Traffic Mirroring using ERSPAN
Overview
Encapsulated Remote Switched Port Analyzer (ERSPAN) is a function used for monitoring network traffic. Using ERSPAN, you can mirror traffic from one or more ports or VLANs on a network switch and send the mirrored traffic to a remote monitoring device for analysis.
ERSPAN encapsulates mirrored traffic with Generic Routing Encapsulation (GRE) and, in addition, ERSPAN headers to send over an IP network.
Traffic mirroring protocols such as Switched Port Analyzer (SPAN) and Remote Switched Port Analyzer (RSPAN) in OcNOS allow traffic analysis within the same domain. ERSPAN aims to overcome this limitation by routing the traffic to any destination on the network.
Feature Characteristics
The main characteristics of ERSPAN are as follows:
• Transports mirrored traffic from the source to the destination over Layer 3 IP network.
• Monitors ingress, egress, or both ingress and egress traffic.
• Sends mirrored traffic to remote monitoring device for analysis without being restricted by Layer 2 boundaries.
• Supports filters on ingress traffic providing capability to filter the traffic to be mirrored.
• Supports Type 1 and Type 3 ERSPAN, with Type 1 as the default.
Supported Hardware
• XGS platforms - TD3, TH/TH2
Limitations
The following encapsulations are not supported:
• Type 1 IPv6
• Type 3 IPv4 - egress traffic mirroring
• Type 3 IPv6
Prerequisites
Before configuration, ensure the IP address is available for:
• Destination of the ERSPAN tunnel.
• Origin of the ERSPAN tunnel.
Configuration
The following configuration enables a sender session to send packets to the destination over ERSPAN tunnels.
Topology
The topology shown here consists of Hosts H1 and H2, a Sender node R1 and a Receiver node R2.
The sender node forwards ERSPAN traffic to the receiver node. An ERSPAN tunnel is created between R1 and R2 over interface ge3.
R1 collects the traffic received or sent over one or more interfaces (such as ge1 and/or ge2), mirrors the collected traffic, encapsulates the packets inside ERSPAN and sends them to the IP address on R2.
R2 is configured to receive ERSPAN encapsulated packets.
ERSPAN Topology
The configuration is done in two stages:
2. Configure ERSPAN sender session using the ERSPAN destination
Configure ERSPAN destination
1. Enter configure mode and set a name for the ERSPAN destination.
R1(config-router)#monitor destination erspan erspan_dest_1
R1(config-erspan-dst)#
2. Configure the destination IPv4/IPv6 where the ERSPAN packets will be forwarded.
R1(config-erspan-dst)#dest-ip 172.16.12.2
3. Set the origin IPv4/IPv6 of the ERSPAN tunnel.
R1(config-erspan-dst)#origin-ip 172.16.12.1
4. The below parameters are optional. If not specified, the default values are used for each parameter.
• Set the VRF where the ERSPAN tunnel will be created. If not specified, value default will be used.
R1(config-erspan-dst)#vrf default
• Set the TTL value to be used at the outer IP layer. If not specified, value 255 will be used.
R1(config-erspan-dst)#ttl 50
• Set the DSCP value to be used at the outer IP layer. If not specified, value 0 will be used.
R1(config-erspan-dst)#dscp 211
• Enable the packet truncation when mirroring to the ERSPAN destination. When this flag is set, the original packet is truncated to 192 bytes and then encapsulated in ERSPAN. By default, truncation is not enabled.
R1(config-erspan-dst)#enable-truncate
Note: Packet truncation is not supported on TH and TH2 platforms.
• Set the ERSPAN tunnel to Type 1 or Type 3. If not specified, value 1 will be used.
R1(config-erspan-dst)#erspan-type 1
• Set the ERSPAN ID to be used in the ERSPAN session. This is relevant for type 3 only. If not specified, value 0 is used.
R1(config-erspan-dst)#erspan-id 100
• Set a Hardware ID value between 0 to 63. This parameter is relevant for type 3 only. If not specified, value 0 is used.
R1(config-erspan-dst)#hardware-id 45
• Set a Switch ID value between 0 to 511. This parameter is relevant for type 3 only. If not specified, value 0 is used.
R1(config-erspan-dst)#switch-id 110
• Commit the changes.
R1(config-erspan-dst)#commit
Configure ERSPAN sender session
1. Enter configure mode and create a sender session with ID 1. Optionally, you can enter a description for the session (containing a maximum of 32 characters).
