Deploy the ExtraHop Discover Appliance with VMware

Introduction

The ExtraHop virtual appliance can help you to monitor the performance of your applications across internal networks, the public internet, or a virtual desktop interface (VDI), including database and storage tiers. ExtraHop can monitor application performance across geographically distributed environments such as branch offices or virtualized environments using intra-VM traffic.

This guide explains how to install these products:

  • EH1000v (Monitors up to 250 devices)
  • EH2000v (Monitors up to 1000 devices)
  • EH6100v (Monitors up to 3000 devices)

On these platforms:

  • ESXi/ESX (VMware)

We assume you have some experience administering your hypervisor product.

The following diagram shows the high-level steps to install and use the ExtraHop virtual appliance. Installation time is approximately 15 minutes.

Feedback

We value your feedback. Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.

Use the following documentation to assist you with the procedures in this guide:

Installation Requirements

This section includes hardware and software requirements for the host on which you are installing the ExtraHop virtual appliance.

Disk Requirements and Recommendations

To ensure proper functionality of the virtual appliance:

  • Always use thick provisioning. The ExtraHop datastore requires low-level access to the complete drive and is not able to grow dynamically with thin provisioning. Thin provisioning can cause metric loss, VM lockups, and capture issues.

  • Do not change the default disk size on initial installation. Using the default disk size ensures correct lookback for ExtraHop metrics and proper system functionality. If your configuration requires a different disk size, contact your ExtraHop representative before changing it.

  • Do not migrate the VM. Although it is possible to migrate when the datastore is on a remote SAN, ExtraHop does not recommend this configuration.

System Requirements: EH1000v

Installation has the following system requirements:

  • An existing installation of the VMware ESX/ESXi server version 4.0 and later

  • As vSphere client to deploy an OVF file

The following VMware ESX/ESXi server hardware is required for the EH1000v:

  • Processor: 2 processing cores with hyper-threading support, VT-x technology, and 64-bit architecture

  • Memory: 4 GB or higher

  • Disk: 46 GB or higher (thick-provisioned)

  • Network: You can configure the EH1000v to monitor intra-VM or external traffic.

    • Intra-VM: One 1-Gbps Ethernet network port is required (for management). The management port must be accessible on port 443.

    • External: Two 1-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must support network interface drivers. While it is possible to use a 10-Gbps Ethernet network port for the port mirror interface, it is not recommended as the virtual appliance cannot process more than 1 Gbps of traffic.

  • Registration: For registration purposes, the EH1000v requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Central Manager (ECM).

Note: Thick provisioning of disk space is a requirement. The ExtraHop system needs the entire virtual disk space to be available at boot time and not allocated as needed.

System Requirements: EH2000v

Installation has the following system requirements:

  • An existing installation of the VMware ESX/ESXi server version 4.0 and later

  • As vSphere client to deploy an OVF file

The following VMware ESX/ESXi server hardware is required for the EH2000v:

  • Processor: 6 processing cores with hyperthreading support, VT-x technology, and 64-bit architecture

  • Memory: 6 GB or higher

  • Disk: 255 GB or higher (thick-provisioned)

  • Network: You can configure the EH2000v to monitor intra-VM or external traffic.

    • Intra-VM: One 1-Gbps Ethernet network port is required (for management). The management interface must be accessible on port 443.

    • External: Two to four 1-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must support network interface drivers. While it is possible to use a 10-Gbps Ethernet network port for the port mirror interface, it is not recommended as the virtual appliance cannot process more than 3 Gbps of traffic.

  • Registration: For registration purposes, the EH2000v requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Central Manager (ECM).

Note: Thick provisioning of disk space is a requirement. The ExtraHop system needs the entire virtual disk space to be available at boot time and not allocated as needed.

System Requirements: 6100v

Installation has the following system requirements:

  • An existing installation of the VMware ESX/ESXi server version 5.1 and later

  • As vSphere client to deploy an OVF file

The following VMware ESX/ESXi server hardware is required for the EH6100v:

  • Processor: 16 processing cores (minimum 2.5 Ghz clock speed) with hyperthreading support, VT-x technology, and 64-bit architecture

  • Memory: 64 GB or higher

  • Disk: 1 TB or higher (thick-provisioned)

  • Network: You can configure the EH6100v to monitor intra-VM or external traffic.

    • Intra-VM: One 1-Gbps Ethernet network port is required (for management). The management interface must be accessible on port 443.

    • External: Two to four 1-Gbps or 10-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must support network interface drivers.

  • Registration: For registration purposes, the EH6100v requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Central Manager (ECM).

Note: Thick provisioning of disk space is a requirement. The ExtraHop system needs the entire virtual disk space to be available at boot time and not allocated as needed.

Installing the ExtraHop VM

Before you install the ExtraHop virtual appliance, ensure the following:

  • You have downloaded the file for the ExtraHop virtual appliance (this is an OVA file for OVA-aware hypervisor products). If you have not downloaded the file, contact support@extrahop.com.

  • You have the ExtraHop virtual appliance license key provided by ExtraHop. If you do not have a license key, contact support@extrahop.com.

  • You have an existing installation of one of the following virtualization products:

  • Your host system meets the minimum hardware requirements, and you understand the disk requirements for setting up an ExtraHop appliance.

  • If you are using a software tap, you have administrative access to servers you want to monitor, and you are running a 64-bit operating system (Linux/Windows). If you are using Windows, you must be using Windows Server 2008 R2 or Windows Server 2012 (or later).

  • If you want to use Port Mirroring mode, you have administrative access to any physical or virtual switches that require configuration.

Deploy the OVA File (VMware ESX/ESXi Windows Client)

To deploy the OVA file using VMware vSphere Client on a Windows machine, complete the following steps. This procedure assumes you have an existing installation of VMware ESX/ESXi 5.0 or later.

  1. Start the VMware vSphere client and connect to your ESX server.

  2. Click the File menu and select Deploy OVF Template.

  3. Deploy OVF template as detailed below. For most deployments, the default settings are sufficient.

    1. Source: Browse to the location of the downloaded OVA file and then click Next.

    2. OVF Template Details: Review the details and then click Next.

    3. Name and Location: Configure the VM name and location. Give the VM a unique and specific name for the ESX Inventory and then click Next.

