If ERSPAN technology is used to transmit mirrored traffic on a network switch, you will need to perform additional configuration of the operating system on the node that has the Kaspersky Industrial CyberSecurity for Networks component installed (Server or sensor) to receive and process this traffic. This additional configuration of the operating system will create a virtual network interface that allows the node with the installed application component to act as an endpoint for the created tunnels over the Generic Routing Encapsulation (GRE) protocol.
To configure a Server or sensor node to receive traffic using ERSPAN technology:
sudo ip link add <virtual interface name> type erspan local <interface IP address> remote <switch IP address> erspan_ver <ERSPAN version> seq key <ERSPAN session key> erspan <ERSPAN traffic index> dev <physical interface name>
where:
<virtual interface name> – name of the created virtual network interface
<interface IP address> – IP address of the network interface
<switch IP address> – IP address of the network switch sending the mirrored traffic
<ERSPAN version> – utilized ERSPAN version number (1 for type II or 2 for type III)
<ERSPAN session key> – unique identifier that lets you group mirrored traffic and route it
<ERSPAN traffic index> – value of the index field that represents the outbound port and direction of the mirrored traffic in 20-bit format
<physical interface name> – name of the physical network interface that receives the mirrored traffic
Example:
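The following is an added example, not part of the original documentation: a shell helper that checks each parameter against the constraints listed above (version 1 or 2, 20-bit index) and prints the resulting command for review instead of running it. The function names, the interface-name character set and the 15-character length limit (the Linux limit) are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate ERSPAN parameters, then print the `ip link add` command.
# Nothing is executed; the operator reviews the printed line before running it.

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; [ "${#1}" -le 9 ]; }

is_ipv4() {
    # Four dot-separated decimal octets, each in 0..255.
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_ifname() {
    # Assumption: conservative character set; Linux caps names at 15 characters.
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# Usage: build_erspan_cmd NAME LOCAL_IP SWITCH_IP VERSION KEY INDEX PHYS_DEV
build_erspan_cmd() {
    [ "$#" -eq 7 ] || { echo "expected 7 arguments" >&2; return 2; }
    is_ifname "$1" || { echo "bad virtual interface name" >&2; return 1; }
    is_ipv4 "$2"   || { echo "bad interface IP address" >&2; return 1; }
    is_ipv4 "$3"   || { echo "bad switch IP address" >&2; return 1; }
    case "$4" in 1|2) ;; *) echo "ERSPAN version must be 1 or 2" >&2; return 1 ;; esac
    is_uint "$5"   || { echo "bad ERSPAN session key" >&2; return 1; }
    # The index field is 20 bits wide, so the valid range is 0..1048575.
    is_uint "$6" && [ "$6" -le 1048575 ] || { echo "index out of 20-bit range" >&2; return 1; }
    is_ifname "$7" || { echo "bad physical interface name" >&2; return 1; }
    printf 'sudo ip link add %s type erspan local %s remote %s erspan_ver %s seq key %s erspan %s dev %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Constructed sample values (documentation address range 192.0.2.0/24):
# build_erspan_cmd erspan1 192.0.2.10 192.0.2.1 1 100 123 eth0
```

Rejecting anything outside these patterns also keeps shell metacharacters out of a line that is later run with sudo.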