Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
669
Views
2
Helpful
4
Replies

Flow Sensor - ERSPAN

llomjaria
Level 1
Level 1

‎10-31-2024 05:26 AM

Hello,

I am testing SNA (Stealthwatch) in my lab (ESXi). I have installed version 7.5.1 - SMC, Flow Collector, Flow Sensor, Data Store.

I want to test Flow sensor. I have added additional interface for SPAN traffic. I have enabled "ERSPAN Decapsulation".

On Nexus 93180yc I have configured ERSPAN:

monitor session 3 type erspan-source
description StealthWatch
erspan-id 1
vrf default
destination ip x.x.x.x
source vlan 333 both
no shut

monitor erspan origin ip-address y.y.y.y global

I am able to see gre packets on flow sensor when using packet capture.

llomjaria_0-1730377510758.png

But I do not see anything when trying to search flows on SMC.

Any ideas?

0 Helpful
4 Replies 4

Cristian Matei
VIP Alumni
VIP Alumni

‎10-31-2024 06:25 AM

Hi,

   Have you configured ERSPAN on the FlowSensor? https://community.cisco.com/t5/security-analytics/stealthwatch-7-3-erspan/td-p/4178516

Best,

Cristian.

0 Helpful

llomjaria
Level 1
Level 1
In response to Cristian Matei

‎10-31-2024 06:57 AM

Yes, I have enabled ERSPAN decapsulation and added interface on Flow Sensor

0 Helpful

jamegill
Cisco Employee
Cisco Employee
In response to llomjaria

‎10-31-2024 08:16 AM - edited ‎10-31-2024 08:38 AM

Most basic question first: is there traffic being sent through the interfaces you are ERSPAN’ing to the Flow Sensor? In your screenshot all the packets have the same length and they’re not coming very fast. Lets make sure the encapsulated SPAN packets are not just empty boxcars before worrying further (:

For future reference the configuration on the Flow Sensor for ERSPAN has gotten a lot easier, it’s just a check-box now … here’s a link to the current configuration guide with the steps to enable it. Do not miss the “reboot the flow sensor” step at the end ...
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_1_System_Configuration_Guide_DV_1_2.pdf#%5B%7B%22num%22%3A398%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C72%2C648.75%2C0%5D

If that’s working, the next thing to check is the Engine Status table on the front page of the Flow Sensor appliance. You should see data in the Capture columns confirming that you’re getting the SPAN traffic in. The drops should be low and will reset at reboot. Process and Export columns should show that you are sending data out to the Flow Collector destination you have configured.

If this is working you can move to checking the Flow Collector for input from this exporter. I would probably get into the SNA Report builder interface to look.

If this is not working, go back to the configuration guide linked above and make sure the FS and ERSPAN configurations are correct.


Here’s an example from mine where the thing is working correctly… (I do not believe I had ERSPAN configured in this case)

jamegill_0-1730389101880.png

 

andre.baumgarten
Level 1
Level 1

‎01-15-2025 03:42 AM

I had issues with ERSPAN in my lab, too. The trick at my lab was, that the ERSPAN interface of FlowSensor and the Mgt Interface if FlowSenor must be in seperate VLANs! Check that

Customers Also Viewed These Support Documents