ERSPAN 1) stands for Encapsulated Remote Switch Port ANalyzer, or just Encapsulated RSPAN. This is a feature available on some of the higher-end platforms like Catalyst 6500 and 7500s, Nexus, and ASR platforms. Let us see how this feature can be useful in some scenarios.
ERSPAN allows you to capture network packets from one or more physical ports, then transmit these packets to a particular IP address where your monitoring software is waiting. The captured packet stream is sent inside a Layer-3 IP tunnel using GRE (Generic Routing Encapsulation).
The following diagram shows an ERSPAN session that captures packets from interface GigabitEthernet1/0/1 and transmits them to the IP address 10.0.0.21 where TrisulNSM is listening.
There are three port mirroring features in Cisco :
To provide network packets to Trisul Network Analytics or another NSM tool running inside a Virtual Machine, particularly when the administrators of the VM are unable to provide a promiscuous mode physical interface.
Recently, we had a customer who was consolidating all their server systems on a Nutanix VM farm. They wanted to put TrisulNSM on a VM on that farm as well, instead of on a physical box. Since Nutanix does not yet support a physical port mirror at the VM level 2), we used an ERSPAN session to get the packets directly to the TrisulVM.
If you are already doing ERSPAN, then adding an extra port is trivial. When you want to temporarily monitor an interface without having to do any extra cabling that would be required for a physical layer SPAN. The main disadvantage is that ERSPAN is only available on high-end Cisco gear.
In ERSPAN, there is a concept of Source and Destination sessions. A source session specifies the interfaces from which traffic is captured and sent to an analyzer's IP address. A destination session specifies the output port to which the decapsulated traffic is written out. You don't have to configure a destination session.
Here we only configure a source ERSPAN session to the IP address 10.0.0.21 of the TrisulNSM Virtual Machine. When you do this, the network will just forward the GRE-encapsulated mirror traffic to the TrisulNSM VM. Since Trisul already supports ERSPAN as a capture mechanism, you can use that to decode the traffic. Here is a sample config from the Cisco manual 3)
enable
configure terminal
interface GigabitEthernet1/0/1
monitor session 1 type erspan-source
description "For TrisulNSM"
erspan-id 101
ip address 10.0.0.21
mtu 1900
no shutdown
To view the monitor session:
show monitor session 1
Trisul Network Analytics supports ERSPAN natively since version 6.5.2883.
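
What the session above delivers to 10.0.0.21, as an added example (not code from the original page, Trisul or Cisco): a minimal Python decoder that strips the IPv4, GRE and ERSPAN headers and returns the erspan-id and the mirrored Ethernet frame. It assumes ERSPAN Type II encapsulation and a buffer that starts at the IPv4 header; the source address 10.0.0.1 and the inner frame are constructed sample data.

```python
import struct

GRE_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type I/II

def decap_erspan(pkt: bytes):
    """Parse IPv4 + GRE + ERSPAN Type II; return metadata and inner frame, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 47 or len(pkt) < ihl + 4:  # IP protocol 47 = GRE
        return None
    flags, proto = struct.unpack_from("!HH", pkt, ihl)
    if proto != GRE_ERSPAN or flags & 0x0007:     # GRE version must be 0
        return None
    if not flags & 0x1000:                        # no sequence bit: Type I, no ERSPAN header
        return None
    off = ihl + 4
    off += 4 if flags & 0x8000 else 0             # optional checksum + reserved
    off += 4 if flags & 0x2000 else 0             # optional key
    if len(pkt) < off + 12:                       # sequence (4) + ERSPAN header (8)
        return None
    seq, w0, w1, w2 = struct.unpack_from("!IHHI", pkt, off)
    if w0 >> 12 != 1:                             # header version 1 = ERSPAN Type II
        return None
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "seq": seq,
        "vlan": w0 & 0x0FFF,
        "truncated": bool(w1 & 0x0400),           # T bit: mirrored frame was cut short
        "session_id": w1 & 0x03FF,                # the erspan-id from the switch config
        "index": w2 & 0xFFFFF,
        "frame": pkt[off + 12:],
    }

def build_sample(session_id=101, seq=7):
    """Constructed packet: IPv4 (checksum left 0) + GRE + ERSPAN II + dummy 42-byte frame."""
    inner = bytes.fromhex("ffffffffffff0200000000010806") + bytes(28)
    erspan = struct.pack("!HHI", 1 << 12, session_id & 0x3FF, 0)
    gre = struct.pack("!HHI", 0x1000, GRE_ERSPAN, seq)
    body = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, 47, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 21]))  # 10.0.0.1 is made up
    return ip + body

if __name__ == "__main__":
    info = decap_erspan(build_sample())
    print(info["src"], "->", info["dst"], "erspan-id", info["session_id"],
          "inner frame", len(info["frame"]), "bytes")
```

Because GRE carries no authentication, a collector can use `src` and `session_id` to accept only the mirror stream it expects (here erspan-id 101).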