topic Flow Sensor - ERSPAN in Security Analytics

Flow Sensor - ERSPAN

llomjaria — Thu, 31 Oct 2024 12:26:30 GMT

Hello,

I am testing SNA (Stealthwatch) in my lab (ESXi). I have installed version 7.5.1 - SMC, Flow Collector, Flow Sensor, Data Store.

I want to test Flow sensor. I have added additional interface for SPAN traffic. I have enabled "ERSPAN Decapsulation".

On Nexus 93180yc I have configured ERSPAN:

monitor session 3 type erspan-source
description StealthWatch
erspan-id 1
vrf default
destination ip x.x.x.x
source vlan 333 both
no shut

monitor erspan origin ip-address y.y.y.y global

I am able to see gre packets on flow sensor when using packet capture.

But I do not see anything when trying to search flows on SMC.

Any ideas?

Re: Flow Sensor - ERSPAN

Cristian Matei — Thu, 31 Oct 2024 13:25:36 GMT

Hi,

Have you configured ERSPAN on the FlowSensor? https://community.cisco.com/t5/security-analytics/stealthwatch-7-3-erspan/td-p/4178516

Best,

Cristian.

Re: Flow Sensor - ERSPAN

llomjaria — Thu, 31 Oct 2024 13:57:26 GMT

Yes, I have enabled ERSPAN decapsulation and added interface on Flow Sensor

Re: Flow Sensor - ERSPAN

jamegill — Thu, 31 Oct 2024 15:38:37 GMT

Most basic question first: is there traffic being sent through the interfaces you are ERSPAN’ing to the Flow Sensor? In your screenshot all the packets have the same length and they’re not coming very fast. Lets make sure the encapsulated SPAN packets are not just empty boxcars before worrying further (:

For future reference the configuration on the Flow Sensor for ERSPAN has gotten a lot easier, it’s just a check-box now … here’s a link to the current configuration guide with the steps to enable it. Do not miss the “reboot the flow sensor” step at the end ...
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_1_System_Configuration_Guide_DV_1_2.pdf#%5B%7B%22num%22%3A398%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C72%2C648.75%2C0%5D

If that’s working, the next thing to check is the Engine Status table on the front page of the Flow Sensor appliance. You should see data in the Capture columns confirming that you’re getting the SPAN traffic in. The drops should be low and will reset at reboot. Process and Export columns should show that you are sending data out to the Flow Collector destination you have configured.

If this is working you can move to checking the Flow Collector for input from this exporter. I would probably get into the SNA Report builder interface to look.

If this is not working, go back to the configuration guide linked above and make sure the FS and ERSPAN configurations are correct.

Here’s an example from mine where the thing is working correctly… (I do not believe I had ERSPAN configured in this case)

Re: Flow Sensor - ERSPAN

andre.baumgarten — Wed, 15 Jan 2025 11:42:45 GMT

I had issues with ERSPAN in my lab, too. The trick at my lab was, that the ERSPAN interface of FlowSensor and the Mgt Interface if FlowSenor must be in seperate VLANs! Check that