erspan in linux
play

ERSPAN in Linux A short history and review. Presenters: William Tu - PowerPoint PPT Presentation

Jan 30, 2023 •361 likes •608 views

ERSPAN in Linux A short history and review. Presenters: William Tu and Greg Rose 1 What is Port Mirroring? Port mirroring is one of the most common network troubleshooting techniques. SPAN - Switch Port Analyzer - sends a copy of the

  1. ERSPAN in Linux A short history and review. Presenters: William Tu and Greg Rose 1

  2. What is Port Mirroring? • Port mirroring is one of the most common network troubleshooting techniques. • SPAN - Switch Port Analyzer - sends a copy of the monitored traffic to a local device. • RSPAN – Remote Switch Port Analyzer – sends a copy of the monitored traffic to a remote device via VLAN tagging. • ERSPAN - Encapsulated Remote SPAN – uses GRE encapsulation to extend the basic port mirroring capability from Layer 2 to Layer 3 which allows the mirrored traffic to be sent through a routable IP network. 2

  3. Port Mirroring Examples • Host A sends traffic to Host B • A copy of the traffic is forwarded to sniffer Three ways: • SPAN: sniffer is at the same switch • RSPAN: sniffer is at different switch • ERSPAN: sniffer is across IP network • Use cases: • Analyze, diagnose, detect malicious traffic 3

  4. E ncapsulated R emote S witched Port AN AN alyzer • Mirrors traffic on source port(s) and delivers the mirrored traffic to destination port(s) on another switch • Traffic (inner packet) is encapsulated in GRE (Generic Routing Encapsulation) so routable across a dest layer 3 network source Cross Layer3 network 4

  5. A Short History of ERSPAN in Linux • Adding ERSPAN to Linux became possible when Cisco released the specification in 2014. • ERSPAN for IPv4 was added into Linux kernel in 4.14, and for IPv6 in 4.16. • Includes both transmission and reception and is based on the existing ip_gre and ip6_gre kernel modules. • Allows Linux to act as an ERSPAN traffic source sending the ERSPAN mirrored traffic to the remote host, or an ERSPAN destination which receives and parses the ERSPAN packets generated from Cisco or other ERSPAN-capable switches. • Provides native tunnel support and metadata mode tunnel support. 5

  6. Common ERSPAN Use Cases • Debugging network issues by tracking the control and data frames. • Monitoring Voice-over-IP, VoIP, packets for delay and jitter analysis • Monitoring network transactions for latency analysis • Monitoring network traffic for anomaly detection 6

  7. ERSPAN Packet Example ETHER IP GRE ERSPAN ETHER IP ERSPAN header Outer routable packet header using GRE with inner Mirrored packet (Generic Routing Encapsulation) packet details 7

  8. ERSPAN Tunnel Setup Examples Linux Linux Linux Netdev VM 1 VM 2 @10.1.1.5 10.1.1.3 10.1.1.4 Physical Machines Open vSwitch ERSPAN Native or LW Tunnel Links 10.1.1.2 ERSPAN Tunnel 192.168.1.3 ERSPAN Tunnel 192.168.1.4 Cisco Switch ERSPAN Tunnel 192.168.1.2 Sniffer Layer 3 IPv4 / IPv6 Network – 192.168.1.* 192.168.1.1 8

  9. Linux native tunnel vs metadata mode tunnel • There are two tunnel type implementations in Linux kernel: native tunnel and metadata-mode (light weight) tunnel. • https://lwn.net/Articles/651497/ See article by Thomas Graf, August 2016 • Native tunnel - created with per tunnel-specific configuration, tied together with the net device. • creating a GRE tunnel with key and sequence number can be done by: # ip link add dev gre123 type gretap local 1.1.1.1 remote 2.2.2.2 seq key 0xfb • As a result, N different tunnel configurations require creating N number of netdevs. • Does not scale well. 9

