Configure ERSPAN (Encapsulated Remote SPAN) in virtual Distributed Switch
ERSPAN (Encapsulated Remote SPAN) in a vSphere Virtual Distributed Switch (VDS) is a network traffic-mirroring feature that allows you to copy VM or uplink traffic and send it to a remote system over IP for monitoring or analysis.
ERSPAN (Encapsulated Remote SPAN) mirrors VM traffic and sends it over IP (GRE) to a remote analyzer (Wireshark, IDS, SIEM, etc.).
Unlike local port mirroring, ERSPAN:
- Works across hosts / data centers
- Does not require L2 adjacency
- Encapsulates traffic in GRE packets
Below is a clear, step-by-step guide to configure ERSPAN on a vSphere Virtual Distributed Switch (VDS).
This works for vSphere 7.0 + and is commonly used for remote packet capture / network analysis.
Lab Environment Overview
Lab Infrastructure:
- ESXi 7.0 Host: 192.168.91.129
- vCenter Server: 192.168.91.130
- Network: 192.168.91.0/24
Lab Objectives:
- Create a vSphere Distributed Switch (VDS)
- Configure distributed port groups
- Set up Distributed Port Mirroring
- Configure Remote Port Mirroring (RSPAN)
- Implement ERSPAN (Encapsulated Remote SPAN)
- Test and verify all mirroring types
- Troubleshoot common issues
Prerequisites:
Remote analyzer VM or appliance (for RSPAN/ERSPAN testing)
Administrative access to vCenter Server
At least 2-3 virtual machines for testing
Network packet analyzer (Wireshark or tcpdump)
Part 1: Environment Preparation
Step 1.1: Access vCenter Server
- Open a web browser and navigate to your vCenter Server:
https://192.168.91.130
- Log in with your administrator credentials
- Username:
administrator@vsphere.local - Password: [Your vCenter password]
- Username:
- Navigate to the vSphere Client interface
Step 1.2: Verify ESXi Host
- In vCenter, click on Menu → Hosts and Clusters
- Verify your ESXi host (192.168.91.129) is visible and connected
- Check host status shows “Connected” with a green icon
- Note the host version (should be ESXi 7.0.x)
Step 1.3: Prepare Test Virtual Machines
You’ll need at least three VMs for comprehensive testing:
- VM1 (Source): The VM whose traffic we’ll mirror
- VM2 (Local Monitor): For Distributed Port Mirroring
- VM3 (Remote Analyzer): For RSPAN/ERSPAN testing
Recommended VM Configuration:
- Small Linux VMs (Ubuntu Server 20.04 or CentOS 8)
- 1 vCPU, 2GB RAM each
- 20GB disk space
- Single network adapter initially
VM IP Assignments:
- VM1 (Source): 192.168.91.201/24
- VM2 (Local Monitor): 192.168.91.202/24
- VM3 (Remote Analyzer): 192.168.91.203/24
Part 2: Create vSphere Distributed Switch
Step 2.1: Create the Distributed Switch
- In vCenter, click Menu → Networking
- Right-click on your datacenter → Distributed Switch → New Distributed Switch
- Name and Location:
- Name:
Lab-VDS-01 - Click Next
- Name:
- Select Version:
- Choose 7.0.0
- Click Next
- Configure Settings:
- Number of uplinks: 4 (for better flexibility)
- Network I/O Control: Enabled
- Create a default port group: Checked
- Default port group name:
Lab-VDS-01-PG - Click Next
- Ready to Complete:
- Review and click Finish
Step 2.2: Add ESXi Host to Distributed Switch
- Select Lab-VDS-01 → Actions → Add and Manage Hosts
- Select Add hosts → Next
- Add ESXi host 192.168.91.129 → Next
- Manage physical adapters → Assign vmnic1 to Uplink 1
- Complete the wizard
Step 2.3: Create Port Groups for All Lab Scenarios
Create multiple port groups for different mirroring types:
Port Group 1: Source Traffic
- Right-click Lab-VDS-01 → Distributed Port Group → New
- Name:
Lab-Source-PG - VLAN: None (VLAN 0)
- Finish
Port Group 2: Local Monitor
- Create new distributed port group
- Name:
Lab-Monitor-PG - VLAN: None
- After creation, edit settings:
- Security: Promiscuous mode = Accept
- Security: MAC address changes = Accept
- Security: Forged transmits = Accept
Port Group 3: RSPAN VLAN
- Create new distributed port group
- Name:
