ERSPAN Installation: Difference between revisions

From Allegro Network Multimeter Manual
Jump to navigation Jump to search
Access restrictions were established for this page. If you see this message, you have no access to this page.
No edit summary
No edit summary
Line 1: Line 1:
This section describes the '''ERSPAN installation''' for the Allegro Network Multimeter. '''ERSPAN''' is the abbreviation for ''Encapsulated Remote Switch Port Analyzer''. It is switch feature that encapsulates traffic into an IP/GRE tunnel.
This section describes the '''ERSPAN installation''' for the Allegro Network Multimeter to receive ERSPAN packets. '''ERSPAN''' is the abbreviation for ''Encapsulated Remote Switch Port Analyzer''. It is switch feature that encapsulates traffic into an IP/GRE tunnel.


== General ==
== General ==
Line 17: Line 17:
=== Where can I configure the '''ERSPAN''' mode ===
=== Where can I configure the '''ERSPAN''' mode ===


Please refer to you switch manual how to set up a switch ERSPAN channel.
Please refer to you switch manual how to set up a switch ERSPAN channel. Please note that the Allegro Network Multimeter can also send '''ERSPAN''' traffic.


The '''ERSPAN''' mode can be configured at '''Settings''' → '''Global Settings''' → '''Expert Settings''' → '''L3 Tunnel mode'''.  
The '''ERSPAN''' mode can be configured at '''Settings''' → '''Global Settings''' → '''Expert Settings''' → '''L3 Tunnel mode'''.  
[[File:L3 tunnel mode.png|800px]]
[[File:L3 tunnel mode.png|800px]]


You can enable the ERSPAN mode in parallel to the [[In-Line Installation]] or [[Mirror Port, TAP and Packet Broker Installation]] for one or multiple ports. Please be aware that the ERSPAN cannot work in parallel with the bridge mode for such a port.
You can enable the ERSPAN mode in parallel to the [[In-Line Installation]] or [[Mirror Port, TAP and Packet Broker Installation]] for one or multiple interfaces. Please be aware that the ERSPAN cannot work in parallel with the bridge mode for such an interface. The bridge will be disabled for this interface pair when '''ERSPAN''' is enabled for one interface.


The '''ERSPAN''' mode works on all interfaces of the Allegro Network Multimeter, including the virtual version.


Once the ERSPAN mode is activated, the interface will respond to ARP requests for the configured IP address. The '''ERSPAN''' interface responds to '''ICMP PING''' messages. Once the ERSPAN is configured, you should be able to send a ping to the IP address.


=== Behavior of the '''ERSPAN''' mode ===


The behavior for all packets on the '''ERSPAN''' interfaces is:


* reply to ARP requests
* reply to PING messages
* decapsulate all ERSPAN packets and forard them to the packet analytics
* discard all other packets


== Data Plane Ports of Allegro Network Multimeters ==
Be aware that mirrored packets without an ERSPAN header are dropped.


=== Devices with built-in Network Ports ===
The ERSPAN header will be decapsulated for the analytics. The Allegro Network Multimeter analyzes the inner packet and ignores the outer ERSPAN header. The packet ring buffer and Pcap export stores the full packets including the ERSPAN header.


The '''Allegro 200, 500, 1000, 1200, 3000 and 3200''' have built-in physical network ports.


{| class="wikitable"
=== Configuration of an Allegro as '''ERSPAN''' sender ===
|Device||Picture||Number of Monitoring Ports||Remarks
|-
|'''Allegro 200'''||[[File:Allegro-200 back cut.jpg|400px]]||2||
|-
|'''Allegro 500'''||[[File:Allegro-500 back cut.jpg|400px]]<br/>[[File:Allegro-500 front cut.jpg|400px]]||4||
|-
|'''Allegro 1000'''<br/>'''Allegro 3000'''||[[File:Allegro-1000 front cut.jpg|400px]]||7||Can be extended by [[#Devices with port extension cards| extension cards]].
|-
|'''Allegro 1200'''<br/>'''Allegro 3200'''||[[File:Allegro-1200-front cut.jpg|400px]]||7||Can be extended by [[#Devices with port extension cards| extension cards]].
|-
|'''Allegro x300'''<br/>'''Allegro x500'''||||none||The Allegro x300 and x500 series do not have built-in network ports, see section [[#Devices with port extension cards| extension cards]] below.
|}


=== Devices with port extension cards ===
The Allegro Network Multimeter allows to send '''ERSPAN''' as a switch via the management interface like a Pcap capture. Allegro recommend to use the '''ERSPAN''' sending feature only via the LAN interface and not with the Wifi interface. Please see [#Limitations] for more details.
Please make sure that the MTU size of the sending Allegro is big enough to send the whole packet including the '''ERSPAN''' header. To configure the Allegro as an '''ERSPAN''' sender, please increase the MTU on the management interface AND on all switches between the sending and receiving Allegro. This can be done at '''Settings''' → '''Management Settings''' → '''LAN Management Interface'''.


All Allegros with network card extension slots support the '''Mirror Port Mode'''. All extension cards have either '''2''' or '''4''' network ports.
[[File:Lan mtu settings.png|600px]]


=== Bypass extension cards ===
Once this is configured, you can start a '''live''' capture of a whole link, IP address on the sending Allegro. Please select the ERSPAN as capture type and fill the receiving IP address.


The bypass cards for the Allegro Network Multimeter deliver a fail-over when the software bypass is not active in '''Bridge Mode''' ( see [[In-Line Installation]] for more details ). The bypass is deactivated when the When the '''Mirror Port Mode / Sink Mode''' is active.
[[File:Erspan capture dialog.png|400px]]


== Grouping of multiple Links ( Trunk vs. separate links ) ==
This can be done also back in time. Please use realtime replay with factor 1.0 to replay with the same packet timing for the receiving Allegro. See [#Limitations] for more details.


