Configuring ERSPAN

This chapter contains the following sections:

Information About ERSPAN

ERSPAN transports mirrored traffic over an IP network, which provides remote monitoring of multiple switches across your network. The traffic is encapsulated at the source router and is transferred across the network. The packet is decapsulated at the destination router and then sent to the destination interface.

ERSPAN consists of an ERSPAN source session, routable ERSPAN generic routing encapsulation (GRE)-encapsulated traffic, and an ERSPAN destination session. You can separately configure ERSPAN source sessions and destination sessions on different switches.

ERSPAN Source Sessions

An ERSPAN source session is defined by the following:

  • A session ID.

  • A list of source ports, source VLANs, or source VSANs to be monitored by the session.

  • An ERSPAN flow ID.

  • Optional attributes related to the GRE envelope such as IP TOS and TTL.

  • Destination IP address.

  • Virtual Routing and Forwarding tables.

ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have ports, VLANs, or VSANs as sources. However, there are some limitations. For more information, see Guidelines and Limitations for ERSPAN.

The following figure shows an example ERSPAN configuration.

Figure 1. ERSPAN Configuration

Monitored Traffic

By default, ERSPAN monitors all traffic, including multicast and bridge protocol data unit (BPDU) frames.

The direction of the traffic that ERSPAN monitors depends on the source, as follows:

  • For a source port, the ERSPAN can monitor ingress, egress, or both ingress and egress traffic.

  • For a source VLAN or source VSAN, the ERSPAN can monitor only ingress traffic.

ERSPAN Sources

The interfaces from which traffic can be monitored are called ERSPAN sources. Sources designate the traffic to monitor and whether to copy ingress, egress, or both directions of traffic. ERSPAN sources include the following:

  • Source Ports—A source port is a port monitored for traffic analysis. You can configure source ports in any VLAN, and trunk ports can be configured as source ports and mixed with nontrunk source ports.

  • Source VLANs—A source VLAN is a virtual local area network (VLAN) that is monitored for traffic analysis.

  • Source VSANs—A source VSAN is a virtual storage area network (VSAN) that is monitored for traffic analysis.

Truncated ERSPAN

Truncated ERSPAN can be used to reduce the amount of fabric or network bandwidth used in sending ERSPAN packets.

The default is no truncation so switches or routers receiving large ERSPAN packets might drop these oversized packets.


Note

Do not enable the truncated ERSPAN feature if the destination ERSPAN router is a Cisco Nexus 6001 or Cisco Nexus 6004 switch because the Cisco Nexus 6000 Series switch drops these truncated packets.

Multiple ERSPAN Sessions

For information about shutting down ERSPAN sessions, see Shutting Down or Activating an ERSPAN Session.

High Availability

The ERSPAN feature supports stateless restarts. After a reboot, the running configuration is applied.

Licensing Requirements for ERSPAN

The following table shows the licensing requirements for this feature:

Product License Requirement

Cisco NX-OS

ERSPAN requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the License and Copyright Information for Cisco NX-OS Software available at the following URL: http:/​/​www.cisco.com/​en/​US/​docs/​switches/​datacenter/​sw/​4_0/​nx-os/​license_agreement/​nx-ossw_​lisns.html.

Prerequisites for ERSPAN

ERSPAN has the following prerequisite:

•You must first configure the Ethernet interfaces for ports on each device to support the desired ERSPAN configuration. For more information, see the Interfaces configuration guide for your platform.

Guidelines and Limitations for ERSPAN

ERSPAN has the following guidelines and limitations:

  • Cisco Nexus 5000 Series switches support only ERSPAN source sessions. Destination sessions are not supported.

  • The Cisco Nexus 5000 Series switch supports a maximum of 2 sessions.

  • The Cisco Nexus 5500 Series switch supports a maximum of 4 sessions.

  • The maximum number of ports for each ERSPAN session is 32.

  • You can have source ports, source VLANs, and source VSANs in one ERSPAN session.

  • On Cisco Nexus 5000 Series switches, ERSPAN can monitor ingress, egress, or both ingress and egress traffic on a source port and only ingress traffic on source VLANs or source VSANs as long as the VLAN is not mapped to a VSAN.

  • On Cisco 5500 Series switches, source ports and source VLANs can be in the same ERSPAN session.

  • ERSPAN traffic can exit the switch through a Layer 2 interface, Layer 3 interface, port channel, or FabricPath core port.

  • The Cisco Nexus 5000 series switch cannot reach a destination IP address of a remote switch through a virtual Ethernet port or FEX port. This functionality is not supported.

