Introduction to Traffic Mirroring
Traffic mirroring, which is sometimes called port mirroring or Switched Port Analyzer (SPAN), is a Cisco proprietary feature. Traffic mirroring enables you to monitor Layer 3 network traffic passing in or out of a set of Ethernet interfaces. You can then pass this traffic to a network analyzer for analysis.
Traffic mirroring copies traffic from one or more Layer 3 interfaces or sub-interfaces. Traffic mirroring then sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring device. Traffic mirroring does not affect the switching of traffic on the source interfaces or sub-interfaces. It allows the system to send mirrored traffic to a destination interface or sub-interface.
Traffic mirroring was introduced on switches because of a fundamental difference between switches and hubs. When a hub receives a packet on one port, it sends a copy of that packet out of every port except the one on which it received the packet. A switch, after it boots, builds a Layer 2 forwarding table from the source MAC addresses of the packets it receives. Once that forwarding table is built, the switch forwards traffic destined for a MAC address directly to the corresponding port, so no other port sees it.
For example, if you want to capture Ethernet traffic that host A sends to host B, and both are connected to a hub, attach a traffic analyzer to the hub: every other port sees the traffic between hosts A and B. On a switch, an analyzer port sees that traffic only if it is explicitly configured as a mirroring destination.
Implementing Traffic Mirroring on the Cisco 8000 Series Routers
ERSPAN
Encapsulated Remote Switched Port Analyzer (ERSPAN) is a traffic mirroring mechanism used to monitor network traffic passing in or out of a set of ports on a router. It copies or mirrors traffic from one or more source ports and sends the copied traffic through GRE tunnels to one or more destinations for analysis. The destination may be a network analyzer or other monitoring devices.
Feature Name | Release Information | Feature Description
---|---|---
Partial packet capture ability for ERSPAN (Rx) | Release 7.5.3 | With this feature, you can perform partial packet capture in the Rx direction. Earlier, only entire-packet capture was available; now you can choose entire or partial packet capture in the Rx direction. Partial packet capture is also known as truncation.
ERSPAN over MPLS traffic | Release 7.5.3 | With this release, the router allows you to mirror MPLS traffic and set up the GRE tunnel with the next hop over a labeled path. This feature helps you remote-monitor the traffic on traffic analyzers.
Higher payload analysis with eight ERSPAN sessions | Release 24.4.1 | Introduced in this release on: Fixed Systems (8200, 8700) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*). This feature enables the Cisco 8000 Series routers to support eight ERSPAN sessions on this hardware, allowing you to analyze higher payloads in real time across Layer 3 domains on your network. *This feature is now supported on:
Higher payload analysis with eight ERSPAN sessions | Release 7.3.2 | With this release, Cisco 8000 Series routers support eight ERSPAN sessions. This functionality helps you analyze higher payloads in real time across Layer 3 domains on your network.
ERSPAN over GRE IPv6 | Release 24.4.1 | Introduced in this release on: Fixed Systems (8200, 8700) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*). With this release, the router allows you to mirror IPv4 or IPv6 traffic with ERSPAN over GRE IPv6 sessions to monitor traffic on remote traffic analyzers on this hardware. *This feature is now supported on:
ERSPAN over GRE IPv6 | Release 7.3.2 | With this release, the router allows you to mirror IPv4 or IPv6 traffic with ERSPAN over GRE IPv6 sessions to monitor traffic on remote traffic analyzers. In earlier releases, ERSPAN traffic monitoring was possible only on IPv4 networks.
ERSPAN enables network operators to troubleshoot issues in the network in real time using automated tools that auto-configure ERSPAN parameters on the network devices, sending specific flows to management servers for in-depth analysis.
ERSPAN transports mirrored traffic over an IP network. The traffic is encapsulated at the source router and is transferred across the network.
From Cisco IOS XR Software Release 7.5.3 onwards, packet truncation is supported over remote GRE tunnels, so you can truncate the mirrored copy of each packet before it is sent.
Starting with Cisco IOS XR Software Release 7.0.14, the sequence bit is set in the GRE header and the value of the sequence number is always 0 for ERSPAN packets.
Starting with Cisco IOS XR Software Release 7.5.3, the sequence number bit is always set to one and the 4-byte sequence number field is always set to zero.
Supported Capabilities
The following capabilities are supported:
- The source interfaces are Layer 3 interfaces, such as physical interfaces, bundle interfaces, or sub-interfaces.
- The router mirrors IPv4 and IPv6 traffic.
- The ERSPAN destination is a GRE IPv4 or GRE IPv6 tunnel.
- ERSPAN supports only the Rx direction.
- ERSPAN over GRE IPv4 and IPv6 supports SPAN ACL.
- MPLS traffic mirroring and GRE tunnel configuration with the next hop over a labeled path are supported.
- Each monitor session allows only one destination interface.
- ACL permit or deny entries with the capture action are part of the mirroring feature.
- The next-hop interface must be a main interface. It can be a physical or bundle interface.
- Full packet capture is supported.
- In ERSPAN over GRE IPv6, the HopLimit and TrafficClass fields in the outer IPv6 header are editable under the tunnel configuration.
- The maximum number of SPAN sessions supported on the Cisco 8000 Router is as follows:
SPAN Type | 7.3.1 and Prior Releases | 7.3.2 and Later Releases
---|---|---
ERSPAN (GRE IPv4, GRE IPv6, or GRE IPv4 + GRE IPv6) | 4 | 8
Local SPAN | 4 | 4
SPAN to File | 4 | 4
Combined SPAN (GRE IPv4 + GRE IPv6 + Local SPAN + SPAN to File) | 4 | 8
- Starting with Release 24.2.11, on all Egress Traffic Management (ETM)-based platforms, when the NPU compatibility mode is set to P100, the maximum number of SPAN sessions supported on the 88-LC1-52Y8H-EM and 88-LC1-12TH24FH-E line cards is as follows:
  - ERSPAN (GRE IPv4, GRE IPv6, or GRE IPv4 + GRE IPv6): 4
  - Local SPAN: 4
  - SPAN to File: 4
  - Combined SPAN (GRE IPv4 + GRE IPv6 + Local SPAN + SPAN to File): 4
Note
For more information on NPU compatibility mode, see Configure the Compatibility Mode.
- Starting from Cisco IOS XR Release 24.3.1, the system creates one default monitor session and users can configure up to three additional monitor sessions, for a total of four, which is the maximum number of monitor sessions that the router allows. However, because of defect CSCwm81257, raised in Cisco IOS XR Release 24.3.2, the router ignored the system's default session and allowed users to create four monitor sessions instead of three.
If you have upgraded the router from Cisco IOS XR Release 24.3.2 to a later release, one of the four user-configured sessions (created in Cisco IOS XR Release 24.3.x) will be lost, because the router allows a maximum of three user-configured sessions.
Supported Capabilities for ERSPAN Packet Truncation support
The following are the capabilities and requirements:
- Ability to enable the new ERSPAN GREv4 and GREv6 truncation configuration per device.
- Truncation is configured on the monitor session. Packets received from all sources of that session are truncated only when truncation is configured on the monitor session.
- By default, without the mirror first <number> (truncation size) configuration, the whole packet is mirrored.
- ERSPAN on this platform supports only a 343-byte truncation size. If the truncation size configured on the monitor session is less than 343 bytes, the whole packet is mirrored. If the configured truncation size exceeds 343 bytes, the configuration is accepted, but only a 343-byte truncation size is programmed, and an ios-msg is displayed to warn the user. Example:
ERSPAN only support 343 bytes truncation size. monitor-session with session_id <id> will be set to 343 bytes only.
Restrictions
The following are the ERSPAN and SPAN ACL restrictions:
- The ERSPAN mirror packet is received with the TTL decremented by 1. The mirror packet is not identical to the incoming packet; TTL minus 1 is the expected value in the ERSPAN packet.
- The router mirrors only unicast traffic. However, from Cisco IOS XR Software Release 7.5.3 onwards, the router can also mirror multicast traffic.
- Remove and re-apply monitor sessions on all interfaces after modifying the access control list (ACL).
- The GRE tunnel is dedicated to ERSPAN mirrored packets. No IPv4 or IPv6 address should be configured under the GRE tunnel.
- Only the ERSPAN Type II header is supported. The value of the index field is always 0. The value of the session-ID field is an internal number that the data path uses to distinguish between sessions.
- Traffic accounting of the ERSPAN mirrored packets is not supported.
Note
You can view the SPAN packet count per session using the show monitor-session status internal command.
- ERSPAN decapsulation is unsupported.
- From Cisco IOS XR Software Release 7.5.3 onwards, ERSPAN is functional regardless of any MPLS or LDP configuration present on the router.
- MPLS packet mirroring is supported only from Cisco IOS XR Software Release 7.5.3 onwards.
- Due to a data path limitation, only the upper 64 bits of the source IPv6 address in the outer IPv6 header of the ERSPAN packet are valid; the lower 64 bits are set to zero. The destination GRE IPv6 address carries all 128 bits.
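The encapsulation facts above (GRE sequence bit set with the sequence number zero, ERSPAN Type II header with index 0, outer IPv6 source with only the upper 64 bits valid, mirrored TTL one less than the original) are what a collector has to deal with, because the router itself does not decapsulate ERSPAN. The following Python parser is an added example, not Cisco code and not part of this page: it builds one constructed ERSPAN-over-GRE-IPv6 packet, decapsulates it, and checks the fields against what the page documents. The addresses, MAC addresses, session ID and the unchecksummed inner IPv4 header are assumptions made for the sample.

```python
import struct
import ipaddress

# Well-known protocol constants (not taken from the Cisco page).
IPV6_NEXT_HEADER_GRE = 47
GRE_PROTO_ERSPAN_TYPE2 = 0x88BE   # GRE protocol type that carries an ERSPAN Type II header
GRE_FLAG_C = 0x8000               # checksum present
GRE_FLAG_K = 0x2000               # key present
GRE_FLAG_S = 0x1000               # sequence number present
ETHERTYPE_IPV4 = 0x0800


def build_sample_packet() -> bytes:
    """Constructed sample (assumed addresses, MACs, session ID 7): one mirrored IPv4 frame
    encapsulated as the page describes: GRE S bit set with sequence 0, ERSPAN Type II with
    index 0, outer IPv6 source with the lower 64 bits zeroed, inner TTL already decremented."""
    # Inner frame 192.0.2.10 -> 198.51.100.20; original TTL 64 arrives mirrored as 63.
    # The IPv4 header checksum is left at 0 in this constructed sample.
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 63, 17, 0,
                           ipaddress.IPv4Address("192.0.2.10").packed,
                           ipaddress.IPv4Address("198.51.100.20").packed)
    inner_eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                 + struct.pack("!H", ETHERTYPE_IPV4))
    # ERSPAN Type II word 1: Ver=1 | VLAN=0 | COS=0 | En=0 | T=0 | Session ID=7; word 2: Reserved | Index=0
    erspan = struct.pack("!II", (1 << 28) | 7, 0)
    # GRE: only the S flag set, protocol 0x88BE, 4-byte sequence number 0
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN_TYPE2, 0)
    payload = gre + erspan + inner_eth + inner_ip
    src = ipaddress.IPv6Address("2001:db8:1::")    # lower 64 bits zeroed by the data path
    dst = ipaddress.IPv6Address("2001:db8:2::1")
    # Outer IPv6: version 6, traffic class 100, hop limit 200 (editable under the tunnel)
    outer = struct.pack("!IHBB16s16s", (6 << 28) | (100 << 20), len(payload),
                        IPV6_NEXT_HEADER_GRE, 200, src.packed, dst.packed)
    return outer + payload


def parse_erspan_over_gre_ipv6(pkt: bytes) -> dict:
    """Decapsulate outer IPv6 / GRE / ERSPAN Type II and return the header fields plus inner frame."""
    if len(pkt) < 40 or (pkt[0] >> 4) != 6:
        raise ValueError("outer header is not IPv6")
    first, _payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if next_hdr != IPV6_NEXT_HEADER_GRE:
        raise ValueError(f"outer next header {next_hdr} is not GRE (47)")
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    off = 40
    flags, proto = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if flags & GRE_FLAG_C:
        off += 4                       # checksum + reserved1, not used by ERSPAN here
    if flags & GRE_FLAG_K:
        off += 4                       # key
    seq = None
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if proto != GRE_PROTO_ERSPAN_TYPE2:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II (0x88be)")
    w1, w2 = struct.unpack("!II", pkt[off:off + 8])
    off += 8
    return {
        "outer_src": src, "outer_dst": dst,
        "hop_limit": hop_limit, "traffic_class": (first >> 20) & 0xFF,
        "gre_seq_present": bool(flags & GRE_FLAG_S), "gre_seq": seq,
        "erspan_version": w1 >> 28, "vlan": (w1 >> 16) & 0xFFF, "cos": (w1 >> 13) & 0x7,
        "session_id": w1 & 0x3FF, "index": w2 & 0xFFFFF,
        "inner_frame": pkt[off:],
    }


def check_cisco8000_erspan(p: dict) -> list:
    """List deviations from what the page documents for mirrored packets; empty means as expected."""
    findings = []
    if not p["gre_seq_present"] or p["gre_seq"] != 0:
        findings.append("GRE sequence bit clear or sequence number non-zero")
    if p["erspan_version"] != 1:
        findings.append(f"ERSPAN version {p['erspan_version']} is not Type II (version 1)")
    if p["index"] != 0:
        findings.append(f"ERSPAN index {p['index']} is not 0")
    if int(p["outer_src"]) & ((1 << 64) - 1) != 0:
        findings.append("outer IPv6 source has non-zero lower 64 bits")
    return findings


def inner_ipv4_ttl(frame: bytes):
    """TTL of the mirrored IPv4 packet; on this platform expect the original TTL minus 1."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return frame[14 + 8]
```

Because the outer source address loses its lower 64 bits, do not key collector-side filters or session attribution on the full source address; use the session-ID field (and the destination tunnel address) instead.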
Traffic Mirroring Terminology
- Ingress traffic—Traffic that enters the switch.
- Egress traffic—Traffic that leaves the switch.
- Source port—A port that the system monitors with the use of traffic mirroring. It is also called a monitored port.
- Destination port—A port that monitors source ports, usually where a network analyzer is connected. It is also called a monitoring port.
- Monitor session—A designation for a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces.
Characteristics of the Source Port
A source port, also called a monitored port, is a switched or routed port that you monitor for network traffic analysis. In a single local or remote traffic mirroring session, you can monitor received (Rx, ingress) source port traffic. Your router can support up to 800 source ports.
A source port has these characteristics:
- It can be any port type, such as a bundle interface, sub-interface, 100-Gigabit Ethernet, or 400-Gigabit Ethernet.
Note
Bridge group virtual interfaces (BVIs) are not supported.
- Each source port can be monitored in only one traffic mirroring session.
- It cannot be a destination port.
- Each source port is configured with a direction (ingress) to monitor. For bundles, the monitored direction applies to all physical ports in the group.
In the figure above, the network analyzer is attached to a port that is configured to receive a copy of every packet that host A sends. This port is called a traffic mirroring port.
Characteristics of the Monitor Session
A monitor session is a collection of traffic mirroring configurations consisting of a single destination and, potentially, many source interfaces. For any given monitor session, the traffic from the source interfaces (called source ports) is sent to the monitoring port or destination port. If there is more than one source port in a monitoring session, the traffic from the several mirrored traffic streams is combined at the destination port. The result is that the traffic that comes out of the destination port is a combination of the traffic from one or more source ports.
Monitor sessions have these characteristics:
- A single monitor session can have only one destination port.
- A single destination port can belong to only one monitor session.
Note
The destination of an ERSPAN monitoring session is a GRE IPv4 or IPv6 tunnel.
Supported Traffic Mirroring Types
The system supports the following traffic mirroring types:
- ACL-based traffic mirroring. The system mirrors traffic based on the configuration of the global interface ACL.
- Layer 3 traffic mirroring. The system can mirror Layer 3 source ports.
ACL-Based Traffic Mirroring
You can mirror traffic that is based on the definition of a global interface access list (ACL). When you are mirroring Layer 3 traffic, the ACL is configured using the ipv4 access-list or ipv6 access-list command with the capture keyword. The permit and deny commands determine the behavior of regular traffic. The capture keyword designates that the packet is to be mirrored to the destination port.
Starting with Cisco IOS XR Software Release 7.0.14, ERSPAN and security ACLs are configured separately. Neither has an impact on or a dependency on the other, but both can be applied simultaneously.
ERSPAN over GRE IPv6
The ERSPAN over GRE IPv6 feature enables mirroring IPv4 or IPv6 traffic in your network. The router encapsulates the traffic by adding an ERSPAN header inside the GRE IPv6 packet. The GRE header of the ERSPAN-encapsulated packets has the sequence number set to 0. The router sends the replicated packet to the destination through the GRE IPv6 channel to achieve traffic mirroring. The mirrored traffic is sent to a remote traffic analyzer for monitoring purposes. For traffic mirroring to work, the ERSPAN GRE IPv6 tunnel next hop must have ARP or neighbor resolution completed. We recommend using the cef proactive-arp-nd enable command to configure missing adjacency information for the next hop.
Note
The GRE tunnel configured for ERSPAN should only be used for mirrored traffic. There should be no IPv4 or IPv6 address configured under the GRE tunnel.
Router# configure
Router(config)# cef proactive-arp-nd enable
Router(config)# commit
Configuring ERSPAN over GRE IPv6
- Enable the GRE IPv6 tunnel configuration.
RP/0/RP0/CPU0:router#configure
RP/0/RP0/CPU0:router(config)#interface tunnel-ip1
RP/0/RP0/CPU0:router(config-if)#tunnel mode gre ipv6
RP/0/RP0/CPU0:router(config-if)#tunnel source 2001:DB8:1::1
RP/0/RP0/CPU0:router(config-if)#tunnel destination 2001:DB8:2::1
RP/0/RP0/CPU0:router(config-if)#no shut
RP/0/RP0/CPU0:router(config-if)#commit
- Enable the ERSPAN session.
RP/0/RP0/CPU0:router#configure
RP/0/RP0/CPU0:router(config)#monitor-session mon1 ethernet
RP/0/RP0/CPU0:router(config-mon)#destination interface tunnel-ip1
RP/0/RP0/CPU0:router(config-mon)#commit
RP/0/RP0/CPU0:router(config-mon)#end
- Configure the ERSPAN session under each port to be monitored (ERSPAN supports only the rx-only direction), then commit.
RP/0/RP0/CPU0:router#configure
RP/0/RP0/CPU0:router(config)#interface HundredGigE0/1/0/14
RP/0/RP0/CPU0:router(config-if)#monitor-session mon1 ethernet direction rx-only
RP/0/RP0/CPU0:router(config-if-mon)#exit
RP/0/RP0/CPU0:router(config-if)#exit
RP/0/RP0/CPU0:router(config)#interface Bundle-Ether1
RP/0/RP0/CPU0:router(config-if)#monitor-session mon1 ethernet direction rx-only
RP/0/RP0/CPU0:router(config-if-mon)#exit
RP/0/RP0/CPU0:router(config-if)#exit
RP/0/RP0/CPU0:router(config)#interface HundredGigE0/1/0/15.100
RP/0/RP0/CPU0:router(config-subif)#monitor-session mon1 ethernet direction rx-only
RP/0/RP0/CPU0:router(config-subif-mon)#commit
Verification
Use the show monitor-session status command to verify the configuration of the ERSPAN over GRE IPv6 feature.
RP/0/RP0/CPU0:router#show monitor-session mon1 status
Monitor-session mon1
Destination interface tunnel-ip1
================================================================================
Source Interface Dir Status
--------------------- ---- ----------------------------------------------------
Hu0/1/0/14 Rx Operational
Hu0/1/0/15.100 Rx Operational
BE1 Rx Operational
BE1.1 Rx Operational
RP/0/RP0/CPU0:R1-SF-D#show monitor-session erspan3 status internal
Thu Jul 15 06:00:14.720 UTC
Information from SPAN Manager and MA on all nodes:
Monitor-session erspan3 (ID 0x00000007) (Ethernet)
SPAN Mgr: Destination interface tunnel-ip372 (0x0f00049c)
Last error: Success
Tunnel data:
Mode: GREoIPv6
Source IP: 77:3:1::79
Dest IP: 95::90
VRF:
ToS: 100
TTL: 200
DFbit: Not set
0/3/CPU0: Destination interface tunnel-ip372 (0x0f00049c)
Tunnel data:
Mode: GREoIPv6
Source IP: 77:3:1::79
Dest IP: 95::90
VRF:
ToS: 100
TTL: 200
DFbit: Not set
0/RP0/CPU0: Destination interface tunnel-ip372 (0x0f00049c)
Tunnel data:
Mode: GREoIPv6
Source IP: 77:3:1::79
Dest IP: 95::90
VRF:
ToS: 100
TTL: 200
DFbit: Not set
Information from SPAN EA on all nodes:
Monitor-session 0x00000007 (Ethernet)
0/3/CPU0: Name 'erspan3', destination interface tunnel-ip372 (0x0f00049c)
Platform, 0/3/CPU0:
Monitor Session ID: 7
Monitor Session Packets: 2427313444
Monitor Session Bytes: 480591627492
Configuring Partial Packet Capture Ability for ERSPAN (RX)
To configure partial traffic mirroring, use the mirror first command in monitor session configuration mode.
mirror first <number>: Configures the truncation size, in bytes, for an ERSPAN session.
Use the following commands to create an ERSPAN monitor session for mirroring packets:
monitor-session <name> [ethernet]
destination interface tunnel-ip <number>
mirror first <number>
traffic-class <traffic-class>
Configuration Example
Use the following configuration to create an ERSPAN monitor session that mirrors packets to tunnel-ip 30 with truncation enabled:
monitor-session mon1 ethernet
destination interface tunnel-ip 30
mirror first 343
!
Attach the session to the interfaces using the following configuration. The command accepts rx-only, tx-only, or both, but ERSPAN on this platform supports only the Rx direction, so use rx-only:
interface <interface-name>
monitor-session session-name ethernet direction rx-only|tx-only|both | acl [acl_name]
Running Configuration
interface tunnel-ip30
tunnel mode gre ipv4
tunnel source 2.2.2.2
tunnel destination 200.0.0.2
!
interface HundredGigE0/0/0/12
ipv4 address 12.0.0.2 255.255.255.0
monitor-session mon1 ethernet direction rx-only
!
Verification
The show monitor-session status internal command displays the programmed truncation size.
Example:
Router#show monitor-session mon1 status internal
Fri Apr 12 18:50:45.006 UTC
Information from SPAN Manager and MA on all nodes:
Packet truncation size: 343B
Monitor-session mon1 (ID 0x00000001) (Ethernet)
SPAN Mgr: Destination interface Tunnel-IP 20 (0x0f000250)
Last error: Success
Information from SPAN EA on all nodes:
Monitor-session 0x00000001 (Ethernet)
0/RP0/CPU0: Name 'mon1', destination interface Tunnel-IP 20 (0x0f000250)
Platform, 0/RP0/CPU0:
Monitor Session Packets: 142462
Monitor Session Bytes: 7653237
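Because the router keeps no traffic accounting for mirrored packets and a mirroring session that silently stops is a visibility gap, the show output above is worth checking mechanically rather than by eye. The following Python snippet is an added example, not Cisco code and not part of this page: it parses the show monitor-session status and status internal output reproduced on this page (copied here as constructed input, with one extra non-operational source row added to exercise the failure path) and reports deviations from the documented expectations: every expected source attached and Operational, Rx-only direction, Last error Success, a non-zero packet counter, and the 343-byte programmed truncation. The expected source list is an assumption.

```python
import re

# Copied from the show command output on this page, with the BE1.1 row changed to a
# constructed non-operational state so the audit has something to flag.
SHOW_STATUS = """\
Monitor-session mon1
Destination interface tunnel-ip1
================================================================================
Source Interface      Dir  Status
---------------------  ----  ----------------------------------------------------
Hu0/1/0/14            Rx   Operational
Hu0/1/0/15.100        Rx   Operational
BE1                   Rx   Operational
BE1.1                 Rx   Not operational
"""

SHOW_STATUS_INTERNAL = """\
Fri Apr 12 18:50:45.006 UTC
Information from SPAN Manager and MA on all nodes:
Packet truncation size: 343B
Monitor-session mon1 (ID 0x00000001) (Ethernet)
SPAN Mgr: Destination interface Tunnel-IP 20 (0x0f000250)
Last error: Success
Information from SPAN EA on all nodes:
Monitor-session 0x00000001 (Ethernet)
0/RP0/CPU0: Name 'mon1', destination interface Tunnel-IP 20 (0x0f000250)
Platform, 0/RP0/CPU0:
Monitor Session Packets: 142462
Monitor Session Bytes: 7653237
"""

SOURCE_ROW = re.compile(r"^(?P<intf>\S+)\s+(?P<dir>Rx|Tx|Both)\s+(?P<status>\S.*?)\s*$")


def parse_status(text):
    """Parse 'show monitor-session <name> status' into (name, destination, {source: (dir, status)})."""
    name = dest = None
    sources = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Monitor-session "):
            name = line.split()[1]
        elif line.startswith("Destination interface "):
            dest = line.split()[2]
        elif line.startswith("-----"):
            in_table = True                      # source rows follow the dashed rule
        elif in_table:
            m = SOURCE_ROW.match(line)
            if m:
                sources[m["intf"]] = (m["dir"], m["status"])
    return name, dest, sources


def parse_status_internal(text):
    """Parse 'status internal' for truncation size, last error and counters (summed over nodes)."""
    info = {"truncation_bytes": None, "last_error": None, "packets": 0, "bytes": 0}
    for line in text.splitlines():
        if m := re.match(r"Packet truncation size:\s*(\d+)B", line):
            info["truncation_bytes"] = int(m.group(1))
        elif m := re.match(r"Last error:\s*(.+)", line):
            info["last_error"] = m.group(1).strip()
        elif m := re.match(r"Monitor Session Packets:\s*(\d+)", line):
            info["packets"] += int(m.group(1))
        elif m := re.match(r"Monitor Session Bytes:\s*(\d+)", line):
            info["bytes"] += int(m.group(1))
    return info


def audit_session(status_text, internal_text, expected_sources, expect_truncation=None):
    """Return a list of findings; an empty list means the session matches expectations."""
    name, _dest, sources = parse_status(status_text)
    info = parse_status_internal(internal_text)
    findings = []
    for intf in expected_sources:                # assumed list of interfaces that must be mirrored
        if intf not in sources:
            findings.append(f"{name}: expected source {intf} is not attached")
        elif sources[intf][1] != "Operational":
            findings.append(f"{name}: source {intf} is {sources[intf][1]}")
    for intf, (direction, _) in sources.items():
        if direction != "Rx":
            findings.append(f"{name}: source {intf} direction {direction}; ERSPAN supports Rx only")
    if info["last_error"] not in (None, "Success"):
        findings.append(f"{name}: last error {info['last_error']}")
    if info["packets"] == 0:
        findings.append(f"{name}: no mirrored packets counted; check tunnel next-hop resolution")
    if expect_truncation is not None and info["truncation_bytes"] != expect_truncation:
        findings.append(f"{name}: programmed truncation {info['truncation_bytes']}B, "
                        f"expected {expect_truncation}B")
    return findings
```

Run it against output collected periodically (for example over SSH or a NETCONF get) and alert on any non-empty result; comparing the packet counter between two samples is the only way to confirm the session is still forwarding copies, since the page notes that traffic accounting for mirrored packets is otherwise unsupported.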
ERSPAN traffic to a destination in a non-default VRF
ERSPAN traffic to a destination in a non-default VRF is an ERSPAN feature that sends mirrored traffic over GRE tunnels that belong to different VRF instances. This capability helps design a network with multiple Layer 3 partitions, enabling traffic segregation and management across different network segments.
Feature Name | Release Information | Description
---|---|---
ERSPAN traffic to a destination in a non-default VRF | Release 24.4.1 | Introduced in this release on: Fixed Systems (8200, 8700) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*). This feature is now supported on this hardware, allowing you to design your network with multiple Layer 3 partitions. *This feature is now supported on:
ERSPAN traffic to a destination in a non-default VRF | Release 7.5.2, Release 7.3.4 | Encapsulated Remote Switched Port Analyzer (ERSPAN) now transports mirrored traffic through GRE tunnels in multiple VRFs, helping you design your network with multiple Layer 3 partitions. In earlier releases, ERSPAN transported mirrored traffic only through GRE tunnels that belonged to the default VRF.