Example: Vyatta NOS ERSPAN monitoring with IPsec
This example shows how to set up ERSPAN monitoring between two servers in Azure.
The collector (analytics engine) also lies within Azure. This example uses the following topology:
Vyatta NOS Configuration
/* Vyatta NOS configuration for the ERSPAN source node.
   The ERSPAN endpoints (192.0.2.249 local, 192.0.2.250 remote) sit on the
   vti0 /30 below, so mirrored frames leave the host inside the IPsec tunnel
   bound to vti0 rather than in the clear over the Azure underlay. */
interfaces {
    /* dp0s16 is the mirrored port (see service portmonitor session 22). */
    dataplane dp0s16 {
        address dhcp
    }
    dataplane dp0s17 {
        address dhcp
    }
    dataplane dp0s18 {
        address dhcp
    }
    /* GRE/ERSPAN encapsulation endpoint; local-ip matches the vti0 address. */
    erspan erspan0 {
        local-ip 192.0.2.249
        /* presumably the collector-side vti address in the same /30 — confirm
           against the peer's configuration */
        remote-ip 192.0.2.250
    }
    loopback lo
    /* Route-based IPsec endpoint; bound to the site-to-site peer below. */
    vti vti0 {
        address 192.0.2.249/30
    }
}
security {
    vpn {
        ipsec {
            esp-group ESP-CT {
                compression disable
                lifetime 1800
                mode tunnel
                pfs enable
                proposal 1 {
                    encryption aes256
                    hash sha1
                }
                /* NOTE(review): 3DES and MD5 are legacy algorithms; this
                   fallback proposal is negotiable if the peer offers it.
                   Keep only if the collector cannot use proposal 1. */
                proposal 2 {
                    encryption 3des
                    hash md5
                }
            }
            ike-group IKE-CT {
                lifetime 3600
                /* NOTE(review): both IKE proposals use SHA-1 for integrity;
                   a SHA-2 hash is preferable where the peer supports it. */
                proposal 1 {
                    encryption aes256
                    hash sha1
                }
                proposal 2 {
                    encryption aes128
                    hash sha1
                }
            }
            site-to-site {
                /* presumably the peer's Azure VNet private address — verify */
                peer 10.0.3.5 {
                    authentication {
                        id @Router1
                        mode pre-shared-secret
                        /* Sample value only: replace with a long random
                           secret before deployment and keep it out of
                           shared configuration exports. */
                        pre-shared-secret test_key_1
                        remote-id @Router2
                    }
                    ike-group IKE-CT
                    local-address 10.0.3.4
                    /* Tunnel traffic is carried over vti0 using ESP-CT. */
                    vti {
                        bind vti0
                        esp-group ESP-CT
                    }
                }
            }
        }
    }
}
service {
    /* Port mirroring: traffic on dp0s16 is mirrored to erspan0, i.e. into
       the IPsec-protected tunnel toward the collector. */
    portmonitor {
        session 22 {
            destination erspan0
            erspan {
                header type-II
                identifier 200
            }
            source dp0s16
            type erspan-source
        }
    }
    /* SSH enabled with no further parameters here; presumably defaults
       apply (listen address, port, key/password policy) — confirm. */
    ssh
}
system {
    /* Command authorization: the operator group (vyattaop) gets a curated
       set of operational commands and an explicit default deny; the
       configuration group (vyattacfg) is unrestricted. */
    acm {
        enable
        operational-ruleset {
            /* tech-support output can be saved, but the saved-file
               sub-paths and the full /show/tech-support are denied
               to operators (rules 9977-9987). */
            rule 9977 {
                action allow
                command /show/tech-support/save
                group vyattaop
            }
            rule 9978 {
                action deny
                command "/show/tech-support/save/*"
                group vyattaop
            }
            rule 9979 {
                action allow
                command /show/tech-support/save-uncompressed
                group vyattaop
            }
            rule 9980 {
                action deny
                command "/show/tech-support/save-uncompressed/*"
                group vyattaop
            }
            rule 9981 {
                action allow
                command /show/tech-support/brief/save
                group vyattaop
            }
            rule 9982 {
                action deny
                command "/show/tech-support/brief/save/*"
                group vyattaop
            }
            rule 9983 {
                action allow
                command /show/tech-support/brief/save-uncompressed
                group vyattaop
            }
            rule 9984 {
                action deny
                command "/show/tech-support/brief/save-uncompressed/*"
                group vyattaop
            }
            rule 9985 {
                action allow
                command /show/tech-support/brief/
                group vyattaop
            }
            rule 9986 {
                action deny
                command /show/tech-support/brief
                group vyattaop
            }
            rule 9987 {
                action deny
                command /show/tech-support
                group vyattaop
            }
            /* Operators may not read the running configuration, which
               keeps the IPsec pre-shared secret out of their reach. */
            rule 9988 {
                action deny
                command /show/configuration
                group vyattaop
            }
            rule 9989 {
                action allow
                command "/clear/*"
                group vyattaop
            }
            /* Generic /show/* allow; the more specific deny rules above
               are matched first because of their lower rule numbers. */
            rule 9990 {
                action allow
                command "/show/*"
                group vyattaop
            }
            rule 9991 {
                action allow
                command "/monitor/*"
                group vyattaop
            }
            rule 9992 {
                action allow
                command "/ping/*"
                group vyattaop
            }
            rule 9993 {
                action allow
                command "/reset/*"
                group vyattaop
            }
            rule 9994 {
                action allow
                command "/release/*"
                group vyattaop
            }
            rule 9995 {
                action allow
                command "/renew/*"
                group vyattaop
            }
            rule 9996 {
                action allow
                command "/telnet/*"
                group vyattaop
            }
            rule 9997 {
                action allow
                command "/traceroute/*"
                group vyattaop
            }
            rule 9998 {
                action allow
                command "/update/*"
                group vyattaop
            }
            /* Default deny for anything not listed above. */
            rule 9999 {
                action deny
                command "*"
                group vyattaop
            }
        }
        ruleset {
            /* Configuration-mode access: vyattacfg may perform any
               operation on any path. */
            rule 9999 {
                action allow
                group vyattacfg
                operation "*"
                path "*"
            }
        }
    }
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
        serial-boot-console ttyS0
    }
    domain-name localdomain
    host-name localhost
    login {
        session-timeout 540
        user vyatta {
            authentication {
                /* Password hash redacted in this example. */
                encrypted-password "********"
            }
        }
    }
    /* Only warning and above is logged; IKE/IPsec negotiation detail and
       portmonitor events below that level will not be recorded. */
    syslog {
        global {
            facility all {
                level warning
            }
        }
    }
}