LAN Switching Configuration Guide, Cisco IOS XE Gibraltar 16.10.x
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This module describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). The Cisco ERSPAN feature allows
you to monitor traffic on one or more ports or VLANs and send the monitored traffic to one or more destination ports.
Note
The ERSPAN feature is not supported on Layer 2 switching interfaces.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module,
and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Configuring ERSPAN
The maximum number of allowed ERSPAN sessions on a Cisco ASR 1000 Series Router is 1024. A Cisco ASR 1000 Series Router can
be used as an ERSPAN source device on which only source sessions are configured, an ERSPAN destination device on which only
destination sessions are configured, or an ERSPAN source and destination device on which both source and destination sessions
are configured. However, total number of sessions must not exceed 1024.
The maximum number of available ports for each ERSPAN session is 128.
ERSPAN on Cisco ASR 1000 Series Routers supports only Fast Ethernet, Gigabit Ethernet, TenGigabit Ethernet, and port-channel
interfaces as source ports for a source session.
ERSPAN on Cisco ASR 1000 Series Routers supports only Layer 3 interfaces. Ethernet interfaces are not supported on ERSPAN
when configured as Layer 2 interfaces.
ERSPAN users on Cisco ASR 1000 Series Routers can configure a list of ports as a source or a list of VLANs as a source, but
cannot configure both for a given session.
When a session is configured through the ERSPAN configuration CLI, the session ID and the session type cannot be changed.
To change them, you must first use theno form of the configuration command to remove the session and then reconfigure the session.
The
monitor session span-session-number type local command is not supported on Cisco ASR 1000 Series Routers.
The filter VLAN option is not functional in an ERSPAN monitoring session on WAN interfaces.
Information About Configuring ERSPAN
ERSPAN Overview
The Cisco ERSPAN feature allows you to monitor traffic on one or more ports or more VLANs, and send the monitored traffic
to one or more destination ports. ERSPAN sends traffic to a network analyzer such as a Switch Probe device or other Remote
Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different routers, which provides
remote monitoring of multiple routers across a network (see the figure below).
On a Cisco ASR 1000 Series Router, ERSPAN supports encapsulated packets of up to 9180 bytes. The default ERSPAN maximum
transmission unit (MTU) size is 1500 bytes. If the ERSPAN payload length, which comprises the encapsulated IPv4 header, generic
routing encapsulation (GRE) header, ERSPAN header, and the original packet, exceeds the ERSPAN MTU size, the replicated packet
is truncated to the default ERSPAN MTU size.
ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE encapsulated traffic, and an ERSPAN destination session.
You can configure an ERSPAN source session, an ERSPAN destination session, or both on a Cisco ASR 1000 Series Router. A device
that has only an ERSPAN source session configured is called an ERSPAN source device, and a device that has only an ERSPAN
destination session configured is called an ERSPAN termination device. A Cisco ASR 1000 Series Router can act as both an ERSPAN
source device and an ERSPAN termination device. You can terminate an ERSPAN session with a destination session on the same
Cisco ASR 1000 Series Router.
An ERSPAN source session is defined by the following parameters:
A session ID
List of source ports or source VLANs to be monitored by the session
The destination and origin IP addresses, which are used as the destination and source IP addresses of the GRE envelope for
the captured traffic, respectively
ERSPAN flow ID
Optional attributes, such as, IP type of service (TOS) and IP Time to Live (TTL), related to the GRE envelope
An ERSPAN destination session is defined by the following:
Session ID
Destination ports
Source IP address, which is the same as the destination IP address of the corresponding source session
ERSPAN flow ID, which is used to match the destination session with the source session
ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have
either ports or VLANs as sources, but not both.
The ERSPAN source sessions copy traffic from the source ports or source VLANs and forwards the traffic using routable GRE-encapsulated
packets to the ERSPAN destination session. The ERSPAN destination session switches the traffic to the destination ports.
Figure 1. ERSPAN Configuration
Monitored Traffic
For a source port or a source VLAN, the ERSPAN can monitor the ingress, egress, or both ingress and egress traffic. By default,
ERSPAN monitors all traffic, including multicast and Bridge Protocol Data Unit (BPDU) frames.
ERSPAN
Sources
The Cisco ERSPAN
feature supports the following sources:
Source ports—A
source port that is monitored for traffic analysis. Source ports in any VLAN
can be configured and trunk ports can be configured as source ports along with
nontrunk source ports.
Source VLANs—A
VLAN that is monitored for traffic analysis.
