Example for Configuring ACL-based ERSPAN
Networking Requirements
Figure 1. ACL-based ERSPAN Configuration Example
As shown in Figure 1, Host A, Host B and Host C access the Internet through Switch A. The remote Data Monitoring Server connects to Switch A through Switch B. To monitor the traffic from the three hosts, the data needs to be mirrored to the output port and carried across a GRE tunnel to the remote Data Monitoring Server. The network administrator wants the Data Monitoring Server to analyze only the packets that match both the TCP protocol and a source IPv4 address in the 1.1.1.0/24 network segment, so as to locate the source of a malicious attack.
Follow the configuration steps listed below to enable the ACL-based ERSPAN function:
- On Switch A, configure ACL filter rules for ACL-based ERSPAN and apply the ACL rules to the mirroring input port te-1/1/1.
- On Switch A, configure the source IP address and destination IP address for ACL-based ERSPAN GRE encapsulation.
- On Switch B, create the VLAN and VLAN interface for forwarding mirrored messages to the Data Monitoring Server.
- On the Data Monitoring Server, configure a Linux ERSPAN (GRE) tunnel interface to decapsulate the received GRE messages.
Procedure
Switch A
Step 1 Configure VLANs and VLAN interfaces.
admin@SwitchA# set vlans vlan-id 100
admin@SwitchA# set vlans vlan-id 230
admin@SwitchA# set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 100
admin@SwitchA# set interface gigabit-ethernet te-1/1/3 family ethernet-switching native-vlan-id 230
admin@SwitchA# set vlans vlan-id 100 l3-interface vlan100
admin@SwitchA# set vlans vlan-id 230 l3-interface vlan230
admin@SwitchA# set l3-interface vlan-interface vlan100 address 100.100.100.1 prefix-length 24
admin@SwitchA# set l3-interface vlan-interface vlan230 address 220.220.220.1 prefix-length 24
Step 2 Configure the ACL filter rules. Both conditions below belong to the same sequence, so a packet must be TCP and have a source address in 1.1.1.0/24 to match. Refer to the ACL configuration guide for details about how to configure ACL filter rules.
admin@SwitchA# set firewall filter f1 sequence 1 from protocol tcp
admin@SwitchA# set firewall filter f1 sequence 1 from source-address-ipv4 1.1.1.0/24
Step 3 Apply the ACL filter rules to the mirroring input port.
NOTE: Due to hardware restrictions, the ACL rules can currently be applied only in the ingress direction of the mirroring input port. That is, the command set firewall filter <filter-name> output interface <interface-name> is not supported for ACL-based ERSPAN, so traffic leaving te-1/1/1 toward the hosts is not mirrored.
admin@SwitchA# set firewall filter f1 input interface te-1/1/1
Step 4 Configure the source IP address and destination IP address for the ACL-based ERSPAN GRE encapsulation. The source IP address is the outer address the GRE packets carry (in this example 4.4.4.4 is not configured on any Switch A interface); the destination IP address must be reachable over the L3 path to the Data Monitoring Server.
admin@SwitchA# set firewall filter f1 sequence 1 then erspan source-ip 4.4.4.4
admin@SwitchA# set firewall filter f1 sequence 1 then erspan dest-ip 8.8.8.8
Step 5 Configure the routing protocol and enable IP routing for L3 forwarding, so that Switch A learns the route to 8.8.8.0/24 from Switch B.
admin@SwitchA# set protocols ospf router-id 1.1.1.1
admin@SwitchA# set protocols ospf area 0
admin@SwitchA# set protocols ospf network 100.100.100.0/24 area 0
admin@SwitchA# set protocols ospf network 220.220.220.0/24 area 0
admin@SwitchA# set ip routing enable true
Step 6 Commit the configuration.
admin@SwitchA# commit
Switch B
Step 1 Configure VLANs and VLAN interfaces.
admin@SwitchB# set vlans vlan-id 100
admin@SwitchB# set vlans vlan-id 230
admin@SwitchB# set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 100
admin@SwitchB# set interface gigabit-ethernet te-1/1/5 family ethernet-switching native-vlan-id 230
admin@SwitchB# set vlans vlan-id 100 l3-interface vlan100
admin@SwitchB# set vlans vlan-id 230 l3-interface vlan230
admin@SwitchB# set l3-interface vlan-interface vlan100 address 8.8.8.1 prefix-length 24
admin@SwitchB# set l3-interface vlan-interface vlan230 address 220.220.220.2 prefix-length 24
Step 2 Configure routing protocol and enable IP routing for L3 forwarding.
admin@SwitchB# set protocols ospf router-id 3.3.3.3
admin@SwitchB# set protocols ospf area 0
admin@SwitchB# set protocols ospf network 220.220.220.0/24 area 0
admin@SwitchB# set protocols ospf network 8.8.8.0/24 area 0
admin@SwitchB# set ip routing enable true
Step 3 Commit the configurations.
admin@SwitchB# commit
Data Monitoring Server
On the Data Monitoring Server, configure a Linux ERSPAN tunnel interface from the shell to decapsulate the received GRE messages. erspan_ver 0 selects ERSPAN Type I, which is plain GRE (protocol type 0x88BE) with no sequence number and no ERSPAN header. Note that GRE/ERSPAN provides neither authentication nor confidentiality: the mirrored packets cross Switch B in the clear, and an interface created with only a local address decapsulates ERSPAN from any source addressed to 8.8.8.8, so the path between the switches and the server should be on infrastructure the monitoring team trusts.
root@Monitoring_Server:/home/admin# ip addr add 8.8.8.8/24 dev eth0
root@Monitoring_Server:/home/admin# ip link add mm type erspan local 8.8.8.8 erspan_ver 0
root@Monitoring_Server:/home/admin# ip link set mm up
Host
No configuration is necessary on the hosts. Any packet a host sends that enters Switch A on te-1/1/1 and matches filter f1 (TCP with a source address in 1.1.1.0/24) is automatically copied across the ERSPAN tunnel to the Data Monitoring Server; all other traffic is forwarded normally without being mirrored.
Verify Configuration
- On Switch A, run the command run show filter f1 to view the configuration information about ACL-based ERSPAN. The Erspan Output state should be UP and the output-port should be the interface toward Switch B; the match counter increases as matching packets arrive on te-1/1/1.
admin@SwitchA# run show filter f1
Filter: f1
  Description:
  Sequence: 1
    Description:
    match counter: 0 packets
    match-condition:
      protocol: tcp
      source-address-ipv4: 1.1.1.0/24
    action: forward
    Erspan Output:
      state: UP
      source-ip: 4.4.4.4
      dest-ip: 8.8.8.8
      output-port: te-1/1/3
      tagged vlan:
      vrf:
      ttl: 255
      forwarding_class:
  Input interface: te-1/1/1
- The Data Monitoring Server receives the mirrored messages.
- Check the received mirrored messages as they arrive on eth0, still GRE-encapsulated (outer IP header 4.4.4.4 -> 8.8.8.8, protocol GRE). Append the capture filter proto gre to show only the tunnel traffic.
root@Monitoring_Server:/home/admin# tcpdump -i eth0 -net -vv
- View the decapsulated mirrored messages on the ERSPAN interface. Only TCP packets with a source address in 1.1.1.0/24 should appear here; anything else indicates that the filter on Switch A does not match what was intended.
root@Monitoring_Server:/home/admin# tcpdump -i mm -net -vv
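As an added example (not part of the Pica8 documentation or product), the following Python script decodes ERSPAN-over-GRE packets in the form the eth0 capture above shows them and checks each mirrored packet against the ACL from Step 2: an outer IPv4 header from 4.4.4.4 to 8.8.8.8, GRE with protocol type 0x88BE, then either the Ethernet frame directly (ERSPAN Type I, which is what erspan_ver 0 decapsulates) or a sequence number plus an 8-byte ERSPAN header (Type II). It goes beyond the page by handling both ERSPAN types and an 802.1Q-tagged inner frame. All packets are constructed inline; the inner host addresses, MAC addresses, ports and the session ID are invented test values, and the GRE/ERSPAN field layouts follow the Linux kernel's erspan implementation.

```python
"""Decode ERSPAN-over-GRE packets as seen on the monitoring server and check
each mirrored packet against the ACL applied on Switch A (added example)."""
import ipaddress
import struct

IPPROTO_GRE, IPPROTO_TCP, IPPROTO_UDP = 47, 6, 17
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type carrying ERSPAN Type I/II

# Values taken from the configuration example on this page.
TUNNEL_SRC, TUNNEL_DST = "4.4.4.4", "8.8.8.8"
FILTER_PROTO = IPPROTO_TCP                       # "from protocol tcp"
FILTER_SRC = ipaddress.ip_network("1.1.1.0/24")  # "from source-address-ipv4 1.1.1.0/24"


def ipv4_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (no options, TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_erspan(inner_src, inner_dst, inner_proto, erspan_type, session_id=0, vlan=None):
    """Constructed mirrored packet: IPv4 / GRE / [seq + ERSPAN hdr] / Ethernet / IPv4 / L4.
    MAC addresses, ports and session ID are invented test values."""
    l4 = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20 bytes, TCP-shaped
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    frame = (bytes.fromhex("0011223344550066778899aa") + tag + struct.pack("!H", ETHERTYPE_IPV4)
             + build_ipv4(inner_src, inner_dst, inner_proto, l4))
    if erspan_type == 1:   # Type I: plain GRE, no sequence number, no ERSPAN header
        payload = struct.pack("!HH", 0x0000, GRE_PROTO_ERSPAN) + frame
    else:                  # Type II: S bit set, 32-bit sequence, 8-byte ERSPAN header (version 1)
        payload = (struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)
                   + struct.pack("!HHI", 1 << 12, session_id & 0x03FF, 0) + frame)
    return build_ipv4(TUNNEL_SRC, TUNNEL_DST, IPPROTO_GRE, payload)


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) after basic header sanity checks."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(buf) < total_len:
        raise ValueError("malformed IPv4 header")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, buf[ihl:total_len]


def parse_gre_erspan(buf):
    """Strip GRE and, for Type II, the ERSPAN header. Returns (erspan_type, session_id, frame)."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN" % proto)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0)  # checksum, key
    if not flags & 0x1000:      # no sequence number: Type I, Ethernet frame follows directly
        return 1, None, buf[off:]
    off += 4                    # sequence number
    if len(buf) < off + 8:
        raise ValueError("short ERSPAN header")
    ver_vlan, cos_en_t_sid, _ = struct.unpack("!HHI", buf[off:off + 8])
    if ver_vlan >> 12 != 1:
        raise ValueError("unexpected ERSPAN version %d" % (ver_vlan >> 12))
    return 2, cos_en_t_sid & 0x03FF, buf[off + 8:]


def parse_ethernet(frame):
    """Return (vlan or None, ethertype, payload); handles a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype, vlan, off = struct.unpack("!H", frame[12:14])[0], None, 14
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    return vlan, ethertype, frame[off:]


def check_mirrored(raw):
    """Decode one captured packet and report whether the ACL should have mirrored it."""
    osrc, odst, oproto, gre = parse_ipv4(raw)
    if oproto != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % oproto)
    erspan_type, session, frame = parse_gre_erspan(gre)
    vlan, ethertype, inner = parse_ethernet(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("inner ethertype 0x%04x not handled" % ethertype)
    isrc, idst, iproto, _ = parse_ipv4(inner)
    return {"tunnel_ok": osrc == TUNNEL_SRC and odst == TUNNEL_DST,
            "erspan_type": erspan_type, "session_id": session, "vlan": vlan,
            "inner_src": isrc, "inner_dst": idst, "inner_proto": iproto,
            "matches_acl": iproto == FILTER_PROTO and ipaddress.ip_address(isrc) in FILTER_SRC}


if __name__ == "__main__":
    for pkt in (build_erspan("1.1.1.10", "100.100.100.5", IPPROTO_TCP, 1),
                build_erspan("1.1.1.20", "100.100.100.5", IPPROTO_UDP, 2, session_id=5, vlan=100),
                build_erspan("100.100.100.7", "1.1.1.10", IPPROTO_TCP, 1)):
        print(check_mirrored(pkt))
```

Run against real traffic by feeding check_mirrored the raw bytes of each packet captured on eth0 (for example from a raw socket or a pcap reader); a result with matches_acl False means a packet reached the server that the Switch A filter should not have mirrored, and tunnel_ok False means GRE arrived from an unexpected source, which the unauthenticated ERSPAN interface would otherwise decapsulate silently.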
Copyright © 2024 Pica8 Inc. All Rights Reserved.