Lab-RSPAN-PG - VLAN type: VLAN
- VLAN ID: 100
- After creation, edit settings:
- Security: Promiscuous mode = Accept
Port Group 4: Remote Analyzer
- Create new distributed port group
- Name:
Lab-RemoteAnalyzer-PG - VLAN: None
- Security: Promiscuous mode = Accept
Step 2.4: Migrate VMs to Distributed Switch
- VM1 → Edit Settings → Network adapter 1 → Lab-Source-PG
- VM2 → Edit Settings → Network adapter 1 → Lab-Monitor-PG
- VM3 → Edit Settings → Network adapter 1 → Lab-RemoteAnalyzer-PG
Step 2.5: Configure VM Network Settings
On VM1 (Source):
sudo ip addr add 192.168.91.201/24 dev eth0
sudo ip link set eth0 up
sudo ip route add default via 192.168.91.1
On VM2 (Local Monitor):
sudo ip addr add 192.168.91.202/24 dev eth0
sudo ip link set eth0 up
# Install tcpdump
sudo apt-get update && sudo apt-get install -y tcpdump wireshark
On VM3 (Remote Analyzer):
sudo ip addr add 192.168.91.203/24 dev eth0
sudo ip link set eth0 up
# Install tcpdump
sudo apt-get update && sudo apt-get install -y tcpdump wireshark tshark
Test connectivity between all VMs:
ping 192.168.91.201
ping 192.168.91.202
ping 192.168.91.203
Part 3: Lab Exercise 1 – Distributed Port Mirroring
This is the most common type of port mirroring, where source and destination are on the same distributed switch.
Step 3.1: Create Distributed Port Mirroring Session
- Navigate to Networking → Select Lab-VDS-01
- Click Configure tab → Settings → Port Mirroring
- Click Add (+)
Step 3.2: Configure Session – Basic Settings
Session Configuration:
- Session name:
DPM-Session-01 - Session type: Distributed Port Mirroring
- Normal I/O on destination ports: Not Allowed
- Session enabled: Checked
- Mirroring packet length: 65535 bytes
- Sampling rate: 1 (no sampling)
- Description:
Local distributed port mirroring - VM1 to VM2
Traffic Direction:
- Select: Ingress and Egress
Click Next
Step 3.3: Select Source Ports
- Click + Add under Sources
- Select Ports
- Expand Lab-Source-PG
- Find and select the port connected to VM1
- Look for the port showing VM1’s name
- Port format:
Lab-Source-PG-dvPort-##
- Click OK → Next
Pro Tip: To easily identify VM ports:
- Look at the “Connected To” column
- Check VM name in the port list
- Or note the port ID from VM’s network adapter settings
Step 3.4: Select Destination Port
- Click + Add under Destinations
- Select Ports
- Expand Lab-Monitor-PG
- Select the port connected to VM2
- Click OK → Next
Step 3.5: Complete and Verify
- Review configuration
- Click Finish
- Verify session appears with Enabled status
Read More about virtual standard switch
Step 3.6: Test Distributed Port Mirroring
On VM2 (Monitor) – Start Capture:
# Start capturing all traffic
sudo tcpdump -i eth0 -nn -v
# Or save to file for later analysis
sudo tcpdump -i eth0 -w /tmp/dpm_capture.pcap -v
On VM1 (Source) – Generate Traffic:
# ICMP traffic
ping 8.8.8.8 -c 50
# HTTP traffic
curl http://www.google.com
# DNS queries
nslookup www.vmware.com
# TCP connections
telnet 192.168.91.130 443
# Generate continuous traffic
ping 192.168.91.1 -i 0.5
Expected Results on VM2: You should see ALL traffic from VM1, including:
15:23:10.123456 IP 192.168.91.201 > 8.8.8.8: ICMP echo request
15:23:10.145678 IP 8.8.8.8 > 192.168.91.201: ICMP echo reply
15:23:11.234567 IP 192.168.91.201.54321 > 172.217.1.46.80: Flags [S], seq 123456
15:23:11.256789 IP 192.168.91.201.54321 > 8.8.8.8.53: 12345+ A? www.vmware.com
Step 3.7: Analyze Captured Traffic
Stop capture on VM2:
# Press Ctrl+C to stop tcpdump
# Analyze the capture file
sudo tcpdump -r /tmp/dpm_capture.pcap | head -50
# Count packets by protocol
sudo tcpdump -r /tmp/dpm_capture.pcap -n | awk '{print $3}' | sort | uniq -c
# Filter specific traffic
sudo tcpdump -r /tmp/dpm_capture.pcap 'icmp'
sudo tcpdump -r /tmp/dpm_capture.pcap 'tcp port 80'
Or use Wireshark for GUI analysis:
# Transfer file to your workstation
scp user@192.168.91.202:/tmp/dpm_capture.pcap .