The following tunnel
interfaces are supported as source ports for a ERSPAN source session:
GRE
IPinIP
IPv6
IPv6 over IP tunnel
Multipoint GRE (mGRE)
Secure Virtual Tunnel
Interfaces (SVTI)
Note
SVTI and IPinIP
tunnel interfaces support the monitoring of both IPsec-protected and
non-IPsec-protected tunnel packets. Monitoring of tunnel packets allows you to
see the clear-text tunnel packet after IPsec decryption if that tunnel is IPsec
protected.
The following limitations apply to the enhancements introduced in
Cisco IOS XE Release 3.4S:
Monitoring of
non-IPsec-protected tunnel packets is supported on IPv6 and IPv6 over IP tunnel
interfaces.
The enhancements apply only
to ERSPAN source sessions, not to ERSPAN destination sessions.
ERSPAN has the
following behavior in Cisco IOS XE Release 3.4S:
The tunnel
interface is removed from the ERSPAN database at all levels when the tunnel
interface is deleted. If you want to create the same tunnel again, you must
manually configure it in source monitor sessions to keep monitoring the tunnel
traffic.
The Layer 2
Ethernet header is generated with both source and destination MAC addresses set
to zero.
In Cisco IOS XE
Release 3.5S, support was added for the following types of WAN interfaces as
source ports for a source session:
Serial (T1/E1,
T3/E3, DS0)
Packet over SONET
(POS) (OC3, OC12)
Multilink PPP
The
multilink, pos, and
serial keywords
were added to the
source
interface command.
ERSPAN Destination Ports
A destination port is a Layer 2 or Layer 3 LAN port to which ERSPAN sends traffic for analysis.
When you configure a port as a destination port, it can no longer receive any traffic and, the port is dedicated for use
only by the ERSPAN feature. An ERSPAN destination port does not forward any traffic except that required for the ERSPAN session.
You can configure trunk ports as destination ports, which allows destination trunk ports to transmit encapsulated traffic.
Using ERSPAN as Local SPAN
To use ERSPAN to monitor traffic through one or more ports or VLANs, you must create an ERSPAN source and ERSPAN destination
sessions.
You can create the two sessions either on the same router or on different routers. If the two sessions are created on two
different routers, the monitoring traffic will be forwarded from the source to the destination by ERSPAN. However, if the
two sessions are created on the same router, data flow takes place inside the router, which is similar to that in local SPAN.
The following factors are applicable while using ERSPAN as a local SPAN:
Both sessions have the same ERSPAN ID.
Both sessions have the same IP address. This IP address is the router’s own IP address; that is, the loopback IP address or
the IP address configured on any port.
ERSPAN Support on WAN Interface
In Cisco IOS Release 3.5S an ERSPAN source on WAN is added to allow monitoring of traffic on WAN interfaces. ERSPAN replicates
the original frame and encapsulates the replicated frame inside an IP or GRE packet by adding Fabric Interface ASIC (FIA)
entries on the WAN interface. The frame header of the replicated packet is modified for capturing. After encapsulation, ERSPAN
sends the IP or GRE packet through an IP network to a device on the network. This device sends the original frame to an analyzing
device that is directly connected to the network device.
ERSPAN Dummy MAC
Address Rewrite
ERSPAN dummy MAC address rewrite
supports customized MAC value for WAN interface and tunnel interface. It also
allows you to monitor the traffic going through WAN interface.
ERSPAN IP Access Control
Lists
From Cisco IOS XE
Everest 16.4.1 release, ERSPAN has been enhanced to better monitor packets and
reduce network traffic. This enhancement supports ACL on ERSPAN source session
to filter only specific IP traffic according to the ACL, and is supported on
the IOS XE platform. Both IPv4 and IPv6 traffic can be monitored by associating
an ACL with the ERSPAN session. The ERSPAN session can associate only one IP
ACL entry with its name.
How to Configure ERSPAN
ERSPAN uses separate source and destination sessions. You configure the source and destination sessions on either the same
router or on different routers.
Configuring an ERSPAN Source
Session
The ERSPAN source
session defines the session configuration parameters and the ports or VLANs to
be monitored.
(Optional)
Disables the VLAN filtering option for Ethernet interfaces. Use this command if
you are using the
vlanfilter command or if the source interface is using
dot1q encapsulation.
Device(config)# monitor session 1 type erspan-source
Defines an
ERSPAN source session using the session ID and the session type, and enters
ERSPAN monitor source session configuration mode.
The
span-session-number argument range is from 1 to
1024. The same session number cannot be used more than once.
The session
IDs for source sessions or destination sessions are in the same global ID
space, so each session ID is globally unique for both session types.
The session
ID (configured by the
span-session-number
argument) and the session type (configured by the
erspan-source
keyword) cannot be changed once entered. Use the
no form of this
command to remove the session and then re-create the session, with a new
session ID or a new session type.
