SPAN

SPAN settings are only for Sophos NDR.

The appliance captures network packets via Switched Port Analyzer (SPAN) ports.

You can change your SPAN settings on the Settings page. Changes only take effect after a restart of your VM. See Restart and shutdown.

SPAN ports

By default, Sophos NDR has SPAN Port 1 (ens160) turned on and SPAN Port 2 turned off. This allows normal SPAN traffic to be monitored on the SPAN Port 1 network interface.

SPAN default setting.

You might have multiple switches that are able to send SPAN traffic to the appliance. To collect this traffic, turn on SPAN Port 2.

If you need a second SPAN port, you must allocate at least 8 vCPUs to the virtual machine.

SPAN port 2.

To find out more about setting up Sophos switches for SPAN, see the Configure your switches section of Sophos NDR.

Encapsulated Remote SPAN traffic

Encapsulated Remote Switched Port Analyzer (ERSPAN) enables monitoring of traffic from multiple sources distributed over multiple switches. This traffic is then delivered to the ERSPAN destination switch via IP.

The Sophos appliance can collect encapsulated SPAN traffic. It supports the VXLAN and GRE tunnel protocols.

Follow the instructions for VXLAN or GRE.

To turn on VXLAN, do as follows:

  1. Select Enable ERSPAN next to the SPAN port.
  2. In Tunnel Protocol, select vxlan.
  3. In IP Address, enter the IP address of the VTEP interface.
  4. In VXLAN ID, enter the ID. This must match the VXLAN encapsulated source configuration.
  5. In VXLAN Port, enter the default VXLAN port. This must match the VXLAN encapsulated source configuration.
  6. Click Save.

VXLAN configuration.
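The match requirement in steps 4 and 5 can be verified against captured traffic. The following Python check is an added example, not part of the Sophos documentation or the appliance: it parses the UDP and VXLAN headers (RFC 7348 layout) and reports why a datagram would not match the configured VXLAN ID and port. The function names, the VXLAN ID 5000, and the sample datagrams are constructed for illustration; 4789 is the IANA-assigned VXLAN port.

```python
import struct

VXLAN_DEFAULT_PORT = 4789     # IANA-assigned VXLAN UDP port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08   # "I" flag: VNI field carries a valid ID


def build_udp_vxlan(dst_port, vni, flags=VXLAN_FLAG_VNI_VALID):
    """Construct a sample UDP datagram with a VXLAN header (test input only)."""
    vxlan = bytes([flags]) + b"\x00" * 3 + vni.to_bytes(3, "big") + b"\x00"
    body = vxlan + b"\x00" * 14            # placeholder inner Ethernet header
    # Source port 49152 and checksum 0 are arbitrary constructed values.
    return struct.pack("!HHHH", 49152, dst_port, 8 + len(body), 0) + body


def check_vxlan(datagram, expected_vni, expected_port=VXLAN_DEFAULT_PORT):
    """Return the reasons a datagram would not match the collector's settings."""
    if len(datagram) < 16:
        return ["truncated: need 8-byte UDP header plus 8-byte VXLAN header"]
    _src, dst_port, udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    flags = datagram[8]                              # first VXLAN header byte
    vni = int.from_bytes(datagram[12:15], "big")     # 24-bit VXLAN ID
    problems = []
    if udp_len != len(datagram):
        problems.append(f"UDP length {udp_len} != captured {len(datagram)} bytes")
    if dst_port != expected_port:
        problems.append(f"UDP port {dst_port} != configured {expected_port}")
    if not flags & VXLAN_FLAG_VNI_VALID:
        problems.append("VNI-valid flag not set; VXLAN ID field is not valid")
    elif vni != expected_vni:
        problems.append(f"VXLAN ID {vni} != configured {expected_vni}")
    return problems


if __name__ == "__main__":
    # Constructed samples: collector configured for VXLAN ID 5000 on port 4789.
    samples = {
        "matching source": build_udp_vxlan(4789, 5000),
        "wrong VXLAN ID": build_udp_vxlan(4789, 5001),
        "wrong port": build_udp_vxlan(8472, 5000),
    }
    for name, pkt in samples.items():
        print(name, "->", check_vxlan(pkt, expected_vni=5000) or "OK")
```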

To turn on GRE, do as follows:

  1. Select Enable ERSPAN next to the SPAN port.
  2. In Tunnel Protocol, select gre.
  3. In IP Address, enter the IP address of the GRE target interface.
  4. In GRE Port, enter the default GRE port. This must match the GRE encapsulated source configuration.
  5. Click Save.

GRE configuration.

It's common to see SPAN and VXLAN encapsulated SPAN ports in the same configuration. Using VXLAN and GRE on the same Sophos appliance is rare.