# Open in Wireshark
wireshark dpm_capture.pcap
Part 4: Lab Exercise 2 – Remote Port Mirroring (RSPAN)
Remote port mirroring allows you to mirror traffic to a destination on a different VLAN, useful when the analyzer is on a different network segment.
Step 4.1: Understanding RSPAN Architecture
RSPAN Uses:
- Mirrors traffic across VLANs
- Destination is on a dedicated RSPAN VLAN
- Does not encapsulate packets (Layer 2 only)
- Limited to same Layer 2 domain
Our Setup:
- Source: VM1 (Lab-Source-PG, VLAN 0)
- RSPAN VLAN: VLAN 100
- Destination: VM3 with additional interface on VLAN 100
Step 4.2: Add Second Network Adapter to VM3
- Power off VM3
- Edit VM3 settings
- Click Add New Device → Network Adapter
- New Network Adapter 2:
- Network: Lab-RSPAN-PG (VLAN 100)
- Adapter Type: VMXNET3
- Click OK
- Power on VM3
Step 4.3: Configure Second Interface on VM3
On VM3:
# Check interfaces
ip link show
# Configure second interface (usually eth1)
sudo ip addr add 192.168.100.203/24 dev eth1
sudo ip link set eth1 up
sudo ip link set eth1 promisc on
# Verify promiscuous mode
ip link show eth1
# Should show: BROADCAST,MULTICAST,PROMISC,UP
Step 4.4: Disable Previous Mirroring Session
- Navigate to Lab-VDS-01 → Configure → Port Mirroring
- Select DPM-Session-01
- Click Edit
- Uncheck Session enabled
- Click OK
Step 4.5: Create RSPAN Session
- Click Add (+) to create new session
Basic Configuration:
- Session name:
RSPAN-Session-01 - Session type: Remote Mirroring Source
- Normal I/O on destination ports: Not Allowed
- Session enabled: Checked
- Mirroring packet length: 65535
- Sampling rate: 1
- Description:
RSPAN to VLAN 100
Traffic Direction:
- Select: Ingress and Egress
Click Next
Step 4.6: Configure RSPAN Source
- Click + Add under Sources
- Select Ports
- Select VM1’s port on Lab-Source-PG
- Click OK → Next
Step 4.7: Configure RSPAN Destination
- Under Destination, click + Add
- Select Uplinks
- Choose an uplink (e.g., Uplink 1)
- Destination uplink VLAN: 100
- Click OK → Next
Note: RSPAN sends traffic to an uplink tagged with the RSPAN VLAN. The physical switch would need VLAN 100 configured, but in our lab, we’re simulating this within the distributed switch.
