Without the use of a specialized "packet broker" type of product?
I know I can plug the output port of a physical, in-line network tap into a switchport, and then configure that switchport to be a SPAN Source Interface, and configure ERSPAN to then route that SPAN input to a remote destination.
My question is: will it actually work?
After all, the frames being duplicated by that physical tap will have the original source/destination MAC addresses, 802.1Q tags, as well as any inherent errors that may be present. Will the switch still wrap these up in their unadulterated form and send them packing across the ether as ERSPAN traffic, when the chosen action of the switch receiving them would be to discard them?
Just something I'm pondering.
Also, how do Ethernet timestamps work with ERSPAN in general? Obviously latency is introduced in sending those duplicated frames to a remote destination. When you look at the captured traffic, will the timestamps match the original packet, or will they match the new packets when they arrived at the packet broker?