  • ERSPAN traffic is not load balanced if the reachability to a destination IP address is a Layer 3 ECMP or a port channel. In the case of ECMP, the ERSPAN traffic is sent to only one next-hop router or one member of the port channel.

  • ERSPAN on the Cisco Nexus 5000 Series switch supports Fast Ethernet, Gigabit Ethernet, TenGigabit Ethernet, and port channel interfaces as source ports for a source session.

  • When a session is configured through the ERSPAN configuration commands, the session ID and the session type cannot be changed. In order to change them, you must first use the no version of the configuration command to remove the session and then reconfigure the session.

  • ERSPAN traffic might compete with regular data traffic.

  • ERSPAN traffic is assigned to the QoS class-default system class (qos-group 0).

  • To ensure that data traffic is prioritized over ERSPAN traffic, you can create a QoS system class with prioritization above the class-default system class on the ERSPAN destination port.

    On Layer 3 networks, ERSPAN traffic can be marked with a the desired Differentiated Services Code Point (DSCP) value using the ip dscp command. By default, ERSPAN traffic is marked with a DSCP value of 0.

  • Consider a scenario in which an ERSPAN session and a local SPAN session is configured on a switch. Egress ports on both sessions are different. However, the ingress port on the local SPAN session is also receiving GRE-encapsulated traffic from the ERSPAN session. In such a scenario, the local SPAN session captures only the non-GRE-encapsulated traffic from the port that is defined as the source.

  • ERSPAN can monitor ingress traffic on a source VSAN only on Cisco Nexus 5010 and 5020 switches.

  • ERSPAN cannot monitor egress traffic on source VLANs and VSANs on any Cisco Nexus 5000 Series switch.

  • ERSPAN can monitor ingress, egress, or both ingress and egress traffic on a source port.

  • VSANs as ERSPAN sources are not allowed on Cisco Nexus 5548 and 5596 switches.

  • ERSPAN source sessions are supported on F3 Series modules. Beginning with Cisco NX-OS Release 7.0, ERPSPAN destination sessions are also supported on these modules. However, ERSPAN ACL sessions are not supported on F3 Series modules.

  • The SPAN session ignores any permit or deny actions specified in the access-list, and spans only the packets that match the access-list filter criteria.

Default Settings for ERSPAN

The following table lists the default settings for ERSPAN parameters.

Table 1 Default ERSPAN Parameters

Parameters

Default

ERSPAN sessions

Created in the shut state.

Truncated ERSPAN

Disabled.

Configuring ERSPAN

Configuring an ERSPAN Source Session

The ERSPAN source session defines the session configuration parameters and the ports or VLANs to be monitored. This section describes how to configure an ERSPAN source session.

Procedure
     Command or ActionPurpose
    Step 1configuration terminal


    Example: 
    switch# config t
switch(config)#
     

    Enters global configuration mode.

     
    Step 2monitor session span-session-number type {erspan-source | local}


    Example:
    switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)#
     

    Defines an ERSPAN source session using the session ID and the session type, and places the command in ERSPAN monitor source session configuration mode.

    The span-session-number argument range is from 1 to 1024. The same session number cannot be used more than once.

    The session IDs for source sessions are in the same global ID space, so each session ID is globally unique for both session types.

    The session ID (configured by the span-session-number argument) and the session type (configured by the erspan-source keyword) cannot be changed once entered. To change session ID or session type, use the no version of the command to remove the session and then recreate the session through the command with a new session ID or a new session type.

     
    Step 3description erspan_session_description


    Example:
    switch(config-erspan-src)# description source1
          		(Optional)

    Describes the ERSPAN source session.

    The erspan_session_description argument can be up to 240 characters and cannot contain special characters or spaces.

     
    Step 4source interface { ethernet slot/chassis number | portchannel number }


    Example:
    switch(config-erspan-src)# source interface eth 1/1
     

    Associates the ERSPAN source session number with the source ports (1-255).

     
    Step 5source vlan number


    Example:
    switch(config-erspan-src)# source vlan 1
     

    Associates the ERSPAN source session number with the VLANs (1-4096).

     
    Step 6source vsan number


    Example:
    switch(config-erspan-src)# source vsan 1
     

    On Cisco Nexus 5000 Series switches, specifies the VSAN ID number. The range is 1 to 4093. On Cisco Nexus 5500 Series switches, you cannot configure source VSANs.

     

    Step 7destination ip ip-address


    Example:
    switch(config-erspan-src)# destination ip 192.0.2.2
     

    Configures the destination IP address in the ERSPAN session. Only one destination IP address is supported per ERSPAN source session.

