GigaSMART ERSPAN Tunnel Decapsulation
Required License for ERSPAN Decapsulation: Advanced Tunneling (GigaVUE‑HC2, and GigaVUE‑HC3), Tunneling (GigaVUE‑HC1)
Some Cisco equipment provides the ability to mirror monitored traffic to a remote destination through an ERSPAN tunnel. Using ERSPAN tunnel decapsulation, GigaSMART can act as the receiving end of an ERSPAN tunnel, decapsulating mirrored traffic sent over the Internet from a Cisco switch or router.
Both ERSPAN Type II and Type III header decapsulation are supported. For ERSPAN Type III details, refer to ERSPAN Type III.
You can configure a GigaSMART-enabled node to act as the receiving end of an ERSPAN tunnel by configuring a GigaSMART Tunnel Decapsulation operation with type set to ERSPAN and a Flow ID matching the sending end of the tunnel.
The high-level steps are as follows:
|
1.
|
Configure an IP interface associated with network port and assign an IP address, subnet mask, and default gateway to the IP interface. The IP address must match the destination IP address specified at the sending end of the tunnel. |
|
2.
|
Create a GigaSMART operation with an ERSPAN tunnel decapsulation component. The decapsulation settings include the same flow ID specified at the sending end of the tunnel. The flow ID is a value from 0 to 1023. Use this options when decapsulating traffic received over a Cisco-standard ERSPAN tunnel. A flow ID of 0 decapsulates all ERSPAN tunnel traffic regardless of flow ID. |
|
3.
|
For ERSPAN Type III, a trailer timestamp may be specified. |
|
4.
|
Bind the GigaSMART operation to the IP interface associated with network port as part of a map that distributes arriving traffic to local tool ports for analysis with local tools. |
For example configurations, refer to ERSPAN Tunnel Header Removal and ERSPAN Type III Tunnel Header Removal.
For an example of APF and ERSPAN tunneling, refer to GigaSMART Adaptive Packet Filtering (APF).
ERSPAN Type III
ERSPAN Type III is similar to ERSPAN Type II but has a hardware timestamp in the packet. The hardware timestamp needs to be translated into a usable timestamp.
The UTC timestamp can be calculated, based on the reference hardware timestamp and the reference UTC timestamp carried in marker packets that are periodically sent over UDP. The calculated UTC timestamp can then be appended to the packets as a trailer.
Marker packets have a fixed length and are identified by a signature of 0xA5A5A5A5. If the marker packet session ID matches the ERSPAN session ID, the UTC timestamp can be extracted from the marker packet. An ERSPAN session is defined by a map that uses an ERSPAN GigaSMART operation (gsop).
There are three timestamp formats: None, GigaSMART, and X12-TS (for PRT-H00-X12TS). The timestamp options are set from the GigaSMART Group page, which is accessed by selecting GigaSMART > GigaSMART Groups > GigaSMART Groups, and then clicking New or editing an existing GigaSMART Group. Figure 1 shows the timestamp format options. If the timestamp format is Disabled, ERSPAN Type III packets are parsed and the ERSPAN header is removed by GigaSMART. The inner packets are forwarded to a tool port. If the timestamp format is GigaSMART or X12-TS, a trailer containing the recovered timestamp is added to the inner packets before they are forwarded to a tool port.
|
Figure 144
|
ERSPAN Type III Timestamp Formats on GigaSMART Groups Page |
The GigaSMART timestamp is added to the Gigamon trailer. For the format of the GigaSMART trailer, refer to GigaSMART Trailer Reference. The x12-ts timestamp is added to the PRT-H00-X12-S trailer. For the format of the PRT-H00X12TS trailer, refer to the GigaVUE-OS CLI Reference Guide.
Only 10 ERSPAN sessions are supported per GigaSMART Group (gsgroup) when the timestamp format is configured to GigaSMART or X12-TS.
