Cognito sensors do not currently understand native RSPAN and ERSPAN traffic. This traffic is used by some switching infrastructures to transport SPAN traffic remotely.
This traffic encapsulates the underlying captured traffic in transport headers as follows:
- RSPAN encapsulates SPAN traffic in a VLAN tag, permitting its encapsulation across VLAN trunk links between switches. This traffic remains at layer 2.
- ERSPAN encapsulates SPAN traffic in a Layer 3 header, proprietary and only supported by Cisco switches. This traffic may be routed across networks.
Cognito sensors DO support VLAN tags within VLAN traffic (known as Q-in-Q). If RSPAN is used to encapsulate VLAN tagged traffic it is likely that no further action is required, however, the traffic must arrive at the sensor with no more than two VLAN tags. It may be required that the switch be configured to strip the outer layer of VLAN tag prior to presenting the traffic to the sensor. The switch vendor should be engaged to validate the configuration and ensure that there are no compatibility or performance issues associated with this configuration.
Cognito sensors DO NOT support ERSPAN encapsulation and this traffic cannot be read by the sensor. It may be possible to configure Cisco switches to remove the ERSPAN encapsulation at the final hop so that traffic is presented 'bare' to the Cognito sensor, however, this configuration should be developed in conjunction with your Cisco support channel as there are significant platform, version and performance implications.