ERSPAN Installation: Difference between revisions

'''ERSPAN''' is an advanced switch feature that encapsulates mirrored traffic into an IP and GRE packet. The full method is described in the RFC draft [https://tools.ietf.org/html/draft-foschiano-erspan-03 https://tools.ietf.org/html/draft-foschiano-erspan-03].

The advantage of the '''ERSPAN''' mode is that it can be routed via IP and the ERSPAN generator can be at a different location than the Allegro network Multimeter. This allows very simple captures of a low-bandwidth remote device.

'''ERSPAN''' quality depends on the switch performance and the bandwidth and latency between the switch and the Allegro. It will also add substantial load to the IP networks and can generate a packet storm when the ERSPAN packets are mirrored again into the ERSPAN tunnel.

Please refer to your switch manual how to set up a switch ERSPAN channel. Please note that the Allegro Network Multimeter can also send '''ERSPAN''' traffic.

The '''ERSPAN''' mode can be configured at '''Settings''' → '''Global Settings''' → '''Expert Settings''' → '''L3 Tunnel mode'''.  

You can enable the ERSPAN mode in parallel to the [[In-Line installation]] or [[Mirror Port, Tap and Packet Broker Installation]] for one or multiple interfaces. Please be aware that ERSPAN cannot work in parallel with the bridge mode for such an interface. The bridge mode will be disabled for this interface pair when '''ERSPAN''' is enabled for one interface.

Once the ERSPAN mode is activated, the interface will respond to ARP requests for the configured IP address. The '''ERSPAN''' interface responds to '''ICMP PING''' messages. Once ERSPAN is configured, you should be able to send a ping to the IP address.

* reply to PING messages

The ERSPAN header will be decapsulated for the analytics. The Allegro Network Multimeter analyzes the inner packet and ignores the outer ERSPAN header. The Packet Ring Buffer and pcap export stores the full packets including the ERSPAN header.

The Allegro Network Multimeter allows you to send '''ERSPAN''' packets via  the management interface  over a switched and routed network like a pcap capture. Allegro recommend you use the '''ERSPAN''' sending feature only via the LAN interface and not with the Wi-Fi interface. Please see [#Limitations] for more details.

Please make sure that the sending Allegro MTU size is big enough to send the whole packet including the '''ERSPAN''' header. To configure the Allegro as an '''ERSPAN''' sender, increase the MTU size on the management interface AND on all switches between the sending and receiving Allegro. This can be done at '''Settings''' → '''Management Settings''' → '''LAN Management Interface'''.  

This can be done also back-in-time. Please use the real-time replay with factor 1.0 to replay with the same packet timing for the receiving Allegro. See [#Limitations] for more details.

ERSPAN is supported for non-fragmented ERSPAN packets. Please make sure that the link between the switch and the Allegro supports a higher MTU than the monitored link. We recommend to use jumbo frames with 9000 bytes to forward packets.

The Allegro Network Multimeter does '''NOT''' use the time stamp of the ERSPAN receiver since there is only one real-time source for the Allegro Network Multimeter.

Please note that the back in time support requires that the storage is fast enough to extract the packets at the configured speed. A replay with factor 1.0 should work as most ring buffer can read with the same speed as they can write data. Please stop or pause the ring buffer in this case to allow high speed reads. Higher factors work very well as long as the capture rate was lower than the replay rate.