ERSPAN

ERSPAN is the acronym for Encapsulated Remote Switched Port Analyzer. It mirrors traffic on one or more source ports and delivers the mirrored traffic to one or more destination ports. The mirrored traffic is encapsulated in Generic Routing Encapsulation (GRE) and is therefore routable across a Layer 3 network between the source switch and the destination. In this case, the destination is the IP of the monitor interface (e.g. ‘mon1’) on the FlowPro appliance.


Configuration

Configuration is required on both the FlowPro and the ERSPAN/GRE device, as each device’s setup requires information from the other.

Prerequisites

The following information should be determined prior to starting the configuration:

ERSPAN device configuration

  • ERSPAN Source IP: The IP address on the device (switch or router) or the ESXi host IP address (VDS).

  • Destination IP: The FlowPro monitor port IP address (not the FlowPro management IP).

  • ERSPAN Type/Version: Legacy ERSPAN = Type 1/Ver 0, Type II = Ver 1, Type III = Ver 2

Note

For ERSPAN Versions 1 and 2, the setup prompts you to configure the ERSPAN destination interface. FlowPro also provides support for GRE type 2.
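
The type, version and ERSPAN ID that a device actually sends can be read from a captured packet before the FlowPro prompts are answered. The Python below is an added example, not FlowPro code or part of the original documentation: it parses the GRE and ERSPAN headers using the standard layout (GRE protocol 0x88BE for Type I/II, 0x22EB for Type III), and the function names and sample packets are constructed for illustration.

```python
import struct

GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000   # GRE flag bits
PROTO_ERSPAN_I_II, PROTO_ERSPAN_III = 0x88BE, 0x22EB  # GRE protocol types

def parse_erspan(gre: bytes) -> dict:
    """Parse one mirrored packet, starting at the GRE header (after outer IP)."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", gre)
    if proto not in (PROTO_ERSPAN_I_II, PROTO_ERSPAN_III):
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")
    if proto == PROTO_ERSPAN_I_II and not flags & GRE_SEQ:
        # Legacy Type I: no sequence number and no ERSPAN header (Ver 0).
        return {"type": "I", "version": 0, "erspan_id": None, "vlan": None}
    # Each optional GRE field that is present adds 4 bytes before ERSPAN.
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (GRE_CSUM, GRE_KEY, GRE_SEQ))
    if len(gre) < offset + 4:
        raise ValueError("truncated ERSPAN header")
    word0, word1 = struct.unpack_from("!HH", gre, offset)
    version = word0 >> 12                      # top 4 bits of the header
    if version != (1 if proto == PROTO_ERSPAN_I_II else 2):
        raise ValueError(f"version {version} does not fit GRE protocol 0x{proto:04x}")
    return {"type": "II" if version == 1 else "III", "version": version,
            "erspan_id": word1 & 0x03FF,       # 10-bit session ID
            "vlan": word0 & 0x0FFF}            # 12-bit original VLAN

def matches_prompts(info: dict, version: int, erspan_id: int) -> bool:
    """True when the packet agrees with the version and ID entered in setup."""
    return info["version"] == version and info["erspan_id"] == erspan_id

# Constructed packets (GRE header onward), using ERSPAN ID 32 and VLAN 100.
SAMPLE_TYPE_I = struct.pack("!HH", 0, PROTO_ERSPAN_I_II) + bytes(14)
SAMPLE_TYPE_II = struct.pack("!HHIHHI", GRE_SEQ, PROTO_ERSPAN_I_II, 1,
                             (1 << 12) | 100, 32, 0)
SAMPLE_TYPE_III = struct.pack("!HHIHHIHH", GRE_SEQ, PROTO_ERSPAN_III, 1,
                              (2 << 12) | 100, 32, 0, 0, 0)

if __name__ == "__main__":
    for name, pkt in (("I", SAMPLE_TYPE_I), ("II", SAMPLE_TYPE_II),
                      ("III", SAMPLE_TYPE_III)):
        info = parse_erspan(pkt)
        print(name, info, "matches Type II / ID 32:", matches_prompts(info, 1, 32))
```

The version value returned here is the number the ERSPAN Version Map in the setup prompts expects (Type II = 1, Type III = 2).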

FlowPro ERSPAN configuration

  1. Run the following command:

    sudo ./setup.sh --erspan-config
    
  2. Confirm whether you need to assign an IP address to a monitoring interface to receive ERSPAN.

    Do you need to IP a monitor interface to receive ERSPAN? (yes/no): yes
    
  3. Enter the monitoring interface name to assign an IP address as the ERSPAN destination.

    Monitor Interfaces Available:
    mon1
    mon2
    mon3
    #############################
    Enter the interface name to IP for ERSPAN Destination: mon1
    
  4. Then, enter the IP address of the monitoring interface.

    Enter the IP address (with CIDR notation, e.g., x.x.x.x/yy) for mon1: 192.168.1.24/24
    
  5. Verify the ERSPAN version.

    Do you need to set up a Virtual Type II/III ERSPAN destination? (yes/no):
    
  6. If yes, enter a name for the ERSPAN mon port. If no, the ERSPAN traffic will go directly to the configured interface, completing the ERSPAN setup.

    Enter a name for this ERSPAN MON port [fp_erspan_x]:
    

    Important

    Take note of this interface name as it will need to be added to an observation interface pair after setup.

  7. Re-enter the ERSPAN source for the virtual interface peer.

    Enter your Local ERSPAN destination IP (Not MGMT IP):
    
  8. Enter the ERSPAN version.

    ###########################################################
    ERSPAN Version Map: ERSPAN Type II = 1, ERSPAN Type III = 2
    ###########################################################
    Enter your ERSPAN Version:
    
  9. Enter the ERSPAN ID.

  10. Once you complete the setup, run the following command for either the virtual or physical interface configured to receive ERSPAN:

    sudo ./setup.sh --create-observation-point
    

Command reference

The monitoring interface(s) must first be enabled as defined in the hardware appliance or virtual appliance installation instructions.

Next, connect to FlowPro over SSH, and then use the enable erspan command to configure FlowPro for ERSPAN.

  • enable erspan <interface> <ipaddress/cidr> <gateway> <peerIPaddress> - Configures a monitor interface to receive traffic from an ERSPAN/GRE tunnel. This configuration supports all types of GRE tunnels. The following parameters are required:

      • <interface> - The interface that monitors the ERSPAN/GRE tunnel traffic. This interface must be one of the monitoring interfaces displayed by the show interfaces command.

      • <ipaddress/cidr> - The IP address dedicated to the ERSPAN/GRE tunnel. This IP must be routable from the monitoring interface to the network device configured to send ERSPAN/GRE. Both the IP address and CIDR are required, and the address must be unique to this interface.

      • <gateway> - Used by the monitoring interface to create a route that keeps the outgoing traffic from the ERSPAN/GRE tunnel localized to the monitoring interface.

      • <peerIPaddress> - The external address of the network device configured to send ERSPAN/GRE. If the device is a VMware VDS, enter the IP address of the VMware host.

Note

Each monitoring interface on the FlowPro supports only one ERSPAN configuration. Multiple ERSPAN configurations on the same interface, for example mon1, may produce unpredictable results.
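
The constraints above can be checked before any command is typed on the appliance. The Python below is an added example, not a FlowPro tool: it checks a list of planned enable erspan lines against the rules stated in this section (one configuration per interface, address with CIDR, unique address, monitor IP rather than management IP). The function name, the sample plan, the management IP and the rule that the gateway must lie inside the interface subnet are assumptions made for illustration.

```python
import ipaddress

def check_erspan_plan(commands, mgmt_ip):
    """Return the problems found in a list of planned 'enable erspan' lines."""
    problems, used_ifaces, used_ips = [], set(), set()
    mgmt = ipaddress.ip_address(mgmt_ip)
    for n, line in enumerate(commands, 1):
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["enable", "erspan"]:
            problems.append(f"line {n}: expected 'enable erspan' plus 4 parameters")
            continue
        iface, addr, gateway, peer = parts[2:]
        if iface in used_ifaces:      # only one ERSPAN configuration per interface
            problems.append(f"line {n}: {iface} already has an ERSPAN configuration")
        used_ifaces.add(iface)
        if "/" not in addr:           # both the IP address and the CIDR are required
            problems.append(f"line {n}: {addr} has no CIDR suffix")
            continue
        try:
            local = ipaddress.ip_interface(addr)
            gw, src = ipaddress.ip_address(gateway), ipaddress.ip_address(peer)
        except ValueError as exc:
            problems.append(f"line {n}: {exc}")
            continue
        if local.ip in used_ips:      # the address must be unique to the interface
            problems.append(f"line {n}: {local.ip} is used by another interface")
        used_ips.add(local.ip)
        if local.ip == mgmt:          # destination is the monitor IP, not management
            problems.append(f"line {n}: {local.ip} is the management IP")
        if gw not in local.network:   # assumption: the gateway must be on-link
            problems.append(f"line {n}: gateway {gw} is outside {local.network}")
        if src == local.ip:           # the peer is the remote sending device
            problems.append(f"line {n}: peer {src} equals the local tunnel address")
    return problems

# Constructed plan; the management IP 192.168.50.10 is a made-up value.
SAMPLE_PLAN = [
    "enable erspan mon1 192.168.1.24/24 192.168.1.1 10.1.2.1",
    "enable erspan mon1 192.168.2.24/24 192.168.2.1 10.1.2.1",
    "enable erspan mon2 10.0.0.5 10.0.0.1 10.1.2.1",
    "enable erspan mon3 192.168.50.10/24 192.168.60.1 10.1.2.1",
]

if __name__ == "__main__":
    for problem in check_erspan_plan(SAMPLE_PLAN, "192.168.50.10"):
        print(problem)
```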

Device-specific configuration

Cisco switch

monitor session 1 type erspan-source
  description ERSPAN direct to FlowPro
  ! required
  erspan-id 32
  ! required
  vrf default
  ! IP address of FlowPro monitor interface
  destination ip 10.1.2.3
  ! Port(s) to be sniffed
  source interface port-channel1 both
  ! enable
  no shut

monitor erspan origin ip-address 10.1.2.1 global

VMware VDS

Note

This requires the VMware Enterprise Plus license and a configured vSphere Distributed Switch.

From the VMware web console, do the following:

  1. Select the VDS from the list of networks.

  2. Select Port mirroring on the Configure tab.

  3. Select New… to create a new session.


  4. Select Encapsulated Remote Mirroring (L3) Source, and then click Next.


  5. Give the new session a name, set the status to Enabled, and then click Next.


  6. Add the ports intended to mirror to the probe, and then click Next.


  7. Add the IP given to the monitor interface of the probe as the destination of the session (not the FlowPro management IP), and then click Next.


  8. Verify the configuration, and then click Finish to start the session.


Note

Specific commands and configuration options may vary between devices and versions. Command syntax should be verified with vendor documentation for the specific device being configured.