ERSPAN Installation: Difference between revisions
(Created page with "This section describes the '''ERSPAN installation''' for the Allegro Network Multimeter. '''ERSPAN''' is the abbreviation for ''Encapsulated Remote Switch Port Analyzer''. It...") |
(behaviour of IPv6 endpoint addresses) |
||
| (15 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
This section describes the '''ERSPAN installation''' for the Allegro Network Multimeter. '''ERSPAN''' is the abbreviation for ''Encapsulated Remote Switch Port Analyzer''. It is | This section describes the '''ERSPAN installation''' for the Allegro Network Multimeter to receive ERSPAN packets. '''ERSPAN''' is the abbreviation for ''Encapsulated Remote Switch Port Analyzer''. It is a Switch feature that encapsulates traffic into an IP/GRE tunnel. | ||
== General == | == General == | ||
=== What is the '''ERSPAN''' mode === | === What is the '''ERSPAN''' mode? === | ||
'''ERSPAN''' is an advanced Switch feature that encapsulates mirrored traffic into an IP and GRE packet. The full method is described in the RFC draft [https://tools.ietf.org/html/draft-foschiano-erspan-03 https://tools.ietf.org/html/draft-foschiano-erspan-03]. | |||
The advantage of the '''ERSPAN''' mode is that it can be routed via IP and the ERSPAN generator can be at a different location than the Allegro Network Multimeter. This allows very simple captures of a low-bandwidth remote device. | |||
=== How should the '''ERSPAN''' mode be used? === | |||
'''ERSPAN''' quality depends on the Switch performance and the bandwidth and latency between the Switch and the Allegro Network Multimeter. It will also add substantial load to the IP networks and can generate a packet storm when the ERSPAN packets are mirrored again into the ERSPAN tunnel. | |||
See [[#Limitations]] for more details. | See [[#Limitations|Limitations]] for more details. | ||
=== | === How can I configure the '''ERSPAN''' mode? === | ||
Please refer to | Please refer to your Switch manual how to set up a Switch ERSPAN channel. Please note that the Allegro Network Multimeter can also send '''ERSPAN''' traffic. | ||
The ''' | The '''ERSPAN''' mode can be configured at '''Settings''' → '''Global settings''' → '''Generic settings''' → '''Endpoint mode'''. | ||
[[File: | [[File:L3 tunnel mode.png|1000px]] | ||
You can enable the ERSPAN mode in parallel to the [[In-Line installation]] or [[Mirror Port, Tap and Packet Broker Installation]] for one or multiple interfaces. Please be aware that ERSPAN cannot work in parallel with the Bridge mode for such an interface. The Bridge mode will be disabled for this interface pair when '''ERSPAN''' is enabled for one interface. | |||
The '''ERSPAN''' mode works on all of the Allegro Network Multimeter interfaces including the Virtual Edition. | |||
For each interface, both an IPv4 and an IPv6 address can be configured. It is possible for both addresses to be active at the same time. It is also possible to only configure one of the addresses and leave the other field empty, in which case the '''ERSPAN''' mode will only apply to the configured address. If the IPv4 address is configured, the interface will respond to ARP requests for the IPv4 address. If the IPv6 address is configured, the interface will respond to Neighbor Solicitation messages for the IPv6 address. | |||
Once the '''ERSPAN''' mode is activated, the ERSPAN interface responds to '''ICMP/ICMPv6 Ping''' messages. Once ERSPAN is configured, you should be able to send a ping to the IP address(es). | |||
=== | === Behaviour of the '''ERSPAN''' mode === | ||
The behaviour for all packets on the '''ERSPAN''' interfaces is: | |||
= | * reply to ARP requests (if the IPv4 address is configured) | ||
* reply to Neighbor Solicitation messages (if the IPv6 address is configured) | |||
* reply to Ping messages (for all configured addresses) | |||
* decapsulate all ERSPAN packets and forward them to the packet analytics | |||
* discard all other packets | |||
* the VLAN tag which is part of the ERSPAN header will be used as outer VLAN tag for packet analysis and Virtual Link Group filtering (>= version 4.4). | |||
Be aware that mirrored packets without an ERSPAN header are dropped. | |||