    4. Disk Format: Select Thick Provision Lazy Zeroed and then click Next.

    5. Network Mapping: Map the OVF-configured network interface labels with the correct ESX-configured interface labels and then click Next.

    6. Ready to Complete: Verify the configuration, select the Power on after deployment checkbox, and then click Finish to begin the update.

  4. A status dialog box displays the deployment status. When the deployment is complete, you can see the unique name you assigned to the ExtraHop VM instance in the inventory tree for the ESX server to which it was deployed.

    The ExtraHop virtual appliance contains a preconfigured bridged virtual interface with the network label VM Network. If your ESX has a different interface label, you must reconfigure the network adapter on the ExtraHop virtual appliance before starting it. Refer to Mirroring Internal and External Traffic on page 17 for information about how to set up port mirroring on an ESX host.

    To use RPCAP mode, configure network adapter 1 to have Internet access for managing the ExtraHop appliance, contacting the license server, and receiving network traffic through a software tap. Network adapter 2 can be optionally configured to receive mirrored network traffic when running in Port Mirroring mode. Refer to Software Tap on page 66 for more information.

  5. If you are using VMware version 5.1 or earlier, complete the following steps to select the network adapter. Otherwise, proceed to step 5.

    1. Select the Summary tab.

    2. Click Edit Settings, select Network adapter 1, select the correct network label from the Network label drop-down list, and then click OK.

    3. (Optional) Select Network adapter 2, select the correct network label from the Network label drop-down list, and then click OK.

  6. Click the ExtraHop virtual appliance in the ESX Inventory and then select the Console tab.

  7. Click the console window and then press Enter to display the IP.

  8. (Optional) DHCP is enabled by default on the ExtraHop virtual appliance. To configure a static IP address, refer to Configure a Static IP Address on page 14.

  9. Log in to the Administration UI (https://<extrahop_ip>/admin).

    To apply a license, refer to Register the Discover Appliance on page 13.

Deploy the OVA File (VMware ESXi Web Client)

To deploy the OVA file using the VMware vSphere web client:

  1. Start the VMware vSphere client and connect to your ESX server.
  2. Deploy the ExtraHop OVA by following the OVF deployment wizard and accepting the defaults.
  3. When the console opens, wait several minutes for the login prompt, which displays the IP address. DHCP is enabled by default on the ExtraHop virtual appliance. Skip the next step if you do not want to configure a static IP.
  4. (Optional) To configure a static IP, log in with the shell user account and the password default. The enable password is also default. Enter the following in the console window. This example uses Google’s public server, 8.8.8.8.

    extrahop>enable
    Password:
    extrahop#config
    extrahop(config)#int
    extrahop(config-if)#ip ipaddr 10.10.10.10 255.255.0.0 10.10.1.254 8.8.8.8
    extrahop(config-if)#exit
    extrahop(config) * #running_config save
    Would you like to write configuration changes to default config [Y/n]?: y
    extrahop(config)#
    

    For more information about configuring a static IP address, refer to Configure a Static IP Address on page 14.

  5. In VMware ESXi, configure the virtual switch to receive traffic and restart to see the changes.
  6. Go to https://<extrahop_ip>/admin/license/register, enter the product key, and click Register. Log in with the user account setup and the password default.

    For more information about applying a license, refer to Register the Discover Appliance on page 13.

  7. Your ExtraHop system is now ready for use. In the ExtraHop Admin UI, click the ExtraHop icon in the upper left corner to go to the ExtraHop Web UI default Summary dashboard.

Register the Discover Appliance

Complete the following steps to apply the product key supplied by ExtraHop Customer Support. If you do not have a product key, contact support@extrahop.com.

  1. In your browser, type the IP address of the Explore appliance (https://<explore_ip_address>). If your browser prompts you about security certificates, ignore the warning and proceed.
  2. Review the license agreement, select I Agree, and then click Submit.
  3. On the log in screen, type setup for the user name and default for the password, and then click Log In.
  4. In the System Settings section, click License.
  5. Click Manage License.
  6. Click Register.
  7. Enter the product key and then click Register.

Configure a Static IP Address

The ExtraHop virtual appliance is delivered with DHCP enabled. If your network does not support DHCP, no IP address is acquired, and you must configure a static address manually. To configure a static IP address, complete the following steps:

  1. Log in to the console with the shell user account. At the password prompt, type default, and then press ENTER.

  2. Run the following command to enable privileged commands:
    enable
  3. At the password prompt, type default, and then press ENTER.
  4. Run the following command to enter configuration mode:
    configure
  5. Run the following command to enter the interface configuration mode:
    interface
  6. Run the ip command and specify the IP address and DNS settings in the following format: ip ipaddr <ip_address> <netmask> <gateway> <dns_server>

    For example:

    extrahop[ESA](config-if)# ip ipaddr 10.10.2.14 255.255.0.0 10.10.1.253 10.10.1.254
  7. Run the following command to leave the interface configuration section:
    exit
  8. Run the following command to save the running config file:
    running_config save
  9. Type Y and then press ENTER.

Setting Up Automatic Restart

You can enable the VM to automatically restart in case of power failure. To set up automatic restart, complete the following steps.

  1. Select the network at the top of the tree control in the left panel.
  2. Click the Configuration tab.
  3. In the Software panel, click Virtual Machine Startup/Shutdown.
  4. Click the Properties link.
  5. In the dialog box, select the Allow virtual machine to start/stop… checkbox.
  6. Highlight the virtual machine and use the Move Up and Move Down buttons to move the virtual machine to the Automatic Startup section.
  7. Click OK.
  8. The virtual machine now restarts automatically when its associated ESX server restarts.

Mirror Wire Data

This section includes procedures for mirroring data to your ExtraHop virtual appliance.

Mirroring Internal and External Traffic

The ExtraHop virtual appliance can be configured to monitor network traffic in the following network configuration examples. Each example requires a modification to the network configuration of its hypervisor host and uses Network Adapter 1 as the management interface.

Note: Monitoring external network-mirrored traffic requires an external NIC and an associated virtual switch.

Monitoring Intra-VM Traffic

This scenario requires a second VM port group on the default virtual switch of the ESX host for monitoring traffic within the virtual switch as well as external traffic in and out of the switch.

  1. Start the VMware vSphere client and connect to your ESX server.

  2. Select the ESX host at the top of the tree control in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.

    This view shows how the virtual switch is configured. It displays the physical NIC to which the vSwitch is tied (vmnic0 is eth0) and which networking components are using that vSwitch (VM Network Port Group, Service Console). The VM Network port group contains the VM network.

  3. To add a port group to the vSwitch0, click Add Networking. The Add Network Wizard window appears. Select Virtual Machine as the connection type and then click Next.

  4. In the Network Access step, select Use vSwitch0 and then click Next.

  5. In the Connection Settings step, assign a unique name to the new port group, click the VLAN ID drop-down menu, and select All (VLAN 4095).

  6. Click Next. The virtual switch appears as follows.

  7. Click Finish to exit the Add Network Wizard.

  8. Set the Remote Port Mirror to Promiscuous Mode as follows.

    1. Click the Properties link next to vSwitch0. In the vSwitch0 Properties window, select the newly created Port Group (Local Port Mirror in the example below) and click the Edit button.

    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.

    3. Click Close to exit the vSwitch0 Properties window.

  9. Click the Getting Started tab and then click Edit Virtual Machine Settings.

  10. Click Network Adapter 2, click the Network label drop-down menu, select Local Port Mirror, and then click OK.

  11. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring External Mirrored Traffic to the VM

This scenario requires a second physical network interface and the creation of a second vSwitch associated with that NIC. This NIC then connects to a mirror, tap, or aggregator that copies traffic from a switch. This setup is useful for monitoring the intranet of an office.

  1. Start the VMware vSphere client and connect to your ESX server.

  2. Select the ESX host at the top of the tree control in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.

    This view shows how the virtual switch is configured. It displays the physical NIC to which the vSwitch is tied (vmnic0 is eth0) and which networking components are using that vSwitch (VM Network Port Group, Service Console). The VM Network port group contains the VM network.

  3. To add a second vSwitch, click Add Networking. The Add Network Wizard window appears. Select Virtual Machine as the connection type and then click Next.

  4. In the Network Access step, select Create a vSphere standard switch, ensure vmnic1 is selected, and then click Next.

  5. In the Connection Settings step, assign a unique name to the new port group (Remote Port Mirror in the example below), click the VLAN ID drop-down menu, and select All (VLAN 4095).

  6. Click Next and then click Finish to exit the Add Network Wizard.

  7. The Networking section of the configuration table for the ESX host appears as follows.

  8. Set the Remote Port Mirror to Promiscuous Mode as follows.

    1. Click the Properties link next to vSwitch1. In the vSwitch1 Properties window, select vSwitch and click the Edit button.

    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.

    3. Click Close to exit the vSwitch1 Properties window.

  9. Select the ExtraHop Virtual Appliance at the top of the tree control in the left panel, click the Getting Started tab, and then click Edit Virtual Machine Settings.

  10. Click Network Adapter 2, click the Network label drop-down menu, select Remote Port Mirror, and then click OK.

  11. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring External Mirrored Traffic to the VM (EH2000v or EH6100v)

In this scenario, you must create a third and fourth physical network interface and two more vSwitches associated with those NICs. These NICs then connect to a mirror, tap, or aggregator that copies traffic from a switch.

  1. Start the VMware vSphere client and connect to your ESX server.

  2. Select the ESX host at the top of the navigation tree in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.

  3. To add a third vSwitch, click Add Networking. The Add Network Wizard window appears. Select Virtual Machine as the connection type and then click Next.

  4. In the Network Access step, select Create a vSphere standard switch, ensure vmnic2 is selected, and then click Next.

  5. In the Connection Settings step, assign a unique name to the new port group (Remote Port Mirror 2, for example), click the VLAN ID drop-down menu, and select All (VLAN 4095).

  6. Click Next and then click Finish to exit the Add Network Wizard.

  7. The Networking section of the configuration table for the ESX host appears as follows.

  8. Set the Remote Port Mirror to Promiscuous Mode as follows.

    1. Click the Properties link next to vSwitch2. In the vSwitch2 Properties window, select vSwitch and click the Edit button.

    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.

    3. Click Close to exit the vSwitch2 Properties window.

  9. Select the ExtraHop Virtual Appliance at the top of the naviagation tree in the left panel, click the Getting Started tab, and then click Edit Virtual Machine Settings.

  10. Click Network Adapter 3, click the Network label drop-down menu, select Remote Port Mirror 2, and then click OK.

  11. Repeat steps 2 through 10 to add a fourth vSwitch.

  12. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring Both Intra-VM and External Mirrored Traffic to the VM (EH2000v or EH6100v)

In this scenario, you can monitor a mix of intra-VM and external mirrored traffic on up to three virtual interfaces.

  1. To monitor intra-VM traffic on one or more virtual interfaces, create a VM port group on the default virtual switch of the ESX host for each interface as described in Monitoring Intra-VM Traffic on page 18.

  2. To monitor external mirrored traffic on one or more virtual interfaces, create a physical network interface and corresponding vSwitch for each interface as described in Monitoring External Mirrored Traffic to the VM on page 23.

  3. Click Network Adapter x and select an option from the Network label drop-down list for each interface.

  4. Click OK when finished.

    The following is an example of the configuration for monitoring both intra-VM and external mirrored traffic on the EH2000.

Mirroring VLANs

To mirror VLANs, you must either set the destination port on the port mirror configuration to VLAN Trunking or set the exact VLAN ID on the ports of the VLANS you are mirroring.

To set a port group to VLAN Trunking:

  1. Right-click the port group and click Edit Settings.

  2. In the tree control, select VLAN.

  3. In the VLAN type field, enter VLAN Trunking.

  4. In the VLAN trunk range field, enter 1-4094. (Zero and 4095 are invalid options.)

  5. Click OK.

To set a specific port:

  1. Right-click the port group and select Edit Settings.

  2. In the tree control, select Advanced.

  3. Click Edit Override Settings.

  4. In the Port Group Override Settings dialog box, click the Yes radio button next to VLAN.

  5. Click OK and close the settings window.

  6. Click the Ports tab.

  7. Right-click the port you want to mirror to and select Edit Settings.

  8. In the tree control, select VLAN in the tree control.

  9. In the VLAN type field, enter VLAN Trunking.

  10. In the VLAN trunk range field, enter 1-4094. (Zero and 4095 are invalid options.)

  11. Click OK.

Remote Switched Port Analyzer (RSPAN)

Before performing the procedures in this section, you must download and install the vSphere Web Client and the VMware Client Integration plugin. These procedures require an uplink port (HW NIC) attached to the switch (preferably one that is not used for general network traffic). Direct access to the iDRAC console is preferred.

To configure RSPAN, complete the following steps:

  1. Create a Virtual Distributed Switch (VDS).
  2. Add port groups to the VDS.
  3. Add the host to the VDS.
  4. Migrate the host to the VDS.
  5. Add uplink ports to the VDS.
  6. Configure the port mirror.
  7. Associate a physical NIC to the uplink port.
  8. Note: While the above steps are required for RSPAN configuration, most deployments have completed the first four steps prior to installing the ExtraHop system.

Create a VDS

  1. Log in to the vSphere web client version 5.1.

  2. In the left panel, click Distributed Switches.

  3. Above the list of switches, click the Create a new distributed switch icon.

  4. In the New Distributed Switch window, enter a name for the switch, select the destination server, and click Next.

  5. Select the distributed switch version and click Next.

  6. Edit the following settings:

    1. Set the Number of uplinks to two or more.

    2. Click the Network I/O Control drop-down list and select one of the following options.

      • Disabled: SPAN traffic on a dedicated NIC. (Recommended)

      • Enabled: SPAN traffic on the same NIC as your monitored traffic. (Not recommended)

  7. Deselect the Create a default port group checkbox.

  8. Enter a name in the Port group name field.

  9. Click Next.

  10. Verify your settings and click Finish.

  11. In the left panel, click the VDS to see the uplinks you created in the main panel.

  12. Connect the uplink ports to physical NICs.

Add Port Groups to the VDS

It is best practice to add port groups immediately after creating the VDS so that migration of the host and its interfaces will be easier.

  1. Click the Create a new distributed port group icon.

  2. In the New Distributed Port Group window, enter a name for the port group and click Next.

  3. Configure the following settings:

    1. Click the Port binding drop-down list and select Static binding.

    2. Click the Port allocation drop-down list and select Fixed.

    3. In the Number of ports field, enter the number of ports you want to connect.

    4. Use the default settings for the remaining items.

    5. Click Next.

  4. Verify your settings and click Finish.

  5. The new port group appears on the Manage tab.

  6. Repeat these steps for the port group(s) containing monitored traffic.

Add a Host to the VDS

Skip this procedure if all the hosts have already been added to the cluster.

It is best practice to dedicate one uplink for management and one for spanning.

  1. In the left panel tree control, click the switch.

  2. Click the Manage tab.

  3. Click Settings.

  4. Click the Add Hosts icon.

  5. In the Add and Manage Hosts dialog box, click the Add Hosts radio button and click Next.

  6. Click the green + icon to add a host.

  7. In the list of available hosts, select the checkbox next to the host and click OK.

  8. Select the host from the list and click Next.

  9. Select the checkboxes next to the network adapters you want to add to the host and click Next.

  10. Assign one of the NICs to the management port group.

    1. Select the network adapter from the list and click the Assign Port Group icon.

    2. In the Select Network pop-up window, select the port group to assign to the network adapter for managment.

    3. Assign one of the NICs to the monitoring port group.

  11. Select the network adapter from the list and click the Assign Port Group icon.

  12. In the Select Network pop-up window, select the port group to assign to the network adapter for monitoring.

  13. Once you have assigned each adapter to a Destination Port Group (far right column), click Next.

  14. On the Validate Changes screen, check that the status has passed and click Next.

  15. Select the Migrate Virtual Machine Networking checkbox and the list of virtual machines appears.

  16. Click the Assign Port Group icon and assign a network adapter for management and a network adapter for monitoring, and click Next.

  17. Verify your settings and click Finish.

  18. View the progress bar in the right panel and wait for the system to add the host.

    Refer to the following example configuration.

Migrate the Host to the VDS

  1. Browse to the vCenterBrowse to the vCenter’s Networking Tree Control.

  2. Select the vDS you are modifying.

  3. Click the Manage tab.

  4. Click the Settings tab.

  5. Go to the sidebar and click Topology.

Configure a Port Mirror on a Virtual Distributed Switch

The ExtraHop virtual appliance can be deployed in environments with multiple ESX servers connected with a virtual distributed switch (VDS). This procedure includes configuring a port mirror to view traffic on a VDS, using the local switch configuration to view external traffic, and using the ExtraHop virtual appliance to do a combination of both.

This guide assumes that the ExtraHop is deployed on an ESX host managed by vCenter with a VDS already configured. For more information about virtual distributed switches, refer to http://www.vmware.com/products/datacenter-virtualization/vsphere/distributed-switch.html.

Port mirroring with VMware requires that the source port and destination port be on the same ESX host, so an ExtraHop virtual appliance must be on each host that has mirrored ports. The following diagram describes which traffic type is mirrored based on the mirror's destination port's host location.

Note: To mirror VLANs, you must either set the destination port on the port mirror configuration to VLAN Trunking or set the exact VLAN ID on the ports of the VLANS you are mirroring. Refer to Mirroring VLANs on page 33 for detailed instructions.

To configure a port mirror on a VDS:

  1. Access the vCenter’s distributed switch.

    1. Using vSphere, log in to the vCenter.

    2. Under Inventory, click Networking, and select the VDS you want to monitor.

  2. (Optional) Create a new port group. ExtraHop recommends creating a port group to keep all ports related to monitoring in one port group.

    1. Right-click the name of the VDS and select New Port Group.

    2. Give it a name and choose the number of ports you want to make available. The default is 128, but ExtraHop recommends that you set this number lower to reflect the likely number of traffic mirroring ports.

  3. Assign the ExtraHop VM to the port group.

    1. Change the Inventory setting to Hosts and Clusters.

    2. Right-click the ExtraHop VM on the ESX host and select Edit Settings.

    3. Change the Ethernet 2 (capture port) setting to the new port group and click OK.

  4. Verify the VM and port group assignment.

    1. Return to the Networking section and select Monitor Port Group.

    2. Click the Ports tab. The ExtraHop monitor interface is displayed and assigned to a port.

    3. Note the port ID for use later (282 in the example below). This will be the destination for the port mirror configuration.

  5. Find the set of source ports. The source ports can be a range or specific ports, but they cannot be uplink ports and there can be no gaps in the range. Ports can be unassigned, but they have to exist. To find the ports you want to use, select the vDS in the tree control and click the Ports tab. If you only want to send ports from specific port groups, you can view the ports associated to each port group.)

    The ports below are sorted by name to show all the Uplink ports and to ensure that these ports are not in range. Note the range.

  6. Configure the port mirror.

    1. Right-click the name of the vDS and select Edit Setting.

    2. In the Settings dialog box, click the Port Mirroring tab.

    3. Click Add, enter a name, and then complete the Port Mirror Wizard.

    4. Choose the source ports.

    5. Select the destination port using the port associated with ExtraHop.

    6. Review the results and click Finish.

    7. Click OK to push the changes to the ESX servers.

    8. All ports in the source list that are on the same physical ESX host as the destination port will be monitored. Traffic on ESX hosts remote to the destination port will not be monitored unless the ESX hosts communicate with ports mirrored on the destination's host.

      The ExtraHop virtual appliance will now monitor all data going in and out of each port on the active ports you have defined. Check for errors in the status pane at the bottom of the screen, and if necessary, repeat the setup in the Port Mirror Wizard.

      The following cases may cause errors during setup:

      • Non-instantiated ports in the range.

      • Ports that are Uplink ports for the source.

      • Source or destination ports that have the promiscuous flag enabled.

      • Destination assignments to an already-assigned destination.

      • More than 4000 ports in your source list. (In this case, the Port Mirror Wizard errors out and you will need to recreate the mirror setup with a smaller range.)

        To send more ports, edit the current port mirror. If the port count for that port mirror is over 4000, ExtraHop recommends using an EH2000v to associate another interface from the VM to the monitor port group and creating a separate mirror for that interface. Sending different ports to different capture ports is not recommended because traffic between the mirrored source ports might not be complete or might result in multiple devices.

For each host, designate the physical VMNIC to associate with the new uplink port to be used with port mirroring.

  1. Browse to the vCenter's hosts tree control and select Hosts.

  2. Select the host you want to configure.

  3. Select the Manage tab and click Networking.

  4. In the left pull-out tree control, select Virtual Switches and select your VDS from the list.

  5. Click the Add host networking icon.

  6. In the Add Networking pop-up window, select the Physical Network Adapter radio button, and click Next.

  7. On the Select target device screen, click Browse.

  8. In the Select Switch pop-up window, select the VDS, and click OK.

  9. Click Next.

  10. Select the uplink port and click the green + icon.

  11. Click the Uplink port drop-down list, click Span Out, select the VMNIC, and click OK.

  12. Click Next.

  13. Verify your settings and click Finish.

  14. Repeat these steps for each host in your VDS.

    Refer to the following example showing uplink ports with physical NICs associated with them.

Encapsulated Remote Switched Port Analyzer (ERSPAN)

The Encapsulated Remote Switched Port Analyzer (ERSPAN), or remote port mirror, allows you to collect data on multiple network interfaces or VLANs and then send the data to one or more destinations.

When you configure ERSPAN, the source and destination must have an IP address on the same subnet and share a dedicated VLAN for ERSPAN. The following is an example of an ERSPAN configuration:

Configuring ERSPAN with the Nexus 1000V

To configure ERSPAN on an ExtraHop appliance, complete the following steps.

  1. Log in to the Admin UI (https://<extrahop_ip>/admin).

  2. Go to the Network Settings section and click Connectivity.

  3. Go to the Interface 1 section and click Change.

  4. On the Network Settings for Interface 1 page, click the Interface Mode drop-down list and select Management Port + RPCAP/ERSPAN Target.

  5. Complete the remaining fields and click Save.

  6. Depending on your configuration, set or disable the remaining interfaces.

    Note: For more information about setting up the network interfaces, refer to the Connectivity section of the ExtraHop Admin UI Users Guide.

  1. Log in to your virtual supervisor module (VSM).Determine virtual Ethernet hosts that you want to monitor.

    Switch# Show int virt
  2. Enter config mode.

    Switch# config terminal
  3. Create new monitor session aka, a port mirroring session

    switch(config)# monitor session 1 type erspan-source
  4. Enter the ExtraHop ERSPAN target IP.

    switch(config-erspan-src)# destination ip 10.10.247.93
  5. Set an ERSPAN ID.

    switch(config-erspan-src)# erspan-id 1
  6. Set the MTU to 9000.

    switch(config-erspan-src)# mtu 9000

    Note: To minimize the chance of drops, set the ERSPAN MTU as high as possible. On the Cisco Nexus 1000V, change the default MTU of 1500 to the current max of 9000. In addition, consider turning off TCP segmentation offloading on the operating systems involved in forwarded communication.

  7. Add data sources.

    • The following example shows data being taken from a guest.

      switch(config-erspan-src)# source interface vethernet 3-5 both

      In this example, both means the VM is both sending and receiving data.

    • The following example shows data being taken from all traffic received by the VLAN.

      switch(config-erspan-src)# source vlan 1010 rx
  8. Enable the monitoring session.

    switch(config-erspan-src)# no shut
  9. Exit from ERSPAN source to config mode.

    switch(config-erspan-src)# exit
  10. Exit config mode to the enable prompt

    switch(config)# exit
  11. Save your changes.

    switch# copy running-config startup-config
  12. Check the settings.

    switch# show monitor session 1

    A functioning monitoring session will look similar to this example.

    session 1
    ---------------
    type : erspan-source
    state : up
    source intf :
    rx : Veth3 Veth4 Veth5
        tx : Veth3 Veth4 Veth5
    	both : Veth3 Veth4 Veth5
    source VLANs :
    	rx : 1010
    	tx :
    	both :
    source port-profile :
    	rx :
    	tx :
    	both :
    filter VLANs : filter not specified
    destination IP : 10.10.247.93
    ERSPAN ID : 1
    ERSPAN TTL : 64
    ERSPAN IP Prec. : 0
    ERSPAN DSCP : 0
    ERSPAN MTU : 9000
    ERSPAN Header Type: 2
  13. Log in to the ExtraHop Web UI (https://<extrahop_ip>/extrahop) to view wire data.

Configuring ERSPAN with VMware

This procedure is for use with VMware vCenter 5.1 and later.

To configure ERSPAN on an ExtraHop appliance, complete the following steps.

  1. Log in to the Admin UI (https://<extrahop_ip>/admin).

  2. Go to the Network Settings section and click Connectivity.

  3. Go to the Interface 1 section and click Change.

  4. On the Network Settings for Interface 1 page, click the Interface Mode drop-down list and select Management Port + RPCAP/ERSPAN Target.

  5. Complete the remaining fields and click Save.

  6. Depending on your configuration, set or disable the remaining interfaces.

    Note: For more information about setting up the network interfaces, refer to the Connectivity section of the ExtraHop Admin UI Users Guide.

  1. Open vCenter and navigate to the virtual distributed switch (vDS) from which you want to monitor traffic.

  2. Click the Manage tab, click Settings, and click Port Mirroring.

    Select a port mirroring session with Encapsulated Remote Mirroring (L3) Source enabled and click Edit. For more information about creating a port mirroring session, refer to vSphere documentation.

  3. In the Properties section, click the Status drop-down list and select Enabled.

  4. In the Sources section, create a source port with a port ID, host, connectee, and traffic direction.

  5. In the Destinations section, click the green + sign to add IP addresses to receive the traffic.

  6. Click OK to save the changes and exit the editor window.

    Note: Consider turning off TCP segmentation offloading on the operating systems involved in forwarded communication.

  7. Log in to the ExtraHop Web UI (https://<extrahop_ip>/extrahop) to view wire data.

Software Tap

A software tap forwards traffic from any host to ExtraHop. A software tap is conceptually similar to a physical network tap, but implemented in software. In these topics and the industry, this software is alternately referred to as a packet forwarder, or sometimes RPCAP, which stands for Remote Packet Capture.

To use the software tap, ensure the following:

  • You have administrative access to servers you want to monitor.
  • You are running a 64-bit Linux or Windows OS. If you are using Windows, you are using Windows Server 2008 R2 or 2012.

To ensure proper functionality of the ExtraHop virtual appliance:

Install the Software Tap on a Linux Server

You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system. You can retrieve the commands from the procedures in this section or the ExtraHop Admin UI: https://<discover_ip_address>/admin/capture/rpcapd/linux/. The bottom of the ExtraHop Admin UI page contains links to automatically download the software tap.

Debian-Based Systems

To download and install the software tap on Debian-based systems:

  1. Run one of the following commands to download the software tap on the server:

    wget --no-check-certificate 'https://<extrahop_ip_address>/tools/rpcapd_<extrahop_firmware_version>_amd64.deb'
    curl -Ok 'https://<discover_ip_address>/tools/rpcapd_<extrahop_firmware_version>_amd64.deb'

    Where <extrahop_ip_address> is the interface 1 (management) IP address and <extrahop_firmware_version> is the firmware version.

  2. Run the following command to install and run the software tap on the server:

    sudo dpkg -i rpcapd_<extrahop_firmware_version>_amd64.deb
  3. At the prompt, enter the ExtraHop IP address, confirm the default connection to port 2003, and press ENTER.

  4. (Optional) Run the following commands to verify the ExtraHop system is receiving traffic:

    sudo dpkg --get-selections | grep rpcapd
    sudo service rpcapd status
  5. (Optional) Run the following command to change the ExtraHop IP address, port number, or arguments to the service:

    sudo dpkg-reconfigure rpcapd

RPM-Based Systems

To download and install the software tap on RPM-based systems:

  1. Run one of the following commands to download the software tap on the server:

    wget --no-check-certificate 'https://<extrahop_ip_address>/tools/rpcapd-<extrahop_firmware_version>.x86_64.rpm'
    curl -Ok 'https://<extrahop_ip_address>/tools/rpcapd-<extrahop_firmware_version>.x86_64.rpm'

    Replace <extrahop_ip_address> with the interface 1 (management) IP address.

    Replace <extrahop_firmware_version> with the firmware version.

  2. Run the following command to install and run the software tap on the server:

    sudo rpm -i rpcapd-<extrahop_firmware_version>.x86_64.rpm
  3. Run one of the following commands to open and edit the rpcapd.ini file in a text editor:

    vim /opt/extrahop/etc/rpcapd.ini
    nano /opt/extrahop/etc/rpcapd.ini
  4. Example output:

    #ActiveClient = <TARGETIP>,<TARGETPORT>
    NullAuthPermit = YES

    Replace <TARGETIP> with your ExtraHop system's IP address and <TARGETPORT> with 2003, and uncomment the line by deleting the number sign (#) at the beginning of the line.

    Example output:

    ActiveClient = 10.10.10.10,2003
    NullAuthPermit = YES
  5. Run the following command to start sending traffic to the ExtraHop system:

    sudo /etc/init.d/rpcapd start
  6. (Optional) Run the following command to verify the ExtraHop system is receiving traffic:

    sudo service rpcapd status

Other Linux Systems

To download and install the software tap on another Linux system:

  1. Run one of the following commands to download the software tap on the server:

    wget --no-check-certificate 'https://<extrahop_ip_address>/tools/rpcapd-<extrahop_firmware_version>.tar.gz'
    curl -Ok 'https://<extrahop_ip_address>/tools/rpcapd-<extrahop_firmware_version>.tar.gz'

    Replace <extrahop_ip_address> with the interface 1 (management) IP address.

    Replace <extrahop_firmware_version> with the firmware version.

