Stealthwatch 7.3 ERSPAN

scvvuuren
Level 1

I saw that with Stealthwatch 7.3, ERSPAN support has been added to the Flow Sensor.

ERSPAN (Encapsulated Remote Switch Port Analyzer) support has been added to the Flow Sensor to increase versatility. Now, it also offers visibility improvements through the ability to see within VMware’s NSX-T data centers to facilitate Flow Sensor deployment and network configuration.

I have been trying to search for configuration guides on the topic but do not see any.

Is it as simple as configuring ERSPAN from the source switch directly to the Flow Sensor's management IP with any ERSPAN ID?

Also, since the Flow Sensor's other interfaces cannot be configured with IP addresses, does that mean that ERSPAN can only be ingested from the management interface, or is there a way to configure another interface IP address for the ERSPAN traffic?

2 Replies

bmcinnis
Cisco Employee

In version 7.3.1 ERSPAN will be configurable via the WebUI. In 7.3.0 there are some steps that need to be completed via the CLI.

So, here is what needs to be done in 7.3.0.

Enable ERSPAN decapsulation first by doing the following:

Edit /lancope/var/flowsensor/config/flowsensor.xml to add the line:
<enable_erspan_decapsulation value="1" min="0" max="1" default="0" />


Add an IP address to the monitoring interface as follows by executing the command on the Linux shell as root:
CallOSAxsD setOptionValueByAttribute network interface name eth1 "address::10.0.22.240, broadcast::10.0.22.255, dhcp::no, gateway::10.0.22.1, netmask::255.255.255.0, name::eth1"


Don’t forget to change the address/broadcast/gateway/netmask/eth1 values as per your environment.

To confirm it has worked, you need 2 things – first is that you are getting ERSPAN traffic to the monitoring interface – usually a tcpdump should show that. Secondly, you should see the ERSPAN counters increase in the flowsensor.log file (/lancope/var/flowsensor/log/flowsensor.log).

If you run into any further issues enabling ERSPAN please open a case with the Stealthwatch TAC.

Ben,

Maybe you can give me some insight into what could be my customer's problem here.

I have 2 ERSPAN sessions (ID 1 and ID 3) which are being received by a flow sensor, and NetFlow is correctly exported. I have an additional ERSPAN session (ID 2) that is not recognized. I currently also have an error 'Flow Collector Exporter Count Exceeded'. I've attempted to adjust the 'max' count in /lancope/var/flowsensor/config/flowsensor.xml and it doesn't change anything. I've also tried to adjust the Exporter settings to increase the thresholds. Please advise.
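
As an added example (not part of either reply and not Cisco code): a way to check offline which ERSPAN session IDs actually reach the monitoring interface, complementing the tcpdump check in the first reply. It parses raw Ethernet frames using the standard ERSPAN Type II/III header layout; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

GRE = 47                                       # IPv4 protocol number for GRE
ERSPAN_TYPES = {0x88BE: "II", 0x22EB: "III"}   # GRE protocol types for ERSPAN

def erspan_session_id(frame: bytes):
    """Return (erspan_type, session_id) for an ERSPAN II/III frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:      # one outer 802.1Q tag
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != 0x0800 or len(frame) < off + 20:  # outer IPv4 only
        return None
    ihl = (frame[off] & 0x0F) * 4
    frag = struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF
    if ihl < 20 or frame[off + 9] != GRE or frag:     # skip non-first fragments
        return None
    off += ihl
    if len(frame) < off + 4:
        return None
    flags, proto = struct.unpack_from("!HH", frame, off)
    # Without the GRE sequence bit there is no ERSPAN header (Type I).
    if proto not in ERSPAN_TYPES or not flags & 0x1000:
        return None
    # Skip the base GRE header plus optional checksum, key, sequence fields.
    off += 4 + 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    if len(frame) < off + 4:
        return None
    # Second 16-bit word: COS(3) | En/BSO(2) | T(1) | session ID(10).
    return ERSPAN_TYPES[proto], struct.unpack_from("!H", frame, off + 2)[0] & 0x03FF

def count_sessions(frames):
    """Tally frames per ERSPAN session ID, ignoring non-ERSPAN frames."""
    return Counter(r[1] for r in map(erspan_session_id, frames) if r)

def build_sample(session_id: int) -> bytes:
    """Constructed Type II frame: zero MACs, 192.0.2.0/24 addresses, no payload."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, GRE, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    gre = struct.pack("!HHI", 0x1000, 0x88BE, 1)      # S bit set, sequence 1
    erspan = struct.pack("!HHI", (1 << 12) | 100, session_id & 0x03FF, 0)
    return eth + ip + gre + erspan

if __name__ == "__main__":
    frames = [build_sample(i) for i in (1, 3, 1, 2)] + [bytes(60)]
    for sid, n in sorted(count_sessions(frames).items()):
        print(f"session {sid}: {n} frame(s)")
```

Frames from a real capture would first have to be read out of a pcap file, which this block does not do.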
 
 

 
