
Vyatta documentation


Example: Vyatta NOS ERSPAN monitoring with IPsec

This example shows how to set up ERSPAN monitoring between two servers in Azure.

The collector (analytics engine) also resides in Azure. This example uses the following topology:

Figure 1. Vyatta NOS ERSPAN monitoring with IPsec

Vyatta NOS Configuration

The following is the Vyatta NOS configuration for this ERSPAN monitoring example.
/* Example Vyatta NOS configuration: traffic seen on dp0s16 is mirrored as ERSPAN
   to erspan0, whose endpoints are the vti0 addresses, so the mirrored traffic is
   carried inside the IPsec tunnel to the peer at 10.0.3.5. */
interfaces {
    /* Three DHCP-addressed dataplane interfaces; dp0s16 is the monitored source below. */
    dataplane dp0s16 {
        address dhcp
    }
    dataplane dp0s17 {
        address dhcp
    }
    dataplane dp0s18 {
        address dhcp
    }
    /* ERSPAN endpoints are the two addresses of the vti0 /30 (192.0.2.249 local,
       192.0.2.250 remote), which is what ties the mirror session to the IPsec VTI. */
    erspan erspan0 {
        local-ip 192.0.2.249
        remote-ip 192.0.2.250
    }
    loopback lo
    /* Virtual tunnel interface bound to the site-to-site peer under security vpn ipsec. */
    vti vti0 {
        address 192.0.2.249/30
    }
}
security {
    vpn {
        ipsec {
            /* Phase 2 (ESP) parameters. */
            esp-group ESP-CT {
                compression disable
                lifetime 1800
                mode tunnel
                pfs enable
                proposal 1 {
                    encryption aes256
                    hash sha1
                }
                /* NOTE(review): proposal 2 offers 3DES/MD5 as a fallback. The peer may
                   select it, which weakens the tunnel; remove it unless a legacy peer
                   genuinely requires it. */
                proposal 2 {
                    encryption 3des
                    hash md5
                }
            }
            /* Phase 1 (IKE) parameters. Both proposals use SHA-1 integrity; prefer a
               SHA-2 hash if the peer supports it. */
            ike-group IKE-CT {
                lifetime 3600
                proposal 1 {
                    encryption aes256
                    hash sha1
                }
                proposal 2 {
                    encryption aes128
                    hash sha1
                }
            }
            site-to-site {
                /* Peer is the other Vyatta instance (10.0.3.5); this side is 10.0.3.4. */
                peer 10.0.3.5 {
                    authentication {
                        /* IKE identities exchanged with the PSK; presumably the peer's
                           config mirrors these (id @Router2, remote-id @Router1). */
                        id @Router1
                        mode pre-shared-secret
                        /* Example value only; use a long random secret in a real
                           deployment. The PSK sits in the configuration in the clear,
                           which is why ACM rule 9988 below denies "show configuration"
                           to the vyattaop group. */
                        pre-shared-secret test_key_1
                        remote-id @Router2
                    }
                    ike-group IKE-CT
                    local-address 10.0.3.4
                    /* Route-based IPsec: vti0 is bound to this peer with ESP-CT. */
                    vti {
                        bind vti0
                        esp-group ESP-CT
                    }
                }
            }
        }
    }
}
service {
    portmonitor {
        /* Session 22 mirrors dp0s16 to erspan0 using an ERSPAN type-II header;
           identifier 200 is the ERSPAN session id the collector will see. */
        session 22 {
            destination erspan0
            erspan {
                header type-II
                identifier 200
            }
            source dp0s16
            type erspan-source
        }
    }
    /* SSH enabled with defaults; nothing here restricts listen addresses or
       authentication method — confirm against the deployment's access policy. */
    ssh
}
system {
    /* Access Control Management: command-level authorization for operational
       mode (group vyattaop) and configuration mode (group vyattacfg).
       Presumably lower-numbered rules are evaluated first and 9999 is the
       catch-all — confirm against the ACM reference. */
    acm {
        enable
        operational-ruleset {
            /* Rules 9977-9984 allow the tech-support save variants but deny
               anything beneath them (the "/...save/*" sub-paths). */
            rule 9977 {
                action allow
                command /show/tech-support/save
                group vyattaop
            }
            rule 9978 {
                action deny
                command "/show/tech-support/save/*"
                group vyattaop
