Install the EH1000v/2000v with Hyper-V

Introduction

The ExtraHop virtual appliance can help you to monitor the performance of your applications across internal networks, the public internet, or a virtual desktop interface (VDI), including database and storage tiers. ExtraHop can monitor application performance across geographically distributed environments such as branch offices or virtualized environments using intra-VM traffic.

This guide explains how to install these products:

  • EH1000v (Monitors up to 250 devices)

  • EH2000v (Monitors up to 1000 devices)

On these platforms:

  • Hyper-V (Microsoft)

We assume you have some experience administering your hypervisor product.

The following diagram shows the high-level steps to install and use the ExtraHop virtual appliance. Installation time is approximately 15 minutes.

Feedback

We are working hard to improve our product, and with your feedback we can better meet your needs. As a valued ExtraHop customer, we appreciate all feedback you can provide. Please email feedback to the following addresses:

Use the following documentation to assist you with the procedures in this guide:

How Mirroring Works

ExtraHop is a passive system.

Its wire data feed comes entirely from mirrored traffic. This is an improvement from traditional methods of collecting wire data with packet analyzers. With ExtraHop, the traffic is mirrored directly into the appliance and then reassembled into full per-client sessions and transaction streams, offering you the entire transaction payload in real time to analyze. There are two ways to mirror traffic into ExtraHop: network-based mirroring and host-based mirroring. This topic discusses the differences between the two.

Network-Based Mirroring

The big advantage with network based mirroring is that you can set it up at the network level, capturing traffic from multiple hosts with a minimum amount of configuration. There are different types of network-based mirroring, each designed for mirroring traffic to a target in a particular situation. The big challenge with all the network-based mirroring strategies is that they rely heavily on the capabilities of the hardware on your network (physical or virtual). If you’re running a virtual ExtraHop appliance, the hypervisor you’re running (and even the version of hypervisor) also plays into the equation. That said, if you can take advantage of network-based mirroring you’ll probably want to because once it’s set up, it requires less administrative effort to maintain.

There are three main types of network-based mirroring.

SPAN

The SPAN port is the name of the port on Cisco switches that mirrors traffic. SPAN stands for Switched Port ANalyzer (SPAN). Different vendors use different names, but spanning has become synonymous for a port on a switch that mirrors traffic. The key thing about a SPAN is that it’s all local traffic. You can configure any of the ports on the switch to mirror traffic to an ExtraHop appliance that has access to the SPAN port.

Promiscuous mode is similar to SPAN, but instead of mirroring only select local port traffic to the SPAN port, promiscuous mode mirrors all the traffic from every port. Any traffic that comes through the switch is mirrored to your ExtraHop appliance.

RSPAN

RSPAN is useful if the traffic you’re interested in mirroring is more than one switch away from where you can attach your ExtraHop appliance. The “R” in RSPAN stands for remote. You’re spanning all the traffic from one switch through any number of additional switches to your target ExtraHop appliance. Each switch on the path needs to be configured.

ERSPAN

tween the traffic you’re interested in mirroring and where you can attach your ExtraHop appliance, ERSPAN may be helpful to you. Each of the packets from your target network is encapsulated into another packet for the trip across the router.

Host-Based Mirroring

If network-based mirroring won’t work for you, then host-based mirroring is a reliable way to get traffic into ExtraHop.

Software Tap

Host-based mirroring requires that you install a software tap on each host you want to monitor. The big advantage of the software tap is that it works with any type of network gear you have. It works independent of the type or version of hypervisor you’re running. Host-based mirroring is a way of configuring the adapter on a host to duplicate and forward all traffic to ExtraHop. You can install it on Windows or Linux hosts.

The software tap (also called RPCAP and a packet forwarder) is analogous to a network tap, which is an unobtrusive hardware device for mirroring traffic from a network.

Installation Requirements

This section includes hardware and software requirements for the host on which you are installing the ExtraHop virtual appliance.

Disk Requirements and Recommendations

To ensure proper functionality of the virtual appliance:

  • Do not change the default disk size on initial installation. Using the default disk size ensures correct lookback for ExtraHop metrics and proper system functionality. If your configuration requires a different disk size, contact your ExtraHop representative before changing it.

  • Do not migrate the VM. Although it is possible to migrate when the datastore is on a remote SAN, ExtraHop does not recommend this configuration.

System Requirements: 1000v

Installation of the EH1000v has the following requirements:

  • An existing installation of Hyper-V on Windows Server 2012

  • A Hyper-V Manager client

The following VMware ESX/ESXi server hardware is required for the EH1000v:

  • Processor: 2 processing cores with hyper-threading support, VT-x technology, and 64-bit architecture

    To use SSL decryption, three processing cores are required. Refer to ExtraHop Guide: Adding a CPU Core to the EH1000v with Hyper-V for more information.

  • Memory: 4 GB or higher

  • Disk: 46 GB or higher (thick-provisioned)

  • Network: You can configure the EH1000v to monitor intra-VM or external traffic.

    • Intra-VM: One 1-Gbps Ethernet network port is required (for management). The management port must be accessible on port 443.

    • External: Two 1-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must support network interface drivers. While it is possible to use a 10-Gbps Ethernet network port for the port mirror interface, it is not recommended as the virtual appliance cannot process more than 1 Gbps of traffic.

  • Registration: For registration purposes, the EH1000v requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Central Manager (ECM).

System Requirements: 2000v

Installation of the EH1000v has the following requirements:

  • An existing installation of Hyper-V on Windows Server 2012

  • A Hyper-V Manager client

The following VMware ESX/ESXi server hardware is required for the EH2000v:

  • Processor: 6 processing cores with hyperthreading support, VT-x technology, and 64-bit architecture

    To use SSL decryption, three processing cores are required. Refer to ExtraHop Guide: Adding a CPU Core to the EH1000v with Hyper-V for more information.

  • Memory: 6 GB or higher

  • Disk: 255 GB or higher (thick-provisioned)

  • Network: You can configure the EH2000v to monitor intra-VM or external traffic.

    • Intra-VM: One 1-Gbps Ethernet network port is required (for management). The management interface must be accessible on port 443.

    • External: Two to four 1-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must support network interface drivers. While it is possible to use a 10-Gbps Ethernet network port for the port mirror interface, it is not recommended as the virtual appliance cannot process more than 3 Gbps of traffic.

  • Registration: For registration purposes, the EH2000v requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Central Manager (ECM).

Installing the ExtraHop VM

Before you install the ExtraHop virtual appliance, ensure the following:

  • You have downloaded the file for the ExtraHop virtual appliance (this is an OVA file for OVA-aware hypervisor products). If you have not downloaded the file, contact support@extrahop.com.

  • You have the ExtraHop virtual appliance license key provided by ExtraHop. If you do not have a license key, contact support@extrahop.com.

  • You have an existing installation of one of the following virtualization products:

    • Microsoft Hyper-V

  • Your host system meets the minimum hardware requirements, and you understand the disk requirements for setting up an ExtraHop appliance.

  • If you are using a software tap, you have administrative access to servers you want to monitor, and you are running a 64-bit operating system (Linux/Windows). If you are using Windows, you must be using Windows Server 2008 R2 or Windows Server 2012.

  • If you want to use Port Mirroring mode, you have administrative access to any physical or virtual switches that require configuration.

Creating a Windows Hotkey

If using a Macintosh- or Linux-based operating system, create a Windows hotkey before installing the EH1000v.

To map a Windows hotkey in Mac OSX:

  1. Go to RDC Preferences and click the Keyboard tab.

  2. Double-click Windows Start Key and insert a command such as cmd+ctrl (⌘^).

Installing the Files for Hyper-V

To install the files to run the ExtraHop virtual appliance with Hyper-V, complete the following steps.

  1. Go to the Start menu and open the Hyper-V Manager.

  2. In the right pane of the Hyper-V Manager, click New and select Import Virtual Machine….

  3. In the Import Virtual Machine Wizard, click Next.

  4. Browse to the folder with the extracted files and click Next.

  5. View the VM information and click Next.

  6. Click the Copy the virtual machine radio button and click Next.

  7. Click Browse and navigate to the location where you want to store the VM. Click Next.

  8. Click Browse and navigate to the location where you want to store the virtual hard disks associated with the VM. Click Next.

  9. View the summary and click Finish.

  10. Wait several minutes for the files to copy.

  11. Repeat the following steps for each VM you want to monitor, excluding the first VM you created in this procedure.

    1. Right-click the first VM and select Settings.

    2. Expand Network Adapter and click Advanced Features.

    3. In the Port mirroring section, click the Mirroring mode drop-down list and select Source.

      If you are using the second interface on the EH1000v, use the default Mirroring mode, Destination.

    4. Click the Apply button.

    5. Click OK.

  12. Click Network Adapter. Go to the Virtual switch drop-down list and select the switch that is connected to the network you want to monitor. Click OK.

  13. Make sure the switch connected to the management interface is able to obtain an IP address from your DHCP server.

  14. Select a switch for every network adapter on the VM for the purpose of tying it to a monitoring source.

  15. In the Virtual Machines list, right-click the virtual machine and select Start.

  16. Right-click the virtual machine again and select Connect.

  17. Go to the console and find the IP address of the VM.

  18. Enter the IP address into your web browser.

Applying the ExtraHop License

The ExtraHop virtual appliance requires a product key and a license in order to function.

  1. Go to the Administration UI (https://<extrahop_ip>/admin).

  2. If the following screen appears the first time you open the Admin UI, click Proceed anyway.

  3. On the following screen, select the I Agree radio button and click Submit. This screen appears the first time you open the Admin UI.

  4. Click Please apply license to Admin UI.

  5. Log in with the user account setup and the password default.

  6. Click Register to enter the product key.

  7. Enter the product key and then click Register. The ExtraHop system now contacts the license server and validates the product key. After the product key is validated, the license is downloaded.

    The following example shows a properly licensed ExtraHop system in the ExtraHop Admin UI:

  8. After you apply the ExtraHop license, go to the console and enter your user name and password in the dialog box.

Configuring a Static IP Address

The ExtraHop virtual appliance is delivered with DHCP enabled. If your network does not support DHCP, no IP address would be acquired, and you must configure a static address manually. To configure a static IP address, complete the following steps:

  1. Log in to the console. Use the user account named shell and the password default.

  2. Enable the privilege commands.

    extrahop>enable
    Password:default
    extrahop#
  3. Enter the configuration section.

    extrahop#config
    extrahop(config)#
  4. Enter the interface section.

    extrahop(config)#int
    extrahop(config-if)#
  5. Set the IP address and DNS using this syntax: ip ipaddr IP_ADDRESS NETMASK GATEWAY DNS.

    extrahop(config-if)#ip ipaddr 10.10.10.10 255.255.0.0 10.10.1.254 8.8.8.8
  6. Save the running config.

    extrahop(config-if)#exit
    extrahop(config) * #running_config save
    Would you like to write configuration changes to default config [Y/n]?: y
    extrahop(config)#

    The full set of commands is as follows:

    extrahop>enable
    Password:
    extrahop#config
    extrahop(config)#int
    extrahop(config-if)#ip ipaddr 10.10.10.10 255.255.0.0 10.10.1.254 8.8.8.8
    Changing IP address. Please wait...
    .Done
    extrahop(config-if)# exit
    extrahop(config) * #running_config save
    Would you like to write configuration changes to default config [Y/n]?: y
    extrahop(config)#

    Note: The default time server setting is pool.ntp.org. To configure the time servers manually, refer to the System Settings section of the ExtraHop Admin UI Users Guide.

Published 2017-08-14 22:08