Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » hardware » Configuring ERSPAN packet capture for Network Security Monitoring
Trace: How to analyze large PCAP files using TrisulNSM Docker Disabling weak key exchange algorithms HA mode using Keepalived
hardware:erspan

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
hardware:erspan [2018/05/01 21:28] – [Why ERSPAN for Network Monitoring] veerahardware:erspan [2018/05/01 21:38] (current) – [On MTU and packet sizes] veera
Line 24: Line 24:
  
 To provide network packets to  Trisul Network Analytics or other NSM tool running inside a Virtual Machine. Particularly when the administrators of the VM are unable to provide a promiscuous mode physical interface.  To provide network packets to  Trisul Network Analytics or other NSM tool running inside a Virtual Machine. Particularly when the administrators of the VM are unable to provide a promiscuous mode physical interface. 
 +
 +Recently, we had a customer who was consolidating all their server systems on a Nutanix VM farm. They wanted to put TrisulNSM also on a VM on that farm instead of a physical box. Since the Nutanix does not yet support a physical port mirror at the VM level (( Nutanix [[https://next.nutanix.com/installation-configuration-23/single-vm-in-promiscuous-mode-on-ahv-27096 ]] forum post mentioning  they do not yet support a physical port mirror at the VM Level)) , we use a ERSPAN session to get the packets directly to the TrisulVM. 
  
 ==== ERSPAN Use case 2 : Temporary monitoring ==== ==== ERSPAN Use case 2 : Temporary monitoring ====
  
-When you want to temporarily monitor an interface without having to do any extra cabling that would be required for a physical layer SPAN.  If you are already doing ERSPAN, then adding an extra port is trivial+If you are already doing ERSPAN, then adding an extra port is trivial.  When you want to temporarily monitor an interface without having to do any extra cabling that would be required for a physical layer SPAN. The main disadvantage is ERSPAN is only available on high-end Cisco gear  
  
  
Line 36: Line 38:
 In ERSPAN, there is a concept of Source and Destination session. A //source session// specifies interfaces from which traffic is captured  and sent to an analyzers IP address. A //destination session// specifies the output port to which the decapsulated traffic is written out.  You dont have to configure a destination session.  In ERSPAN, there is a concept of Source and Destination session. A //source session// specifies interfaces from which traffic is captured  and sent to an analyzers IP address. A //destination session// specifies the output port to which the decapsulated traffic is written out.  You dont have to configure a destination session. 
  
-Here we only configure a //source ERSPAN session// to the IP address of the TrisulNSM Virtual Machine.  When  you do this, the network will just forward the GRE Encapsulated mirror traffic to the TrisulNSM VM.  Since Trisul already supports ERSPAN as a capture mechanism, you can use that to decode the traffic. Here is a sample config from the Cisco manual (( Cisco Guide :  [[https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-3s/lanswitch-xe-3s-book/lnsw-conf-erspan.html#GUID-A135491D-5FC8-4DF8-BA68-0B825C41B01F|Configuring ERSPAN]]  )) +Here we only configure a //source ERSPAN session// to the IP address ''10.0.0.21'' of the TrisulNSM Virtual Machine.  When  you do this, the network will just forward the GRE Encapsulated mirror traffic to the TrisulNSM VM.  Since Trisul already supports ERSPAN as a capture mechanism, you can use that to decode the traffic. Here is a sample config from the Cisco manual (( Cisco Guide :  [[https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/lanswitch/configuration/xe-3s/lanswitch-xe-3s-book/lnsw-conf-erspan.html#GUID-A135491D-5FC8-4DF8-BA68-0B825C41B01F|Configuring ERSPAN]]  )) 
  
 <code cisco> <code cisco>
Line 49: Line 51:
 no shutdown  no shutdown 
 </code> </code>
 + 
 +==== On MTU and packet sizes ====
    
  
 +<note important>Make sure you increase the MTU of the ERSPAN session and the IP path to accommodate the extra 42 bytes of tunnel header </note>
  
-<note important>Note about MTU for ERSPAN </note> +  - **mtu 1900**  -- ERSPAN adds about 42 bytes of extra header bytes by way of Ethernet/IP/GRE header. The default ERSPAN MTU is 1500 bytes, so when you mirror full length packets they can be truncated. Make sure you increase the MTU of the ERSPAN to 1700 or 1900 or even the maximum size of 9000 bytes.
- +
-  - **mtu 1900**  -- ERSPAN adds about 48 bytes of extra header bytes by way of Ethernet/IP/GRE header. The default ERSPAN MTU is 1500 bytes, so when you mirror full length packets they can be truncated. Make sure you increase the MTU of the ERSPAN to 1700 or 1900 or even the maximum size of 9000 bytes.+
   - You also need to set the MTU on any bridges you create on the VM infrastructure.    - You also need to set the MTU on any bridges you create on the VM infrastructure. 
   - If you dont set the MTU to a higher numbers, then packets will be truncated as per the ERSPAN documentation. Some implementations may fragment the IP packets, which will they place a load on the NSM tool to reassemble the packets.    - If you dont set the MTU to a higher numbers, then packets will be truncated as per the ERSPAN documentation. Some implementations may fragment the IP packets, which will they place a load on the NSM tool to reassemble the packets. 
hardware/erspan.1525190306.txt.gz · Last modified: 2018/05/01 21:28 by veera