Port mirroring over VPN

Got a wild question for all of you. I have a requirement to send the traffic of a port mirror to another “network” via site-to-site VPN and output the traffic of the original port mirror there to be scanned by a network security tool. Are there any kind of physical devices that would do this? I'm thinking I could add the devices to their own VLAN and have them communicate across the site-to-site VPN. Then once the traffic is on the other side, this device could output this traffic to my security tool. Any wild ideas? Currently on Meraki and they don't support port mirroring over AutoVPN.

Suspect doing it with Meraki is likely a pipe dream (no pun intended).

Is this an XY problem? What are you trying to solve that requires backhauling mirrored data?

L2TP tunnels / other pseudo-wire options have previously proved good for this, done it with Cisco ASRs.

Bad Idea:

  • Add two small systems to the network: one in the remote site, and one near the security tool.
  • In the remote site, SPAN the traffic to a dedicated NIC on that site’s small system.
  • Dedicate a NIC on the system near the security tool for output to the tool.
  • The remote system runs a shell script which does more-or-less the following: tcpdump -ni <NIC> -Uw - | ssh <OTHER_SERVER> tcpreplay -i <NIC> -

This should scoop up the packets on the source side, serialize them into libpcap format, fire 'em through an SSH pipeline, and release them via the NIC facing toward the security box.

edit: the tool-side system probably isn’t required. It should be possible to scoop those packets directly into GRE on the remote system, then fire those GRE packets directly at the security tool.
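To make the "scoop those packets directly into GRE" variant concrete, here is an added example (written for this thread, not the poster's script and not a Meraki, Linux or Darktrace feature) that does at the byte level what a Linux gretap interface does in the kernel: it walks a libpcap stream of the kind `tcpdump -w -` produces, wraps every Ethernet frame in an IPv4/GRE header with protocol type 0x6558 (transparent Ethernet bridging), and decapsulates it again on the tool side. The pcap data, MAC addresses and the 192.0.2.x/198.51.100.x tunnel endpoints are constructed test values. It also counts how many encapsulated packets exceed the tunnel MTU, which is the check you want before pointing a full-MTU mirror at a VPN.

```python
import struct

IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558      # Transparent Ethernet Bridging: GRE payload is a whole L2 frame
GRE_OVERHEAD = 20 + 4       # outer IPv4 header + minimal GRE header (no key/seq/checksum)
PCAP_MAGIC = 0xA1B2C3D4


def pcap_frames(data: bytes):
    """Yield raw frames from a libpcap byte stream (what `tcpdump -w -` writes)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"              # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"              # written on a big-endian host
    else:
        raise ValueError("not a libpcap stream")
    off = 24                      # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def build_pcap(frames, endian="<"):
    """Constructed libpcap stream (linktype 1 = Ethernet) for offline testing."""
    head = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack(endian + "IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return head + body


def ethernet_frame(payload, dst="ff:ff:ff:ff:ff:ff", src="02:00:00:00:00:01", ethertype=0x0800):
    """Constructed Ethernet II frame: dst MAC, src MAC, ethertype, payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose field is filled in."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def gre_encapsulate(frame: bytes, src_ip: str, dst_ip: str, ident=0, ttl=64) -> bytes:
    """Wrap one L2 frame: outer IPv4 (proto 47) + 4-byte GRE header + frame."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)          # flags/version 0, protocol 0x6558
    total = 20 + len(gre) + len(frame)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, 0, ttl,
                      IPPROTO_GRE, 0, _ip(src_ip), _ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + frame


def gre_decapsulate(packet: bytes) -> bytes:
    """Tool-side: validate the outer headers and hand back the original frame."""
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not IPv4/GRE")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not a bridged Ethernet frame")
    gre_len = 4
    if flags & 0x8000:           # C bit: checksum + reserved1
        gre_len += 4
    if flags & 0x2000:           # K bit: key
        gre_len += 4
    if flags & 0x1000:           # S bit: sequence number
        gre_len += 4
    return packet[ihl + gre_len:]


def forward_pcap(pcap_bytes: bytes, src_ip: str, dst_ip: str, tunnel_mtu=1500):
    """Encapsulate every frame; return (packets, number exceeding the tunnel MTU)."""
    packets, oversize = [], 0
    for n, frame in enumerate(pcap_frames(pcap_bytes)):
        pkt = gre_encapsulate(frame, src_ip, dst_ip, ident=n & 0xFFFF)
        if len(pkt) > tunnel_mtu:
            oversize += 1
        packets.append(pkt)
    return packets, oversize


if __name__ == "__main__":
    small = ethernet_frame(b"\x00" * 40)        # 54-byte frame
    full = ethernet_frame(b"A" * 1486)          # 1500-byte frame, i.e. a full-MTU mirror
    pkts, over = forward_pcap(build_pcap([small, full]), "192.0.2.10", "198.51.100.20")
    print(f"{len(pkts)} frames encapsulated, {over} exceed a 1500-byte tunnel MTU")
```

Every mirrored frame grows by 24 bytes here (and by more inside the IPsec tunnel of a site-to-site VPN), so any full-size frame on the source LAN will either fragment or be dropped on the way to the tool; in production you would create a gretap interface and bridge the SPAN NIC into it rather than hand-craft packets, but the overhead and the "double the upload" cost that later replies raise are the same either way. Raw GRE carries the mirrored frames in the clear, so it only belongs inside the VPN, never across the Internet on its own.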

As others said, it is not a good idea to overload a VPN line just for the sake of monitoring. How about placing a remote analyzer such as NTOP? Very cheap, easy to use, and it will reduce the need to suffocate this VPN.

Put your security tool on a laptop and install it at the remote site. Remote into the laptop via WiFi. This allows you to monitor or Wireshark anything at the remote site.

I think Niagara Networks might be able to help? I know they can do ER-SPAN. But not sure about auto vpn.

Meraki only supports RSPAN sadly :frowning: Any ideas on a physical bit of kit?

It's cost driven. I'm also trying to prove that it's a fruitless exercise. We would be duplicating the output from the core stack and then sending it to our hub (remote) for monitoring and processing. So we'd effectively be doubling the upload of our satellite site and then adding that traffic to the download at the hub site. It's just not practical.

Was going to recommend a similar option. I did something like this with a VoIP gateway (test bench, not malicious reasons), but probably in a more roundabout way.

SSH local tunnel to the gateway from my device, start nc -e on the gateway and point it towards /bin/sh, nc to my local device on the SSH tunnel port and < tcpdump (with the appropriate params), then | to wireshark.exe.

I think your one-liner is doing the same thing, but way less convoluted.

I was still proud of myself when I figured that one out though, dangit!

I don’t know if Gigamon can solve this or not, but they are the first vendor that comes to mind.

Why not just do monitoring on the core stack at that location and send the relevant information to the hub?

Running tcpdump on a remote system and displaying the results live in Wireshark on my desktop is one of my favorite tricks.

It's a Darktrace network appliance that does the monitoring and processing. To do what you're suggesting we'd need an appliance in both locations.

Definitely. I haven’t done it in years, but I remember showing one of the old-time telco guys. Had him say a few words into our test phone and then replayed what he said in Wireshark. He couldn’t believe that could be done with the VoIP gear. Modern day test butt to POTS block.

Correct, I have never used Darktrace before, but I have seen similar products that have cheaper collector/analyzer units meant for offsite situations. I would at least inquire about it.