Most readers are probably familiar with the switchport analysis (SPAN) feature on Cisco's Catalyst switches. SPAN replicates all ingress and/or egress traffic from one or several interfaces to another for the purposes of packet capture or traffic monitoring. This is especially helpful when deploying a network-based IDS. Unfortunately, it's often not possible to install the IDS on the same physical switch as the ports from which you want to capture.
Remote SPAN (RSPAN) can be employed to extend a SPAN session between source and destination points on disparate switches; however, it requires a layer two path end-to-end. When we need to replicate layer two traffic across a layer three network, we turn to encapsulated remote SPAN (ERSPAN). ERSPAN transports traffic inside a point-to-point GRE tunnel between arbitrary IP endpoints.
For this lab, we'll configure an ERSPAN session from an NX-OS source (a Nexus 7K) to an IOS destination (a Cisco 7600) to provide an example configuration for both platforms. MPLS transport is used between the two switches and routing of the ERSPAN tunnel will take place inside a VRF named Capture.
First, we'll configure the Nexus switch as the ERSPAN source per the documentation. We'll use Lo1 in the Capture VRF as our ERSPAN tunnel source.
interface loopback1
  vrf member Capture
  ip address 172.16.0.2/32
The monitor session must be created with the erspan-source type. We'll assign a unique ERSPAN ID of 100 (valid values are 1 through 1023 inclusive) and assign the ERSPAN tunnel to the Capture VRF. The destination IP is set to the loopback interface of our destination switch (which must be routable within the Capture VRF), and we configure VLAN 142 as the SPAN source; this could alternatively be a physical interface or set of interfaces. Lastly, no shut enables the ERSPAN session.
monitor session 1 type erspan-source
  description ERSPAN to 7600
  erspan-id 100
  vrf Capture
  destination ip 172.16.0.1
  source vlan 142 both
  no shut
Our source configuration is almost complete, but an additional global command is necessary for ERSPAN to function. We need to designate Lo1 as the origin IP address for the GRE tunnel. The global keyword here signifies that the command applies across all Nexus virtual device contexts (VDCs).
monitor erspan origin ip-address 172.16.0.2 global
We can verify the operation of ERSPAN with the command show monitor session.
Nexus7K# show monitor session 1
   session 1
---------------
description       : ERSPAN to 7600
type              : erspan-source
state             : up
erspan-id         : 100
vrf-name          : Capture
acl-name          : acl-name not specified
ip-ttl            : 255
ip-dscp           : 0
destination-ip    : 172.16.0.1
origin-ip         : 172.16.0.2 (global)
source intf       :
    rx            :
    tx            :
    both          :
source VLANs      :
    rx            : 142
    tx            : 142
    both          : 142
filter VLANs      : filter not specified
For the destination configuration, we define the physical destination interface, ERSPAN ID, transport VRF, and local IP address. Note that we are specifying the IP address used as the destination, not the origin/source IP. This tells ERSPAN what interface to listen on for incoming GRE-encapsulated traffic.
interface Loopback1
 ip vrf forwarding Capture
 ip address 172.16.0.1 255.255.255.255
!
monitor session 1 type erspan-destination
 description ERSPAN from Nexus 7K
 destination interface Gi1/48
 source
  erspan-id 100
  ip address 172.16.0.1 vrf Capture
7600# show monitor session 1
Session 1
---------
Type                   : ERSPAN Destination Session
Status                 : Admin Enabled
Description            : ERSPAN from Nexus 7K
Destination Ports      : Gi1/48
Source IP Address      : 172.16.0.1
Source IP VRF          : Capture
Source ERSPAN ID       : 100
We can now connect our collection device to Gi1/48 and start sniffing. All traffic entering VLAN 142 on the source switch will be replicated out this interface.
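To make the tunnel itself concrete, here is an added Python example (not part of the original lab) that builds and decodes an ERSPAN Type II packet as it would cross the Capture VRF between the two loopbacks, then applies the same two match criteria the 7600 destination session uses (ERSPAN ID 100, listen address 172.16.0.1) before a frame is forwarded to Gi1/48. The GRE protocol type 0x88BE and the Type II header layout come from the ERSPAN Type II format rather than from this page, and SAMPLE_FRAME is a constructed Ethernet frame standing in for traffic on VLAN 142.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47
ERSPAN_TYPE_II = 0x88BE   # GRE protocol type carrying ERSPAN Type II (assumed from the ERSPAN spec)
GRE_SEQ_FLAG = 0x1000     # GRE S bit: ERSPAN Type II carries a sequence number

def _ipv4_checksum(hdr):
    s = sum(struct.unpack(">10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def build_erspan_packet(origin, dest, erspan_id, vlan, seq, inner_frame, ttl=255):
    """Construct IPv4 / GRE / ERSPAN Type II / Ethernet, as the Nexus source would emit it."""
    # ERSPAN II header: ver(4) vlan(12) cos(3) en(2) t(1) session(10) | reserved(12) index(20)
    erspan = struct.pack(">II", (1 << 28) | (vlan << 16) | erspan_id, 0)
    gre = struct.pack(">HHI", GRE_SEQ_FLAG, ERSPAN_TYPE_II, seq)
    payload = gre + erspan + inner_frame
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, GRE_PROTO, 0,
                     IPv4Address(origin).packed, IPv4Address(dest).packed)
    ip = ip[:10] + struct.pack(">H", _ipv4_checksum(ip)) + ip[12:]
    return ip + payload

def parse_erspan_packet(pkt):
    """Decode the outer headers and return the mirrored frame with its ERSPAN metadata."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE_PROTO:
        raise ValueError("not GRE")
    gre = pkt[ihl:]
    flags, ptype = struct.unpack(">HH", gre[:4])
    if ptype != ERSPAN_TYPE_II:
        raise ValueError("GRE payload is not ERSPAN Type II")
    off = 4
    off += 4 if flags & 0x8000 else 0   # C bit: checksum + reserved present
    off += 4 if flags & 0x2000 else 0   # K bit: key present
    seq = None
    if flags & GRE_SEQ_FLAG:
        seq = struct.unpack(">I", gre[off:off + 4])[0]
        off += 4
    w1, = struct.unpack(">I", gre[off:off + 4])
    return {
        "origin": str(IPv4Address(pkt[12:16])), "destination": str(IPv4Address(pkt[16:20])),
        "ttl": pkt[8], "erspan_version": w1 >> 28, "vlan": (w1 >> 16) & 0xFFF,
        "erspan_id": w1 & 0x3FF, "seq": seq, "inner_frame": gre[off + 8:],
    }

def destination_accepts(meta, erspan_id=100, listen_ip="172.16.0.1"):
    """The two criteria the 7600 destination session matches before forwarding to Gi1/48."""
    return meta["erspan_id"] == erspan_id and meta["destination"] == listen_ip

# Constructed sample: a minimal broadcast ARP frame as it might appear on VLAN 142
SAMPLE_FRAME = bytes.fromhex("ffffffffffff00112233445508060001080006040001") + bytes(28)
```

Running the decoder over captures taken inside the Capture VRF is a quick way to confirm that mirrored traffic is leaving the origin loopback with the expected ERSPAN ID and TTL, and that nothing else on that path is emitting GRE with protocol type 0x88BE.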