Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which powers our portfolio of virtual networking and physical platforms.

Example: Vyatta NOS ERSPAN monitoring with IPsec

This example shows how to set up ERSPAN monitoring between two servers in Azure, with the mirrored traffic carried over an IPsec tunnel.

The collector (analytics engine) also resides in Azure. This example uses the following topology:

Figure 1. Vyatta NOS ERSPAN monitoring with IPsec

Vyatta NOS Configuration

The following is the Vyatta NOS configuration for ERSPAN monitoring with IPsec, shown with its hierarchy collapsed onto single lines. The pre-shared secret (`test_key_1`) and the fallback ESP proposal (`3des`/`md5`) are placeholder example values; a real deployment should use a strong, unique secret and current encryption and hash algorithms in both the ESP and IKE proposals.
interfaces { dataplane dp0s16 {
 address dhcp } dataplane dp0s17 {
 address dhcp } dataplane dp0s18 {
 address dhcp } erspan erspan0 {
 local-ip 192.0.2.249
 remote-ip 192.0.2.250 } loopback lo vti vti0 {
 address 192.0.2.249/30
 } } security {
 vpn { ipsec {
 esp-group ESP-CT { compression disable lifetime 1800 
 mode tunnel pfs enable proposal 1 {
 encryption aes256
 hash sha1 } proposal 2 {
 encryption 3des hash md5
 } } ike-group IKE-CT {
 lifetime 3600
 proposal 1 { encryption aes256 hash sha1
 }
 proposal 2 { encryption aes128 hash sha1
 } } site-to-site {
 peer 10.0.3.5 {
 authentication { id @Router1 mode pre-shared-secret pre-shared-secret test_key_1 remote-id @Router2
 } ike-group IKE-CT local-address 10.0.3.4 vti {
 bind vti0 esp-group ESP-CT } } } }
 } } service {
 portmonitor {
 session 22 { destination erspan0 erspan {
 header type-II
 identifier 200 } source dp0s16 type erspan-source
 } } ssh 
} system {
 acm { enable operational-ruleset {
 rule 9977 { action allow command /show/tech-support/save group vyattaop
 }
 rule 9978 { action deny command "/show/tech-support/save/*" group vyattaop
 }
 rule 9979 { action allow command /show/tech-support/save-uncompressed 
 group vyattaop } rule 9980 {
 action deny command "/show/tech-support/save-uncompressed/*" group vyattaop
 }
 rule 9981 { action allow command /show/tech-support/brief/save group vyattaop
 }
 rule 9982 { action deny command "/show/tech-support/brief/save/*" group vyattaop
 }
 rule 9983 { action allow command /show/tech-support/brief/save-uncompressed group vyattaop
 }
 rule 9984 { action deny command "/show/tech-support/brief/save-uncompressed/*" group vyattaop
 }
 rule 9985 { action allow command /show/tech-support/brief/ group vyattaop
 }
 rule 9986 { action deny command /show/tech-support/brief group vyattaop
 }
 rule 9987 { action deny command /show/tech-support group vyattaop
 }
 rule 9988 { action deny command /show/configuration group vyattaop
 }
 rule 9989 { action allow command "/clear/*" group vyattaop
 }
 rule 9990 { action allow command "/show/*" group vyattaop
 }
 rule 9991 { action allow command "/monitor/*" group vyattaop
 }
 rule 9992 { action allow command "/ping/*" group vyattaop
 }
 rule 9993 { action allow command "/reset/*" group vyattaop
 } 
 rule 9994 { action allow command "/release/*" group vyattaop
 }
 rule 9995 { action allow command "/renew/*" group vyattaop
 }
 rule 9996 { action allow command "/telnet/*" group vyattaop
 }
 rule 9997 { action allow command "/traceroute/*" group vyattaop
 }
 rule 9998 { action allow command "/update/*" group vyattaop
 }
 rule 9999 { action deny command "*" group vyattaop
 } } ruleset {
 rule 9999 { action allow group vyattacfg operation "*" path "*"
 }
 } } config-management {
 commit-revisions 20 } console {
 device ttyS0 {
 speed 9600 } serial-boot-console ttyS0
 } domain-name localdomain host-name localhost login {
 session-timeout 540 user vyatta { authentication { encrypted-password "********" }
 } } syslog {
 global { facility all { level warning } 
 } } }