This module describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). The Cisco ERSPAN feature allows you to monitor traffic on ports or VLANs and send the monitored traffic to destination ports.
Prerequisites for Configuring ERSPAN
The ERSPAN feature requires IP routing to be enabled in global configuration mode.
Only the IPv4 delivery/transport header is supported.
The access control list (ACL) filter is applied before the monitored traffic is sent on to the tunnel.
Only the Type-II ERSPAN header is supported.
Restrictions for Configuring ERSPAN
The following restrictions apply for this feature:
Destination sessions are not supported.
A device supports up to 66 sessions. A maximum of 8 source sessions can be configured and the remaining sessions can be configured as RSPAN destination sessions. A source session can be a local SPAN source session or an RSPAN source session or an ERSPAN source session.
You can configure either a list of ports or a list of VLANs as a source, but cannot configure both for a given session.
When a session is configured through the ERSPAN CLI, the session ID and the session type cannot be changed. To change them, you must use the no form of the configuration commands to remove the session and then reconfigure the session.
ERSPAN source sessions do not copy locally-sourced Remote SPAN (RSPAN) VLAN traffic from source trunk ports that carry RSPAN VLANs.
ERSPAN source sessions do not copy locally-sourced ERSPAN GRE-encapsulated traffic from source ports.
Information for Configuring ERSPAN
ERSPAN Overview
The Cisco ERSPAN feature allows you to monitor traffic on ports or VLANs, and send the monitored traffic to destination ports. ERSPAN sends traffic to a network analyzer, such as a Switch Probe device or a Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different devices, which helps remote monitoring of multiple devices across a network.
ERSPAN supports encapsulated packets of up to 9180 bytes. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE-encapsulated traffic, and an ERSPAN destination session. You can configure an ERSPAN source session, an ERSPAN destination session, or both on a device. A device on which only an ERSPAN source session is configured is called an ERSPAN source device, and a device on which only an ERSPAN destination session is configured is called an ERSPAN termination device. A device can act as both an ERSPAN source device and a termination device.
For a source port or a source VLAN, ERSPAN can monitor the ingress, egress, or both ingress and egress traffic. By default, ERSPAN monitors all traffic, including multicast and Bridge Protocol Data Unit (BPDU) frames.
An ERSPAN source session is defined by the following parameters:
A session ID
List of source ports or source VLANs to be monitored by the session
The destination and origin IP addresses, which are used as the destination and source IP addresses of the generic routing encapsulation (GRE) envelope for the captured traffic, respectively
ERSPAN flow ID
Optional attributes related to the GRE envelope, such as IP Time to Live (TTL)
Note: ERSPAN source sessions do not copy ERSPAN GRE-encapsulated traffic from source ports. Each ERSPAN source session can have either ports or VLANs as sources, but not both.
Note: Because encapsulation is performed in the hardware, the CPU performance is not impacted.
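The following Python code is an added example, not Cisco code: it shows how an analyzer receiving this traffic can decode the GRE envelope and the Type-II ERSPAN header, then keep only frames from the sessions it expects. It assumes the commonly documented Type-II layout and that the configured ERSPAN flow ID is carried in the 10-bit session ID field; the sample packet and the accept helper are constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE   # GRE protocol type for ERSPAN Type I/II
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # checksum, key, sequence flags

def parse_erspan2(gre: bytes) -> dict:
    """Parse the GRE payload of a mirrored packet (bytes after the IPv4 header)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre, 0)
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"not ERSPAN: GRE protocol 0x{proto:04x}")
    if not flags & GRE_S:
        # Type I has no sequence number and no ERSPAN header at all.
        raise ValueError("GRE sequence bit clear: not a Type-II packet")
    # Skip the optional checksum and key words if their flags are set.
    off = 4 + (4 if flags & GRE_C else 0) + (4 if flags & GRE_K else 0)
    if len(gre) < off + 12:          # 4-byte sequence + 8-byte ERSPAN header
        raise ValueError("truncated ERSPAN Type-II header")
    seq, w0, w1, w2 = struct.unpack_from("!IHHI", gre, off)
    if w0 >> 12 != 1:                # version 1 identifies Type II
        raise ValueError(f"unexpected ERSPAN version {w0 >> 12}")
    return {
        "seq": seq,                  # GRE sequence number (gap = lost mirror data)
        "vlan": w0 & 0x0FFF,         # VLAN of the monitored frame
        "cos": w1 >> 13,
        "truncated": bool(w1 & 0x0400),
        "session_id": w1 & 0x03FF,   # 10 bits; assumed to hold the flow ID
        "index": w2 & 0xFFFFF,       # 20 bits
        "inner_frame": gre[off + 12:],
    }

def accept(pkt: dict, expected_ids: set) -> bool:
    """Keep only mirrored frames whose session ID the analyzer expects."""
    return pkt["session_id"] in expected_ids

# Constructed sample: seq 7, VLAN 100, session ID 42, index 5, dummy inner frame.
INNER = bytes.fromhex("ffffffffffff0200000000010806") + b"\x00" * 28
SAMPLE = struct.pack("!HHIHHI", GRE_S, GRE_PROTO_ERSPAN, 7,
                     (1 << 12) | 100, (3 << 11) | 42, 5) + INNER

if __name__ == "__main__":
    pkt = parse_erspan2(SAMPLE)
    print(pkt["session_id"], pkt["vlan"], accept(pkt, {42}))
```

Tracking the returned sequence number per session lets the analyzer notice gaps in the mirrored stream.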
ERSPAN Sources
The Cisco ERSPAN feature supports the following sources:
Source ports: A source port that is monitored for traffic analysis. Source ports in any VLAN can be configured and trunk ports can be configured as source ports along with nontrunk source ports.
Source VLANs: A VLAN that is monitored for traffic analysis.
The following interfaces are supported as source ports:
GigabitEthernet
PortChannel
TenGigabitEthernet
How to Configure ERSPAN
Configuring an ERSPAN Source Session
The ERSPAN source session defines the session configuration parameters and the ports or VLANs to be monitored.
Procedure
Step 1
Command or Action: enable
Example: Switch> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Step 2
Command or Action: configure terminal
Example: Switch# configure terminal
Purpose: Enters global configuration mode.
Step 3
Command or Action: monitor session span-session-number type erspan-source
Example: Switch(config)# monitor session span-session-number type erspan-source
Purpose: Defines an ERSPAN source session using the session ID and the session type, and enters ERSPAN monitor source session configuration mode.
Session IDs for source sessions or destination sessions are in the same global ID space, so each session ID is globally unique for both session types.
The span-session-number and the session type (configured by the erspan-source keyword) cannot be changed once configured. Use the no form of this command to remove the session and then re-create the session with a new session ID or a new session type.
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for Configuring ERSPAN
Feature Name: ERSPAN
Releases: Cisco IOS XE Denali 16.3.1
Feature Information: This module describes how to configure Encapsulated Remote Switched Port Analyzer (ERSPAN). The Cisco ERSPAN feature allows you to monitor traffic on ports or VLANs and send the monitored traffic to destination ports over a generic routing encapsulation (GRE) tunnel in any VRF.
In Cisco IOS XE Denali 16.3.1, this feature was introduced on Cisco Catalyst 3650 Series Switches and Cisco Catalyst 3850 Series Switches.
The following commands were introduced or modified: destination (ERSPAN), erspan, filter (ERSPAN), and show capability feature monitor.