Step 4.8: Complete RSPAN Configuration
- Review settings
- Click Finish
- Verify session status is Enabled
Step 4.9: Test RSPAN
On VM3 – Start Capture on RSPAN Interface:
# Capture on eth1 (VLAN 100 interface)
sudo tcpdump -i eth1 -nn -v
# Or save to file
sudo tcpdump -i eth1 -w /tmp/rspan_capture.pcap -v
On VM1 – Generate Traffic:
# Generate varied traffic
ping 8.8.8.8 -c 100
curl http://www.example.com
nslookup www.cisco.com
wget http://ipv4.download.thinkbroadband.com/5MB.zip
# Continuous traffic
ping 192.168.91.130 -i 0.2
Expected Results on VM3:
16:45:23.123456 IP 192.168.91.201 > 8.8.8.8: ICMP echo request
16:45:23.145678 IP 8.8.8.8 > 192.168.91.201: ICMP echo reply
16:45:24.234567 IP 192.168.91.201.52345 > 93.184.216.34.80: Flags [S]
Verification:
- Traffic arrives on eth1 (VLAN 100 interface)
- Packets maintain original source/destination
- All protocols are captured
Step 4.10: RSPAN Analysis
Compare RSPAN vs Distributed Port Mirroring:
# On VM3 - Analyze RSPAN capture
sudo tcpdump -r /tmp/rspan_capture.pcap -n | head -100
# Count total packets
sudo tcpdump -r /tmp/rspan_capture.pcap | wc -l
# Protocol distribution
sudo tcpdump -r /tmp/rspan_capture.pcap -n | \
awk '{print $4}' | sed 's/:.*//' | sort | uniq -c
Key Differences:
- RSPAN uses VLAN tagging for transport
- Destination must be on configured RSPAN VLAN
- No encapsulation (vs ERSPAN which uses GRE)
- Limited to Layer 2 domain
Part 5: Lab Exercise 3 – ERSPAN (Encapsulated Remote SPAN)
ERSPAN is the most advanced mirroring type, using GRE encapsulation to send mirrored traffic across Layer 3 networks.
Step 5.1: Understanding ERSPAN Architecture
ERSPAN Features:
- Uses GRE (IP Protocol 47) encapsulation
- Works across Layer 3 networks (routable)
- Preserves original packet information
- Industry-standard (supported by Cisco, VMware, etc.)
- Most flexible mirroring option
Our Setup:
- Source: VM1 (192.168.91.201)
- ERSPAN Tunnel: GRE encapsulation
- Destination: VM3 (192.168.91.203)
Step 5.2: Prepare VM3 for ERSPAN
On VM3 (Remote Analyzer):
# Install GRE module (if not already loaded)
sudo modprobe ip_gre
# Create GRE tunnel interface to receive ERSPAN traffic
sudo ip link add gre1 type gre remote 192.168.91.129 local 192.168.91.203
sudo ip link set gre1 up
sudo ip link set gre1 promisc on
# Verify GRE interface
ip link show gre1
# Check loaded modules
lsmod | grep gre
Alternative – Use any interface to capture ERSPAN:
# ERSPAN packets arrive as GRE-encapsulated
# You can capture on eth0 and filter for GRE
sudo tcpdump -i eth0 proto gre -w /tmp/erspan_raw.pcap
Step 5.3: Disable Previous Sessions
- Navigate to Lab-VDS-01 → Configure → Port Mirroring
- Disable both DPM-Session-01 and RSPAN-Session-01
- Or delete them if no longer needed
Step 5.4: Create ERSPAN Session
- Click Add (+) for new session
Basic Configuration:
- Session name:
ERSPAN-Session-01 - Session type: Encapsulated Remote Mirroring (L3) Source
- Normal I/O on destination ports: Not Allowed
- Session enabled: Checked
- Mirroring packet length: 65535
- Sampling rate: 1
- Description:
ERSPAN to remote analyzer at 192.168.91.203
ERSPAN Specific Settings:
- ERSPAN ID: 1 (session identifier, 1-1023)
- IP address: 192.168.91.203 (VM3’s IP)
- Encapsulation VLAN ID: Leave blank or 0 (no VLAN tagging needed)
Traffic Direction:
- Select: Ingress and Egress
Click Next
Step 5.5: Configure ERSPAN Source
- Click + Add under Sources
- Select Ports
- Select VM1’s port on Lab-Source-PG
- Click OK → Next
Step 5.6: ERSPAN Destination
Note: For ERSPAN source sessions, destination is the uplink through which GRE packets exit.
