Information About ERSPAN
The Cisco NX-OS system supports the Encapsulated Remote Switching Port Analyzer (ERSPAN) feature on both source and destination ports. ERSPAN transports mirrored traffic over an IP network.
ERSPAN consists of an ERSPAN source session, routable ERSPAN generic routing encapsulation (GRE)-encapsulated traffic, and an ERSPAN destination session. You can separately configure ERSPAN source sessions and destination sessions on different switches.
ERSPAN Types
-
Provides timestamp information in the ERSPAN Type III header that can be used to calculate packet latency among edge, aggregate, and core switches.
-
Identifies possible traffic sources using the ERSPAN Type III header fields.
ERSPAN Sources
-
Ethernet ports and port channels.
-
VLANs—When a VLAN is specified as an ERSPAN source, all supported interfaces in the VLAN are ERSPAN sources.
-
A port configured as a source port cannot also be configured as a destination port.
-
ERSPAN does not monitor any packets that are generated by the supervisor, regardless of their source.
-
Ingress traffic at source ports can be filtered by using ACLs so that they mirror only those packets of information that match the ACL criteria.
ERSPAN Destinations
ERSPAN destination sessions capture packets sent by ERSPAN source sessions on Ethernet ports or port channels and send them to the destination port. Destination ports receive the copied traffic from ERSPAN sources.
ERSPAN destination sessions are identified by the configured source IP address and ERSPAN ID. This allows multiple source sessions to send ERSPAN traffic to the same destination IP and ERSPAN ID and allows you to have multiple sources terminating at a single destination simultaneously.
-
A port configured as a destination port cannot also be configured as a source port.
-
Destination ports do not participate in any spanning tree instance or any Layer 3 protocols.
-
Ingress and ingress learning options are not supported on monitor destination ports.
-
Host Interface (HIF) port channels and fabric port channel ports are not supported as SPAN destination ports.
ERSPAN Sessions
You can create ERSPAN sessions that designate sources and destinations to monitor.
When configuring ERSPAN source sessions, you must configure the destination IP address. When configuring ERSPAN destination sessions, you must configure the source IP address. See ERSPAN Sources for the properties of source sessions and ERSPAN Destinations for the properties of destination sessions.
Note |
Only eight unidirectional, or four bidirectional ERSPAN or SPAN source sessions can run simultaneously across all switches. Only 20 ERSPAN destination sessions can run simultaneously across all switches. |
The following figure shows an ERSPAN configuration.
Multiple ERSPAN Sessions
You can define up to eight unidirectional ERSPAN source or SPAN sessions, or four bidirectional ERSPAN source or SPAN sessions at one time. You can shut down any unused ERSPAN sessions.
For information about shutting down ERSPAN sessions, see Shutting Down or Activating an ERSPAN Session.
ERSPAN Marker Packet
The type III ERSPAN header carries a hardware generated 32-bit timestamp. This timestamp field wraps periodically. When the switch is set to 1 ns granularity, this field wraps every 4.29 seconds. Such a wrap time makes it difficult to interpret the real value of the timestamp.
To recover the real value of the ERSPAN timestamp, Cisco NX-OS Release 6.0(2)A4(1) introduces a periodical marker packet to carry the original UTC timestamp information and provide a reference for the ERSPAN timestamp. The marker packet is sent out in 1-second intervals. Therefore, the destination site can detect the 32-bit wrap by checking the difference between the timestamp of the reference packet and the packet order.
High Availability
The ERSPAN feature supports stateless and stateful restarts. After a reboot or supervisor switchover, the running configuration is applied.