ERSPAN (Encapsulated Remote SPAN) Explained

The Encapsulated Remote Switch Port Analyzer (ERSPAN) allows traffic in one network area to be monitored from another. It uses Layer 3 routing to carry the SPAN traffic to a network traffic analyzer in a different network area. The configuration is almost the same as for local SPAN and RSPAN port mirroring. However, since the traffic is routed to a different IP network, a few configuration commands are added to enable this functionality.

ERSPAN Configuration

To configure ERSPAN, the example topology below will be used. Both the source and destination will be configured.

[Figure: ERSPAN example topology]

The following command is entered to configure the source:

monitor session <span-session-number> type erspan-source

 

This command specifies the session number and the erspan-source session type. A description can also be configured to indicate the session’s purpose. Then, the source is specified using the command:

source {interface <type number> | vlan <vlan-ID>} [ , | - | both | rx | tx ]

 

If the source port is a trunk interface, filter on the specific VLAN to be used as the source with the command:

filter {ip {standard-access-list | expanded-access-list | acl-name} | ipv6 {access-group <acl-name>} | vlan <vlan-ID>}

 

Finally, enable the session using the ‘no shutdown’ command to guarantee it is active. For Router1’s ERSPAN session, the configuration will be as follows:

Router1(config)#monitor session 1 type erspan-source
Router1(config-mon-erspan-src)#description SOURCE
Router1(config-mon-erspan-src)#source interface GigabitEthernet0/0/1 rx
Router1(config-mon-erspan-src)#no shutdown
Router1(config-mon-erspan-src)#
Router1(config-mon-erspan-src)#destination
Router1(config-mon-erspan-src-dst)#erspan-id 10
Router1(config-mon-erspan-src-dst)#ip address 172.16.30.254
Router1(config-mon-erspan-src-dst)#origin ip address 172.16.20.10

 

To configure the destination, enter the ‘destination’ command. The destination session also has a unique identifier, specified by the command ‘erspan-id <erspan-ID>’. Next, enter the destination IP address for the session, which is where the traffic will be sent to be analyzed.

Then, specify the origin IP address, that is, the source of the ERSPAN traffic, with the command ‘origin ip address <ip-address>’. A ToS or TTL can also be assigned to the ERSPAN traffic using the ‘erspan {tos <tos-value> | ttl <ttl-value>}’ command in global configuration mode.

For Router2, the session type will be erspan-destination, and the source will be configured using the ‘source’ command:

Router2(config)#monitor session 1 type erspan-destination
Router2(config-mon-erspan-dst)#description DESTINATION
Router2(config-mon-erspan-dst)#no shutdown
Router2(config-mon-erspan-dst)#destination interface GigabitEthernet0/0/1
Router2(config-mon-erspan-dst)#source
Router2(config-mon-erspan-dst-src)#erspan-id 10
Router2(config-mon-erspan-dst-src)#ip address 172.16.30.254

 

The following commands can be used to verify the configured sessions:

Router1#show monitor session erspan-source session
Type: ERSPAN Source Session
Status: Admin Enabled
Source Ports :
RX Only: Gig0/0/1
Destination IP Address: 172.16.30.254
Destination ERSPAN ID: 10
Origin IP Address: 172.16.10.10

 

Router2#show monitor session 1
Session 1
---------
Type: ERSPAN Destination Session
Status: Admin Enabled
Destination Ports: Gig0/0/1
Source IP Address: 172.16.30.254
Source ERSPAN ID: 10
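
How the three values set on Router1 (erspan-id 10, ip address 172.16.30.254, origin ip address 172.16.20.10) appear on the wire, as an added example that is not part of the original article: a Python decoder an analyzer could use to confirm a received packet belongs to the expected session. It assumes ERSPAN Type II encapsulation (GRE protocol type 0x88BE) over IPv4, which the article does not state; the function names and the sample packet are constructed for illustration.

```python
import socket
import struct

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type for ERSPAN Type II (assumed encapsulation)
IP_PROTO_GRE = 47

def parse_erspan(packet: bytes) -> dict:
    """Decode the outer IPv4, GRE and ERSPAN Type II headers of a mirrored packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer IP protocol is not GRE")
    src, dst = (socket.inet_ntoa(packet[o:o + 4]) for o in (12, 16))
    gre = packet[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol {proto:#06x} is not ERSPAN Type II")
    # Optional GRE fields: checksum (C), key (K), sequence number (S), 4 bytes each
    off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if len(gre) < off + 8:
        raise ValueError("truncated ERSPAN header")
    word1 = struct.unpack("!I", gre[off:off + 4])[0]
    if word1 >> 28 != 1:
        raise ValueError("ERSPAN version is not 1 (Type II)")
    return {
        "origin": src, "destination": dst,
        "vlan": (word1 >> 16) & 0x0FFF,
        "erspan_id": word1 & 0x03FF,   # 10-bit session ID = configured erspan-id
        "inner_frame": gre[off + 8:],  # the mirrored Ethernet frame
    }

def matches_session(info: dict, erspan_id: int, origin: str, destination: str) -> bool:
    """True only if the packet carries the expected erspan-id, origin and destination."""
    return ((info["erspan_id"], info["origin"], info["destination"])
            == (erspan_id, origin, destination))

def build_sample(erspan_id: int, origin: str, destination: str, vlan: int = 0) -> bytes:
    """Constructed test packet (IP checksum left zero, empty inner frame); not a capture."""
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | erspan_id, 0)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 1) + erspan + bytes(14)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, IP_PROTO_GRE, 0,
                     socket.inet_aton(origin), socket.inet_aton(destination))
    return ip + gre
```

A sensor that drops packets failing matches_session() avoids ingesting GRE traffic that merely happens to reach the analyzer's address.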
