hardware:erspan
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
hardware:erspan [2018/05/01 15:55] – [Use case 1 : Virtual Machine] veera | hardware:erspan [2018/05/01 21:38] (current) – [On MTU and packet sizes] veera | ||
---|---|---|---|
Line 2: | Line 2: | ||
- | ERSPAN (( ERSPAN Cisco IOS XE 3S Configuration Guide : [[https:// | + | ERSPAN (( ERSPAN Cisco IOS XE 3S Configuration Guide : [[https:// |
===== What is ERSPAN ===== | ===== What is ERSPAN ===== | ||
- | ERSPAN allows you to capture network packets from one or more physical ports, then transmit these packets | + | ERSPAN allows you to capture network packets from one or more physical ports, then transmit these packets |
- | The following diagram shows a ERSPAN session that captures packets from interface '' | + | The following diagram shows a ERSPAN session that captures packets from interface '' |
Line 17: | Line 17: | ||
There are three port mirroring features in Cisco : | There are three port mirroring features in Cisco : | ||
- Physical SPAN -- this is the common port SPAN. It is supported on nearly all models of Cisco and allows you to physically mirror one or more ports to a //monitor port//. | - Physical SPAN -- this is the common port SPAN. It is supported on nearly all models of Cisco and allows you to physically mirror one or more ports to a //monitor port//. | ||
- | - RSPAN -- Remote SPAN, this is a Layer-2 port mirror where you can capture remote packets over a Layer2 VLAN and bring it across your network | + | - RSPAN -- Remote SPAN, this is a Layer-2 port mirror where you can capture remote packets over a Layer2 VLAN and bring it across your L2 network |
- | - ERSPAN -- Layer3 Remote SPAN, this is what we are talking about in this article. | + | - ERSPAN -- Layer3 Remote SPAN, this is what we are talking about in this article. |
==== ERSPAN Use case 1 : Virtual Machine ==== | ==== ERSPAN Use case 1 : Virtual Machine ==== | ||
Line 25: | Line 25: | ||
To provide network packets to Trisul Network Analytics or other NSM tool running inside a Virtual Machine. Particularly when the administrators of the VM are unable to provide a promiscuous mode physical interface. | To provide network packets to Trisul Network Analytics or other NSM tool running inside a Virtual Machine. Particularly when the administrators of the VM are unable to provide a promiscuous mode physical interface. | ||
- | ==== Use case 2 : Temporary monitoring ==== | + | Recently, we had a customer who was consolidating all their server systems on a Nutanix VM farm. They wanted to put TrisulNSM also on a VM on that farm instead of a physical box. Since the Nutanix does not yet support a physical port mirror at the VM level (( Nutanix [[https:// |
- | Some of the other scenarios we are seeing | + | ==== ERSPAN Use case 2 : Temporary monitoring ==== |
+ | |||
+ | If you are already doing ERSPAN, then adding an extra port is trivial. | ||
Line 34: | Line 36: | ||
===== Configuring ===== | ===== Configuring ===== | ||
- | In ERSPAN, there is a concept of Source and Destination session. | + | In ERSPAN, there is a concept of Source and Destination session. A //source session// specifies interfaces from which traffic is captured |
- | What we do here is to only configure a //source ERSPAN session// the IP address | + | Here we only configure a //source ERSPAN session// |
<code cisco> | <code cisco> | ||
Line 49: | Line 51: | ||
no shutdown | no shutdown | ||
</ | </ | ||
+ | |||
+ | ==== On MTU and packet sizes ==== | ||
+ | <note important> | ||
- | <note important> | + | |
- | + | ||
- | | + | |
- You also need to set the MTU on any bridges you create on the VM infrastructure. | - You also need to set the MTU on any bridges you create on the VM infrastructure. | ||
- If you dont set the MTU to a higher numbers, then packets will be truncated as per the ERSPAN documentation. Some implementations may fragment the IP packets, which will they place a load on the NSM tool to reassemble the packets. | - If you dont set the MTU to a higher numbers, then packets will be truncated as per the ERSPAN documentation. Some implementations may fragment the IP packets, which will they place a load on the NSM tool to reassemble the packets. | ||
Line 69: | Line 72: | ||
===== Enabling ERSPAN in TrisulNSM ===== | ===== Enabling ERSPAN in TrisulNSM ===== | ||
- | Trisul Network Analytics supports ERSPAN natively. | + | Trisul Network Analytics supports ERSPAN natively |
+ | |||
hardware/erspan.1525170305.txt.gz · Last modified: 2018/05/01 15:55 by veera