1. Field
The present disclosure relates generally to remote data traffic monitoring and, more particularly, to automatically establishing and maintaining an Encapsulated Remote Switched Port Analyzer (ERSPAN) remote traffic monitoring session.
2. Related Art
Data switches support a variety of data traffic monitoring features to facilitate network maintenance and security. One such feature, an Encapsulated Remote Switched Port Analyzer (ERSPAN), allows a user to remotely monitor traffic at a source device via a remote destination device across a Layer 2 (L2) or a Layer 3 (L3) routed network. A network analysis device, also called a “sniffer”, can be connected to a port on the destination device to receive and analyze the monitored traffic.
The ERSPAN feature supports monitoring traffic ingress and/or egress to one or more source ports of a source device or one or more Virtual Local Area Networks (VLANs). The monitored traffic is mirrored at the source device, encapsulated within an L3 routable Generic Routing Encapsulation (GRE) tunnel, and forwarded to the destination device. At the destination device, the mirrored traffic is switched to the appropriate destination port for analysis by the network analyzer connected to the destination port.
ERSPAN currently requires a user to manually configure the source and destination devices to establish an ERSPAN session. In some instances, source and destination devices supporting ERSPAN features may have different hardware and/or software platforms, and may support different and sometimes incompatible versions of ERSPAN. As a result, it may become burdensome for a user to properly configure the source and destination devices. Additionally, it may be complex for the user to determine an optimal configuration for an ERSPAN session based on the network topology, and the user may not be aware of connectivity issues between the source and destination device that would impact the ERSPAN session. Furthermore, it is important to ensure that ERSPAN traffic replication is not used for a Denial of Service (DoS) attack by pointing the ERSPAN tunnel to the attacked IP address.
Accordingly, there is a need in the art for automatically configuring and establishing ERSPAN sessions.