     
    Step 8erspan-id flow-id


    Example:
    switch(config-erspan-src)# erspan-id 5
     

    Configures the flow ID to identify the ERSPAN flow. The range is from 1 to 1023.

     
    Step 9vrf {vrf-name | default }


    Example:
    switch(config-erspan-src)# vrf default
     

    Configures the VRF to use instead of the global routing table. You can use a VRF that you have specifically configured or the default VRF.

     
    Step 10ip ttl ttl-number


    Example:
    switch(config-erspan-src)# ip ttl 5
          		(Optional)

    Configures the IP time-to-live (TTL) value of the packets in the ERSPAN traffic. Valid values are from 1 to 255. The default value is 255.

     
    Step 11ip dscp dscp_value


    Example:
    switch(config-erspan-src)# ip dscp 42
          		(Optional)

    Configures the IP Differentiated Services Code Point (DSCP) value of the packets in the ERSPAN traffic. Valid values are from 0 to 63. The default value is 0.

     
    Step 12no shut


    Example:
    switch(config-erspan-src)# no shut
     
    Enables the ERSPAN source session. By default, the session is created in the shut state.
    Note   

    On Cisco Nexus 5000 Series switches, only two ERSPAN source sessions can be running simultaneously. On Cisco Nexus 5500 Series switches, up to four source sessions can be running simultaneously.

     
    Step 13exit


    Example:
    switch(config-erspan-src)# exit
switch(config)# exit
     

    Updates the configuration and exits ERSPAN source session configuration mode.

     
    Step 14copy running-config startup-config


    Example:
    switch(config-erspan-src)# copy running-config startup-config
          		(Optional)

    Copies the running configuration to the startup configuration.

     

    Configuring a Source Rate Limit for an ERSPAN Session

    Depending upon the platform, each TCAM region might have a different minimum/maximum/aggregate size restriction. The default size of the EFP TCAM for IPv4 Egress VACL (e-vacl) is 512 and Egress RACL (e-racl) is 512.

    To enable the ERSPAN rate-limit feature, you must carve e-racl TCAM region to program TCAM entry in the EFP TCAM to match on ERSPAN mirror copy traffic and provide policer result with the new configured rate-limit. If the default values of the egress TCAM are not changed or if the e-racl region has a non-zero value, then you need not explicitly carve TCAM to enable ERSPAN egress rate-limit feature. However, if the e-racl region was carved to be zero earlier then you must resize other TCAM regions to allocate entries for e-racl region. After TCAM carving, you must save the configuration and reload the switch.

    Procedure
       Command or ActionPurpose
      Step 1configure terminal


      Example: 
      switch# config t
switch(config)#
       

      Enters global configuration mode.

       
      Step 2monitor session {session-number | all} type erspan-source


      Example: 
      switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)#
       

      Configures an ERSPAN source session.

       
      Step 3 hardware profile tcam region {arpacl | {ipv6-e-racl | e-racl} | ifacl | ipsg | {ipv6-qos | qos} |qoslbl | {ipv6-racl | racl} | vacl } tcam_size
       

      Changes the ACL TCAM region size.

      • arpacl—Configures the size of the Address Resolution Protocol (ARP) ACL (ARPACL) TCAM region.

      • e-racl—Configures the size of the egress router ACL (ERACL) TCAM region.

      • e-vacl—Configures the size of the egress VLAN ACL (EVACL) TCAM region.

      • ifacl—Configures the size of the interface ACL (ifacl) TCAM region. The maximum number of entries is 1500.

      • ipsg—Configures the size of the IP Source Guard (IPSG) TCAM region.

      • qos—Configures the size of the quality of service (QoS) TCAM region.

      • qoslbl—Configures the size of the QoS Label (qoslbl) TCAM region.

      • racl—Configures the size of the router ACL (RACL) TCAM region.

      • vacl—Configures the size of the VLAN ACL (VACL) TCAM region.

      • tcam_size—TCAM size. The range is from 0 to 2,14,74, 83, 647 entries.

      Note   

      vacl and e-vacl TCAM regions should be set to the same size. You must carve e-racl regions with non-zero TCAM values.

       
      Step 4copy running-config startup-config


      Example: 
      switch(config)# copy running-config startup-config
       

      Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

       
      Step 5switch(config)# show hardware profile tcam region


      Example: 
      switch(config)# show hardware profile tcam region
       

      Displays the TCAM sizes that will be applicable on the next reload of the switch.

       
      Step 6switch(config)# reload


      Example: 
      switch(config)# reload
       

      Copies the running configuration to the startup configuration.

      Note   

      The new size values are effective only upon the next reload after saving the copy running-config to startup-config.

