Encapsulation Endpoints (GRE, ERSPAN, GENEVE, VXLAN)
Configure Sensor capture interfaces with an IP address to be used as a destination for tunneled encapsulations such as GRE, ERSPAN, GENEVE, and VXLAN traffic.
Overview
Encapsulation Endpoints enable Vectra Sensors to add an IP address to capture interfaces and serve as a destination for tunneled encapsulations such as GRE, ERSPAN, GENEVE, and VXLAN.
Vectra can still decapsulate these encapsulations when the tunnel destination is not the capture interface and the capture ports are passively observing the traffic through normal out-of-band mechanisms such as SPAN/COPY/MIRROR, TAPs, 3rd party packet brokers, etc.
Support for decapsulating passively observed GRE, GENEVE, and VXLAN existed prior to v9.10. With the v9.10 release, Vectra introduces ERSPAN decapsulation support along with the ability to add an IP address to capture interfaces.
An additional benefit of this new feature is that ICMP based health checks can be directed at capture interfaces that have a configured IP address. The capture interfaces will only respond to ICMP and ARP and do not originate any other traffic.
Capture interfaces configured with an encapsulation endpoint (IP address) still continue to process passively observed traffic as they did before the IP was added.
Please Note:
This feature is currently available for Private Preview for customers running at least v9.10 software on their Brain. It supports both Respond UX (RUX) and Quadrant UX (QUX) deployments.
Please contact your Vectra account team if you are interested in participating in the Private Preview. General Availability (GA) is planned for a later release.
During Private Preview, please be aware of the following:
Virtual appliances are not supported. Support for virtual appliance is planned for the v9.12 release.
This includes all virtual appliances (cloud IaaS and traditional hypervisor based).
Mixed-mode deployment is not supported.
A Sensor being enabled as an encapsulation endpoint must in the Sensor mode only.
A single IP address is supported per capture interface.
Vectra is investigating adding support for multiple IPs per capture interface.
Performance when operating as an encapsulation endpoint (the Sensor terminating the tunneled traffic) is impacted when operating at high sustained throughputs for tunneled traffic.
This does not affect normal Sensor performance for traffic (even encapsulated traffic) that is observed passively.
ERSPAN tunnels directed at the Sensor may cause packets to be dropped when operating above ⅓ the normal Sensor max throughput.
Vectra engineering is working to increase performance for the General Availability (GA) of this feature.
You may want to dedicate a Sensor to tunnel termination, especially during Private Preview.
Tooltip and documentation are not final. They are being updated for GA of this feature.
Requiring the IP Address/Subnet to be entered in CIDR notation is enforced in v9.11.
For ERSPAN, Type II and Type III are supported.
Type I (generally considered deprecated for most uses) is NOT supported.
Configuration
Navigate to Configuration COVERAGE → Data Sources in the left hand panel. From there, select Network Encapsulation Endpoints.
Add IP Address/Subnet and Default Gateway
Enter the IP Address/Subnet in CIDR notation the selected capture interface will use when listening for traffic in supported encapsulation types. This IP can also be used for ICMP based health checks.
Enter the Default Gateway for this IP addresss and Save your configuration.
Validation
Once saved, the Encapsulation Endpoint Status will update within a few minutes of the interface is receiving encapsulated traffic. This area only reports on encapsulated traffic.
To see a detailed view of what kind of traffic is being received on each interface, navigate to Network Stats TRAFFIC VALIDATION Per Sensor Traffic. Near the bottom of the page there is a new table dedicated to Encapsulation Endpoints as seen below.
Outbound Traffic From Encapsulation Endpoints
Configured encapsulation endpoints will not initiate any communication, they will only respond to ICMP and ARP.
Last updated
Was this helpful?