Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
425
Views
0
Helpful
2
Replies

ERSPAN assistance

cisco24x7
Level 6
Level 6

‎10-23-2008 04:46 AM - edited ‎03-06-2019 02:06 AM

I need advise from folks who have actually done this in a production

environment.

I have 3 different sites, each site has 6509-E with Sup720 running

IOS version 12.2(8). At each site, the 6509-E is connected to

a Cisco 3845 for routing between site A, B and C.

I have a Sourefire IDS sensor locating at siteA. I want to use

ERSPAN to monitor traffics for one of the port residing in siteC.

According to cisco, I need ERSPAN to do this. Unfortunately,

I can test this in the lab because I have NO equipments.

The configuration seems easy but I have the following questions

in the example on page 53-19 regarding the IP address:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/span.pdf

Are they referring to the IP addresses of the switch? There are many IP addresses

of the VLAN on the switch at each site and also the loopback ip address on the

switch as well. What are they referring to?

Can someone shed some lights on this? Thanks.

Labels:
0 Helpful
2 Replies 2

cisco24x7
Level 6
Level 6

‎10-24-2008 05:50 AM

Can someone help me with this? Thanks.

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to cisco24x7

‎10-24-2008 11:17 AM

Hello David,

with ERSPAN frames are encapsulated in an point-to-point GRE tunnel.

the destination address can be a loopback or an SVI that must be advertised in the routing protocol.

See also pag 53-21:

Configures the ERSPAN flow destination IP address.

This must be an address on a local interface and match

the address that you entered in the “Configuring

ERSPAN Source Sessions” section on page 53-18,

Step 8.

Once you choice the ip address only one ip per chassis can be used and different sessions can use a different erspan-id flow-number to demultiplex.

the destination interface is a physical interface the one to the IDS.

see also the restrictions on page 53-11

you need 12.2(18)SXF and 720 with PFC 3B or 3BXL, sup720 base only if HW version >= 3.2

Hope to help

Giuseppe

Hope to help

Giuseppe

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card