  10. Native vs. metadata mode tunnel (cont…) • Metadata mode tunnel (aka lightweight tunnel) resolves scaling issue. • Only one netdev per tunnel type is required to represent multiple tunnels. • This means that the tunnel configuration of a particular type of the tunnel must be passed to the tunnel netdev in order to encapsulate the packet. • OVS uses lightweight tunnels. • See example of a LWT with eBPF: https://elixir.bootlin.com/linux/latest/source/tools/testing/selftests/bpf/test_tunnel.sh https://elixir.bootlin.com/linux/latest/source/tools/testing/selftests/bpf/test_tunnel_kern.c 10

  11. ERSPAN Protocol Headers inner outer ETHER IP GRE ERSPAN ETHER IP The use of the IP protocol as part of the outer header is important Fixed 8 byte header with Seq # because it makes the mirrored Next Protocol 0x88be – ERSPAN Type II Next Protocol 0x22be – ERSPAN Type III traffic routable across any IP network. 11

  12. GRE Header GRE header for ERSPAN encapsulation (8 octets) -- 8 bytes 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0|0|0|1|0| 00000 | 000000 | Protocol Type for ERSPAN | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number (increments per packet per session) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Sequence # useful at sniffer to Next Protocol 0x88be – ERSPAN Type II determine out of order packets. Next Protocol 0x22be – ERSPAN Type III 12

  13. ERSPAN Header – Version 1 (Type II) ERSPAN Version 1 (Type II) header (8 octets) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ver | VLAN | COS | En|T| Session ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Index | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Original Class of VLAN Encap Platform Truncated VLAN Service Type Dependent 13

  14. ERSPAN Version 1 (Type II) Implementation • Introduces two new iproute2 configurable fields to the netlink API. • Session ID • Index • ERSPAN does not use GRE KEY so repurposes IFLA_GRE_IKEY, IFLA_GRE_OKEY for the Session ID. • Index is also configurable via iproute2. • COS and VLAN are extracted from original frame. • Truncate bit is set if: • Skb length is greater than device MTU + device hard_header_len • IPv4 length is greater than skb length – network header offset • IPv6 length is greater than skb length – transport header offset 14

  15. ERSPAN Header – Version 2 (Type III) Bad/Short Oversized ERSPAN Version 2 (Type III) header (12 octets) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ver | VLAN | COS |BSO|T| Session ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Timestamp | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SGT |P| FT | Hw ID |D|Gra|O| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Security Frame Ingress / Optional TS Payload Platform Group Tag Type Egress Granularity Subheader 15

  16. ERSPAN Version 2 (Type III) Implementation • Introduces another two fields to kernel through netlink API. • Hardware ID • Direction - ingress or egress • COS, BSO, and T fields can be extracted or inferred from the mirrored frame. • Timestamp value is calculated by calling the kernel ktime_get_real() with 100 µs granularity – Only 100 µs is supported. • SGT is hard coded to zero. • Non-Ethernet mirrored packet is not supported, so FT is always 0 and P is set to 1. • There is no implementation of sub-headers, so optional bit is zero. 16

  17. Cisco ERSPAN example • We use Nexus 5000 switch and configure its ERSPAN tunnel on ports 11 and 12 as below monitor session 10 type erspan-source erspan-id 10 vrf default destination ip 192.168.1.1 source interface Ethernet1/11 both source interface Ethernet1/12 both no shut monitor erspan origin ip-address 192.168.1.2 global 17

  18. With openvswitch.ko # with 4.19-rc6+ kernel and iproute2-ss180813 # creating datapath named "mydp", attach veth1(port 1) $ ovs-dpctl add-dp mydp $ ovs-dpctl add-if mydp ovs-veth1 // connected to namespace ns0 peer veth1 # creating erspan dev named "myerspan" and attach # Note that OVS uses a lightweight tunnel with “external” keyword $ ip link add dev myerspan type erspan external $ ovs-dpctl add-if mydp myerspan # flow entry for port 1 to erspan tunnel $ ovs-dpctl add-flow mydp \ "in_port(1),eth(src=00:01:02:03:04:05,dst=10:11:12:13:14:15),eth_type(0x0800),\ ipv4(src=35.8.2.41,dst=172.16.0.20,proto=5,tos=0x80,ttl=128,frag=no)" \ "set(tunnel(tun_id=20,dst=192.168.1.1,ttl=64,erspan(ver=2,dir=1,hwid=0x4),flags(df|key ))),2 Note that the OVS vswitchd daemon is not required for this case. 18

