GRE ERSPAN Example Use Case

Encapsulated Remote Switched Port Analyzer (ERSPAN) is a type of GRE tunnel which allows a remote Intrusion Detection System (IDS) or similar packet inspection device to receive copies of packets from a local interface. This operates similar to a local mirror or span port on a switch, but in a remote capacity.

A typical use case for this is central packet inspection or a case where a remote site has plenty of bandwidth available, but no suitable local hardware for inspecting packets.

On TNSR, this is accomplished by configuring an ERSPAN GRE tunnel and then configuring a span to link the ERSPAN tunnel a local interface. From that point on, a copy of every packet on the interface being spanned is sent across GRE.

Note

The receiving end does not need to support ERSPAN, a standard GRE tunnel will suffice.

Example Scenario

In this example, copies of packets from a local TNSR interface will be copied to a remote IDS for inspection.

Item

Value

Local Server:

172.29.193.47/24

TNSR Local Interface:

VirtualFunctionEthernet0/6/0

TNSR Local Address:

172.29.193.60/24

TNSR Internet Interface:

VirtualFunctionEthernet0/7/0

TNSR Internet Address:

172.29.194.142/24

IDS Address:

172.29.194.90/24

../../_images/diagram-erspan.png

ERSPAN Example

TNSR Configuration

First, there is the basic interface configuration of TNSR to handle IP connectivity:

tnsr(config)# interface VirtualFunctionEthernet0/6/0
tnsr(config-interface)# ip address 172.29.193.160/24
tnsr(config-interface)# description Local
tnsr(config-interface)# enable
tnsr(config-interface)# exit

tnsr(config)# interface VirtualFunctionEthernet0/7/0
tnsr(config-interface)# ip address 172.29.194.142/24
tnsr(config-interface)# description Internet
tnsr(config-interface)# enable
tnsr(config-interface)# exit

Next, configure the GRE tunnel on TNSR:

tnsr(config)# gre gre1
tnsr(config-gre)# destination 172.29.194.90
tnsr(config-gre)# source 172.29.194.142
tnsr(config-gre)# tunnel-type erspan session-id 1
tnsr(config-gre)# instance 1
tnsr(config-gre)# exit

tnsr(config)# interface gre1
tnsr(config-interface)# enable
tnsr(config-interface)# exit

Finally, configure a SPAN that ties the local interface to the GRE interface:

tnsr(config)# span VirtualFunctionEthernet0/6/0
tnsr(config-span)# onto gre1 hw both
tnsr(config-span)# exit

Server Configuration

No configuration is necessary on the server. Any packet it sends which flows through TNSR will automatically be copied across the ERSPAN tunnel to the IDS.

IDS Configuration

The IDS must support GRE interfaces and also must support inspecting packets on GRE interfaces. The IDS does not need to explicitly support ERSPAN to receive copies of packets from TNSR.

At a minimum, take the following steps on the IDS:

  • Configure a GRE tunnel between the IDS and TNSR, it does not need to have an address internal to the GRE tunnel.

  • Configure the IDS software to inspect packets on the GRE interface