Encapsulated Remote Switch Port Analyzer (ERSPAN) monitors traffic in one network area and uses Layer 3 routing to carry the SPAN traffic to a network traffic analyzer in a different network area. The configuration is almost the same as for local SPAN and RSPAN port mirroring. However, since the traffic is routed to a different IP network, a few configuration commands are added to enable this functionality.
ERSPAN Configuration
To configure ERSPAN, the example topology below will be used. Both the source and destination will be configured.
The following command is entered to configure the source:
monitor session <span-session-number> type erspan-source
This command specifies the session number and the erspan-source session type. A description can also be configured to indicate the session’s purpose. Then, the source is specified using the command:
source {interface <type number> | vlan <vlan-ID>} [ , | - | both | rx | tx ]
If the source port is a trunk interface, filter based on the specific VLAN to be used as a source using the command:
filter {ip {standard-access-list | expanded-access-list | acl-name} | ipv6 {access-group <acl-name>} | vlan <vlan-ID>}
Finally, enable the session using the ‘no shutdown’ command to guarantee it is active. For Router1’s ERSPAN session, the configuration will be as follows:
Router1(config)#monitor session 1 type erspan-source
Router1(config-mon-erspan-src)#description SOURCE
Router1(config-mon-erspan-src)#source interface GigabitEthernet0/0/1 rx
Router1(config-mon-erspan-src)#no shutdown
Router1(config-mon-erspan-src)#
Router1(config-mon-erspan-src)#destination
Router1(config-mon-erspan-src-dst)#erspan-id 10
Router1(config-mon-erspan-src-dst)#ip address 172.16.30.254
Router1(config-mon-erspan-src-dst)#origin ip address 172.16.20.10
To configure the destination, enter the ‘destination’ command. The destination session also has a unique identifier specified by the command ‘erspan-id <erspan-ID>’. Next, enter the destination IP address for the session, where the traffic will be sent to be analyzed.
Then, the origin IP address or the source of the ERSPAN traffic will be specified. The command used is ‘origin ip address <ip-address>’. A ToS or TTL can also be assigned to the ERSPAN traffic using the ‘erspan {tos <tos-value> | ttl <ttl-value>}’ command in global configuration mode.
For Router2, the session type will be erspan-destination, and the source will be configured using the ‘source’ command:
Router2(config)#monitor session 1 type erspan-destination
Router2(config-mon-erspan-dst)#description DESTINATION
Router2(config-mon-erspan-dst)#no shutdown
Router2(config-mon-erspan-dst)#destination interface GigabitEthernet0/0/1
Router2(config-mon-erspan-dst)#source
Router2(config-mon-erspan-dst-src)#erspan-id 10
Router2(config-mon-erspan-dst-src)#ip address 172.16.30.254
The following commands can be used to verify the configured sessions:
Router1#show monitor session erspan-source session
Type: ERSPAN Source Session
Status: Admin Enabled
Source Ports :
    RX Only: Gig0/0/1
Destination IP Address: 172.16.30.254
Destination ERSPAN ID: 10
Origin IP Address: 172.16.10.10
Router2#show monitor session 1
Session 1
---------
Type: ERSPAN Destination Session
Status: Admin Enabled
Destination Ports: Gig0/0/1
Source IP Address: 172.16.30.254
Source ERSPAN ID: 10
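The following Python script is an added example, not part of the original article or of any Cisco tooling. It cross-checks the Router1 and Router2 sessions configured above: the session types, the erspan-id, the ip address used on both ends, the origin address, and ‘no shutdown’. The helper names parse_session and check_pair are hypothetical.

```python
import re

# Session configuration as entered on Router1 and Router2 on this page.
ROUTER1 = """\
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0/1 rx
 no shutdown
 destination
  erspan-id 10
  ip address 172.16.30.254
  origin ip address 172.16.20.10
"""
ROUTER2 = """\
monitor session 1 type erspan-destination
 no shutdown
 destination interface GigabitEthernet0/0/1
 source
  erspan-id 10
  ip address 172.16.30.254
"""
PATTERNS = {
    "type": r"monitor session \d+ type (erspan-\w+)",
    "erspan_id": r"erspan-id (\d+)",
    "ip": r"ip address (\S+)",
    "origin": r"origin ip address (\S+)",
}

def parse_session(config):
    """Pull out the fields that tie the two ends of an ERSPAN session together."""
    lines = [line.strip() for line in config.splitlines()]
    session = dict.fromkeys(PATTERNS)
    session["enabled"] = "no shutdown" in lines
    for line in lines:
        for key, pattern in PATTERNS.items():
            if match := re.fullmatch(pattern, line):
                session[key] = match.group(1)
    return session

def check_pair(src_cfg, dst_cfg):
    """Return findings for a source/destination pair; an empty list means they line up."""
    src, dst = parse_session(src_cfg), parse_session(dst_cfg)
    checks = [
        ((src["type"], dst["type"]) != ("erspan-source", "erspan-destination"),
         "session types are not an erspan-source/erspan-destination pair"),
        (src["erspan_id"] != dst["erspan_id"], "erspan-id differs between the two ends"),
        (src["ip"] != dst["ip"], "ip address differs between the two ends"),
        (src["origin"] is None, "source session has no origin ip address"),
        (not (src["enabled"] and dst["enabled"]), "a session is missing 'no shutdown'"),
    ]
    return [message for failed, message in checks if failed]
```

Calling check_pair(ROUTER1, ROUTER2) returns an empty list for the configuration on this page; changing the erspan-id or removing ‘no shutdown’ on either side produces a finding.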