hardware:erspan
Differences
This shows you the differences between two versions of the page.
hardware:erspan [2018/05/01 15:34] – [Configuring] veera | hardware:erspan [2018/05/01 21:38] (current) – [On MTU and packet sizes] veera | ||
---|---|---|---|
Line 2: | Line 2: | ||
- | ERSPAN stands for Encapsulated Remote Switch Port ANalayzer or just Encapsulated RSPAN. This is feature available on some of the higher end Cisco Switches such as Catalyst 6500 and 7500s, Nexus, and ASR platforms. | + | ERSPAN |
===== What is ERSPAN ===== | ===== What is ERSPAN ===== | ||
- | ERSPAN allows you to capture network packets from one or more physical ports, then transmit these packets | + | ERSPAN allows you to capture network packets from one or more physical ports, then transmit these packets |
- | The following diagram shows a ERSPAN session that captures packets from interface '' | + | The following diagram shows a ERSPAN session that captures packets from interface '' |
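Review bot: The diagram paragraph still reads "a ERSPAN session" on the added side; it should be "an ERSPAN session". The removed intro line also spelled the acronym expansion as "ANalayzer", so check that the rewritten intro expands it as "Analyzer".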
Line 16: | Line 16: | ||
There are three port mirroring features in Cisco : | There are three port mirroring features in Cisco : | ||
- | - Physical SPAN -- this is the normal | + | - Physical SPAN -- this is the common |
- | - RSPAN -- Remote SPAN, this is a Layer-2 port mirror where you can capture remote packets over a Layer2 VLAN and bring it across your network | + | - RSPAN -- Remote SPAN, this is a Layer-2 port mirror where you can capture remote packets over a Layer2 VLAN and bring it across your L2 network |
- | - ERSPAN -- Layer3 Remote SPAN, this is what we are talking about. | + | - ERSPAN -- Layer3 Remote SPAN, this is what we are talking about in this article. Allows you to transport a port mirror session over an IP network. |
- | ==== Use case 1 : Virtual Machine ==== | + | ==== ERSPAN |
- | One of the use cases of ERSPAN we are seeing is. To provide network packets to Trisul Network Analytics running inside a Virtual Machine. Particularly when the administrators of the VM are unable to provide a promiscuous mode physical interface. | + | To provide network packets to Trisul Network Analytics |
- | ==== Use case 2 : Temporary monitoring ==== | + | Recently, we had a customer who was consolidating all their server systems on a Nutanix VM farm. They wanted to put TrisulNSM also on a VM on that farm instead of a physical box. Since the Nutanix does not yet support a physical port mirror at the VM level (( Nutanix [[https:// |
- | Some of the other scenarios we are seeing | + | ==== ERSPAN Use case 2 : Temporary monitoring ==== |
+ | |||
+ | If you are already doing ERSPAN, then adding an extra port is trivial. | ||
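Review bot: The rewritten list mixes "Layer-2", "Layer2" and "L2" inside the RSPAN item and "Layer3" in the ERSPAN item; pick one spelling and use it in all three items. In the added Nutanix paragraph, "does not yet support a physical port mirror at the VM level" will go stale, so tie it to a date or product version. The unchanged line "features in Cisco :" also carries a stray space before the colon.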
Line 34: | Line 36: | ||
===== Configuring ===== | ===== Configuring ===== | ||
- | In ERSPAN, there is a concept of Source and Destination session. | + | In ERSPAN, there is a concept of Source and Destination session. A //source session// specifies interfaces from which traffic is captured |
- | What we do here is to only configure a //source ERSPAN session// the IP address | + | Here we only configure a //source ERSPAN session// |
<code cisco> | <code cisco> | ||
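Review bot: In the first Configuring sentence, "a concept of Source and Destination session" should be plural and lower-case so it matches the "//source session//" term that the added text defines immediately afterwards, for example "there are source and destination sessions".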
Line 49: | Line 51: | ||
no shutdown | no shutdown | ||
</ | </ | ||
+ | |||
+ | ==== On MTU and packet sizes ==== | ||
- | Notice | + | <note important> |
- | - **mtu 1900** | + | - **mtu 1900** |
+ | - You also need to set the MTU on any bridges you create on the VM infrastructure. | ||
+ | - If you dont set the MTU to a higher numbers, then packets will be truncated as per the ERSPAN documentation. Some implementations may fragment the IP packets, which will they place a load on the NSM tool to reassemble the packets. | ||
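Review bot: The last added MTU bullet needs a grammar pass: "dont", "a higher numbers" and "which will they place a load" should become something like "If you don't set the MTU to a higher number, packets will be truncated" and "which places a reassembly load on the NSM tool". The same bullet cites "the ERSPAN documentation" for the truncation behaviour without a link, so add the reference. The bridge bullet should also state which MTU value to set so that it agrees with the "mtu 1900" bullet above it.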
Line 66: | Line 72: | ||
===== Enabling ERSPAN in TrisulNSM ===== | ===== Enabling ERSPAN in TrisulNSM ===== | ||
- | Trisul Network Analytics supports ERSPAN natively. | + | Trisul Network Analytics supports ERSPAN natively |
+ | |||
hardware/erspan.txt · Last modified: 2018/05/01 21:38 by veera