11-04-2020 03:14 AM
I saw that with Stealthwatch 7.3 ERSPAN support has been added to the Flow Sensor.
ERSPAN (Encapsulated Remote Switch Port Analyzer) support has been added to the Flow Sensor to increase versatility. Now, it also offers visibility improvements through the ability to see within VMware’s NSX-T data centers to facilitate Flow Sensor deployment and network configuration.
I have been trying to search for configuration guides on the topic but do not see any.
Is it as simple as configuring ERSPAN from the source switch directly to the Flow Sensor's management IP with any ERSPAN ID?
Also, since the Flow Sensor's other interfaces cannot be configured with IP addresses, does that mean that ERSPAN can only be ingested from the management interface, or is there a way to configure another interface IP address for the ERSPAN traffic?
11-05-2020 07:07 AM
In version 7.3.1 ERSPAN will be configurable via the WebUI. In 7.3.0 there are some steps that need to be completed via the CLI.
So, here is what needs to be done in 7.3.0.
Enable ERSPAN decapsulation first by doing the following:
Edit /lancope/var/flowsensor/config/flowsensor.xml to add the line:
<enable_erspan_decapsulation value="1" min="0" max="1" default="0" />
Add an IP address to the monitoring interface as follows by executing the command on the Linux shell as root:
CallOSAxsD setOptionValueByAttribute network interface name eth1 "address::10.0.22.240, broadcast::10.0.22.255, dhcp::no, gateway::10.0.22.1, netmask::255.255.255.0, name::eth1"
Don’t forget to change the address/broadcast/gateway/netmask/eth1 values as per your environment.
To confirm it has worked, you need 2 things – first is that you are getting ERSPAN traffic to the monitoring interface – usually a tcpdump should show that. Secondly, you should see the ERSPAN counters increase in the flowsensor.log file (/lancope/var/flowsensor/log/flowsensor.log).
If you run into any further issues enabling ERSPAN please open a case with the Stealthwatch TAC.
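For the first check in the reply above (ERSPAN actually arriving at the monitoring interface), this added example, which is not part of the original post or Cisco's tooling, parses a raw IPv4 packet such as one taken from a capture and reports the ERSPAN type, session ID and VLAN. The sample packet is constructed: destination 10.0.22.240 is the address from the reply, while the source address, session ID 100 and VLAN 20 are assumptions.

```python
import struct

GRE = 47                                  # IP protocol number for GRE
ERSPAN_II, ERSPAN_III = 0x88BE, 0x22EB    # GRE protocol types used by ERSPAN

def parse_erspan(pkt: bytes):
    """Parse an IPv4 packet; return ERSPAN details, or None if not ERSPAN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != GRE:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 4:
        return None
    flags, proto = struct.unpack_from("!HH", pkt, ihl)
    if proto not in (ERSPAN_II, ERSPAN_III):
        return None
    info = {"dst": ".".join(map(str, pkt[16:20])), "session_id": None, "vlan": None}
    if proto == ERSPAN_II and not flags & 0x1000:
        # Type I: no GRE sequence number and no ERSPAN header to read
        return dict(info, type="I")
    # Skip optional GRE fields (checksum, key, sequence), 4 bytes each
    off = ihl + 4 + 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    if len(pkt) < off + 4:
        return None                       # truncated capture
    word, = struct.unpack_from("!I", pkt, off)
    return dict(info, type="II" if proto == ERSPAN_II else "III",
                vlan=(word >> 16) & 0x0FFF, session_id=word & 0x03FF)

def sample_packet(session_id=100, vlan=20):
    """Constructed ERSPAN Type II packet (not captured from a real sensor)."""
    gre = struct.pack("!HHI", 0x1000, ERSPAN_II, 1)           # S bit set, seq=1
    erspan = struct.pack("!II", (1 << 28) | (vlan << 16) | session_id, 0)
    body = gre + erspan + b"\x00" * 14                        # dummy inner frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, GRE, 0,
                     bytes([10, 0, 22, 1]), bytes([10, 0, 22, 240]))
    return ip + body

if __name__ == "__main__":
    print(parse_erspan(sample_packet()))
```

A session ID or destination address that does not match what was configured on the source switch points to a mirroring problem upstream of the Flow Sensor rather than to the decapsulation setting.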
03-08-2021 07:32 AM
Ben,
Maybe you can give me some insight into what could be my customer's problem here.