In this article we will discuss the Encapsulated Remote Switched Port Analyzer (ERSPAN) feature that can be configured on Cisco devices.

The ERSPAN feature allows you to monitor traffic on one or more ports, or one or more VLANs, and send the monitored traffic to one or more destinations where a network analyser can do deeper packet inspection.

There are two types of ERSPAN sessions:

  • Source sessions
  • Destination sessions

The source ERSPAN copies the packets from the source ports or VLANs and then forwards them encapsulated as GRE packets to the ERSPAN destination session. The destination ERSPAN then switches the traffic to the destination ports.

Below we will discuss a source ERSPAN session that has the following parameters:

  • Session ID
  • Source ports or VLANs
  • ERSPAN ID
  • Destination and source IP
  • Optionally TTL, IP Precedence or DSCP

So let’s start with the topology:

In our topology, the network analyser is in the same subnet as the device doing the ERSPAN, but they could be in different subnets, because the mirrored packets are sent over IP networks.

We have reachability between R1 and R3, and this will be our test to confirm that the packets are sent to the network analyser from R2. Static routes are configured for reachability so that no other packets (like routing protocol updates and hellos) cross the links:

R-1#ping 10.10.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.23.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/5/15 ms
R-1#

As mentioned, we will do a source ERSPAN and this is the basic configuration that you need to have in place on R2 to configure the feature.

In this case, we will mirror all the packets entering and leaving GigabitEthernet2. The network analyser IP address is specified, as well as the source IP address from which the mirrored packets will be sent:

R-2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R-2(config)#monitor session 1 type erspan-source
R-2(config-mon-erspan-src)#destination
R-2(config-mon-erspan-src-dst)#erspan-id 1
R-2(config-mon-erspan-src-dst)#ip address 172.30.158.248
R-2(config-mon-erspan-src-dst)#origin ip address 172.30.158.250
R-2(config-mon-erspan-src-dst)#exit
R-2(config-mon-erspan-src)#source interface GigabitEthernet2
R-2(config-mon-erspan-src)#no shutdown
R-2(config-mon-erspan-src)#end
R-2#

Once this is configured, you can check the ERSPAN session status:

R-2#show monitor session 1
Session 1
---------
Type                   : ERSPAN Source Session
Status                 : Admin Enabled
Source Ports           :
    Both               : Gi2
Destination IP Address : 172.30.158.248
Destination ERSPAN ID  : 1
Origin IP Address      : 172.30.158.250


R-2#

As you can see, if you don’t specify a direction, the router will assume that you want to mirror the packets in both directions by default.

Also, you can see details about the operations of the ERSPAN session:

R-2#show monitor session 1 detail
Session 1
---------
Type                   : ERSPAN Source Session
Status                 : Admin Enabled
Description            : -
Source Ports           :
    RX Only            : None
    TX Only            : None
    Both               : Gi2
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source EFPs            :
    RX Only            : None
    TX Only            : None
    Both               : None
Destination Ports      : None
Filter VLANs           : None
Source IP Address      : None
Source IP VRF          : None
Source ERSPAN ID       : None
Destination IP Address : 172.30.158.248
Destination IP VRF     : None
MTU                    : None
Destination ERSPAN ID  : 1
Origin IP Address      : 172.30.158.250
IP QOS PREC            : 0
IP TTL                 : 255


R-2#

After sending five ICMP packets from R1 to R3, we can see that 10 packets were mirrored on the remote device (five echo requests and five echo replies, since both directions are mirrored):

Let’s see the headers of one packet. You’ll notice we have the encapsulating headers that were added when the mirroring device (R2) sent the packets to the network analyser.

Then we have the GRE and the ERSPAN headers and finally, the original packet sent from R1 to R3:

Let’s expand the GRE and the ERSPAN headers:

You can mirror the packets with granularity and also modify the TTL and IP precedence or DSCP of the packets when they are sent to the network analyser host.

Let’s change the configuration of GigabitEthernet2 between R1 and R2 and make it a trunk with VLANs 100, 101 and 102. This would be the configuration of the interface on R2:

interface GigabitEthernet2
 no ip address
 negotiation auto
!
interface GigabitEthernet2.100
 encapsulation dot1Q 100
 ip address 10.10.100.2 255.255.255.0
!
interface GigabitEthernet2.101
 encapsulation dot1Q 101
 ip address 10.10.101.2 255.255.255.0
!
interface GigabitEthernet2.102
 encapsulation dot1Q 102
 ip address 10.10.102.2 255.255.255.0
!

Using the same ERSPAN configuration, let’s send one ICMP packet from R1 towards R2 on each VLAN:

R-1#ping 10.10.100.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.10.100.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 3/3/3 ms
R-1#ping 10.10.101.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.10.101.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 2/2/2 ms
R-1#ping 10.10.102.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.10.102.2, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 1/1/1 ms
R-1#

As expected, six packets will be captured (two for each VLAN):

This would be the packet from VLAN 100 as you can see in the ERSPAN header:

Let’s change a few of the default values of the ERSPAN. We want to mirror only the packets from VLAN 101 and VLAN 102 on interface GigabitEthernet2, and we will change the MTU for the ERSPAN encapsulation. In addition, when the packets are sent to the network analyser, they will have a TTL of 33 (the default is 255) and the IP Precedence will be 5:

R-2(config)#monitor session 1
R-2(config-mon-erspan-src)#filter vlan 101
R-2(config-mon-erspan-src)#filter vlan 102
R-2(config-mon-erspan-src)#destination
R-2(config-mon-erspan-src-dst)#mtu 9000
R-2(config-mon-erspan-src-dst)#ip ttl 33
R-2(config-mon-erspan-src-dst)#ip prec 5
R-2(config-mon-erspan-src-dst)#end
R-2#

This will be the operation of the ERSPAN:

CSR1000v-2#show monitor session 1
Session 1
---------
Type                   : ERSPAN Source Session
Status                 : Admin Enabled
Source Ports           :
    Both               : Gi2
Filter VLANs      : 101-102
Destination IP Address : 172.30.158.248
MTU                    : 9000
Destination ERSPAN ID  : 1
Origin IP Address      : 172.30.158.250
IP QOS PREC            : 5
IP TTL                 : 33


CSR1000v-2#

Performing the same test by sending an ICMP packet for each of the three VLANs, we will see that we captured only the packets from VLAN 101 and VLAN 102:

On the outer IP header we see that the IP Precedence (Class Selector) is 5 and the TTL is 33:
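
The header stack described earlier (outer IP, GRE, ERSPAN, original packet) and the TTL and IP Precedence values on the outer IP header can also be decoded on the analyser with a short script. This is an added example, not part of the original article: it assumes ERSPAN Type II encapsulation (GRE protocol type 0x88BE with an 8-byte ERSPAN header), which the article does not state, and the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type carrying an ERSPAN Type II header

def parse_erspan(pkt: bytes) -> dict:
    """Decode outer IPv4 + GRE + ERSPAN Type II; pkt starts at the outer IP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 47:
        raise ValueError("not an IPv4 packet carrying GRE")
    off = (pkt[0] & 0x0F) * 4                      # outer IP header length
    if off < 20 or len(pkt) < off + 4:
        raise ValueError("truncated before GRE header")
    flags, proto = struct.unpack_from("!HH", pkt, off)
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN Type II")
    off += 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)  # base, checksum, key
    seq_off = off if flags & 0x1000 else None      # optional GRE sequence number
    off += 4 if flags & 0x1000 else 0
    if len(pkt) < off + 8:
        raise ValueError("truncated before ERSPAN header")
    w1, w2 = struct.unpack_from("!II", pkt, off)   # w2 holds reserved bits and the index
    if w1 >> 28 != 1:
        raise ValueError("ERSPAN version field is not 1 (Type II)")
    return {
        "origin": str(ipaddress.IPv4Address(pkt[12:16])),       # outer source IP
        "destination": str(ipaddress.IPv4Address(pkt[16:20])),  # analyser IP
        "ttl": pkt[8],
        "precedence": pkt[1] >> 5,                 # top three bits of the ToS byte
        "sequence": struct.unpack_from("!I", pkt, seq_off)[0] if seq_off is not None else None,
        "vlan": (w1 >> 16) & 0xFFF,                # VLAN of the mirrored frame
        "erspan_id": w1 & 0x3FF,                   # 10-bit session (ERSPAN) ID
        "inner_frame": pkt[off + 8:],              # the original mirrored frame
    }

def check_mirror(info: dict, origin: str, erspan_id: int, vlans: set) -> list:
    """Return the fields of a decoded packet that do not match the configured session."""
    checks = [("origin", info["origin"] == origin),
              ("erspan_id", info["erspan_id"] == erspan_id),
              ("vlan", info["vlan"] in vlans)]
    return [f"unexpected {name}: {info[name]}" for name, ok in checks if not ok]

def build_sample(vlan: int, origin: str = "172.30.158.250") -> bytes:
    """Constructed sample (not a real capture): TTL 33, precedence 5, ERSPAN ID 1."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 5 << 5, 0, 0, 0, 33, 47, 0,
                     ipaddress.IPv4Address(origin).packed,
                     ipaddress.IPv4Address("172.30.158.248").packed)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 7)   # S bit set, sequence 7
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | 1, 0)
    return ip + gre + erspan + b"\x00" * 14        # placeholder inner Ethernet header
```

Because the GRE/ERSPAN encapsulation carries no authentication, comparing the origin, ERSPAN ID and VLAN of each received packet against the configured session is a cheap sanity check before trusting a capture.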

That covers the basics of ERSPAN. There are a few other types of ERSPAN, but they are variations of the source ERSPAN we discussed. The other types are discussed in the links in the reference section.

To sum up, in this article we saw what ERSPAN is, what it is used for, how to configure it and how to monitor it to confirm it is working properly.

References: