Install the ExtraHop EH1000v or EH2000v on a Linux KVM

This document provides information on how to install an ExtraHop EH1000v or EH2000v virtual appliance on a Linux kernel-based virtual machine (KVM) using the package files available from ExtraHop Networks.

Notes:
  • If you need either the installation package files or a license key for the virtual appliance, contact support@extrahop.com.
  • This document assumes that you are familiar with basic KVM administration.

Package Contents

The installation package for KVM systems is a tar.gz file that contains the following items:

Item                               File name for the EH1000v   File name for the EH2000v
The domain XML configuration file  EH1000v_KVM.xml             EH2000v_KVM.xml
The boot disk                      extrahop-boot.qcow2         extrahop-boot.qcow2
The datastore disk                 extrahop-data.qcow2         extrahop-data.qcow2

Requirements

Before you can install the ExtraHop virtual appliance, make sure that your environment meets the following requirements:

Requirements for the EH1000v:
  • A KVM hypervisor environment capable of hosting a VM that includes:
    • 4 GB RAM
    • 2 vCPU
    • One 4 GB boot disk (virtio-scsi interface recommended)
    • One 40 GB datastore disk (virtio-scsi interface recommended)
  • (Optional) Open vSwitch virtual switch software
  • An ExtraHop virtual appliance license key

Requirements for the EH2000v:
  • A KVM hypervisor environment capable of hosting a VM that includes:
    • 6 GB RAM
    • 6 vCPU
    • One 4 GB boot disk (virtio-scsi interface recommended)
    • One 250 GB datastore disk (virtio-scsi interface recommended)
  • (Optional) Open vSwitch virtual switch software
  • An ExtraHop virtual appliance license key

Deployment Process

Follow these steps to deploy the ExtraHop virtual appliance:

  1. Determine the best virtual bridge configuration for your network.
  2. Create a virtual capture bridge that contains the traffic you want to monitor.
  3. Edit the domain XML configuration file and create your virtual appliance.
  4. Configure a mirror session on the virtual bridge.

Determine the Best Bridge Configuration

Gather information about your network to determine the best virtual bridge configuration.

  1. Identify the source of your wire data and the type of data you want to capture.
    • For SPAN, RSPAN, or port mirroring, use Open vSwitch to create the virtual capture bridge.
    • For ERSPAN or rpcapd, use either Open vSwitch or the built-in Linux bridge to create the virtual capture bridge.
  2. Determine if you want to capture traffic from an external network source. If yes, configure a physical interface on the virtual capture bridge.
  3. Identify the bridge you want to access the management interface through.
    • We recommend that you configure separate bridges for the capture bridge and the management bridge.
    • The management bridge must be accessible to the ExtraHop virtual appliance and to all users who must access the management interface.
    • If you need to access the management interface from an external computer, configure a physical interface on the virtual capture bridge.

Create the Virtual Capture Bridge

Before you enable packet capture by an ExtraHop virtual appliance, you must create a virtual bridge that is set to promiscuous mode. If you want to capture traffic from an external network, you must add a physical interface to the bridge, and that interface must also be set to promiscuous mode.

The following procedure describes how to create a virtual bridge with Open vSwitch. For information on how to create a virtual bridge with the built-in Linux bridge, refer to the documentation for your KVM system.

  1. Log into the KVM system and create a virtual bridge by running the following command:
    sudo ovs-vsctl add-br <bridge name>

    Replace <bridge name> with the name of your virtual bridge.

  2. Put the virtual bridge in promiscuous mode by running the following command:
    sudo ifconfig <bridge name> promisc

    Replace <bridge name> with the name of your virtual bridge.

  3. (Optional) If you want to access traffic on an external network, add a physical interface to the bridge by running the following command:
    sudo ovs-vsctl add-port <bridge name> <port name>

    Replace <port name> with the name of the port you want to add to the bridge.

  4. If you added a physical interface to the bridge, put that interface in promiscuous mode by running the following command:
    sudo ifconfig <port name> promisc

    Note: If you want the interface changes to persist after a reboot, add the ifconfig commands to your /etc/network/interfaces file.
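The four steps above as a script, added here as an example and not part of the ExtraHop package: it uses ovs-vsctl --may-exist so re-runs are harmless, the iproute2 form of the promiscuous-mode setting, and a check that the flag actually took. The bridge name mirrorbr0 and interface eth1 are placeholders.

```shell
#!/bin/sh
# Added example (not part of the ExtraHop package): steps 1-4 above as an
# idempotent script. Assumes ovs-vsctl and iproute2 ('ip') are installed;
# 'ip link set ... promisc on' is the iproute2 form of 'ifconfig X promisc'.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Interface names: 1-15 chars (kernel IFNAMSIZ) from a safe character set,
# so a bad value cannot become extra shell words or an option.
valid_ifname() {
    case "$1" in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# create_capture_bridge BRIDGE [PHYSICAL_IFACE]
# --may-exist makes re-running the script harmless.
create_capture_bridge() {
    bridge=$1 phys=$2
    valid_ifname "$bridge" || { echo "bad bridge name: $bridge" >&2; return 1; }
    run sudo ovs-vsctl --may-exist add-br "$bridge"
    run sudo ip link set dev "$bridge" promisc on
    if [ -n "$phys" ]; then
        valid_ifname "$phys" || { echo "bad interface name: $phys" >&2; return 1; }
        run sudo ovs-vsctl --may-exist add-port "$bridge" "$phys"
        run sudo ip link set dev "$phys" promisc on
    fi
}

# has_promisc_flag LINE: true if an 'ip -o link show' line lists PROMISC.
has_promisc_flag() { printf '%s\n' "$1" | grep -q '[<,]PROMISC[,>]'; }

# is_promisc IFACE: check the live flag (it is lost on reboot unless
# persisted, as the note above says).
is_promisc() { has_promisc_flag "$(ip -o link show dev "$1" 2>/dev/null)"; }

create_capture_bridge mirrorbr0 eth1
```

Run with DRY_RUN=0 once the printed commands look right; is_promisc afterwards confirms the bridge and interface report the PROMISC flag.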

Edit the Domain XML Configuration File

After you create your virtual bridge, edit the configuration file, and create the ExtraHop virtual appliance.

  1. Extract the tar.gz file that contains the installation package.
  2. Copy the two disks extrahop-boot.qcow2 and extrahop-data.qcow2 to your KVM system. Make a note of the location where you store these files.
  3. Open the domain XML configuration file. Find and edit the following values:
    • Change the VM name (ExtraHop-EH1000v or ExtraHop-EH2000v) to the name you want to use for your ExtraHop virtual appliance.
      <name>ExtraHop-EH1000v</name>
    • Change the source file path ([PATH_TO_STORAGE]) in both disk entries to the location where you stored the virtual disk files in step 1.
      <source file='[PATH_TO_STORAGE]/extrahop-boot.qcow2'/>
      <source file='[PATH_TO_STORAGE]/extrahop-data.qcow2'/>
    • Change the source bridge for your capture network (mirrorbr0) to match the name of your capture bridge.
      <interface type='bridge'>
        <source bridge='mirrorbr0'/>
        <virtualport type='openvswitch'>
        </virtualport>
        <model type='virtio'/>
        <alias name='net1'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
      </interface>
      Note: If you are configuring the built-in Linux bridge, remove the virtualport type setting.
    • Change the source bridge for the management network (ovsbr0) to match the name of your management bridge.
      <interface type='bridge'>
        <source bridge='ovsbr0'/>
        <virtualport type='openvswitch'>
        </virtualport>
        <model type='virtio'/>
        <alias name='net0'/>
        <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
      </interface>
      Note: If you are configuring the built-in Linux bridge, remove the virtualport type setting.
    • For the EH2000v only: You can configure two additional bridges on the EH2000v. To configure another management bridge, use the configuration pattern for the ovsbr0 source bridge. To configure another capture bridge, use the configuration pattern for the mirrorbr0 source bridge.
  4. Save the XML file.
  5. Log in to the KVM console, and create the new ExtraHop virtual appliance with your revised domain XML configuration file by running the following command:
    virsh create <domain XML file>

    Replace <domain XML file> with the name of your domain XML configuration file (EH1000v_KVM.xml or EH2000v_KVM.xml).
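Step 3 done with sed and awk rather than by hand, added here as an example and not the ExtraHop package's own tooling: the edit becomes repeatable, and the function refuses to write a file in which the storage placeholder survives. It assumes the template uses the placeholders quoted above (ExtraHop-EH1000v or ExtraHop-EH2000v, [PATH_TO_STORAGE], mirrorbr0, ovsbr0); the embedded template is a constructed, trimmed stand-in for the real file.

```shell
#!/bin/sh
# Added example (not the ExtraHop package's own tooling): step 3 above done
# with sed/awk so the edit is repeatable and checkable. Assumes the template
# uses the placeholders quoted above (ExtraHop-EH1000v/EH2000v,
# [PATH_TO_STORAGE], mirrorbr0, ovsbr0).

# Constructed, trimmed stand-in for the real domain XML, for a stand-alone run.
write_sample_template() {
    cat > "$1" <<'EOF'
<domain type='kvm'><name>ExtraHop-EH1000v</name>
<disk><source file='[PATH_TO_STORAGE]/extrahop-boot.qcow2'/></disk>
<disk><source file='[PATH_TO_STORAGE]/extrahop-data.qcow2'/></disk>
<interface type='bridge'><source bridge='ovsbr0'/>
<virtualport type='openvswitch'> </virtualport>
<model type='virtio'/><alias name='net0'/></interface>
<interface type='bridge'><source bridge='mirrorbr0'/>
<virtualport type='openvswitch'> </virtualport>
<model type='virtio'/><alias name='net1'/></interface>
</domain>
EOF
}

# customize_domain_xml TEMPLATE OUT VM_NAME STORAGE_DIR CAPTURE_BR MGMT_BR [ovs|linux]
# 'linux' also drops the <virtualport> element, as the notes above require
# for the built-in Linux bridge. Returns 1 if a placeholder survives.
customize_domain_xml() {
    tmpl=$1 out=$2 name=$3 storage=$4 capbr=$5 mgmtbr=$6 btype=${7:-ovs}
    case "$name$storage$capbr$mgmtbr" in   # keep sed replacement text literal
        *'|'*|*'&'*|*'\'*) echo "unsafe character in argument" >&2; return 1 ;;
    esac
    sed -e "s|<name>ExtraHop-EH[12]000v</name>|<name>$name</name>|" \
        -e "s|\[PATH_TO_STORAGE\]|$storage|g" \
        -e "s|<source bridge='mirrorbr0'/>|<source bridge='$capbr'/>|g" \
        -e "s|<source bridge='ovsbr0'/>|<source bridge='$mgmtbr'/>|g" "$tmpl" |
    if [ "$btype" = linux ]; then
        awk '/<virtualport/ { skip=1 } !skip { print }
             /<\/virtualport>/ || /<virtualport[^>]*\/>/ { skip=0 }'
    else cat; fi > "$out"
    ! grep -q 'PATH_TO_STORAGE' "$out"
}

t=$(mktemp); o=$(mktemp); write_sample_template "$t"
customize_domain_xml "$t" "$o" eh-probe-1 /var/lib/libvirt/images capbr1 mgmtbr1 linux
echo "wrote $o"; rm -f "$t"
```

Point the first argument at the real EH1000v_KVM.xml or EH2000v_KVM.xml and the output file is what you pass to virsh create in step 5.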

Configure a Mirror Session on the Capture Bridge

This procedure explains how to configure a mirror session on an Open vSwitch virtual bridge.

  1. Log in to the KVM console, and export the configuration file for your new ExtraHop virtual appliance by running the following command:
    sudo virsh dumpxml [ExtraHop-EH1000v]

    Replace ExtraHop-EH1000v with the name of your ExtraHop virtual appliance. Be sure to include the square brackets around the name of your ExtraHop virtual appliance.

  2. In the XML output, find the name of your capture bridge. Locate the line that designates the target dev for this bridge (<target dev = 'virtual port name'>). Make a note of the virtual port name assigned to the target dev.
  3. Add the virtual port to the bridge by running the following command:
    sudo ovs-vsctl add-port <bridge name> <virtual port name>

    Replace <bridge name> with the name of your capture bridge and <virtual port name> with the name of virtual port from the target dev setting that you noted in step 2.

  4. Place this virtual port in promiscuous mode by running the following command:
    sudo ifconfig <virtual port name> promisc
  5. (Optional) To monitor traffic from an external network, use the following procedure to configure a mirror on the bridge. For more information, see Port Mirroring with Linux Bridges.
    1. Create the port mirror on the capture bridge by running the following command:
      sudo ovs-vsctl -- --id=@m create mirror name=<your mirror name> -- add bridge <bridge name> mirrors @m

      Replace <your mirror name> with the name you want to use for the mirror and <bridge name> with the name of your capture bridge.

    2. Add a physical interface to the mirror by running the following command:
      sudo ovs-vsctl -- --id=@<mirror port name> get port <mirror port name> -- set mirror <your mirror name> select_src_port=@<mirror port name> select_dst_port=@<mirror port name>

      Replace <mirror port name> with the name of the port you want to mirror and <your mirror name> with the name of the mirror you created in step 1.

      Note: This example adds the port as both a source port (to capture outgoing traffic) and as a destination port (to capture incoming traffic). If you want to capture traffic in only one direction on the port, add the port as a source port (select_src_port) or a destination port (select_dst_port) only.
    3. Add the virtual port name (from step 2) as the output port for the mirror by running the following command:
      sudo ovs-vsctl -- --id=@<virtual port name> get port <virtual port name> -- set mirror <your mirror name> output-port=@<virtual port name>
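The mirror-session procedure above as a script, added here as an example and not ExtraHop's tooling: it reads the capture interface's target dev out of the virsh dumpxml output instead of locating it by eye, then creates the mirror, its source/destination port and its output port in one ovs-vsctl transaction rather than three. The embedded XML is a constructed, trimmed stand-in for real dumpxml output; mirrorbr0, extrahop_mirror and eth1 are placeholders.

```shell
#!/bin/sh
# Added example (not ExtraHop's tooling): steps 1-5 above scripted. It pulls
# the capture interface's target dev out of 'virsh dumpxml' output instead of
# reading it by eye, then builds the mirror in one ovs-vsctl transaction.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Constructed, trimmed stand-in for 'sudo virsh dumpxml <vm>' output.
write_sample_dumpxml() {
    cat > "$1" <<'EOF'
<domain type='kvm'><name>ExtraHop-EH1000v</name>
  <interface type='bridge'><source bridge='ovsbr0'/>
    <target dev='vnet0'/><alias name='net0'/></interface>
  <interface type='bridge'><source bridge='mirrorbr0'/>
    <target dev='vnet1'/><alias name='net1'/></interface>
</domain>
EOF
}

# target_dev_for_bridge XMLFILE BRIDGE: print the vnetN libvirt assigned to the
# <interface> attached to BRIDGE; exit 1 if no such interface exists.
target_dev_for_bridge() {
    awk -v br="$2" '
        /<interface / { inif=1; hit=0; dev="" }
        inif && $0 ~ ("<source bridge=." br "[^A-Za-z0-9_.-]") { hit=1 }
        inif && /<target dev=/ { dev=$0; sub(/.*<target dev=./, "", dev)
                                 sub(/[^A-Za-z0-9_.-].*/, "", dev) }
        /<\/interface>/ { if (hit && dev != "") { print dev; found=1; exit }
                          inif=0 }
        END { exit !found }' "$1"
}

# configure_mirror CAPTURE_BR MIRROR_NAME VNET PHYS_PORT: attach VNET to the
# bridge, set it promiscuous, then mirror both directions of PHYS_PORT to it.
configure_mirror() {
    br=$1 name=$2 vnet=$3 phys=$4
    run sudo ovs-vsctl --may-exist add-port "$br" "$vnet"
    run sudo ip link set dev "$vnet" promisc on
    run sudo ovs-vsctl -- --id=@p get port "$phys" -- --id=@o get port "$vnet" \
        -- --id=@m create mirror name="$name" select_src_port=@p \
           select_dst_port=@p output-port=@o -- add bridge "$br" mirrors @m
}

xml=$(mktemp); write_sample_dumpxml "$xml"
vnet=$(target_dev_for_bridge "$xml" mirrorbr0)
configure_mirror mirrorbr0 extrahop_mirror "$vnet" eth1
rm -f "$xml"
```

On a real host, replace the sample file with the output of sudo virsh dumpxml for your appliance; the single transaction either applies fully or not at all, so a typo in one port name does not leave a half-built mirror behind.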

Next Steps

After you have created your new ExtraHop virtual appliance, you can log in to the management interface through a web browser to apply your license key, see network traffic, and customize your ExtraHop virtual appliance.

  1. Log in to the KVM console and get the IP address for your new ExtraHop virtual appliance by running the following command:
    sudo virsh console [ExtraHop-EH1000v]

    Replace ExtraHop-EH1000v with the name of your ExtraHop virtual appliance.

  2. Open your web browser, and enter the IP address of your ExtraHop virtual appliance.
  3. Log in with the default user name (setup) and password (default).
  4. Apply your license key. See the Admin UI Users Guide for instructions.
  5. For more information about ExtraHop features, see the Web UI Users Guide.
Published 2017-07-17 18:27