The ERSPAN header will be decapsulated for the analytics. The Allegro Network Multimeter analyzes the inner packet and ignores the outer ERSPAN header. The Packet Ring Buffer and Pcap export stores the full packets including the ERSPAN header. | |||
This | === Configuration of an Allegro as an '''ERSPAN''' sender === | ||
The Allegro Network Multimeter allows you to send '''ERSPAN''' packets via the management interface over a switched and routed network like a pcap capture. Allegro recommend you use the '''ERSPAN''' sending feature only via the LAN interface and not with the Wi-Fi interface. Please see [#Limitations] for more details. | |||
Please make sure that the sending Allegro MTU size is big enough to send the whole packet including the '''ERSPAN''' header. To configure the Allegro Network Multimeter as an '''ERSPAN''' sender, increase the MTU size on the management interface AND on all Switches between the sending and receiving Allegro Network Multimeter. This can be done at '''Settings''' → '''Management settings''' → '''LAN management interface'''. | |||
[[File:Lan mtu settings.png|900px]] | |||
Once this is configured, you can initiate a '''live''' capture with or without filters with the capture button. Please select the ERSPAN as the capture type and fill the receiving IP address. | |||
[[File:Erspan capture dialog.png|400px]] | |||
This can be done also using Back-In-Time. Please use the real-time replay with factor 1.0 to replay with the same packet timing for the receiving Allegro Network Multimeter. See [[#Limitations|Limitations]] for more details. | |||
== Limitations == | == Limitations == | ||
=== Switch | === ERSPAN protocol version === | ||
The Allegro Network Multimeter supports ERSPAN version II and III as described in the RFC draft [https://tools.ietf.org/html/draft-foschiano-erspan-03 https://tools.ietf.org/html/draft-foschiano-erspan-03]. | |||
=== Fragmentation === | |||
ERSPAN is supported for non-fragmented ERSPAN packets. Please make sure that the link between the Switch and the Allegro Network Multimeter supports a higher MTU than the monitored link. We recommend to use jumbo frames with 9000 bytes to forward packets. | |||
=== Timestamping === | |||
The Allegro Network Multimeter does '''NOT''' use the timestamp of the ERSPAN receiver since there is only one real-time source for the Allegro Network Multimeter. | |||
=== Back-In-Time support === | |||
Please | Please note that the Back-In-Time support requires that the storage is fast enough to extract the packets at the configured speed. A replay with factor 1.0 should work as most Ring Buffers can read at the same speed as they write data. Please stop or pause the Ring Buffer in this case to allow high speed reads. Higher factors work very well as long as the capture rate is lower than the replay rate. | ||
If the storage is not fast enough, the replay will slow down to the storage speed. If you use the Back-In-Time mode without any speed limitation, it will be limited by the storage and the interface link speed. | |||
Latest revision as of 16:22, 26 February 2025
This section describes the ERSPAN installation for the Allegro Network Multimeter to receive ERSPAN packets. ERSPAN is the abbreviation for Encapsulated Remote Switch Port Analyzer. It is a Switch feature that encapsulates traffic into an IP/GRE tunnel.
General
What is the ERSPAN mode?
ERSPAN is an advanced Switch feature that encapsulates mirrored traffic into an IP and GRE packet. The full method is described in the RFC draft https://tools.ietf.org/html/draft-foschiano-erspan-03.
The advantage of the ERSPAN mode is that it can be routed via IP and the ERSPAN generator can be at a different location than the Allegro Network Multimeter. This allows very simple captures of a low-bandwidth remote device.
How should the ERSPAN mode be used?
ERSPAN quality depends on the Switch performance and the bandwidth and latency between the Switch and the Allegro Network Multimeter. It will also add substantial load to the IP networks and can generate a packet storm when the ERSPAN packets are mirrored again into the ERSPAN tunnel.
See Limitations for more details.
How can I configure the ERSPAN mode?
