We all know how crucial a DMZ environment is from a security perspective, so we all follow the same rule: follow the traffic. VMware vDS does offer Port Mirroring to follow the traffic, but it has a limitation: the mirroring is local, so the source and destination ports must be on the same ESXi host. If a source and a destination are not on the same host, the session can still be added, but the mirroring path between them will not take effect.
We can work around this limitation with Cisco Nexus 1000v, which has a feature called ERSPAN (Encapsulated Remote Switched Port Analyzer).
Encapsulated remote (ER) SPAN monitors traffic on multiple network devices across an IP network and sends that traffic in an encapsulated envelope to destination analyzers, so it can be used to monitor traffic remotely. ERSPAN sources can be ports, VLANs, or port profiles.
On physical switches, customers are used to mirroring traffic to special ports to assist in troubleshooting and to feed security and other network analysis appliances. On the Cisco Nexus 1000v, ERSPAN / Port Mirroring provides the same functionality.
At this point you may ask why not simply use promiscuous mode on a dvPort. If you enable promiscuous mode on a dvPort, that port sees all the network traffic going through the switch. There is no way to select which traffic from a port or port group a particular ‘promiscuous’ port is allowed to see – it sees all the traffic on the same broadcast domain.
ERSPAN / Port Mirroring overcomes this limitation with much finer granularity, so that a particular port does not have to see all the traffic on the switch. This lets administrators control exactly which traffic a port receives on the Cisco Nexus 1000v.
The ERSPAN feature was introduced on switches because of a fundamental difference between switches and hubs. When a hub receives a packet on one port, it sends a copy of that packet out of every port except the one on which it received the packet.
In comparison, after a switch boots, it starts to build a Layer 2 forwarding table from the source MAC addresses of the packets it receives. Once this table is built, the switch forwards traffic destined for a particular MAC address directly to the corresponding port, so a sniffer attached to any other port sees nothing. An extra feature is therefore necessary that artificially copies packets to the sniffer port (called an ERSPAN port). ERSPAN / Port Mirroring provides this functionality.
Everything has its limitations, and here are the ones for this feature.
ERSPAN / Port Mirroring Gotchas
- An egress source can’t be a destination of any session, to avoid cycles in mirroring paths.
- In a session, a port can’t be both source and destination.
- A port can’t be destination for more than one session.
- A promiscuous port can’t be egress source or destination.
These rules are in place to avoid ‘flooding’ the network with mirrored traffic.
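The four gotchas above are really a consistency check that can be run over a proposed set of mirroring sessions before they are pushed to the switch. The following is an added example, not code from the original post or from Cisco; the session model, the port names and the two sample configurations are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    """One mirroring session; sources are split by direction because the rules treat egress (tx) sources differently."""
    name: str
    ingress_sources: set = field(default_factory=set)
    egress_sources: set = field(default_factory=set)
    destinations: set = field(default_factory=set)

def validate_sessions(sessions, promiscuous_ports=frozenset()):
    """Return a list of rule violations; an empty list means the sessions respect all four gotchas."""
    errors = []
    dest_users = {}  # destination port -> sessions using it (needed for the cycle and multi-session rules)
    for s in sessions:
        for d in s.destinations:
            dest_users.setdefault(d, []).append(s.name)
    for s in sessions:
        # Rule: in a session, a port can't be both source and destination
        for p in sorted((s.ingress_sources | s.egress_sources) & s.destinations):
            errors.append(f"{s.name}: port {p} is both source and destination")
        # Rule: an egress source can't be a destination of any session (avoids mirroring cycles)
        for p in sorted(s.egress_sources):
            for other in dest_users.get(p, []):
                if other != s.name:  # the same-session case is already reported above
                    errors.append(f"{s.name}: egress source {p} is a destination of session {other}")
        # Rule: a promiscuous port can't be an egress source or a destination
        for p in sorted((s.egress_sources | s.destinations) & promiscuous_ports):
            errors.append(f"{s.name}: promiscuous port {p} used as egress source or destination")
    # Rule: a port can't be the destination of more than one session
    for p, names in sorted(dest_users.items()):
        if len(names) > 1:
            errors.append(f"port {p} is destination in multiple sessions: {', '.join(names)}")
    return errors

# Constructed sample data (hypothetical port names, not taken from the original page)
GOOD = [
    Session("web-dmz", ingress_sources={"veth1", "veth2"}, egress_sources={"veth1"}, destinations={"veth10"}),
    Session("db-tier", ingress_sources={"veth3"}, destinations={"veth11"}),
]
BAD = [
    Session("s1", egress_sources={"veth5"}, destinations={"veth5", "veth6"}),  # veth5 is both source and destination
    Session("s2", ingress_sources={"veth7"}, destinations={"veth6"}),          # veth6 is a destination of two sessions
    Session("s3", egress_sources={"veth6"}, destinations={"veth8"}),           # veth6 is an egress source yet a destination
]
PROMISCUOUS = frozenset({"veth8"})  # veth8 is promiscuous, so it can't be a destination

if __name__ == "__main__":
    print(validate_sessions(GOOD))  # -> []
    print(*validate_sessions(BAD, PROMISCUOUS), sep="\n")
```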
ERSPAN allows you to take advantage of existing L4-7 services investments. One or more destinations can be configured, and each can be defined with “Source VLAN Filters”.
ERSPAN mirrors traffic in an encapsulated envelope to an IP destination. It is designed to monitor traffic on VEMs remotely and can send the mirrored packets outside an individual VEM.