- Click + Add under Destinations
- Select Uplinks
- Choose the uplink connected to your physical network (e.g., Uplink 1)
- Click OK → Next
Step 5.7: Complete ERSPAN Configuration
- Review all settings:
- Session type: Encapsulated Remote Mirroring (L3) Source
- ERSPAN ID: 1
- Destination IP: 192.168.91.203
- Source: VM1’s port
- Destination: Uplink 1
- Click Finish
Step 5.8: Verify ERSPAN on ESXi Host
SSH to ESXi host:
ssh root@192.168.91.129
# List port mirroring sessions
net-dvs -l
# Check ERSPAN configuration
esxcli network vswitch dvs vmware list
# Verify GRE traffic
esxtop
# Press 'n' for network view
# Look for GRE protocol traffic
Step 5.9: Test ERSPAN Capture
On VM3 – Method 1: Capture GRE Traffic
# Capture GRE-encapsulated packets
sudo tcpdump -i eth0 -nn proto gre -v
# Or save to file
sudo tcpdump -i eth0 proto gre -w /tmp/erspan_gre.pcap -v
On VM3 – Method 2: Capture on GRE Tunnel Interface
# Capture decapsulated traffic on GRE interface
sudo tcpdump -i gre1 -nn -v
# Save to file
sudo tcpdump -i gre1 -w /tmp/erspan_decap.pcap -v
On VM1 – Generate Test Traffic:
# ICMP traffic
ping 8.8.8.8 -c 200
# HTTP requests
for i in {1..10}; do
curl http://www.google.com > /dev/null 2>&1
sleep 1
done
# DNS queries
for domain in google.com vmware.com cisco.com; do
nslookup $domain
done
# Large file transfer
wget http://speedtest.tele2.net/1MB.zip
# Continuous ping
ping 192.168.91.1 -i 0.3
Expected Results on VM3:
If capturing on eth0 (GRE packets):
17:30:15.123456 IP 192.168.91.129 > 192.168.91.203: GREv0, length 102: IP 192.168.91.201 > 8.8.8.8: ICMP echo request
17:30:15.145678 IP 192.168.91.129 > 192.168.91.203: GREv0, length 102: IP 8.8.8.8 > 192.168.91.201: ICMP echo reply
If capturing on gre1 (decapsulated):
17:30:15.123456 IP 192.168.91.201 > 8.8.8.8: ICMP echo request
17:30:15.145678 IP 8.8.8.8 > 192.168.91.201: ICMP echo reply
Step 5.10: Analyze ERSPAN Traffic
Examine GRE Encapsulation:
# View GRE packet details
sudo tcpdump -i eth0 -vvv proto gre -c 10
# Extract inner (original) packets
sudo tcpdump -r /tmp/erspan_gre.pcap -vvv | grep "IP 192.168.91.201"
# Use tshark for detailed analysis
tshark -r /tmp/erspan_gre.pcap -V | grep -A 20 GRE
Wireshark Analysis:
- Transfer capture file to workstation
- Open in Wireshark
- Apply display filter:
gre - Right-click GRE packet → Follow → GRE Stream
- View encapsulated packet details
Verify ERSPAN Headers:
# ERSPAN packets should show:
# - Outer IP: ESXi host (192.168.91.129) to Analyzer (192.168.91.203)
# - GRE protocol: 0x88be (ERSPAN Type II) or 0x88be (ERSPAN Type III)
# - ERSPAN header: Session ID = 1
# - Inner packet: Original traffic from VM1
tshark -r /tmp/erspan_gre.pcap -T fields \
-e ip.src -e ip.dst -e gre.proto -e erspan.sessionid
Step 5.11: ERSPAN Performance Testing
Generate High Volume Traffic:
On VM1:
# Install iperf3
sudo apt-get install iperf3
# Start iperf server on another VM
# On VM2: iperf3 -s
# Generate traffic from VM1 to VM2
iperf3 -c 192.168.91.202 -t 60 -b 100M
On VM3 – Monitor ERSPAN Performance:
# Count packets per second
sudo tcpdump -i eth0 proto gre -nn | \
awk '{print $1}' | uniq -c