  2. Run the following commands to install and run the software tap on the server:

    tar xf rpcapd-<extrahop_firmware_version>.tar.gz
    cd rpcapd
    sudo ./install.sh <extrahop_ip> 2003
  3. (Optional) Run the following command to verify the ExtraHop system is receiving traffic:

    sudo /etc/init.d/rpcapd status

To run the software tap on servers with multiple interfaces, refer to Monitoring Multiple Interfaces on a Linux Server on page 72.

Install the Software Tap on a Windows Server

You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system. To download and install the software tap:

  1. Go to https://<extrahop_ip_address>/admin/capture/rpcapd/windows/ to download the RPCAP Service for Windows installer file.

  2. When the file is finished downloading, click it to open the installer.

  3. In the wizard, select the components to install.

  4. Complete the ExtraHop IP and ExtraHop Port fields and click Next. The default port is 2003.

  5. (Optional) Enter additional arguments in the text box and click Next.

  6. Browse to and select the destination folder to install RPCAP Service.

  7. (Optional) If RPCAP Service was previously installed, click Yes to delete the previous service.

  8. When the installation is complete, click Close.

Monitoring Multiple Interfaces on a Linux Server

For servers with multiple interfaces, you can configure the software tap to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.

To edit the configuration file, complete the following steps.

  1. After installing the software tap, open the configuration file on the server: /opt/extrahop/etc/rpcapd.ini

    The configuration file contains this text or similar:

    ActiveClient = 10.0.0.100,2003
    NullAuthPermit = YES
  2. Modify the existing ActiveClient line and create an ActiveClient line for each additional interface to be monitored. Specify each interface by its interface name or IP address.

    ActiveClient = <extrahop_ip>, <extrahop_port>, ifname=<interface_name>

    or

    ActiveClient = <extrahop_ip>, <extrahop_port>, ifaddr=<interface_address>

    <interface_name> is the name of the interface from which you want to forward packets.

    <interface_address> specifies the IP address of the interface from which the packets are forwarded. <interface_address> may be either the IP address itself, such as 10.10.1.100, or a CIDR specification (network IP address/subnet prefix length) that contains the IP address, such as 10.10.1.0/24.

    For every ActiveClient line, the software tap independently forwards packets from the interface specified in the line.

    The following is an example of the configuration file specifying two interfaces using the interface name:

    ActiveClient = 10.10.6.45, 2003, ifname=eth0
    ActiveClient = 10.10.6.45, 2003, ifname=eth1
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.100
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.100
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using CIDR specifications that contain the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.0/24
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.0/24
    NullAuthPermit = YES
  3. Save the configuration file. Make sure to save the file in ASCII format to prevent errors.

  4. Restart the software tap by running the command

    sudo /etc/init.d/rpcapd restart
    Note: To reinstall the software tap after changing the configuration file, run the installation command and replace <extrahop_ip> and <extrahop_port> with the –k flag in order to preserve the modified configuration file. For example:
    sudo sh ./install-rpcapd.sh –k

Monitoring Multiple Interfaces on a Windows Server

For servers with multiple interfaces, you can configure the software tap to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.

To edit the configuration file, complete the following steps.

  1. After installing the software tap, on the server, open the configuration file: C:\Program Files\rpcapd\rpcapd.ini

    The configuration file contains this text or similar:

    ActiveClient = 10.0.0.100,2003
    NullAuthPermit = YES
  2. Modify the existing ActiveClient line and create an ActiveClient line for each additional interface to be monitored. Specify each interface by its interface name or IP address. For every ActiveClient line, the software tap will independently forward packets from the interface specified in the line:

    ActiveClient = <extrahop_ip>, <extrahop_port>, ifname=<interface_address>

    or

    ActiveClient = <extrahop_ip>, <extrahop_port>, ifaddr=<interface_name>

    <interface_address> specifies the IP address of the interface from which the packets are forwarded. <interface_address> may be either the IP address itself, such as 10.10.1.100, or a CIDR specification (network IP address/subnet prefix length) that contains the IP address, such as 10.10.1.0/24.

    <interface_name> is the name of the interface from which the packets are forwarded. The name is formatted as \Device\NPF_{<GUID>}, where <GUID> is the globally unique identifier (GUID) of the interface. For example, if the interface GUID is 2C2FC212-701D-42E6-9EAE-BEE969FEFB3F, the interface name is \Device\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F}.

    The following is an example of the configuration file specifying two interfaces using the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.100
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.100
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using CIDR specifications that contain the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.0/24
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.0/24
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using the interface name:

    ActiveClient = 10.10.6.45, 2003, ifname=\Device\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F}
    ActiveClient = 10.10.6.45, 2003, ifname=\Device\NPF_{3C2FC212-701D-42E6-9EAE-BEE969FEFB3F}
    NullAuthPermit = YES
  3. Save the configuration (.ini) file. Make sure to save the file in ASCII format to prevent errors.

  4. Restart the software tap by running the command

    restart-service rpcapd
    Note: To reinstall the software tap after changing the configuration file, run the installation command and replace –RpcapIp and –RpcapPort with the -KeepConfig flag in order to preserve the modified configuration file. For example:
    .\install-rpcapd.ps1 -MgmtIp <extrahop_ip> -KeepConfig

    or

    .\install-rpcapd.ps1 –InputDir . -KeepConfig

Configuring Additional RPCAP Settings

By default, the ExtraHop system accepts forwarded packets on port 2003. The servers using the software tap are directed to forward all traffic as denoted by the wildcard (*) in the Interface Address column.

(Optional) To specify another port, complete the following steps.

  1. Go to the RPCAP Settings section and click Change.

  2. Change and modify the settings on the Add RPCAP Port Definition page.

  • Port: Specifies the listening port on the ExtraHop system. Each port must be unique for each interface subnet on the same server. Different subnets across servers are able to use the same port.

  • Interface Address: Specifies a subnet on the packet-forwarding server. If the server has multiple interfaces that match the interface address, the first interface on the server sends traffic to the ExtraHop system unless the interface name is specified.

  • Interface Name: Indicates the interface on the packet-forwarding server from which to forward packets.

    Note: You must specify an interface address or an interface name. If you specify both, then both criteria will apply.
  • Filter: Specifies the traffic to forward using Berkeley Packet Filter syntax. For example, TCP port 80 forwards only TCP traffic on port 80, and not TCP port 80 forwards only non-TCP traffic on port 80.

Analyzing Wire Data from a Software Tap

To find out how much wire data the ExtraHop system is receiving from the software tap:

  1. Log in to the ExtraHop Web UI (https://<extrahop_ip>/extrahop) and click the Settings button.

  2. Click System Health to get more information about the forwarded traffic. This page displays a Packets and Throughput graph for each software tap connected to the ExtraHop system.

  3. The RPCAP Packets and Throughput graphs contain four metrics:

    • Encapsulation: The total number of RPCAP encapsulation packets received by the ExtraHop system.

    • Tunnel Eligible: Total number of packets eligible to be forwarded to the ExtraHop system.

    • Tunnel Sent: Total number of RPCAP-tunneled packets forwarded to the ExtraHop system.

    • Tunnel Received: Total number of RPCAP-tunneled packets received by the ExtraHop system.

    The tunnel eligible, tunnel sent, and tunnel received values are equal if the ExtraHop system is receiving and processing all the packets sent by the server. If they are not equal, use the following reference for troubleshooting:

    • If Tunnel Sent is less than Tunnel Eligible, the server is not able to forward all of the traffic. This behavior may indicate that packet forwarding requires more processing or outbound bandwidth resources on the server. Consider separating the forwarding process onto a separate CPU or allocating a dedicated interface for forwarding traffic.

    • If Tunnel Received is less than Tunnel Sent, the ExtraHop system is not receiving all the traffic forwarded by the server. This behavior may be due to network congestion or insufficient resources on the ExtraHop system. If you suspect it is the latter, contact ExtraHop Support.

  4. Once you have verified that the ExtraHop system is receiving traffic, exit the System Health page and view metrics in the ExtraHop Web UI.

Removing the Software Tap from a Linux Server

To remove the software tap, run the commands in one of the following sections.

Debian-Based Systems

To stop and remove the software tap from a Debian-based Linux server, run the following commands:

sudo service rpcapd stop
sudo dpkg -r rpcapd
sudo dpkg --get-selections | grep rpcapd

You can also set the -P flag to completely remove the package from your system.

RPM-Based Systems

To stop and remove the software tap from a RPM-based Linux server, run the following commands:

service rpcapd stop
rpm -e rpcapd-<extrahop_firmware_version>.x86_64

Generic/Other Linux Systems

To stop and remove the software tap from another Linux server, run the following commands:

sudo /etc/init.d/rpcapd stop
sudo update-rc.d -f rpcapd remove
sudo rm -rf /opt/extrahop
sudo rm -f /etc/init.d/rpcapd

Removing the Software Tap from a Windows Server

To remove the software tap from a Windows server or your Windows desktop:

  1. Go to the Start Menu and select Control Panel.

  2. Select Uninstall a program.

  3. Select RPCAP Service for Windows.

  4. In the pop-up dialog box, click Remove.

  5. When the removal is complete, click Close.

Appendix

This section includes reference material you may find helpful.

Interface Configuration Options

Note: If a node is a member of a Command cluster, you must remove the node from the cluster before you can configure Interface 1 settings.

EH1000v

  Default Configuration Optional Configuration
Interface 1 Management Port Management Port + RPCAP/ERSPAN Target
Interface 2 Monitoring Any*
Throughput 1 Gbps 1 Gbps

EH2000v

  Default Configuration Optional Configuration
Interface 1 Management Port Management Port + RPCAP/ERSPAN Target
Interface 2 Monitoring Any*
Interface 3 Monitoring Any*
Interface 4 Monitoring Any*
Throughput 3 Gbps 3 Gbps

EH6100v

  Default Configuration Optional Configuration
Interface 1 Management Port Management Port + RPCAP/ERSPAN Target
Interface 2 Monitoring Any*
Interface 3 Monitoring Any*
Interface 4 Monitoring Any*
Throughput 10 Gbps 10 Gbps

*Refers to one of the following options:

  • Management + RPCAP/ERSPAN
  • Management Only
  • Monitoring
  • Disabled
Note: If you configure RPCAP/ERSPAN on multiple interfaces, each interface must be on its own subnet.

Network Mirroring with VMware

Depending upon the version of VMware you're running, you have these network mirroring capabilities:

VMware 4.0

  • Run a group of interfaces in Promiscuous mode on single host

  • Receive traffic through a port mirror

  • Mirror traffic by creating port groups and vSwitches in Promiscuous mode

  • Receive traffic through an external port mirror with a dedicated physical interface in Promiscuous mode

VMware 5.0, 5.1, 5.5 and 6.0

  • Run a group of interfaces in Promiscuous mode on single host

  • Receive traffic through a port mirror

  • Mirror traffic by creating port groups and vSwitches in Promiscuous mode

  • Receive traffic through a port mirror with a VDS

VMware 5.1, 5.5 and 6.0

  • RSPAN

  • ERSPAN

OVA Package Overview

ExtraHop distributes virtual appliances as preconfigured virtual machines optimized to work with supported hypervisors.

Note: OVF refers to a folder with files that define a preconfigured virtual machine. OVA refers to a single-archive file that contains the zipped contents of the OVF folder. Hyper-V uses a proprietary file format, not the OVA file format.

EH1000v

  • 2 CPUs

  • 4 GB RAM

  • Datastore 1: One 4 GB disk, thick-provisioned

  • Datastore 2: One 42 GB disk, thick-provisioned

  • Two network interfaces

    • One bridged network interface for management

    • One network interface for port mirroring or capturing traffic from the VM switch

EH2000v

  • 6 CPUs

  • 6 GB RAM

  • Datastore 1: One 4 GB disk, thick-provisioned

  • Datastore 2: One 250 GB disk, thick-provisioned

  • Four network interfaces

    • One bridged network interface for management

    • Three network interfaces for port mirroring or capturing traffic from the VM switch

EH6100v

  • 16 CPUs

  • 64 G RAM

  • Datastore 1: One 4 GB disk, thick-provisioned

  • Datastore 2: One 1 TB disk, thick-provisioned

  • Four network interfaces

    • One bridged network interface for management

    • Three network interfaces for port mirroring or capturing traffic from the VM switch

Published 2017-09-22 19:13