Cisco Systems' Encapsulated Remote Switch Port Analyzer (ERSPAN)
draft-foschiano-erspan-03

Document type: Active Internet-Draft (individual)
Last updated: 2017-05-09 (latest revision 2017-02-22)
Stream: ISE
Intended RFC status: Informational
ISE state: In ISE Review (Awaiting Reviews)
Consensus Boilerplate: Unknown
Document shepherd: No shepherd assigned
IESG state: I-D Exists
Telechat date:
Responsible AD: (None)
Send notices to: (None)
Internet Engineering Task Force                            M. Foschiano 
Internet Draft                                                 K. Ghosh 
Category: Informational                                        M. Mehta 
Expires: August 2017                                      Cisco Systems 
                                                          February 2017 
    
    
     Cisco Systems' Encapsulated Remote Switch Port Analyzer (ERSPAN) 
                     draft-foschiano-erspan-03.txt 
    
    
Abstract 
    
   This document describes an IP-based packet capture format that can 
   be used to transport exact copies of packets to a network probe to 
   analyze and characterize the operational load and protocol 
   distribution of a network as well as to detect anomalies such as 
   network-based worms or viruses.  This replication and transport 
   mechanism operates over one or multiple switch or router ports whose 
   traffic can be mirrored and forwarded to a destination device in 
   charge of traffic analysis and reporting. 
 
 
Status of this Memo 
    
   This Internet-Draft is submitted in full conformance with the 
   provisions of BCP 78 and BCP 79. 
    
   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF).  Note that other groups may also distribute 
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/. 
    
   Internet-Drafts are draft documents valid for a maximum of six 
   months and may be updated, replaced, or obsoleted by other documents 
   at any time.  It is inappropriate to use Internet-Drafts as 
   reference material or to cite them other than as "work in progress." 
    
   This Internet-Draft will expire in August 2017. 

        Encapsulated Remote Switch Port Analyzer          August 2017 
 
 
Copyright Notice 
    
   Copyright (c) 2017 IETF Trust and the persons identified as the 
   document authors. All rights reserved. 
    
   This document is subject to BCP 78 and the IETF Trust's Legal 
   Provisions Relating to IETF Documents 
   (http://trustee.ietf.org/license-info) in effect on the date of 
   publication of this document. Please review these documents 
   carefully, as they describe your rights and restrictions with 
   respect to this document. 
 
    
Table of Contents 
    
   1. Introduction .................................................. 3 
   2. ERSPAN's Basic Principles of Operation ........................ 3 
   3. ERSPAN's Common Encapsulation Components ...................... 4 
   4. ERSPAN Types and Specific Sub-Headers ......................... 5 
      4.1 ERSPAN Type I ............................................. 5 
      4.2 ERSPAN Type II ............................................ 6 
      4.3 ERSPAN Type III ........................................... 9 
   5. ERSPAN Session Numbers ....................................... 15 
   6. Ethernet and IP fields ....................................... 15 
   7. Use of Other Relevant ERSPAN Fields .......................... 16 
   8. Security Considerations ...................................... 16 
   9. IANA Considerations .......................................... 17 
   10. Changes from the Previous Version ........................... 17 
   11. Acknowledgements ............................................ 17 
   12. Normative References ........................................ 17 
    
    

Foschiano                                                     [Page 2] 
 
 

1. Introduction 
    
   Today one of the most common network monitoring and troubleshooting 
   tools is the so-called Switch Port Analyzer (SPAN) feature, also 
   known as port mirroring. It allows a user to monitor network traffic 
   non-intrusively and send a copy of the monitored traffic to a local 
   or remote device, which can be a sniffer, an intrusion detection 
   system (IDS), or other type of network analysis tool. 
     
   Some of the most popular use cases of SPAN are: 
    
   1. Debugging network problems by tracking control/data frames 
    
   2. Monitoring Voice-over-IP (VoIP) packets for delay and jitter 
   analysis 
    
   3. Monitoring network transactions for latency analysis 
    
   4. Monitoring network traffic for anomaly detection 
    
   SPAN can operate locally and mirror traffic to other ports of the 
   same source device, or it can operate remotely, mirroring traffic to 
   a different network device that is layer-2 adjacent to the source. 
    
   This document describes the frame formats used by the "encapsulated 
   remote" extension of the SPAN feature, which supports remote 
   monitoring of network traffic across a generic IP transport. 
    
2. ERSPAN's Basic Principles of Operation 
    