            }
            rule 9979 {
                action allow
                command /show/tech-support/save-uncompressed
                group vyattaop
            }
            rule 9980 {
                action deny
                command "/show/tech-support/save-uncompressed/*"
                group vyattaop
            }
            rule 9981 {
                action allow
                command /show/tech-support/brief/save
                group vyattaop
            }
            rule 9982 {
                action deny
                command "/show/tech-support/brief/save/*"
                group vyattaop
            }
            rule 9983 {
                action allow
                command /show/tech-support/brief/save-uncompressed
                group vyattaop
            }
            rule 9984 {
                action deny
                command "/show/tech-support/brief/save-uncompressed/*"
                group vyattaop
            }
            /* 9985-9987: the brief/ sub-tree is allowed, but the plain
               "show tech-support brief" and "show tech-support" are denied. */
            rule 9985 {
                action allow
                command /show/tech-support/brief/
                group vyattaop
            }
            rule 9986 {
                action deny
                command /show/tech-support/brief
                group vyattaop
            }
            rule 9987 {
                action deny
                command /show/tech-support
                group vyattaop
            }
            /* Operators cannot display the running configuration (and so
               cannot read the IPsec pre-shared secret from it). */
            rule 9988 {
                action deny
                command /show/configuration
                group vyattaop
            }
            /* 9989-9998: broad allows for routine operational commands.
               Note 9990 allows "/show/*" generally; the specific denies above
               (9986-9988) only take precedence if lower-numbered rules win. */
            rule 9989 {
                action allow
                command "/clear/*"
                group vyattaop
            }
            rule 9990 {
                action allow
                command "/show/*"
                group vyattaop
            }
            rule 9991 {
                action allow
                command "/monitor/*"
                group vyattaop
            }
            rule 9992 {
                action allow
                command "/ping/*"
                group vyattaop
            }
            rule 9993 {
                action allow
                command "/reset/*"
                group vyattaop
            }
            rule 9994 {
                action allow
                command "/release/*"
                group vyattaop
            }
            rule 9995 {
                action allow
                command "/renew/*"
                group vyattaop
            }
            rule 9996 {
                action allow
                command "/telnet/*"
                group vyattaop
            }
            rule 9997 {
                action allow
                command "/traceroute/*"
                group vyattaop
            }
            rule 9998 {
                action allow
                command "/update/*"
                group vyattaop
            }
            /* Default deny for everything not matched above. */
            rule 9999 {
                action deny
                command "*"
                group vyattaop
            }
        }
        /* Configuration-mode ruleset: vyattacfg gets unrestricted access
           (any operation on any path). */
        ruleset {
            rule 9999 {
                action allow
                group vyattacfg
                operation "*"
                path "*"
            }
        }
    }
    /* Number of commit revisions retained (useful for rollback and for
       auditing configuration changes). */
    config-management {
        commit-revisions 20
    }
    /* Serial console on ttyS0 at 9600. */
    console {
        device ttyS0 {
            speed 9600
        }
        serial-boot-console ttyS0
    }
    domain-name localdomain
    host-name localhost
    login {
        /* Idle session timeout; the unit is not stated here — check the reference. */
        session-timeout 540
        user vyatta {
            authentication {
                /* Masked in this listing; the real configuration holds a password hash. */
                encrypted-password "********"
            }
        }
    }
    /* Only warning and above are logged. Events below that level (for example
       IPsec negotiation or login notices, if they are logged at notice/info)
       would be dropped — consider a lower threshold if an audit trail is needed. */
    syslog {
        global {
            facility all {
                level warning
            }
        }
    }
}