I know how to use both SPAN and RSPAN. If I'm not wrong, ERSPAN leads us to the possibility of remotely monitoring a router through an IP network and a GRE tunnel. However, a tunnel endpoint is needed.

My question is, is it possible for the tunnel endpoint to be a desktop computer to receive the mirrored traffic? I'm mostly looking for an Open Source/Freeware solution, since I guess a proprietary one would involve VMware vSwitch or Nexus 1000V.

Dynamips could be a solution, but I don't think any routers support ERSPAN.

I know about Open vSwitch, but it does not support ERSPAN.


1 Answer

There are a couple of options, depending on how much traffic you will receive:

  • If you're going to receive a lot of traffic, you should use gulp, which runs on Linux; gulp requires the Linux pf_ring kernel module.
  • If the bandwidth requirements are reasonable, you could simply use your laptop with Wireshark's ERSPAN decoder; Wireshark can see the protocols inside ERSPAN v2 and v3 packets. Use `ip proto 0x2f` as your capture filter if you want to capture only ERSPAN traffic. I use Wireshark to capture ERSPAN from Catalyst 6500 user ports when I need to remotely sniff a port without walking up to the switch with a laptop. This works well for user ports and even some server ports (as long as they aren't sending tons of traffic).

Example Cat6500 ERSPAN config:

```
!
monitor session 2 type erspan-source
 source interface GigabitEthernet7/22
 destination
  erspan-id 1
  ! This is the ip address of gulp, or the wireshark laptop
  !    If using wireshark, capture with "ip proto 0x2f"
  ip address 10.1.1.5
  ! This is the IP address of the switch sourcing ERSPAN packets
  origin ip address 10.21.4.12
 no shutdown
```

Example Nexus9000 ERSPAN config:

```
monitor session 1 type erspan-source
  erspan-id 1
  ! Specify the vrf that ERSPAN will use to route to the destination IP
  !  NOTE: I have not found a way to use "vrf management" on the 9000 series
  vrf default
  ! This is the ip address of gulp, or the wireshark laptop
  !    If using wireshark, capture with "ip proto 0x2f"
  destination ip 10.5.69.226
  source interface port-channel1001 both
  no shut

! This is the IP address of the switch sourcing ERSPAN packets
monitor erspan origin ip-address 172.16.12.80 global
```
  • So essentially there is no need to "close" the GRE tunnel. It's just a matter of "formatting" the received traffic... isn't it? – radtrentasei Sep 18 '13 at 12:50
  • @radicetrentasei ERSPAN uses a unidirectional GRE tunnel and all gulp does is decapsulate the traffic into a Linux virtual NIC driver. Even when you enable keepalives on a typical Cisco IOS GRE tunnel, the keepalive packets contain their own response, which should be routed via the opposite tunnel back to the keepalive source. – Mike Pennington Sep 18 '13 at 13:39
  • As I understand, a GRE tunnel between Cisco and Linux will not be a good solution to achieve traffic coming from the Internet to the start point "Cisco" – Ali Mezgani Apr 27 '17 at 11:08
  • What qualifies as "a good solution" depends on your requirements. For some requirements ERSPAN to a Linux sniffer is a good solution – Mike Pennington May 07 '17 at 08:48
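The "decapsulate the traffic" step the answer describes is simple enough to see in a few lines. The following is an added example (not code from the answer, gulp or Wireshark): it strips the outer IPv4, GRE and ERSPAN Type II headers from a packet matching `ip proto 0x2f` and returns the mirrored Ethernet frame together with the session ID (the `erspan-id` from the switch config), VLAN and GRE sequence number. The sample packet is constructed inline using the answer's Cat6500 addresses (origin 10.21.4.12, destination 10.1.1.5) and erspan-id 1; real captures would come from a raw socket or pcap file instead.

```python
import struct

GRE_PROTO = 47          # IP protocol 47 = GRE, i.e. the "ip proto 0x2f" capture filter
ERSPAN_TYPE2 = 0x88BE   # GRE protocol type carrying ERSPAN Type II (ERSPAN header version 1)

def decap_erspan_v2(pkt: bytes) -> dict:
    """Strip outer IPv4 + GRE + ERSPAN Type II headers; return session metadata and the mirrored frame."""
    ihl = (pkt[0] & 0x0F) * 4                      # outer IPv4 header length (IP options tolerated)
    if pkt[9] != GRE_PROTO:
        raise ValueError(f"outer IP protocol {pkt[9]} is not GRE")
    origin = ".".join(map(str, pkt[12:16]))        # the switch's 'origin ip address'
    off = ihl
    flags, gre_type = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & 0x8000: off += 4                    # C bit: checksum + reserved present
    if flags & 0x2000: off += 4                    # K bit: key present
    seq = None
    if flags & 0x1000:                             # S bit: ERSPAN Type II sources set this
        seq = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if gre_type != ERSPAN_TYPE2:
        raise ValueError(f"GRE protocol type 0x{gre_type:04x} is not ERSPAN Type II")
    w1, _w2 = struct.unpack_from("!II", pkt, off)  # 8-byte ERSPAN header; w2 = reserved/index
    off += 8
    if w1 >> 28 != 1:
        raise ValueError(f"ERSPAN header version {w1 >> 28}, expected 1 (Type II)")
    frame = pkt[off:]                              # the original frame seen on the SPAN source port
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return {
        "origin": origin, "gre_seq": seq,
        "vlan": (w1 >> 16) & 0xFFF, "cos": (w1 >> 13) & 0x7,
        "session_id": w1 & 0x3FF,                  # corresponds to 'erspan-id' in the switch config
        "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "ethertype": ethertype, "frame": frame,
    }

def build_sample() -> bytes:
    """Constructed test packet: 10.21.4.12 -> 10.1.1.5, erspan-id 1, mirrored frame tagged VLAN 100."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + b"mirrored-ip-payload"
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 1, 0)   # ver 1, vlan 100, session 1
    gre = struct.pack("!HHI", 0x1000, ERSPAN_TYPE2, 7)            # S bit set, seq 7
    total = 20 + len(gre) + len(erspan) + len(frame)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, GRE_PROTO, 0,
                     bytes([10, 21, 4, 12]), bytes([10, 1, 1, 5]))   # IP checksum left 0 in the sample
    return ip + gre + erspan + frame

if __name__ == "__main__":
    meta = decap_erspan_v2(build_sample())
    print({k: v for k, v in meta.items() if k != "frame"})
```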