  19. Linux Native Mode tunnel example # with 4.19-rc6+ kernel and iproute2-ss180813 # Native-mode without using eBPF $ ip link add dev myerspan type erspan seq \ key 30 local 192.168.1.4 remote 192.168.1.1 \ erspan_ver 1 erspan 123 dev ens3 $ tc qdisc add dev ens3 handle ffff: ingress $ tc filter add dev ens3 parent ffff: \ matchall skip_hw action mirred egress \ mirror dev myerspan 19

  20. Linux LWT ERSPAN eBPF example # with 4.19-rc6+ kernel and iproute2-ss180813 $ ip link add dev myerspan type erspan external $ tc qdisc add dev myerspan handle ffff: ingress $ tc qdisc add dev ens3 handle ffff: ingress $ tc filter add dev myerspan bpf da obj \ ./test_tunnel_kern.o section erspan_set_tunnel $ tc filter add dev ens3 parent ffff: matchall\ skip_hw action mirred egress mirror dev myerspan See e.g. https://elixir.bootlin.com/linux/latest/source/tools/testing/selftests/bpf/test_tunnel.sh 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range

Linux from Sensors to Servers ! When is Linux Not Linux? ! 1 1 Linux runs across a huge range of systems ! CC BY-SA 2.0 FHKE, Flickr 2 Whats the difference between Linux on a big thing and Linux on a little thing? ! 3 ! Whats the

900 views • 52 slides
Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the

High Performance Computing using Linux: The Good and the Bad Christoph Lameter HPC and Linux Most of the supercomputers today run Linux. All of the computational clusters in corporations that I know of run Linux. Support for

419 views • 12 slides
Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft Windows, Sun

1.11k views • 55 slides
Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig

The State of Desktop Linux: Interviews with Different Users About Their Linux Setups Steven Ovadia My Linux Rig www.mylinuxrig.com @steven_ovadia *** Associate Professor/Web Services Librarian LaGuardia Community College About My Linux

458 views • 27 slides
Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux

Introduction to Linux Fundamentals of Computer Science Outline Operating Systems Linux History Linux Architecture Logging in to Linux Command Format Linux Filesystem Directory and File Commands Wildcard Characters

686 views • 19 slides
Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux

Linux, whats that? The pieces of a Linux system Linux Concepts Distributions Desktop environments Switching to Linux Epilogue Introduction to Linux Aline Abler Aline Abler Linux, whats that? The pieces of a Linux system Linux

766 views • 57 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Linux You Can Drive My Car Embedded Linux Conference

Linux You Can Drive My Car Embedded Linux Conference

Linux You Can Drive My Car Embedded Linux Conference 2017 Walt Miner ( @VStarWalt ) Community Manager, AGL , The Linux FoundaGon

721 views • 55 slides
Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows

Linux For Beginners April 26, 2016 Dualboot Linux and Windows Dualboot Linux and Windows Reinstall usually keeps personal files Advantages of Linux More secure Package manager Software installation is easy, fast and secure Keeps

528 views • 15 slides
Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the

Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the

Linux Kung Fu Stephen James UBNetDef, Spring 2017 Introduction What is Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system

607 views • 48 slides
AOS Linux Tutorial Introduction to Linux Michael Havas Dept. of Atmospheric and Oceanic Sciences

AOS Linux Tutorial Introduction to Linux Michael Havas Dept. of Atmospheric and Oceanic Sciences

AOS Linux Tutorial Introduction to Linux Michael Havas Dept. of Atmospheric and Oceanic Sciences McGill University September 15, 2011 Outline 1 Introduction to Linux Benefits of Linux What Exactly is Linux? The Free-Software Philosophy 2

898 views • 69 slides
The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL)

The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL)