       
      Step 7switch(config)# hardware rate-limit erspan-egress


      Example: 
      switch(config)# hardware rate-limit erspan-egress 1000 kbps
       

      Specifies the ERSPAN egress rate-limit.

       
      Step 8switch(config)# show hardware rate-limit erspan-egress


      Example: 
      switch(config)# show hardware rate-limit erspan-egress
       

      Displays the configured ERSPAN egress rate-limit and also the permitted and dropped ERSPAN traffic statistics.

       
      Step 9switch(config)# clear hardware rate-limit erspan-egress statistics


      Example: 
      switch(config)# clear hardware rate-limit erspan-egress statistics
       

      Clears the currently permitted and dropped ERSPAN traffic statistics.

       

      The following example shows how to change the size of the e-VACL region: 

      switch(config)# hardware profile tcam region e-vacl 256 
[SUCCESS] New tcam size will be applicable only at boot time. 
You need to 'copy run start' and 'reload'

switch(config)# copy running-config startup-config 
switch(config)# reload 
WARNING: This command will reboot the system 
Do you want to continue? (y/n) [n] y

      The following example shows how to configure ERSPAN rate-limit: 

      switch# configure terminal
switch(config)# hardware rate-limit erspan-egress 1000 kbps

      Configuring an Origin IP Address for ERSPAN Packets

      You must configure an IP address to be used as the source of the ERSPAN traffic.

      Procedure
         Command or ActionPurpose
        Step 1configure terminal


        Example: 
        switch# configure terminal
switch(config)#
         

        Enters global configuration mode.

         
        Step 2monitor erspan origin ip-address ip_address


        Example:
        switch(config)# monitor erspan origin
ip-address 192.0.2.1
         

        Configures an IP address to be used as the source of the ERSPAN traffic.

         
        Step 3exit


        Example:
        switch(config-erspan-src)# exit
         

        Updates the configuration and exits ERSPAN source session configuration mode.

         
        Step 4copy running-config startup-config


        Example: 
        switch(config)# copy running-config startup-config
                  		(Optional)

        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

         

        Configuring Truncated ERSPAN

        You can configure an MTU size for the ERSPAN traffic to reduce the amount of fabric or network bandwidth used in sending ERSPAN packets.

        Procedure
           Command or ActionPurpose
          Step 1 enable


          Example: 
          switch> enable
           

          Enables privileged EXEC mode. Enter your password if prompted.

           
          Step 2configure terminal


          Example: 
          switch# configure terminal
switch(config)#
           

          Enters global configuration mode.

           
          Step 3monitor session erspan_session_number type {erspan-source | local}


          Example:
          switch(config)# monitor session 1 type
erspan-source
switch(config-erspan-src)#
           

          Defines an ERSPAN source session using the session ID and the session type, and places the command in ERSPAN monitor source session configuration mode.

          The span-session-number argument range is from 1 to 1024. The same session number cannot be used more than once.

          The session IDs for source sessions are in the same global ID space, so each session ID is globally unique for both session types.

          The session ID (configured by the span-session number argument) and the session type (configured by the erspan-source keyword) cannot be changed once entered. To change session ID or session type, use the no version of the command to remove the session and then re-create the session through the command with a new session ID or a new session type.

           
          Step 4mtu mtu-value


          Example:
          switch(config-erspan-src)# mtu 64
           

          Defines the maximum transmission unit (MTU) truncation size for ERSPAN packets. Valid values are from 64 to 1518.

          The default is no truncation enabled.

           
          Step 5exit


          Example:
          switch(config-mon-erspan-src)# exit
           

          Updates the configuration and exits ERSPAN source session configuration mode.

           
          Step 6copy running-config startup-config


          Example: 
          switch(config)# copy running-config startup-config
                      		(Optional)

          Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

           

          Shutting Down or Activating an ERSPAN Session

          You can shut down ERSPAN sessions to discontinue the copying of packets from sources to destinations. Because only a specific number of ERSPAN sessions can be running simultaneously, you can shut down a session to free hardware resources to enable another session. By default, ERSPAN sessions are created in the shut state.

          You can enable ERSPAN sessions to activate the copying of packets from sources to destinations. To enable an ERSPAN session that is already enabled but operationally down, you must first shut it down and then enable it. You can shut down and enable the ERSPAN session states with either a global or monitor configuration mode command.

          Procedure
             Command or ActionPurpose
            Step 1configuration terminal


            Example: 
            switch# configuration terminal
switch(config)#
             

            Enters global configuration mode.