R1(config)#monitor session 1 type erspan-sender
R1(config-monitor)#description R1 ERSPAN sender
2. Configure the ERSPAN destination for the session using the name of the destination that has been created previously.
R1(config-monitor)#destination erspan erspan_dest_1
3. Optionally, add sources such as source VLAN and/or source interface to the sessions. For example, the command source interface configures the monitored source interface and the direction of the traffic to be monitored. If not specified, both ingress and egress traffic are monitored.
R1(config-monitor)#source interface ce51 rx
4. Enable the configured session on the interface.
no shut
ERSPAN Snippet Configuration
To verify the configuration and view the overall commands, use the show running-config monitor command.
R1#show running-config monitor
monitor destination erspan erspan_dest_1
dest-ip 23.1.1.2
vrf default
origin-ip 69.69.69.69
ttl 211
dscp 50
enable-truncate
erspan-type 1
!
monitor session 1 type erspan-sender
description R1 ERSPAN sender
source interface ce51 rx
destination erspan erspan_dest_1
no shut
Validation
To verify the ERSPAN configuration, check the output of the show monitor session 1 command.
#show monitor session 1
session 1
---------------
description : R1 ERSPAN sender
type : ERSPAN Sender
state : up
source intf :
tx :
rx : ge1
both :
source VLANs :
rx :
destination ERSPAN: erspan_dest_1
ERSPAN Type : 1
Dest IP addr : 172.16.12.2
Origin IP addr: 172.16.12.1
Dest VRF : default
ERSPAN ID : 0
DSCP : 50
TTL : 211
pkt truncate : Enabled
NextHop addr : 172.16.12.2
NextHop intf : ge3
filter count :
Legend: f = forwarding enabled, l = learning enabled
Sender#
CLI Commands
The ERSPAN feature introduces the following configuration commands.
destination ERSPAN
Use this command to configure the ERSPAN destination for an ERSPAN sender session. The destination must be already created using the command monitor destination erspan.
Use no form of this command to remove the ERSPAN destination from the session.
Command Syntax
destination erspan NAME
no destination erspan
Parameters
NAME | ERSPAN destination name mentioned in the command monitor destination erspan |
Default
No default value is specified
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to configure the ERSPAN destination.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#dest-ip 172.16.12.2
(config-erspan-dst)#origin-ip 172.16.12.1
(config-erspan-dst)#exit
(config)#monitor session 1 type erspan-sender
(config-monitor)#destination erspan erspan_dest_1
(config-monitor)#no destination erspan
ERSPAN origin ip
Use this command to set the origin IPv4/IPv6 of the ERSPAN tunnel.
Use no form of this command to unset the origin IPv4/IPv6 of the ERSPAN tunnel.
Command Syntax
origin-ip A.B.C.D/X:X::X:X
no origin-ip
Parameters
A.B.C.D/X:X::X:X | Origin IPv4/IPv6 address of the ERSPAN tunnel |
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the origin IPv4/IPv6 of the ERSPAN tunnel.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#origin-ip 172.16.12.1
(config-erspan-dst)#commit
(config-erspan-dst)#no origin-ip
(config-erspan-dst)#commit
ERSPAN destination ip
Use this command to set the destination IPv4/IPv6 of the ERSPAN tunnel.
Use no form of this command to unset the destination IPv4/IPv6 of the ERSPAN tunnel.
Command Syntax
dest-ip A.B.C.D/X:X::X:X
no dest-ip
Parameters
A.B.C.D/X:X::X:X | Destination IPv4/IPv6 address of the ERSPAN tunnel |
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the destination IPv4/IPv6 of the ERSPAN tunnel.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#dest-ip 172.16.12.1
(config-erspan-dst)#commit
(config-erspan-dst)#no dest-ip
(config-erspan-dst)#commit
ERSPAN vrf
Use this command to set the VRF where the ERSPAN tunnel will be created.
Use no form of this command to reset the VRF to default.
Command Syntax
vrf VRF_NAME
no vrf
Parameters
VRF_NAME | VRF name where the ERSPAN tunnel will be created |
Default
Default
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the VRF where the ERSPAN tunnel will be created.
((config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#vrf custom_vrf_1
(config-erspan-dst)#commit
(config-erspan-dst)#no vrf
(config-erspan-dst)#commit
ERSPAN ip ttl
Use this command to set the Time To Live (TTL) value to use at the outer IP layer. This is an optional parameter that uses TTL value 255, if not specified.
