ERSPAN on Linux
Information
| Summary: |
The IPv4 ERSPAN option was added to the Linux kernel in 4.14 and it is based on existing kernel modules. It allows machines to act as an ERSPAN traffic source sending the ESPAN encapsulated mirrored traffic to the remote host. It requires only the iproute2 package which is generally part of all modern distributions. This functionality allows us to mirror the incoming/outgoing traffic of a machine to the Flowmon monitoring interface with configured ERSPAN decapsulation. For example in AWS, inter-region and availability zone traffic isn’t charged and this can allow free network monitoring for a certain server. |
| Environment: |
Product: Flowmon Probe Version: Any Platform: Any |
| Question/Problem Description: |
|
| Steps to Reproduce: | |
| Error Message: | |
| Defect Number: | |
| Enhancement Number: | |
| Cause: | |
| Resolution: |
Root permissions for the source machine are required. This approach has been tested on Debian 12 with kernel 6.1.0-11. ERSPAN mirroring can be configured with these commands (run on the machine whose traffic should be mirrored, not on the Flowmon appliance): ip link add dev myerspan type erspan seq key 30 local 172.16.32.2 remote 172.16.32.1 erspan_ver 1 erspan 123 tc qdisc add dev ens192 handle ffff: ingress tc filter add dev ens192 parent ffff: matchall skip_hw action mirred egress mirror dev myerspan ifup myerspan
The monitoring port of the Flowmon appliance has to have an IP address configured and ERSPAN decapsulation has to be enabled there. |
| Workaround: | |
| Notes: |