GigaSMART ERSPAN Tunnel Decapsulation
Required License for ERSPAN Decapsulation: Advanced Tunneling (GigaVUE‑HC2, and GigaVUE‑HC3), Tunneling (GigaVUE‑HC1)
Some Cisco equipment provides the ability to mirror monitored traffic to a remote destination through an ERSPAN tunnel. Using ERSPAN tunnel decapsulation, GigaSMART can act as the receiving end of an ERSPAN tunnel, decapsulating mirrored traffic sent over the Internet from a Cisco switch or router.
Both ERSPAN Type II and Type III header decapsulation are supported. For ERSPAN Type III details, refer to ERSPAN Type III.
You can configure a GigaSMART-enabled node to act as the receiving end of an ERSPAN tunnel by configuring a GigaSMART Tunnel Decapsulation operation with type set to ERSPAN and a Flow ID matching the sending end of the tunnel.
The high-level steps are as follows:
1. | Configure an IP interface associated with network port and assign an IP address, subnet mask, and default gateway to the IP interface. The IP address must match the destination IP address specified at the sending end of the tunnel. |
2. | Create a GigaSMART operation with an ERSPAN tunnel decapsulation component. The decapsulation settings include the same flow ID specified at the sending end of the tunnel. The flow ID is a value from 0 to 1023. Use this options when decapsulating traffic received over a Cisco-standard ERSPAN tunnel. A flow ID of 0 decapsulates all ERSPAN tunnel traffic regardless of flow ID. |
3. | For ERSPAN Type III, a trailer timestamp may be specified. |
4. | Bind the GigaSMART operation to the IP interface associated with network port as part of a map that distributes arriving traffic to local tool ports for analysis with local tools. |
For example configurations, refer to ERSPAN Tunnel Header Removal and ERSPAN Type III Tunnel Header Removal.
For an example of APF and ERSPAN tunneling, refer to GigaSMART Adaptive Packet Filtering (APF).
ERSPAN Type III is similar to ERSPAN Type II but has a hardware timestamp in the packet. The hardware timestamp needs to be translated into a usable timestamp.
The UTC timestamp can be calculated, based on the reference hardware timestamp and the reference UTC timestamp carried in marker packets that are periodically sent over UDP. The calculated UTC timestamp can then be appended to the packets as a trailer.
Marker packets have a fixed length and are identified by a signature of 0xA5A5A5A5. If the marker packet session ID matches the ERSPAN session ID, the UTC timestamp can be extracted from the marker packet. An ERSPAN session is defined by a map that uses an ERSPAN GigaSMART operation (gsop).
There are three timestamp formats: None, GigaSMART, and X12-TS (for PRT-H00-X12TS). The timestamp options are set from the GigaSMART Group page, which is accessed by selecting GigaSMART > GigaSMART Groups > GigaSMART Groups, and then clicking New or editing an existing GigaSMART Group. Figure 1 shows the timestamp format options. If the timestamp format is Disabled, ERSPAN Type III packets are parsed and the ERSPAN header is removed by GigaSMART. The inner packets are forwarded to a tool port. If the timestamp format is GigaSMART or X12-TS, a trailer containing the recovered timestamp is added to the inner packets before they are forwarded to a tool port.
Figure 144 | ERSPAN Type III Timestamp Formats on GigaSMART Groups Page |
The GigaSMART timestamp is added to the Gigamon trailer. For the format of the GigaSMART trailer, refer to GigaSMART Trailer Reference. The x12-ts timestamp is added to the PRT-H00-X12-S trailer. For the format of the PRT-H00X12TS trailer, refer to the GigaVUE-OS CLI Reference Guide.
Only 10 ERSPAN sessions are supported per GigaSMART Group (gsgroup) when the timestamp format is configured to GigaSMART or X12-TS.
In summary for ERSPAN Type III encapsulation, GigaSMART does the following:
strips encapsulating Ethernet + outer IP + GRE + ERSPAN Type III headers from incoming packets |
uses the timestamp field in ERSPAN packets and calculates the UTC timestamp, based on the timestamp in marker packets |
appends the UTC timestamp to the GigaSMART trailer or the PRT-H00-X12TS trailer if either GigaSMART format or PRT-HD00-X12TS (X12-TS) format is configured |
forwards packets to tool ports |
ERSPAN granularity is a setting that can be configured on the Cisco switch for the level of detail of the hardware timestamp in marker packets.
