Example for Configuring ACL-based ERSPAN


Networking Requirements

Figure 1. ACL-based ERSPAN Configuration Example

As shown in Figure 1, Host A, Host B and Host C reach the Internet through Switch A. The remote Data Monitoring Server is connected to Switch A through Switch B. To monitor the traffic from the three hosts, matching packets are mirrored to the output port and carried over a GRE tunnel to the remote Data Monitoring Server. The network administrator wants the Data Monitoring Server to analyze only the packet flows that are both TCP and sourced from the 1.1.1.0/24 network segment, in order to locate the source of a malicious attack.

Follow the configuration steps listed below to enable the ACL-based ERSPAN function:

  1. On Switch A, configure an ACL filter for ACL-based ERSPAN and apply it to the ingress of the mirroring input port te-1/1/1.
  2. On Switch A, configure the source IP address and destination IP address used for the GRE encapsulation of mirrored packets.
  3. On Switch B, create the VLANs and VLAN interfaces that forward the mirrored packets to the Data Monitoring Server.
  4. On the Data Monitoring Server, create a Linux ERSPAN tunnel interface to decapsulate the received GRE packets.

Procedure

Switch A

Step 1          Configure VLANs and VLAN interfaces.

admin@SwitchA# set vlans vlan-id 100
admin@SwitchA# set vlans vlan-id 230
admin@SwitchA# set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 100
admin@SwitchA# set interface gigabit-ethernet te-1/1/3 family ethernet-switching native-vlan-id 230
admin@SwitchA# set vlans vlan-id 100 l3-interface vlan100
admin@SwitchA# set vlans vlan-id 230 l3-interface vlan230
admin@SwitchA# set l3-interface vlan-interface vlan100 address 100.100.100.1 prefix-length 24
admin@SwitchA# set l3-interface vlan-interface vlan230 address 220.220.220.1 prefix-length 24

Step 2          Configure ACL filter rules. Refer to the ACL configuration guide for details on how to configure filter rules. Both conditions below belong to the same sequence, so a packet must be TCP and have a source address in 1.1.1.0/24 to match.

admin@SwitchA# set firewall filter f1 sequence 1 from protocol tcp
admin@SwitchA# set firewall filter f1 sequence 1 from source-address-ipv4 1.1.1.0/24

Step 3          Apply the ACL filter rules to the mirroring input port.

NOTE: Due to a hardware restriction, the ACL rules can currently be applied only in the ingress direction of the mirroring input port. That is, the command set firewall filter <filter-name> output interface <interface-name> is not supported for ACL-based ERSPAN.

admin@SwitchA# set firewall filter f1 input interface te-1/1/1

Step 4          Configure the source IP address and destination IP address for ACL-based ERSPAN GRE encapsulation. The destination IP address is the address of the Data Monitoring Server.

admin@SwitchA# set firewall filter f1 sequence 1 then erspan source-ip 4.4.4.4
admin@SwitchA# set firewall filter f1 sequence 1 then erspan dest-ip 8.8.8.8

Step 5          Configure the routing protocol and enable IP routing for L3 forwarding, so that Switch A has a route to the destination IP address.

admin@SwitchA# set protocols ospf router-id 1.1.1.1
admin@SwitchA# set protocols ospf area 0
admin@SwitchA# set protocols ospf network 100.100.100.0/24 area 0
admin@SwitchA# set protocols ospf network 220.220.220.0/24 area 0
admin@SwitchA# set ip routing enable true

Step 6          Commit the configuration.

admin@SwitchA# commit

Switch B

Step 1          Configure VLANs and VLAN interfaces.

admin@SwitchB# set vlans vlan-id 100
admin@SwitchB# set vlans vlan-id 230
admin@SwitchB# set interface gigabit-ethernet te-1/1/1 family ethernet-switching native-vlan-id 100
admin@SwitchB# set interface gigabit-ethernet te-1/1/5 family ethernet-switching native-vlan-id 230
admin@SwitchB# set vlans vlan-id 100 l3-interface vlan100
admin@SwitchB# set vlans vlan-id 230 l3-interface vlan230
admin@SwitchB# set l3-interface vlan-interface vlan100 address 8.8.8.1 prefix-length 24
admin@SwitchB# set l3-interface vlan-interface vlan230 address 220.220.220.2 prefix-length 24

Step 2          Configure the routing protocol and enable IP routing for L3 forwarding.

admin@SwitchB# set protocols ospf router-id 3.3.3.3
admin@SwitchB# set protocols ospf area 0
admin@SwitchB# set protocols ospf network 220.220.220.0/24 area 0
admin@SwitchB# set protocols ospf network 8.8.8.0/24 area 0
admin@SwitchB# set ip routing enable true

Step 3          Commit the configuration.

admin@SwitchB# commit

Data Monitoring Server

On the Data Monitoring Server, create a Linux ERSPAN tunnel interface from the shell to decapsulate the received GRE packets. The local address must be the dest-ip configured on Switch A (8.8.8.8), and erspan_ver 0 selects ERSPAN Type I, in which the mirrored Ethernet frame follows the GRE header directly with no ERSPAN header. As configured below, the interface has no remote address, so it accepts ERSPAN-over-GRE packets from any source; if the server is reachable from untrusted networks, add remote 4.4.4.4 to the ip link command or restrict incoming GRE (IP protocol 47) with the host firewall so that only Switch A can inject frames into mm.

root@Monitoring_Server:/home/admin# ip addr add 8.8.8.8/24 dev eth0
root@Monitoring_Server:/home/admin# ip link add mm type erspan local 8.8.8.8 erspan_ver 0
root@Monitoring_Server:/home/admin# ip link set mm up

Host

No configuration is necessary on the hosts. Of the packets the hosts send through Switch A, those entering te-1/1/1 that match filter f1 (TCP with a source address in 1.1.1.0/24) are forwarded normally and a copy is encapsulated and sent across the ERSPAN tunnel to the Data Monitoring Server; other traffic is not mirrored.

Verify Configuration

  • On Switch A, run the command run show filter f1 to view the ACL-based ERSPAN configuration. Erspan Output should show state UP, the configured source-ip and dest-ip, and the output port toward Switch B (te-1/1/3); the match counter counts packets that have matched sequence 1.
admin@SwitchA# run show filter f1
Filter: f1
    Description: 
    Sequence: 1
        Description: 
        match counter:  0 packets
        match-condition:
            protocol:                 tcp
            source-address-ipv4:      1.1.1.0/24
        action: forward
        Erspan Output:
               state: UP
               source-ip: 4.4.4.4
               dest-ip: 8.8.8.8
               output-port: te-1/1/3
               tagged vlan: 
               vrf: 
               ttl: 255
        forwarding_class: 
Input interface: te-1/1/1

  • Confirm that the Data Monitoring Server receives the mirrored packets.
    • Check the received mirrored packets on eth0. They arrive as GRE packets from 4.4.4.4 to 8.8.8.8.
root@Monitoring_Server:/home/admin# tcpdump -i eth0 -net -vv

    • View the decapsulated mirrored packets on the ERSPAN interface mm. These are the original frames from the hosts that matched filter f1.
root@Monitoring_Server:/home/admin# tcpdump -i mm -net -vv
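The difference between the two captures above is the decapsulation that the mm interface performs. The following parser makes that step explicit and adds a check the interface itself does not do: it verifies that the outer GRE packet really came from Switch A's erspan source-ip before trusting the inner frame. This is an added example written for this page, not Pica8 code or part of the original procedure. It parses the outer IPv4 and GRE headers (GRE protocol type 0x88BE), strips the 8-byte ERSPAN header when the GRE sequence flag marks a Type II packet (Type I, which erspan_ver 0 creates, carries none), then checks the inner frame against the policy of filter f1. The sample packets are constructed in-line; the inner addresses 198.51.100.20 and 203.0.113.7, the ERSPAN session ID 0x100 and the MAC addresses are placeholders that do not come from the page.

```python
"""Decapsulate ERSPAN-over-GRE packets as the Data Monitoring Server receives them
and check each inner frame against the mirroring policy of filter f1. Added example
for this page, not Pica8 code; sample packets are constructed in-line."""
import ipaddress
import struct

IPPROTO_GRE, IPPROTO_TCP, IPPROTO_UDP = 47, 6, 17
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
GRE_PROTO_ERSPAN = 0x88BE                           # GRE protocol type for ERSPAN Type I/II
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000

# Policy of filter f1 on Switch A (from the page): mirror TCP sourced from 1.1.1.0/24.
POLICY_PROTO = IPPROTO_TCP
POLICY_SRC_NET = ipaddress.ip_network("1.1.1.0/24")
TUNNEL_SRC = ipaddress.ip_address("4.4.4.4")        # erspan source-ip configured on Switch A


def parse_ipv4(buf):
    """Return (src, dst, protocol, header length) of an IPv4 header; checksum not verified."""
    if buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    return ipaddress.ip_address(buf[12:16]), ipaddress.ip_address(buf[16:20]), buf[9], ihl


def decapsulate(packet):
    """Strip outer IPv4 + GRE (+ ERSPAN header) and describe the mirrored inner frame."""
    o_src, o_dst, o_proto, ihl = parse_ipv4(packet)
    if o_proto != IPPROTO_GRE:
        raise ValueError(f"outer IP protocol {o_proto} is not GRE")
    gre = packet[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"GRE protocol type 0x{proto:04x} is not ERSPAN")
    # Optional GRE fields (checksum+reserved, key) are 4 bytes each when their flag is set.
    off = 4 + 4 * bool(flags & GRE_FLAG_CSUM) + 4 * bool(flags & GRE_FLAG_KEY)
    info = {"tunnel_src": o_src, "tunnel_dst": o_dst, "erspan_type": 1, "session_id": None}
    if flags & GRE_FLAG_SEQ:
        # Type II: 32-bit GRE sequence number, then an 8-byte ERSPAN header whose
        # top 4 bits are the version (1 = Type II) and low 10 bits the session ID.
        off += 4
        erspan_hdr = struct.unpack("!I", gre[off:off + 4])[0]
        if erspan_hdr >> 28 != 1:
            raise ValueError(f"ERSPAN version {erspan_hdr >> 28} not handled")
        info.update(erspan_type=2, session_id=erspan_hdr & 0x3FF)
        off += 8
    frame = gre[off:]                               # inner Ethernet frame as the host sent it
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3, info["vlan"] = frame[14:], None
    if ethertype == ETHERTYPE_VLAN:                 # 802.1Q tag: VLAN ID, then real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        l3, info["vlan"] = frame[18:], tci & 0x0FFF
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"inner EtherType 0x{ethertype:04x} not handled")
    src, dst, proto, ihl = parse_ipv4(l3)
    info.update(src=src, dst=dst, proto=proto)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", l3[ihl:ihl + 4])
    return info


def matches_policy(info):
    """True when the inner packet is one filter f1 should have mirrored AND the outer source
    is Switch A. An mm interface created without `remote` does not check the outer source,
    so anything else is either a misconfiguration or a packet injected by a third party."""
    return (info["tunnel_src"] == TUNNEL_SRC
            and info["proto"] == POLICY_PROTO
            and info["src"] in POLICY_SRC_NET)


def build_mirrored(inner_src, inner_dst, proto, sport, dport,
                   erspan_type=1, tunnel_src="4.4.4.4", tunnel_dst="8.8.8.8"):
    """Constructed sample: wrap a minimal TCP SYN or UDP datagram the way Switch A would.
    IP checksums are left at zero and MAC addresses are placeholders."""
    def ipv4(src, dst, p, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, p, 0,
                           ipaddress.ip_address(src).packed,
                           ipaddress.ip_address(dst).packed) + payload
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0xFFFF, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    frame = bytes.fromhex("001122334455" "0066778899aa") + struct.pack("!H", ETHERTYPE_IPV4)
    frame += ipv4(inner_src, inner_dst, proto, l4)
    if erspan_type == 1:
        gre = struct.pack("!HH", 0, GRE_PROTO_ERSPAN)
    else:                                           # Type II: seq 7, version 1, session ID 0x100
        gre = struct.pack("!HHIII", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN, 7, (1 << 28) | 0x100, 0)
    return ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre + frame)


if __name__ == "__main__":
    for pkt in (build_mirrored("1.1.1.10", "198.51.100.20", IPPROTO_TCP, 40000, 443),
                build_mirrored("1.1.1.10", "198.51.100.20", IPPROTO_UDP, 40000, 53, erspan_type=2),
                build_mirrored("1.1.1.10", "198.51.100.20", IPPROTO_TCP, 40000, 443,
                               tunnel_src="203.0.113.7")):
        i = decapsulate(pkt)
        print(f"ERSPAN type {i['erspan_type']} from {i['tunnel_src']}: {i['src']} -> {i['dst']} "
              f"proto {i['proto']} policy_ok={matches_policy(i)}")
```

The third sample is the case the page's server configuration does not catch: an inner packet that satisfies filter f1 but arrives in a GRE envelope from an address other than 4.4.4.4. On the real server the same check can be done with tcpdump on eth0 (the outer source address is visible there) or, more robustly, with remote 4.4.4.4 on the ip link command so the kernel drops such packets before they reach mm.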


Copyright © 2024 Pica8 Inc. All Rights Reserved.