# Monitor bandwidth
sudo iftop -i eth0 -f 'proto gre'
# Check for packet drops
watch -n 1 'ifconfig eth0 | grep -E "RX|TX"'
Check ESXi Host Load:
# On ESXi host
esxtop
# Press 'n' for network
# Monitor GRE traffic on uplinks
Part 6: Comparison and Advanced Scenarios
Step 6.1: Mirroring Type Comparison Table
| Feature | Distributed PM | RSPAN | ERSPAN |
|---|---|---|---|
| Scope | Same VDS | Same L2 domain | Layer 3 capable |
| Encapsulation | None | VLAN tag | GRE |
| Routing | No | No | Yes |
| Configuration | Simple | Medium | Complex |
| Overhead | Low | Low | Medium (GRE) |
| Use Case | Local monitoring | Cross-VLAN | Remote sites |
| Standard | VMware | Cisco/VMware | Industry standard |
Step 6.2: Multi-Source ERSPAN
Configure ERSPAN to mirror multiple VMs simultaneously.
Create Multi-Source Session:
- Edit ERSPAN-Session-01 or create new session
- In Sources section, click + Add multiple times
- Add ports for VM1, VM2, and other VMs
- All traffic mirrors to same destination (VM3)
Test Multi-Source:
# On VM3
sudo tcpdump -i gre1 -nn -v
# On VM1
ping 8.8.8.8 &
# On VM2
ping 8.8.4.4 &
# VM3 should show traffic from BOTH VMs
Step 6.3: ERSPAN with Traffic Filtering
Using Sampling to Reduce Overhead:
- Edit ERSPAN session
- Change Sampling rate to 10
- Captures 1 out of every 10 packets
- Reduces bandwidth by 90%
- Useful for high-traffic environments
Using Packet Length Limits:
- Change Mirroring packet length to 128 bytes
- Captures only headers, not full payload
- Reduces storage and bandwidth requirements
- Sufficient for flow analysis
Step 6.4: ERSPAN to Multiple Destinations
vSphere 7 supports multiple concurrent sessions.
Create Second ERSPAN Session:
- Keep ERSPAN-Session-01 enabled (to VM3)
- Create ERSPAN-Session-02
- Destination IP: Different analyzer (e.g., 192.168.91.204)
- ERSPAN ID: 2 (must be unique)
- Same source (VM1)
- Traffic now mirrors to two analyzers simultaneously
Step 6.5: Directional Filtering
Capture Only Ingress Traffic:
- Edit any mirroring session
- Traffic direction: Ingress only
- Captures only incoming traffic to VM1
- Reduces capture volume by ~50%
Capture Only Egress Traffic:
- Traffic direction: Egress only
- Captures only outgoing traffic from VM1
- Useful for monitoring VM’s outbound connections
Test Directional Filtering:
# On VM3 - capture
sudo tcpdump -i gre1 -w /tmp/ingress_test.pcap
# On VM1 - from external host, ping VM1
ping 192.168.91.201
# On VM1 - ping external
ping 8.8.8.8
# Analyze which traffic was captured
sudo tcpdump -r /tmp/ingress_test.pcap -nn
Part 7: Production-Ready Scenarios
Scenario A: IDS/IPS Integration
Setup ERSPAN to Security Appliance:
- Deploy security VM (Suricata, Snort, or commercial IDS)
- Configure ERSPAN to security appliance IP
- Security appliance analyzes all mirrored traffic
- Alerts on suspicious activity
Example with Suricata:
# On security appliance VM
sudo apt-get install suricata
# Configure Suricata to monitor GRE interface
sudo vi /etc/suricata/suricata.yaml
# Set: af-packet: - interface: gre1
# Start Suricata
sudo systemctl start suricata
# Monitor alerts
sudo tail -f /var/log/suricata/fast.log
80% Awesome
- Design