In summary for ERSPAN Type III encapsulation, GigaSMART does the following:
|
■
|
strips encapsulating Ethernet + outer IP + GRE + ERSPAN Type III headers from incoming packets |
|
■
|
uses the timestamp field in ERSPAN packets and calculates the UTC timestamp, based on the timestamp in marker packets |
|
■
|
appends the UTC timestamp to the GigaSMART trailer or the PRT-H00-X12TS trailer if either GigaSMART format or PRT-HD00-X12TS (X12-TS) format is configured |
|
■
|
forwards packets to tool ports |
ERSPAN Granularity
ERSPAN granularity is a setting that can be configured on the Cisco switch for the level of detail of the hardware timestamp in marker packets.
A marker packet will be considered overdue if it does not arrive by the following times:
|
■
|
00: Granularity—overdue after 119 hours |
|
■
|
01: Granularity—overdue after 430 seconds (7 minutes) |
|
■
|
10: 1588 PTP—overdue after 4.3 seconds |
ERSPAN statistics include a count of overdue packets. Refer to Display ERSPAN Statistics for how to display the output and to ERSPAN Statistics Definitions for descriptions of these statistics.
PRT-H00-X12TS Unique ID
For the PRT-H00-X12TS format, you can obtain a unique ID identifying the port on which packets arrive. Use the following CLI command to display the mapping of ports to unique IDs: (config) # show apps netflow port-id =========================== Port Netflow port-id --------------------------- 1/1/x1 1 1/1/x2 2 1/1/x3 3 1/1/x4 4 1/1/x5 5 1/1/x6 6 1/1/x7 7 1/1/x8 8 1/1/x9 9 1/1/x10 10 1/1/x11 11 1/1/x12 12 ---------------------------
Configure GigaSMART Operations for ERSPAN
Use the GigaSMART Operation (GSOP) page to configure the ERSPAN decapsulation types and options. For example, you can specify an ERSPAN flow ID, from 0 to 1023. Use this option when decapsulating traffic received over a Cisco-standard ERSPAN tunnel. Both ERSPAN Type II and Type III header decapsulation are supported.
To access GigaSMART within GigaVUE‑FM, access a device that has been added to GigaVUE‑FM from the GigaVUE‑FM interface. GigaSMART appears in the navigation pane of the device view on supported devices. Refer to Access GigaSMART from GigaVUE‑FM for details.
ERSPAN Tunnel Header Removal
To configure a tunnel to capture the ERSPAN packets, remove the ERSPAN header, and then forward the packets to a tool port, set the ERSPAN Decapsulation Flow ID to zero when creating the GigaSMART operation as shown in Figure 2.
Note: A flow ID of zero is a wildcard value that matches all flow IDs.
|
Figure 145
|
Decapsulation Flow ID Set to Zero. |
In the following example, a tunnel is configured to capture ERSPAN packets, then the ERSPAN header is removed and the packets are forwarded to a tool port.
Task
|
Description
|
UI Steps
|
|
Configure a tool type of port.
|
|
a.
|
Select Ports > All Ports. |
|
b.
|
Click Quick Port Editor. |
|
c.
|
Use Quick search to find the ports to configure. For example,1/1/g1. |
|
d.
|
Set the type to Tool and select Enable. |
|
|
Configure a GigaSMART group and associate it with a GigaSMART engine port.
|
|
a.
|
From the device view, select GigaSMART > GigaSMART Groups > GigaSMART Groups. |
|
c.
|
Type an alias in the Alias field (for example, gsgrp1) and enter an engine port in the Port List field (for example 1/3/e1). |
|
|
Configure the IP interface.
|
|
a.
|
Select Ports > IP Interfaces. |
|
c.
|
On the IP Interfaces page, in the Alias and Description fields, enter the name and description for the IP interface. |
|
d.
|
Click the Ports field and select the port from the drop-down list. |
|
e.
|
Enter the IP address, subnet mask, gateway, and MTU settings in the respective fields. For example, port 1/1/g2, IP address 10.10.10.10, mask 255.255.225.0, gateway 0.10.10.1, and MTU 1500. |
|
f.
|
Click on the GigaSMART Group field to select the GigaSMART group. |
|
|
Configure the GigaSMART operation and assign it to the GigaSMART group.