A marker packet will be considered overdue if it does not arrive by the following times:
00: Granularity—overdue after 119 hours |
01: Granularity—overdue after 430 seconds (7 minutes) |
10: 1588 PTP—overdue after 4.3 seconds |
ERSPAN statistics include a count of overdue packets. Refer to Display ERSPAN Statistics for how to display the output and to ERSPAN Statistics Definitions for descriptions of these statistics.
For the PRT-H00-X12TS format, you can obtain a unique ID identifying the port on which packets arrive. Use the following CLI command to display the mapping of ports to unique IDs:
(config) # show apps netflow port-id
===========================
Port Netflow port-id
---------------------------
1/1/x1 1
1/1/x2 2
1/1/x3 3
1/1/x4 4
1/1/x5 5
1/1/x6 6
1/1/x7 7
1/1/x8 8
1/1/x9 9
1/1/x10 10
1/1/x11 11
1/1/x12 12
---------------------------
Use the GigaSMART Operation (GSOP) page to configure the ERSPAN decapsulation types and options. For example, you can specify an ERSPAN flow ID, from 0 to 1023. Use this option when decapsulating traffic received over a Cisco-standard ERSPAN tunnel. Both ERSPAN Type II and Type III header decapsulation are supported.
To access GigaSMART within GigaVUE‑FM, access a device that has been added to GigaVUE‑FM from the GigaVUE‑FM interface. GigaSMART appears in the navigation pane of the device view on supported devices. Refer to Access GigaSMART from GigaVUE‑FM for details.
To configure a tunnel to capture the ERSPAN packets, remove the ERSPAN header, and then forward the packets to a tool port, set the ERSPAN Decapsulation Flow ID to zero when creating the GigaSMART operation as shown in Figure 2.
Note: A flow ID of zero is a wildcard value that matches all flow IDs.
Figure 145 | Decapsulation Flow ID Set to Zero. |
In the following example, a tunnel is configured to capture ERSPAN packets, then the ERSPAN header is removed and the packets are forwarded to a tool port.
Task |
Description |
UI Steps |
|||||||||||||||||||||||||||
|
Configure a tool type of port. |
|
|||||||||||||||||||||||||||
|
Configure a GigaSMART group and associate it with a GigaSMART engine port. |
|
|||||||||||||||||||||||||||
|
Configure the IP interface. |
|
|||||||||||||||||||||||||||
|
Configure the GigaSMART operation and assign it to the GigaSMART group. Note: A flow ID of zero is a wildcard value that matches all flow IDs. |
|
|||||||||||||||||||||||||||
|
Create a map. |
Select IPv4 Protocol from the drop-down list and select GRE for Value, and then select Pass.
|
In this example, a tunnel is configured to capture ERSPAN packets. ERSPAN Type III packets are parsed, the ERSPAN header is removed, and the timestamp is calculated. A timestamp trailer is added before the packets are forwarded to a tool port.
Note: A flow ID of zero is a wildcard value that matches all flow IDs.
Task |
Description |
UI Steps |
|||||||||||||||||||||||||||||||||
|
Configure a port of type tool. |
|
|||||||||||||||||||||||||||||||||
|
Configure a GigaSMART group and associate it with a GigaSMART engine port. |
|
|||||||||||||||||||||||||||||||||
|
Configure the IP interface. |
|
|||||||||||||||||||||||||||||||||
|
Configure the GigaSMART operation and assign it to the GigaSMART group. Note: A flow ID of zero is a wildcard value that matches all flow IDs. |
|
|||||||||||||||||||||||||||||||||
|
Configure a timestamp trailer format. |
|
|||||||||||||||||||||||||||||||||
|
Create a map. The map contains a rule to allow marker packets (UDP) to be processed. |
Select Pass, then select IPv4 Protocol, and then select GRE fro Value.
Select Pass, then select IPv4 Protocol, and then select UDP for Value.
|
To display ERSPAN statistics, select GigaSMART > GigaSMART Operations (GSOP) > Statistics. The ERSPAN statistics will be in the row labeled Tunnel Decap in the GS Operations column.
Refer to ERSPAN Statistics Definitions for descriptions of these statistics as well as to GigaSMART Operations Statistics Definitions.