Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term ERSPAN

Training Camp • Cybersecurity Glossary

What is ERSPAN?

A Cisco feature that mirrors switch traffic and tunnels it over IP using GRE, letting analyzers capture packets from remote switches across a routed network.

Glossary > Network Security > ERSPAN

Understanding ERSPAN

ERSPAN (Encapsulated Remote Switched Port Analyzer) is a Cisco feature that copies network traffic from a source port or VLAN and tunnels the mirrored packets across a routed IP network to a remote monitoring destination. Unlike local SPAN, which is confined to one switch, ERSPAN encapsulates the captured frames in GRE (Generic Routing Encapsulation) so analyzers and security tools anywhere on the network can inspect them.

The mechanism has three parts: a source session that selects ports or VLANs to mirror, an encapsulation step that wraps each copied frame in a GRE-over-IP header (with an ERSPAN shim header carrying a session ID and metadata), and a destination session on the receiving device that decapsulates the traffic and forwards it to an attached capture tool. Because the payload rides over IP, the monitored switch and the analyzer can sit in different buildings, data centers, or VLANs without affecting production traffic flow.

For security operations, ERSPAN is a key visibility tool. It feeds intrusion detection systems, network forensics platforms, and packet brokers with full-fidelity copies of traffic for threat hunting, malware analysis, and compliance capture, all without inline taps. That same power makes it sensitive: an attacker who gains switch admin access could configure an ERSPAN session to siphon traffic to a destination they control, creating a stealthy data-exfiltration channel. Restricting configuration privileges, monitoring for unexpected GRE flows, and auditing SPAN/ERSPAN sessions are important defenses.

For example, a SOC needs to inspect east-west traffic on a data center distribution switch but the IDS sensor lives in a central monitoring rack three hops away. Engineers configure an ERSPAN source session mirroring the suspect VLAN, encapsulate it to the sensor's IP, and a destination session on the analyzer switch hands decapsulated packets to the IDS. The team captures the traffic for analysis with zero physical recabling and no impact on the production flows.

Learn More About ERSPAN:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →