This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
→ Having trouble accessing our new support portal or creating a ticket? Please notify our team here
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Product Discussions
- Use of RSPAN or ERSPAN with for asset radar logs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-05-2024 12:57 AM
Hi, we have a customer that has dozens of vlans. It won't be practical to install a scanning server in each one. Has anybody implemented an additional scanning server that will be used to capture the traffic from other vlans using RSPAN or ERSPAN mirror ports?
Thanks for you comments
Solved! Go to Solution.
Labels:
- Labels:
-
General Topics
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-07-2024 09:42 AM
@DonMario73 yes, using port spanning will help you to gather info from other vlan's without having to install a scanning server in them.
Asset radar mainly uses ARP, DHCP, UDP and UDPv6 packets for recognition, so you could focus to forward only those to a network interface where asset radar is active.
If available, ERSPAN is recommended: SPAN is however limited to one switch, RSPAN is able to send traffic between switches but this traffic can't be routed. ERSPAN (Encapsulated Remote Switched Port Analyzer) solves this issue! It uses GRE encapsulation, this allows us to route SPAN traffic from a source to a destination.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-07-2024 09:42 AM
@DonMario73 yes, using port spanning will help you to gather info from other vlan's without having to install a scanning server in them.
Asset radar mainly uses ARP, DHCP, UDP and UDPv6 packets for recognition, so you could focus to forward only those to a network interface where asset radar is active.
If available, ERSPAN is recommended: SPAN is however limited to one switch, RSPAN is able to send traffic between switches but this traffic can't be routed. ERSPAN (Encapsulated Remote Switched Port Analyzer) solves this issue! It uses GRE encapsulation, this allows us to route SPAN traffic from a source to a destination.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2 weeks ago
Hi Gillian, I found the following reply in the forum that explains some details about asset radar logs and seems like the use of SPAN, RSPAN and ERSPAN will work only for asset radar visibility. Not for appending additional asset details like Vendor, Model and Operating System unless there is a scanning server in each subnet:
Packets (IP/MAC combinations) captured via Asset Radar don't always necessarily generate new assets or link to existing assets. The asset radar packet capturing isn't fully integrated into asset scanning. When asset radar is enabled (not set to logging only), IP addresses found by capturing packets are sent to the scanning queue, and this IP then runs through the regular IP scanning logic.
It's important to note that only the IP address is sent to the queue, the scanning queue currently cannot handle IP/MAC address combinations. This may result in the IP scan not finding a MAC address, while asset radar did. The asset radar logs are joined on asset tables based on the MAC address. If no asset with the same MAC address is found, a question mark will be shown, as no asset was found that with a high degree of certainty is related to that specific log entry.
Lansweeper can retrieve MAC addresses from assets through regular scanning in the following ways:
- By authenticating successfully via a protocol that will return a MAC address, e.g. WMI (Windows), SNMP, SSH (Linux/Mac), etc.
- By performing an ARP lookup (locally on the scanning server). This will only return a MAC address for assets in the same subnet as your scanning server.
If you're capturing packets from outside of the subnet of your scanning server, you may end up with a situation where your asset radar log entry for a specific IP address is more detailed than the asset that was generated for the same IP address, most notably the log having a MAC address while the asset does not. In this case, a link cannot be made.
Lansweeper uses the network interface that's highest in the binding order for IP scans, which may not be the interface that is in the same subnet as the captured packet. To ensure that the resulting assets from captured packets always have a MAC address, you'd need to use multiple scanning servers and limit yourself to an interface per server.
Kindly request your help to clarify this.
Regards
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now