ceived from the net device. Second, for eBPF users, using iproute2 to create a metadata-mode ERSPAN tunnel. With the eBPF TC hook and eBPF tunnel helper functions, users can read/write ERSPAN protocol fields at a finer granularity. Finally, for Open vSwitch users, using the netlink interface to create a switch and programmatically parse, look up, and forward the ERSPAN packets based on flows installed from userspace.

ERSPAN is popular in the following use cases [3]:

  • Debugging network issues by tracking the control and data frames.
  • Monitoring Voice-over-IP (VoIP) packets for delay and jitter analysis.
  • Monitoring network transactions for latency analysis.
  • Monitoring network traffic for anomaly detection.

Figure 1 shows an example setup of ERSPAN tunnels. A network administrator first sets up multiple source network devices and filters for the portion of the traffic he/she wants to inspect. The left-most case creates the ERSPAN tunnel between the Cisco switch and a traffic sniffer. Depending on the features in the Cisco switch, different filters can be applied to the traffic. In the middle of the figure, for multiple virtual machines running inside a Linux box, the virtual switch forwarding packets between the virtual and physical networks can also create ERSPAN tunnels between the software switch and a remote traffic sniffer. Here, Open vSwitch [7] is an example capable of creating filters and forwarding packets to ERSPAN tunnels. More detailed configurations of Open vSwitch are described in a later section.

The ERSPAN tunnel is represented in Linux as a netdev and configured through iproute2 [4]. Any packet placed into its send queue is encapsulated based on the netdev's ERSPAN configuration. As a result, in the right-most case, any other Linux netdev that wants to create an ERSPAN mirrored packet simply makes a copy and forwards it to the ERSPAN netdev. For example, a physical netdev can use Linux TC [8] with the mirror action to copy a packet to the ERSPAN tunnel.

Mirrored traffic arriving at the sniffer machine needs to be extracted and restored to the original monitored frame. To differentiate the three use cases, the administrator can create three ERSPAN session IDs, a configuration parameter for grouping the mirrored traffic. For Linux users, an ERSPAN tunnel can also be used at the sniffer side. Any packet arriving at the ERSPAN tunnel netdev's receive queue will be decapsulated. Tools such as Wireshark [10, 11] can be used to inspect the mirrored packet.

<------------ outer -------------> <---- inner ---- ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ether | IP | GRE | ERSPAN | Ether | IP | ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 2: An example of a mirrored packet with the outer header containing the GRE and ERSPAN headers, followed by the inner Ethernet frame.

2. ERSPAN Protocol Implementation

The ERSPAN protocol was developed by Cisco and its specification is published as an IETF draft [3]. Figure 2 shows an example of an ERSPAN encapsulated packet, with the outer header consisting of an Ethernet header, followed by an IPv4/IPv6 header, followed by a fixed 8-byte GRE header, and followed by the ERSPAN header. After the ERSPAN header, the inner frame
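The encapsulation in Figure 2, seen from the sniffer side, as an added example (not code from the paper or the Linux kernel): a Python decapsulator that validates the outer Ethernet/IPv4/GRE headers, reads the session ID, and restores the inner frame. The 0x88BE protocol type and the ERSPAN Type II bit layout are assumptions taken from the IETF draft rather than from this page; `decap_erspan`, `group_by_session` and `build_sample` are hypothetical names, and the sample packet is constructed.

```python
import struct
from collections import defaultdict

ETH_IPV4, IPPROTO_GRE = 0x0800, 47
GRE_SEQ = 0x1000         # GRE sequence-number bit: 4 fixed bytes + 4 = 8-byte header
GRE_ERSPAN_II = 0x88BE   # assumption: ERSPAN Type II protocol type from the IETF draft


def decap_erspan(pkt: bytes):
    """Return (session_id, inner_frame); raise ValueError on anything else."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
        raise ValueError("outer frame is not Ethernet/IPv4")
    ihl = (pkt[14] & 0x0F) * 4
    if ihl < 20 or pkt[23] != IPPROTO_GRE:
        raise ValueError("outer IP does not carry GRE")
    gre = 14 + ihl
    if len(pkt) < gre + 16:
        raise ValueError("truncated GRE/ERSPAN headers")
    flags, proto = struct.unpack_from("!HH", pkt, gre)
    if flags != GRE_SEQ or proto != GRE_ERSPAN_II:
        raise ValueError("not ERSPAN Type II over GRE")
    # ERSPAN II: ver(4) vlan(12) | cos(3) en(2) t(1) session(10) | rsvd(12) index(20)
    ver_vlan, cos_sid, _index = struct.unpack_from("!HHI", pkt, gre + 8)
    if ver_vlan >> 12 != 1:
        raise ValueError("unexpected ERSPAN version")
    return cos_sid & 0x03FF, pkt[gre + 16:]


def group_by_session(packets):
    """Group restored inner frames by session ID, skipping malformed input."""
    sessions = defaultdict(list)
    for pkt in packets:
        try:
            sid, inner = decap_erspan(pkt)
        except ValueError:
            continue
        sessions[sid].append(inner)
    return dict(sessions)


def build_sample(session_id: int, inner: bytes) -> bytes:
    """Constructed test packet (not a capture): Ether | IPv4 | GRE | ERSPAN | inner."""
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36 + len(inner), 0, 0, 64,
                     IPPROTO_GRE, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    gre = struct.pack("!HHI", GRE_SEQ, GRE_ERSPAN_II, 1)
    erspan = struct.pack("!HHI", 1 << 12, session_id & 0x03FF, 0)
    return eth + ip + gre + erspan + inner
```

Packets that fail any header check are dropped rather than guessed at, so a truncated or non-ERSPAN GRE packet never contributes a frame to a session.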