ERSPAN assistance

Unanswered Question
Oct 23rd, 2008

I need advise from folks who have actually done this in a production


I have 3 different sites, each site has 6509-E with Sup720 running

IOS version 12.2(8). At each site, the 6509-E is connected to

a Cisco 3845 for routing between site A, B and C.

I have a Sourefire IDS sensor locating at siteA. I want to use

ERSPAN to monitor traffics for one of the port residing in siteC.

According to cisco, I need ERSPAN to do this. Unfortunately,

I can test this in the lab because I have NO equipments.

The configuration seems easy but I have the following questions

in the example on page 53-19 regarding the IP address:

Are they referring to the IP addresses of the switch? There are many IP addresses

of the VLAN on the switch at each site and also the loopback ip address on the

switch as well. What are they referring to?

Can someone shed some lights on this? Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Giuseppe Larosa Fri, 10/24/2008 - 11:17

Hello David,

with ERSPAN frames are encapsulated in an point-to-point GRE tunnel.

the destination address can be a loopback or an SVI that must be advertised in the routing protocol.

See also pag 53-21:

Configures the ERSPAN flow destination IP address.

This must be an address on a local interface and match

the address that you entered in the “Configuring

ERSPAN Source Sessions” section on page 53-18,

Step 8.

Once you choice the ip address only one ip per chassis can be used and different sessions can use a different erspan-id flow-number to demultiplex.

the destination interface is a physical interface the one to the IDS.

see also the restrictions on page 53-11

you need 12.2(18)SXF and 720 with PFC 3B or 3BXL, sup720 base only if HW version >= 3.2

Hope to help


Hope to help



This Discussion