By default, the Allegro processes all incoming traffic as one big pipe and it does not use the port as an criteria to separate links. If you have connected separate links at the Allegro, please use the virtual link grouping feature to specify which ports belong together.
== Limitations ==
 
=== ERSPAN protocol version ===
 
The Allegro Network Multimeter supports ERSPAN version II and III as described in the RFC draft [https://tools.ietf.org/html/draft-foschiano-erspan-03 https://tools.ietf.org/html/draft-foschiano-erspan-03].


This feature can also be used to forward multiple links with a packet broker to one Allegro port with VLANs as a separation.
=== Fragmentation ===


== Limitations ==
ERSPAN is supported for non-fragmented ERSPAN packets. Please make sure that the link between the switch and the Allegro supports a higher MTU than the monitored link. We recommend to use jumbo frames with 9000 bytes to forward packets.


=== Switch Limitations ===
=== Timestamping ===


Please be aware that the Allegro Network Multimeter can only analyze packets that have been forwarded by the switch port. Please also be aware that the exact packet timing and ordering depends on the switch implementation. Allegro recommends the installation of a TAP to prevent any switch side effects.
The Allegro Network Multimeter does '''NOT''' use the time stamps of the ERSPAN receiver as there is only one real-time source for the Allegro Network Multimeter.

Revision as of 09:26, 30 March 2020

This section describes the ERSPAN installation for the Allegro Network Multimeter to receive ERSPAN packets. ERSPAN is the abbreviation for Encapsulated Remote Switch Port Analyzer. It is switch feature that encapsulates traffic into an IP/GRE tunnel.

General

What is the ERSPAN mode

The ERSPAN is an advanced switch feature that encapsulates mirrored traffic into an IP and GRE packet. The full method is described in the RFC draft https://tools.ietf.org/html/draft-foschiano-erspan-03.

The advantage of the ERSPAN mode is that it can be routed via IP and the ERSPAN generator can be at a different location than the Allegro network Multimeter. This allows very simple captures of a low-bandwidth remote device when.

How should the ERSPAN mode be used

The ERSPAN quality depends on the switch performance and the bandwidth and latency between the switch and the Allegro. It will also add substantial load to the IP networks and can generate a packet storm when the ERSPAN packets themself are mirrored again into the ERSPAN tunnel.

See #Limitations for more details.

Where can I configure the ERSPAN mode

Please refer to you switch manual how to set up a switch ERSPAN channel. Please note that the Allegro Network Multimeter can also send ERSPAN traffic.

The ERSPAN mode can be configured at SettingsGlobal SettingsExpert SettingsL3 Tunnel mode. L3 tunnel mode.png

You can enable the ERSPAN mode in parallel to the In-Line Installation or Mirror Port, TAP and Packet Broker Installation for one or multiple interfaces. Please be aware that the ERSPAN cannot work in parallel with the bridge mode for such an interface. The bridge will be disabled for this interface pair when ERSPAN is enabled for one interface.

The ERSPAN mode works on all interfaces of the Allegro Network Multimeter, including the virtual version.

Once the ERSPAN mode is activated, the interface will respond to ARP requests for the configured IP address. The ERSPAN interface responds to ICMP PING messages. Once the ERSPAN is configured, you should be able to send a ping to the IP address.

Behavior of the ERSPAN mode

The behavior for all packets on the ERSPAN interfaces is:

  • reply to ARP requests
  • reply to PING messages
  • decapsulate all ERSPAN packets and forard them to the packet analytics
  • discard all other packets

Be aware that mirrored packets without an ERSPAN header are dropped.

The ERSPAN header will be decapsulated for the analytics. The Allegro Network Multimeter analyzes the inner packet and ignores the outer ERSPAN header. The packet ring buffer and Pcap export stores the full packets including the ERSPAN header.


Configuration of an Allegro as ERSPAN sender

The Allegro Network Multimeter allows to send ERSPAN as a switch via the management interface like a Pcap capture. Allegro recommend to use the ERSPAN sending feature only via the LAN interface and not with the Wifi interface. Please see [#Limitations] for more details. Please make sure that the MTU size of the sending Allegro is big enough to send the whole packet including the ERSPAN header. To configure the Allegro as an ERSPAN sender, please increase the MTU on the management interface AND on all switches between the sending and receiving Allegro. This can be done at SettingsManagement SettingsLAN Management Interface.

Lan mtu settings.png

Once this is configured, you can start a live capture of a whole link, IP address on the sending Allegro. Please select the ERSPAN as capture type and fill the receiving IP address.

Erspan capture dialog.png

This can be done also back in time. Please use realtime replay with factor 1.0 to replay with the same packet timing for the receiving Allegro. See [#Limitations] for more details.

Limitations

ERSPAN protocol version

The Allegro Network Multimeter supports ERSPAN version II and III as described in the RFC draft https://tools.ietf.org/html/draft-foschiano-erspan-03.

Fragmentation

ERSPAN is supported for non-fragmented ERSPAN packets. Please make sure that the link between the switch and the Allegro supports a higher MTU than the monitored link. We recommend to use jumbo frames with 9000 bytes to forward packets.

Timestamping

The Allegro Network Multimeter does NOT use the time stamps of the ERSPAN receiver as there is only one real-time source for the Allegro Network Multimeter.

Retrieved from "https://allegro-packets.com/wiki/index.php?title=ERSPAN_Installation&oldid=649"