G0/0/2.

    G0/0/0 --- ASR1002 ----G0/0/2

    Configuration

    1. Define a session in order to monitor the traffic and another session in order to send that traffic out the local interface.
    2. Ensure that the IP address and origin-IP in both session definitions are exactly the same. This is required. Use an address that is local to the router; an unused loopback is suggested.
    3. Ensure that the ERSPAN-ID is also the same.

      interface GigabitEthernet0/0/0
       ip address 192.168.1.1 255.255.255.0
       negotiation auto
      ! 
      interface GigabitEthernet0/0/2
       no ip address
       negotiation auto
      ! 
      interface Loopback1
       ip address 10.1.1.1 255.255.255.255
      !
      monitor session 10 type erspan-source
       source interface Gi0/0/0
       destination
        erspan-id 10
        ip address 10.1.1.1
        origin ip address 10.1.1.1
      monitor session 20 type erspan-destination
       destination interface Gi0/0/2
       source
        erspan-id 10
        ip address 10.1.1.1

    Another common ERSPAN configuration is a local SPAN when the source interface is a trunk.

    1. For this configuration, set the physical interface as the ERSPAN source.
    2. On the ERSPAN destination, disable the VLAN filter with the plim ethernet vlan filter disable command. If the filter is not disabled, the SPAN session does not send the replicated traffic.

      G0/0/0 --dot1q-- ASR1002 ----G0/0/2

      interface GigabitEthernet0/0/0
       no ip address
       negotiation auto
      !
      interface GigabitEthernet0/0/0.2
       encapsulation dot1Q 2
       ip address 192.168.1.1 255.255.255.0
      !
      interface GigabitEthernet0/0/2
       no ip address
       negotiation auto
       plim ethernet vlan filter disable
      !
      interface Loopback1
       ip address 10.1.1.1 255.255.255.255
      !
      monitor session 10 type erspan-source
       source interface Gi0/0/0
       destination
        erspan-id 10
        ip address 10.1.1.1
        origin ip address 10.1.1.1
      monitor session 20 type erspan-destination
       destination interface Gi0/0/2
       source
        erspan-id 10
        ip address 10.1.1.1

    Verify

    Use this section in order to confirm that your configuration works properly.

    The simplest verification is to check that the output packet count increases on the ERSPAN destination interface. Since this interface does not have a configuration on it, there is no other traffic.

    ASR1002#show int gig 0/0/2 | i packets out
         2073 packets output, 242097 bytes, 0 underruns

    You can also look at the session information in the Quantum Flow Processor (QFP). In these examples, the Statistics increase as packets are copied.

    ASR2#show platform hardware qfp active feature erspan session 10
    ERSPAN Session: 10
      Type         : SRC 
      Config Valid : Yes
      User On/Off  : On
      DP Debug Cfg : 0x00000000
    Statistics:
      Src session transmit :               4165 /             634836
    Configuration:
      VRF ID       : 0
      Dest IP addr : 10.1.1.1
      Orig IP addr : 10.1.1.1
      Flow ID      : 10
      GRE protocol : 0x88BE
      MTU          : 1464
      IP TOS       : 0
      IP TTL       : 255
      COS          : 0
    Encapsulation:
      00000000  4500  0000  0000  4000  ff2f  0000  0a01  0101
      00000010  0a01  0101  1000  88be  0000  0000  1001  000a
      00000020  0000  0000  0000  0000  0000  0000  0000  0000
    Port Configurations:
      VF      Interface Name                              Flag    Status       
      -----------------------------------------------------------------------

      No      GigabitEthernet0/0/0                        BOTH    Enable   
    ASR2#show platform hardware qfp active feature erspan session 20
    ERSPAN Session: 20
      Type         : TERM
      Config Valid : Yes
      User On/Off  : On
      DP Debug Cfg : 0x00000000
    Statistics:
      Term session receive :               4167 /             635644
    Configuration:
      VRF ID       : 0
      Dest IP addr : 10.1.1.1
      Flow ID      : 10
    Port Configurations:
      VF      Interface Name                              Flag    Status       
      -----------------------------------------------------------------------
      No      GigabitEthernet0/0/2                        TX      Enable       

    Troubleshoot

    This section provides information you can use in order to troubleshoot your configuration.

    • When a monitor session is first configured, it is shut down. The session must be enabled with the no shutdown command.
    • ERSPAN only works on Layer 3 interfaces. It does not work for Ethernet interfaces that are Layer 2, such as Bridge Domain Interfaces or service instances.
    • If any of the sources that are monitored are part of a Dot1q trunk, the traffic analyzed with SPAN is dropped by the outgoing interface. In order to fix this issue, add the plim ethernet vlan filter disable command to the physical ERSPAN destination interface.
    • The ERSPAN destination interface should not contain any configuration besides what is required in order to bring the link online. No IP addresses are needed. The interface is used solely for ERSPAN traffic.
    TAC Authored

    Contributed by Cisco Engineers

    • Tim Perry
      Cisco TAC Engineer
    • David Chen
      Cisco TAC Engineer
    • Manigandan B
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products