(Optional) Associates the ERSPAN source session number with the VLANs, and selects the traffic direction to be monitored.
You cannot include source VLANs and filter VLANs in the same session. You can either include source VLANs or filter VLANs,
but not both at the same time.
(Optional)
Associates an ACL with the ERSPAN session.
Use the
nofilteraccess-groupacl-filter command to detach the ACL from the
ERSPAN session.
Only ACL
name is supported to associate to the ERSPAN source session. If the ACL does
not exist or if there is no entry defined in the access control list, the ACL
name is not attached to the ERSPAN source session.
When the
ERSPAN source session is active, you cannot detach the ACL from the ERSPAN
source session. The source session must be shut down before detaching the ACL.
After the session shutdown, you must exit the session for the
shutdown command to execute, and then
re-enter the session to detach the ACL.
Configures
the ID used by the source and destination sessions to identify the ERSPAN
traffic, which must also be entered in the ERSPAN destination session
configuration.
Step 14
ip
addressip-address
Example:
Device(config-mon-erspan-src-dst)# ip address 10.10.0.1
Configures
the IP address that is used as the destination of the ERSPAN traffic.
Step 15
ip
precprec-value
Example:
Device(config-mon-erspan-src-dst)# ip prec 5
(Optional)
Configures the IP precedence value of the packets in the ERSPAN traffic.
You can
optionally use either the
ip prec command or the
ip dscp command, but not both.
Step 16
ip
dscpdscp-value
Example:
Device(config-mon-erspan-src-dst)# ip dscp 10
(Optional)
Enables the use of IP differentiated services code point (DSCP) for packets
that originate from a circuit emulation (CEM) channel.
You can
optionally use either the
ip prec
command or the
ip dscp
command, but not both.
Step 17
ip
ttlttl-value
Example:
Device(config-mon-erspan-src-dst)# ip ttl 32
(Optional)
Configures the IP TTL value of the packets in the ERSPAN traffic.
Step 18
mtumtu-size
Example:
Device(config-mon-erspan-src-dst)# mtu 1500
Configures the
maximum transmission unit (MTU) size, in bytes, for ERSPAN encapsulation.
Valid
values are from 64 to 9180. The default value is 1500.
Step 19
originipaddressip-address [force]
Example:
Device(config-mon-erspan-src-dst)# origin ip address 10.10.0.1
Configures
the IP address used as the source of the ERSPAN traffic.
Step 20
vrfvrf-id
Example:
Device(config-mon-erspan-src-dst)# vrf 1
(Optional)
Configures the VRF name to use instead of the global routing table.
Step 21
noshutdown
Example:
Device(config-mon-erspan-src-dst)# no shutdown
Enables the
configured sessions on an interface.
Step 22
end
Example:
Device(config-mon-erspan-src-dst)# end
Exits ERSPAN
source session destination configuration mode, and returns to privileged EXEC
mode.
Configuring an ERSPAN Destination Session
Perform this task to configure an Encapsulated Remote Switched Port Analyzer (ERSPAN) destination session. The ERSPAN destination
session defines the session configuration parameters and the ports that will receive the monitored traffic.
Device(config)# monitor session 1 type erspan-destination
Defines an ERSPAN destination session using the session ID and the session type, and enters in ERSPAN monitor destination
session configuration mode.
The
session-number argument range is from 1 to 1024. The session number must be unique and cannot be used more than once.
The session IDs for source sessions or destination sessions are in the same global ID space, so each session ID is globally
unique for both session types.
The session ID (configured by the
session-number argument) and the session type (configured by the
erspan-destination) cannot be changed once entered. Use the
no form of this command to remove the session, and then recreate the session with a new session ID or a new session type.
Configures the ID used by the source and destination sessions to identify the ERSPAN traffic, which must also be entered
in the ERSPAN source session configuration.
Step 8
ipaddressip-address[force]
Example:
Device(config-mon-erspan-dst-src)# ip address 10.10.0.1
Configures the IP address that is used as the source of the ERSPAN traffic.
The
ipaddressip-addressforce command changes the source IP address for all ERSPAN destination sessions.
Step 9
vrfvrf-id
Example:
Device(config-mon-erspan-dst-src)# vrf 1
(Optional) Configures the VRF name to use instead of the global routing table.
Step 10
noshutdown
Example:
Device(config-mon-erspan-dst-src)# no shutdown
Enables the configured sessions on an interface.
Step 11
end
Example:
Device(config-mon-erspan-dst-src)# end
Exits ERSPAN destination session source configuration mode, and returns to privileged EXEC mode.
Device(config)# monitor session 100 type erspan-source
Defines an
ERSPAN source session using the session ID and the session type, and enters
ERSPAN monitor source session configuration mode.