The State of the Linux Desktop An OSDL Perspective John Cherry OSDL Desktop Linux (DTL) September 23, 2006 1 2 The State of the Linux Desktop Riding the Open Software Wave The Linux Desktop Markets Linux Desktop Market Data The Linux

543 views • 40 slides
Linux Basics 2 Pre-Lab Everyone installed Linux on their

Linux Basics 2 Pre-Lab Everyone installed Linux on their

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Linux Basics 2 Pre-Lab Everyone installed Linux on

617 views • 25 slides
Power Your Car with Automo0ve Grade Linux Automo&ve Linux

Power Your Car with Automo0ve Grade Linux Automo&ve Linux

Power Your Car with Automo0ve Grade Linux Automo&ve Linux Summit 2017 Walt Miner ( @VStarWalt ) Community Manager, AGL , The Linux

594 views • 37 slides
Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1 1 The Linux Utilities Linux did not

Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1 1 The Linux Utilities Linux did not

Fall 2009 Lecture 5 Operating Systems: Configuration & Use CIS345 The Linux Utilities Mostafa Z. Ali Mostafa Z. Ali mzali@just.edu.jo 1 1 The Linux Utilities Linux did not have a GUI. It ran on character based terminals only,

1.16k views • 70 slides
PPP Protocol Overview 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301)

PPP Protocol Overview 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301)

PPP Protocol Overview 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 1 Website: http://www.gl.com Point-to-Point Protocol (PPP) Point to Point (PPP) networks

759 views • 46 slides
NITRIFICATION DENITRIFICATION OF RAW MUNICIPAL WASTEWATER WITHOUT RECIRCULATION, USING

NITRIFICATION DENITRIFICATION OF RAW MUNICIPAL WASTEWATER WITHOUT RECIRCULATION, USING

NITRIFICATION DENITRIFICATION OF RAW MUNICIPAL WASTEWATER WITHOUT RECIRCULATION, USING ENCAPSULATED MICROBIAL SYSTEMS M. Farazaki, H. Marakas and P. Gikas School of Environmental Engineering Technical University of Crete Typical wastewater

389 views • 28 slides
Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass

Breakthrough welding solutions for hermetic encapsulation Primoceler your partner for glass encapsulation GLASS WELDING UNIT ENGINEERING KNOW-HOW Laser based welding Solution specification tool and software for Laboratory

751 views • 7 slides
Prof. Antonn KAZDA NEW VISION - ONE OF THE BEST IN EUROPE 1989 Velvet Revolution 1960

Prof. Antonn KAZDA NEW VISION - ONE OF THE BEST IN EUROPE 1989 Velvet Revolution 1960

UNIVERSITY OF ILINA SLOVAKIA Prof. Antonn KAZDA NEW VISION - ONE OF THE BEST IN EUROPE 1989 Velvet Revolution 1960 1975 1989 2012 SMARTS Sustainable Management of Air Transportation System 2016 ATAERA - Air Transport and

500 views • 14 slides
MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST

MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST

MEXICO BIENVENIDO - WELCOME WE HOPE YOUVE BEEN HAVING A GREAT TIME OUR GOAL BE THE BEST AND HELP YOU GROW YOU ARE ARE YOU TAKING FULL ADVANTAGE? Training Business Development Tech Support Tribal Knowledge & Resources IDI

671 views • 49 slides
Biological Products Micro-encapsulation November & December 2017 Introduction Eden is an

Biological Products Micro-encapsulation November & December 2017 Introduction Eden is an

Biological Products Micro-encapsulation November & December 2017 Introduction Eden is an industrial biotechnology company that delivers Natural Solutions to challenges in plant protection, consumer products and animal health .

859 views • 18 slides
Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking

Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking

Introduction VXLAN prototype Security assessment Q&A Security assessment on a VXLAN-based network Guido Pineda Reyes MSc. Systems and Networking Engineering University of Amsterdam February 5, 2014 Guido Pineda Reyes Security

430 views • 32 slides
Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at

Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at

Handling Large Formats On a Small Budget Tuesday, November 15, 11 What We Do at the CHL Anything up to 36x48 is stored in folders and boxes Anything above that is encapsulated and

622 views • 39 slides

More recommend