jerry.bonner
Beginner

Sensor as ERSPAN destination?

I know SF can de-encapsulate ERSPAN traffic, but can a sensor be configured directly as an ERSPAN destination host for passive analysis? My issue is I'm trying to run a sensor in UCS B-Series environment in passive mode. B-series / fabric interconnects do not support spanning traffic / rspan into the system. So I'd like to be able to ship traffic over a layer 3 connection directly to the sensor, but I'd need the sensor to respond to layer 3 requests for ARP etc.

2 ACCEPTED SOLUTIONS
Pavel Trinos
Beginner

Not sure on the ERSPAN, but you should be able to get visibility into your traffic in one of two ways:

1) Use a Port Bypass TAP system (100% uptime, Sourcefire TAP)

2) Implement virtual sensor (look into traffic between virtual servers)

Veronika Klauzova
Cisco Employee

Hello Jerry,

What type of hardware sensor do you want to configure with ERSPAN, and what software version does it run?

You can configure ERSPAN on Firepower Threat Defense devices in routed firewall mode only. It requires you to configure a physical interface in ERSPAN mode; you also have to provide a name for the interface (this adds a nameif on the backend, as on traditional ASA firewall devices, and without this name the device will not process any traffic), and you have to configure an IP address on this interface. The switch/router from which you are trying to send traffic over the GRE tunnel to the FTD/sensor needs to support ERSPAN. Make sure that the flow ID on the sensor matches the ERSPAN ID of the monitor session, and that you have specified the correct source and destination IP addresses for the encapsulated traffic on the ERSPAN switch/router.

Let me know if you have more questions.

Best regards,

Veronika

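The de-encapsulation and flow-ID check described in the reply above, as an added example that is not part of this thread and not Cisco, Sourcefire or Firepower code: a small Python decapsulator for ERSPAN over GRE that strips the outer IPv4 and GRE headers, reads the ERSPAN Type II session ID, and compares it with the monitor-session ID the sensor expects. It also handles Type I (GRE with no sequence number and no ERSPAN header, so no session ID to match). The packet bytes, the addresses 10.1.1.1 and 10.2.2.2, and session ID 10 are all constructed here as assumptions.

```python
"""
ERSPAN-over-GRE decapsulation with the session-ID (flow-ID) check.
Added example for this thread; not Cisco, Sourcefire or Firepower code.
Handles ERSPAN Type I (GRE, no sequence number, no ERSPAN header) and
Type II (GRE with sequence number followed by an 8-byte ERSPAN header).
All packet bytes below are constructed in this file, not captured.
"""
import struct

IPPROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE        # GRE protocol type used by ERSPAN Type I and II
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def decapsulate_erspan(ip_packet: bytes) -> dict:
    """Parse outer IPv4 + GRE (+ ERSPAN header) and return the inner frame.

    Returns outer_src, outer_dst, erspan_type (1 or 2), session_id (None for
    Type I, which carries none), vlan, gre_seq and inner_frame.
    Raises ValueError on anything that is not the expected encapsulation.
    """
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != IPPROTO_GRE:
        raise ValueError(f"outer IP protocol {ip_packet[9]} is not GRE (47)")
    outer_src = ".".join(str(b) for b in ip_packet[12:16])
    outer_dst = ".".join(str(b) for b in ip_packet[16:20])

    gre = ip_packet[ihl:]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", gre[:4])
    if ptype != GRE_PROTO_ERSPAN:
        raise ValueError(f"GRE protocol type 0x{ptype:04x} is not ERSPAN")

    # Optional GRE fields appear in fixed order: checksum, key, sequence number.
    off = 4
    if flags & GRE_FLAG_C:
        off += 4
    if flags & GRE_FLAG_K:
        off += 4
    gre_seq = None
    if flags & GRE_FLAG_S:
        if len(gre) < off + 4:
            raise ValueError("truncated GRE sequence number")
        gre_seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    payload = gre[off:]

    if gre_seq is None:
        # Type I: the mirrored Ethernet frame follows the GRE header directly.
        return {"outer_src": outer_src, "outer_dst": outer_dst, "erspan_type": 1,
                "session_id": None, "vlan": None, "gre_seq": None,
                "inner_frame": payload}

    # Type II header: Ver(4) VLAN(12) COS(3) En(2) T(1) SessionID(10) | Reserved(12) Index(20)
    if len(payload) < 8:
        raise ValueError("truncated ERSPAN Type II header")
    word1, _word2 = struct.unpack("!II", payload[:8])
    if word1 >> 28 != 1:
        raise ValueError(f"ERSPAN version {word1 >> 28} is not Type II")
    return {"outer_src": outer_src, "outer_dst": outer_dst, "erspan_type": 2,
            "session_id": word1 & 0x03FF, "vlan": (word1 >> 16) & 0x0FFF,
            "gre_seq": gre_seq, "inner_frame": payload[8:]}


def session_matches(ip_packet: bytes, expected_session_id: int) -> bool:
    """The check from the thread: the sensor's flow ID must equal the monitor
    session's ERSPAN ID.  Type I carries no session ID, so it never matches."""
    return decapsulate_erspan(ip_packet)["session_id"] == expected_session_id


def build_sample(session_id=None, inner_frame=b"", seq=1) -> bytes:
    """Construct a test packet (constructed data, not a capture).
    session_id=None builds ERSPAN Type I; an int builds Type II on VLAN 100."""
    if session_id is None:
        body = struct.pack("!HH", 0, GRE_PROTO_ERSPAN) + inner_frame
    else:
        gre_hdr = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN, seq)
        erspan_hdr = struct.pack("!II", (1 << 28) | (100 << 16) | (session_id & 0x3FF), 0)
        body = gre_hdr + erspan_hdr + inner_frame
    # Outer IPv4, assumed addresses: switch 10.1.1.1 -> sensor 10.2.2.2; checksum left 0.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                         IPPROTO_GRE, 0, bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
    return ip_hdr + body


# Constructed inner Ethernet frame: dst MAC, src MAC, EtherType IPv4, dummy IP bytes.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    pkt = build_sample(session_id=10, inner_frame=SAMPLE_FRAME)
    info = decapsulate_erspan(pkt)
    print(f"ERSPAN Type {info['erspan_type']} from {info['outer_src']}: "
          f"session {info['session_id']}, VLAN {info['vlan']}, "
          f"{len(info['inner_frame'])} inner bytes")
    print("flow id 10 matches:", session_matches(pkt, 10),
          "| flow id 11 matches:", session_matches(pkt, 11))
```

A mismatch between the sensor's flow ID and the switch's monitor-session ID shows up here as `session_matches` returning False while `decapsulate_erspan` still parses cleanly, which is the same symptom as a sensor that receives the GRE traffic but processes none of it.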

4 REPLIES

anas.alnajjar
Beginner

Hello Jerry,

Good day!

Could you please help me?

I have the same situation.

Did you try to configure the sensor as an ERSPAN destination?

Does it work?

How did you configure it exactly?

Best regards,


Hello,

I'm trying to do the opposite. Do you know if it's possible to configure the virtual FTD to span traffic to another device? We have a software IDS that will be on a VM and are trying to send traffic to it from the FTD. I tried to accomplish this from a CSR 1000V in the environment, but from what I've found that is not supported.

Respectfully,

Alex
