# Encapsulation Endpoints (GRE, ERSPAN, GENEVE, VXLAN)

## Overview

Encapsulation Endpoints enable Vectra Sensors to add an IP address to capture interfaces and serve as a destination for tunneled encapsulations such as GRE, ERSPAN, GENEVE, and VXLAN.

Vectra can still decapsulate these encapsulations when the tunnel destination is not the capture interface and the capture ports are passively observing the traffic through normal out-of-band mechanisms such as SPAN/COPY/MIRROR, TAPs, 3rd party packet brokers, etc.

Support for decapsulating passively observed GRE, GENEVE, and VXLAN existed prior to v9.10. With the v9.10 release, Vectra introduces ERSPAN decapsulation support along with the ability to add an IP address to capture interfaces.

An additional benefit of this new feature is that ICMP based health checks can be directed at capture interfaces that have a configured IP address. The capture interfaces will only respond to ICMP and ARP and do not originate any other traffic.

Capture interfaces configured with an encapsulation endpoint (IP address) still continue to process passively observed traffic as they did before the IP was added.

{% hint style="info" %}
**Please Note:**

This feature is currently available for Private Preview for customers running at least v9.10 software on their Brain. It supports both Respond UX (RUX) and Quadrant UX (QUX) deployments.

Please contact your Vectra account team if you are interested in participating in the Private Preview. General Availability (GA) is planned for a later release.

During Private Preview, please be aware of the following:

* Virtual appliances are not supported.  Support for virtual appliance is planned for the v9.12 release.
  * This includes all virtual appliances (cloud IaaS and traditional hypervisor based).
* Mixed-mode deployment is not supported.
  * A Sensor being enabled as an encapsulation endpoint must in the Sensor mode only.
* A single IP address is supported per capture interface.
  * Vectra is investigating adding support for multiple IPs per capture interface.
* Performance when operating as an encapsulation endpoint (the Sensor terminating the tunneled traffic) is impacted when operating at high sustained throughputs for tunneled traffic.
  * This does not affect normal Sensor performance for traffic (even encapsulated traffic) that is observed passively.
  * ERSPAN tunnels directed at the Sensor may cause packets to be dropped when operating above ⅓ the normal Sensor max throughput.
  * Vectra engineering is working to increase performance for the General Availability (GA) of this feature.
  * You may want to dedicate a Sensor to tunnel termination, especially during Private Preview.
* Tooltip and documentation are not final. They are being updated for GA of this feature.
* Requiring the IP Address/Subnet to be entered in CIDR notation is enforced in v9.11.
* For ERSPAN, Type II and Type III are supported.
  * Type I (generally considered deprecated for most uses) is NOT supported.
    {% endhint %}

## Configuration

Navigate to *Configuration* <i class="fa-arrow-right">:arrow-right:</i> COVERAGE → *Data Sources* in the left hand panel. From there, select *Network* <i class="fa-arrow-right">:arrow-right:</i> *Encapsulation Endpoints.*

{% stepper %}
{% step %}

#### Add an encapsulation endpoint

To configure the IP address and gateway (encapsulation endpoint), expand the desired Sensor and hover over the interface until the pencil icon appears, the click it.

<figure><img src="/files/t0qCWaZz13gG6BRS0VdX" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Add IP Address/Subnet and Default Gateway

Enter the **IP Address/Subnet** in CIDR notation the selected capture interface will use when listening for traffic in supported encapsulation types. This IP can also be used for ICMP based health checks.

Enter the **Default Gateway** for this IP addresss and **Save** your configuration.

<figure><img src="/files/CrvlbDsht8XLG3YKM5sy" alt="" width="563"><figcaption></figcaption></figure>
{% endstep %}

{% step %}

#### Repeat as necessary

Repeat steps 1 and 2 for any other Sensor capture interfaces you wish to configure as an ecapsulation endpoint.
{% endstep %}
{% endstepper %}

## Validation

Once saved, the **Encapsulation Endpoint Status** will update within a few minutes of the interface is receiving encapsulated traffic. This area only reports on encapsulated traffic.&#x20;

<figure><img src="/files/FIqeslBppEMsVlhlvMe4" alt=""><figcaption></figcaption></figure>

To see a detailed view of what kind of traffic is being received on each interface, navigate to *Network Stats* <i class="fa-arrow-right">:arrow-right:</i> TRAFFIC VALIDATION <i class="fa-arrow-right">:arrow-right:</i> *Per Sensor Traffic.* Near the bottom of the page there is a new table dedicated to Encapsulation Endpoints as seen below.

<figure><img src="/files/RJhp3zYMGaQPfTpRce18" alt=""><figcaption></figcaption></figure>

## Outbound Traffic From Encapsulation Endpoints

Configured encapsulation endpoints will not initiate any communication, they will only respond to ICMP and ARP.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.vectra.ai/configuration/coverage/encapsulation-endpoints-gre-erspan-geneve-vxlan.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.