The
span-session-number argument range is from 1 to
1024. The same session number cannot be used more than once.
The
session IDs for source sessions or destination sessions are in the same global
ID space, so each session ID is globally unique for both session types.
The
session ID (configured by the
span-session-number
argument) and the session type (configured by the
erspan-source
keyword) cannot be changed once entered. Use the
no form of
this command to remove the session and then re-create the session, with a new
session ID or a new session type.
Exits
ERSPAN source session destination configuration mode, and returns to privileged
EXEC mode.
Configuration Examples for ERSPAN
Example: Configuring an ERSPAN Source Session
The following example shows how to configure an ERSPAN source session:
Device> enable
Device# configure terminal
Device(config)# monitor session 1 type erspan-source
Device(config-mon-erspan-src)# description source1
Device(config-mon-erspan-src)# source interface GigabitEthernet1/0/1 rx
Device(config-mon-erspan-src)# source interface GigabitEthernet1/0/4 - 8 tx
Device(config-mon-erspan-src)# source interface GigabitEthernet1/0/3
Device(config-mon-erspan-src)# destination
Device(config-mon-erspan-src-dst)# erspan-id 100
Device(config-mon-erspan-src-dst)# origin ip address 10.1.0.1
Device(config-mon-erspan-src-dst)# ip prec 5
Device(config-mon-erspan-src-dst)# ip ttl 32
Device(config-mon-erspan-src-dst)# mtu 1700
Device(config-mon-erspan-src-dst)# origin ip address 10.10.0.1
Device(config-mon-erspan-src-dst)# vrf 1
Device(config-mon-erspan-src-dst)# no shutdown
Device(config-mon-erspan-src-dst)# end
Example: Configuring an ERSPAN Source Session on a WAN Interface
The following example shows how to configure more than one WAN interface in a single ERSPAN source monitor session. Multiple
interfaces have been separated by a commas.
monitor session 100 type erspan-source
source interface Serial 0/1/0:0, Serial 0/1/0:6
Example: Configuring an ERSPAN Destination Session
The following example shows how to configure an ERSPAN destination session:
monitor session 2 type erspan-destination
destination interface GigabitEthernet1/3/2
destination interface GigabitEthernet2/2/0
source
erspan-id 100
ip address 10.10.0.1
Example: Configuring an ERSPAN as a Local SPAN
The following example shows how to configure an ERSPAN as a local SPAN.
monitor session 10 type erspan-source
source interface GigabitEthernet0/0/0
destination
erspan-id 10
ip address 10.10.10.1
origin ip address 10.10.10.1
monitor session 20 type erspan-destination
destination interface GigabitEthernet0/0/1
source
erspan-id 10
ip address 10.10.0.1
Example: Configuring ERSPAN
Dummy MAC Address Rewrite
monitor session 1 type erspan-source
s-mac 1111.1111.1111
d-mac 2222.2222.2222
source interface Gi2/2/0
destination
erspan-id 100
mtu 1464
ip address 200.0.0.1
origin ip address 100.0.0.1
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use
these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products
and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
The following table provides release information about the feature or features described in this module. This table lists
only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise,
subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco
Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for
Configuring ERSPAN
Feature
Name
Releases
Feature
Information
ERSPAN
Cisco IOS
XE Release 2.1
Cisco IOS
XE Release 3.8S
The Cisco
ERSPAN feature allows you to monitor traffic on one or more ports or VLANs, and
send the monitored traffic to one or more destination ports.
The
following commands were introduced or modified by this feature:
description,
destination,
erspan-id,
filter,
ipdscp,
ipprec,
ipttl,monitorpermit-list,
monitorsession,
originipaddress,
showmonitorpermit-list,source,switchport,switchportmodetrunk,
switchportnonegotiate,switchporttrunkencapsulation,
vrf.
In Cisco IOS
XE 3.8S release, ERSPAN was enhanced to support MTU data size up to 9180 bytes.
The following command was added by this feature:
mtu.
ERSPAN
Support on WAN Interface
Cisco IOS
XE Release 3.5S
ERSPAN has been enhanced to support WAN interface as an ERSPAN
source.
The
following command was modified by this feature:
source
interface.
ERSPAN
Type III Header
Cisco IOS
XE Denali 16.2
ERSPAN has been enhanced to
configure a switch to ERSPAN type III header.
The
following command was introduced by this feature:
header-type
3.
ERSPAN IP
ACL
Cisco IOS
XE Everest 16.4.1
ERSPAN has
been enhanced to better monitor packets and reduce network traffic. This
enhancement supports ACL on ERSPAN source session to filter only specific IP
traffic according to the ACL.
The
following command was introduced by this feature:
filteraccess-groupacl-filter.
Feedback