             
            Step 2 monitor session {session-range | all} shut


            Example: 
            switch(config)# monitor session 3 shut
             

            Shuts down the specified ERSPAN sessions. The session range is from 1 to 48. By default, sessions are created in the shut state.

            Note   

            • In Cisco Nexus 5000 and 5500 platforms, two sessions can run simultaneously.

            • In Cisco Nexus 5600 and 6000 platforms, 16 sessions can run simultaneously.

             
            Step 3no monitor session {session-range | all} shut


            Example: 
            switch(config)# no monitor session 3 shut
             
            Resumes (enables) the specified ERSPAN sessions. The session range is from 1 to 48. By default, sessions are created in the shut state. Only two sessions can be running at a time.
            Note   

            If a monitor session is enabled but its operational status is down, then to enable the session, you must first specify the monitor session shut command followed by the no monitor session shut command.

             
            Step 4monitor session session-number type erspan-source


            Example: 
            switch(config)# monitor session 3 type erspan-source
switch(config-erspan-src)#
             

            Enters the monitor configuration mode for the ERSPAN source type. The new session configuration is added to the existing session configuration.

             
            Step 5monitor session session-number type erspan-destination


            Example: 
            switch(config-erspan-src)# monitor session 3 type erspan-destination
             

            Enters the monitor configuration mode for the ERSPAN destination type.

             
            Step 6shut


            Example: 
            switch(config-erspan-src)# shut
             

            Shuts down the ERSPAN session. By default, the session is created in the shut state.

             
            Step 7no shut


            Example: 
            switch(config-erspan-src)# no shut
             

            Enables the ERSPAN session. By default, the session is created in the shut state.

             
            Step 8show monitor session all


            Example: 
            switch(config-erspan-src)# show monitor session all
                          		(Optional)

            Displays the status of ERSPAN sessions.

             
            Step 9show running-config monitor


            Example: 
            switch(config-erspan-src)# show running-config monitor
                          		(Optional)

            Displays the running ERSPAN configuration.

             
            Step 10show startup-config monitor


            Example: 
            switch(config-erspan-src)# show startup-config monitor
                          		(Optional)

            Displays the ERSPAN startup configuration.

             
            Step 11copy running-config startup-config


            Example: 
            switch(config-erspan-src)# copy running-config startup-config
                          		(Optional)

            Copies the running configuration to the startup configuration.

             

            Verifying the ERSPAN Configuration

            Use the following command to verify the ERSPAN configuration information:

            Command

            Purpose

            show monitor session {all | session-number | range session-range}

            Displays the ERSPAN session configuration.

            show running-config monitor

            Displays the running ERSPAN configuration.

            show startup-config monitor

            Displays the ERSPAN startup configuration.

            Configuration Examples for ERSPAN

            Configuration Example for an ERSPAN Source Session

            The following example shows how to configure an ERSPAN source session: 

            switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)# description source1
switch(config-erspan-src)# source interface ethernet 1/1
switch(config-erspan-src)# source vlan 1
switch(config-erspan-src)# source vsan 1
switch(config-erspan-src)# destination ip 192.0.2.2
switch(config-erspan-src)# erspan-id 1
switch(config-erspan-src)# vrf default
switch(config-erspan-src)# ip ttl 5
switch(config-erspan-src)# ip dscp 5
switch(config-erspan-src)# no shut
switch(config-erspan-src)# exit
switch(config)# copy running-config startup config
            switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)# description source1
switch(config-erspan-src)# source interface ethernet 1/1
switch(config-erspan-src)# source vlan 1
switch(config-erspan-src)# source vsan 1
switch(config-erspan-src)# destination ip 192.0.2.2
switch(config-erspan-src)# erspan-id 1
switch(config-erspan-src)# vrf default
switch(config-erspan-src)# ip ttl 5
switch(config-erspan-src)# ip dscp 5
switch(config-erspan-src)# no shut
switch(config-erspan-src)# exit
switch(config)# copy running-config startup config

            Configuration Example for an IP Address as the Source for an ERSPAN Session

            This example shows how to configure an IP address as the source for an ERSPAN session:

            switch# configure terminal
switch(config)# monitor erspan origin ip-address 192.0.2.1
switch(config)#  exit
switch(config)# copy running-config startup config

            Configuration Example for Truncated ERSPAN

            This example shows how to configure truncated ERSPAN:

            switch# configure terminal
switch(config)# monitor session 1 type erspan-source
switch(config-erspan-src)# mtu 64
switch(config-mon-erspan-src)# exit
switch(config)# copy running-config startup config

            Additional References

            Related Documents

            Related Topic

            Document Title

            ERSPAN commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

            Cisco Nexus NX-OS System Management Command Reference for your platform.