Please refer to your Switch manual how to set up a Switch ERSPAN channel. Please note that the Allegro Network Multimeter can also send ERSPAN traffic.
The ERSPAN mode can be configured at Settings → Global settings → Generic settings → Endpoint mode.
You can enable the ERSPAN mode in parallel to the In-Line installation or Mirror Port, Tap and Packet Broker Installation for one or multiple interfaces. Please be aware that ERSPAN cannot work in parallel with the Bridge mode for such an interface. The Bridge mode will be disabled for this interface pair when ERSPAN is enabled for one interface.
The ERSPAN mode works on all of the Allegro Network Multimeter interfaces including the Virtual Edition.
For each interface, both an IPv4 and an IPv6 address can be configured. It is possible for both addresses to be active at the same time. It is also possible to only configure one of the addresses and leave the other field empty, in which case the ERSPAN mode will only apply to the configured address. If the IPv4 address is configured, the interface will respond to ARP requests for the IPv4 address. If the IPv6 address is configured, the interface will respond to Neighbor Solicitation messages for the IPv6 address.
Once the ERSPAN mode is activated, the ERSPAN interface responds to ICMP/ICMPv6 Ping messages. Once ERSPAN is configured, you should be able to send a ping to the IP address(es).
Behaviour of the ERSPAN mode
The behaviour for all packets on the ERSPAN interfaces is:
- reply to ARP requests (if the IPv4 address is configured)
- reply to Neighbor Solicitation messages (if the IPv6 address is configured)
- reply to Ping messages (for all configured addresses)
- decapsulate all ERSPAN packets and forward them to the packet analytics
- discard all other packets
- the VLAN tag which is part of the ERSPAN header will be used as outer VLAN tag for packet analysis and Virtual Link Group filtering (>= version 4.4).
Be aware that mirrored packets without an ERSPAN header are dropped.
The ERSPAN header will be decapsulated for the analytics. The Allegro Network Multimeter analyzes the inner packet and ignores the outer ERSPAN header. The Packet Ring Buffer and Pcap export stores the full packets including the ERSPAN header.
Configuration of an Allegro as an ERSPAN sender
The Allegro Network Multimeter allows you to send ERSPAN packets via the management interface over a switched and routed network like a pcap capture. Allegro recommend you use the ERSPAN sending feature only via the LAN interface and not with the Wi-Fi interface. Please see [#Limitations] for more details. Please make sure that the sending Allegro MTU size is big enough to send the whole packet including the ERSPAN header. To configure the Allegro Network Multimeter as an ERSPAN sender, increase the MTU size on the management interface AND on all Switches between the sending and receiving Allegro Network Multimeter. This can be done at Settings → Management settings → LAN management interface.
Once this is configured, you can initiate a live capture with or without filters with the capture button. Please select the ERSPAN as the capture type and fill the receiving IP address.
This can be done also using Back-In-Time. Please use the real-time replay with factor 1.0 to replay with the same packet timing for the receiving Allegro Network Multimeter. See Limitations for more details.
Limitations
ERSPAN protocol version
The Allegro Network Multimeter supports ERSPAN version II and III as described in the RFC draft https://tools.ietf.org/html/draft-foschiano-erspan-03.
Fragmentation
ERSPAN is supported for non-fragmented ERSPAN packets. Please make sure that the link between the Switch and the Allegro Network Multimeter supports a higher MTU than the monitored link. We recommend to use jumbo frames with 9000 bytes to forward packets.
Timestamping
The Allegro Network Multimeter does NOT use the timestamp of the ERSPAN receiver since there is only one real-time source for the Allegro Network Multimeter.
Back-In-Time support
Please note that the Back-In-Time support requires that the storage is fast enough to extract the packets at the configured speed. A replay with factor 1.0 should work as most Ring Buffers can read at the same speed as they write data. Please stop or pause the Ring Buffer in this case to allow high speed reads. Higher factors work very well as long as the capture rate is lower than the replay rate. If the storage is not fast enough, the replay will slow down to the storage speed. If you use the Back-In-Time mode without any speed limitation, it will be limited by the storage and the interface link speed.