Note: A flow ID of zero is a wildcard value that matches all flow IDs.
|
|
a.
|
From the device view, select GigaSMART > GigaSMART Operations > GigaSMART Operation. |
|
c.
|
Type an alias in the Alias field. |
|
d.
|
From the GigaSMART Groups drop-down list, select the GigaSMART Group that you created in the second task. |
|
e.
|
From the GigaSMART Operations (GSOP) drop-down list, select Tunnel Decapsulation. |
|
f.
|
Select ERSPAN for the decapsulation type. |
|
|
Create a map.
|
|
a.
|
Select Maps > Maps > Maps. |
|
c.
|
Type an alias in the Map Alias field that will help you identify this map. |
|
d.
|
Select Regular and By Rule for the map type and subtype. |
|
e.
|
Specify the network and tool ports in the Source and Destination fields, respectively. |
|
f.
|
From the GSOP drop-down list, select the GigaSMART operation configured in task 4. |
|
g.
|
Click Add a rule under Map Rules and create the following rule: |
Select IPv4 Protocol from the drop-down list and select GRE for Value, and then select Pass.
|
ERSPAN Type III Tunnel Header Removal
In this example, a tunnel is configured to capture ERSPAN packets. ERSPAN Type III packets are parsed, the ERSPAN header is removed, and the timestamp is calculated. A timestamp trailer is added before the packets are forwarded to a tool port.
Note: A flow ID of zero is a wildcard value that matches all flow IDs.
Task
|
Description
|
UI Steps
|
|
Configure a port of type tool.
|
|
a.
|
Select Ports > Ports > All Ports. |
|
b.
|
Click Quick Port Editor. |
|
c.
|
In the Quick View Editor, find the port to configure. |
|
g.
|
Close the Quick Port Editor. |
|
|
Configure a GigaSMART group and associate it with a GigaSMART engine port.
|
|
a.
|
From the device view, select GigaSMART > GigaSMART Groups > GigaSMART Groups. |
|
c.
|
Enter a name in the Alias field |
|
d.
|
Select the engine port in the Port List field. |
|
|
Configure the IP interface.
|
|
a.
|
Select Ports > IP Interfaces. |
|
c.
|
On the IP Interfaces page, in the Alias and Description fields, enter the name and description of the IP interface. |
|
d.
|
Click the Ports field and select the tool port from the drop-down list. |
|
e.
|
Enter the IP address, subnet mask, gateway, and MTU settings in the respective fields. For example, port 1/1/g2, IP address 10.10.10.10, mask 255.255.225.0, gateway 0.10.10.1, and MTU 1500. |
|
f.
|
Click on the GigaSMART Group field to select the GigaSMART group. |
|
|
Configure the GigaSMART operation and assign it to the GigaSMART group.
Note: A flow ID of zero is a wildcard value that matches all flow IDs.
|
|
a.
|
From the device view, select GigaSMART > GigaSMART Operations (GSOP) > GigaSMART Operation. |
|
c.
|
Type an alias in the Alias field. |
|
d.
|
From the GigaSMART Groups drop-down list, select the GigaSMART Group that you created in the second task. |
|
e.
|
From the GigaSMART Operations (GSOP) drop-down list, select Tunnel Decapsulation. |
|
f.
|
Select ERSPAN for the decapsulation type. |
|
|
Configure a timestamp trailer format.
|
|
a.
|
From the device view, select GigaSMART > GigaSMART Group. |
|
b.
|
Select the GigaSMART Group created in Task 2. |
|
c.
|
Under GigaSMART Parameters, go to Tunnel Decapsulation. |
|
d.
|
For ERSPAN Type III Timestamp Format, select GigaSMART |
|
|
Create a map. The map contains a rule to allow marker packets (UDP) to be processed.
|
|
a.
|
Select Maps > Maps > Maps. |
|
c.
|
Type an alias in the Map Alias field that will help you identify this map. |
|
d.
|
Select Regular and By Rule for the map type and subtype. |
|
e.
|
Specify a network ports in the Source fields. |
|
f.
|
Select the tool port configured in Task 1 in the Destination field |
|
g.
|
From the GSOP drop-down list, select the GigaSMART operation configured in task 4. |
|
h.
|
Click Add a Rule and create the first rule. |
Select Pass, then select IPv4 Protocol, and then select GRE fro Value.
|
i.
|
Click Add a Rule and create the second rule. |
Select Pass, then select IPv4 Protocol, and then select UDP for Value.
|
|
|