Use no form of this command to reset the TTL value to 255.
Command Syntax
ttl <1-255>
no ttl
Parameters
<1-255> | TTL value to be used |
Default
Value 255
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the TTL value to use at the outer IP layer.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#ttl 25
(config-erspan-dst)#commit
(config-erspan-dst)#no ttl
(config-erspan-dst)#commit
ERSPAN ip dscp
Use this command to set the Differentiated Services Code Point (DSCP) value to use at the outer IP layer. This is an optional parameter that uses DSCP value 0, if not specified.
Use no form of this command to reset the DSCP value to 0.
Command Syntax
dscp <0-63>
no dscp
Parameters
<0-63> | DSCP value to be used |
Default
Value 0
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the DSCP value to use at the outer IP layer.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#dscp 42
(config-erspan-dst)#commit
(config-erspan-dst)#no dscp
(config-erspan-dst)#commit
ERSPAN enable truncate
Use this command to enable packet truncation when mirroring to the ERSPAN destination. When this flag is set, the original packet is truncated to 192 bytes and then encapsulated in ERSPAN.
Use no form of this command to disable packet truncate.
Command Syntax
enable-truncate
no enable-truncate
Parameters
None
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to enable the packet truncation.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#enable-truncate
(config-erspan-dst)#commit
(config-erspan-dst)#no enable-truncate
(config-erspan-dst)#commit
ERSPAN type
Use this command to set the ERSPAN tunnel to Type 1 or Type 3. Note that ERSPAN Type 2 is not supported on XGS TD3 and TH/TH2 boards.
Use no form of this command to reset the ERSPAN type to the default value.
Command Syntax
erspan-type (1|3)
no erspan-type
Parameters
1 | Use ERSPAN Type 1 |
3 | Use ERSPAN Type 3 |
Default
Type 1
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the ERSPAN tunnel.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#erspan-type 3
(config-erspan-dst)#commit
(config-erspan-dst)#no erspan-type
(config-erspan-dst)#commit
ERSPAN id
Use this command to set the ERSPAN ID to be used in the ERSPAN session. This is only relevant for ERSPAN Type 3. This is an optional parameter and the ERSPAN ID 0 is used, if not specified.
Use no form of this command to reset the value to 0.
Command Syntax
erspan-id (1-1023)
no erspan-id
Parameters
<1-1023> | ERSPAN ID to be used |
Default
Value 0
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the ERSPAN ID.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#erspan-id 33
(config-erspan-dst)#commit
(config-erspan-dst)#no erspan-id
(config-erspan-dst)#commit
ERSPAN hardware id
Use this command to set the Hardware ID to be used. This is only relevant for ERSPAN Type 3.
Use no form of this command to reset the value to 0.
Command Syntax
hardware-id (0-63)
no hardware-id
Parameters
<1-63> | Hardware ID to be used |
Default
Value 0
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the Hardware ID.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#hardware-id 12
(config-erspan-dst)#commit
(config-erspan-dst)#no hardware-id
(config-erspan-dst)#commit
ERSPAN switch id
Use this command to set value for the Switch ID to be used. This is only relevant for ERSPAN Type 3.
Use no form of this command to reset the value to 0.
Command Syntax
switch-id (0-1023)
no switch-id
Parameters
<1-1023> | Switch ID to be used |
Default
Value 0
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 6.6.0.
Example
The following sequence of commands is used to set the Switch ID.
(config)#monitor destination erspan erspan_dest_1
(config-erspan-dst)#switch-id 112
(config-erspan-dst)#commit
(config-erspan-dst)#no switch-id
(config-erspan-dst)#commit
The below commands have been revised for ERSPAN. For more details, refer to the Traffic Mirroring Commands chapter.
• show monitor session - Example section
Glossary
The following table provides definitions for key terms or abbreviations and their meanings used throughout this document:
Key Terms/Acronym | Description |
Switched Port Analyzer (SPAN) | A protocol that monitors the traffic on source port and sends a copy of the traffic to a destination port. |
Remote Switched Port Analyzer (RSPAN) | A protocol that monitors the traffic distributed over multiple switches from the source ports. |
Time to Live (TTL) | A limit on how long a piece of information can exist before it should be discarded. |
Differentiated Services Code Point (DSCP) | A six-bit field in an IP header that enables allocation of resources on a per-packet basis. |
Virtual Routing and Forwarding (VRF) | A technology that allows multiple data structures to co-exist within the same router at the same time. |