The Encapsulated Remote Switched Port Analyzer (ERSPAN) enables you to monitor traffic on multiple network interfaces or VLANs and then send the monitored traffic to one or more destinations. The following procedures explain how to configure ERSPAN on an ExtraHop appliance with a vSphere client that is running on a Windows machine.
You must have experience with basic VMware ESX and ESXi administration.
- VMware: Select Port Mirroring Session Type with the vSphere Web Client
- ExtraHop: ExtraHop Admin UI Guide
Note: If you select Interface 1 and the ExtraHop Discover appliance is a node in a Command cluster, you must remove the node from the cluster before you can configure Interface 1 settings.
If you select Interface 1 for management and Interface 2 for ERSPAN, you cannot configure both interfaces on the same subnet.
- From the ExtraHop Admin UI, in the Network Settings, click Connectivity.
- In the Interfaces section, click Interface 1.
- From the Interface Mode drop-down list, select Management Port + RPCAP/ERSPAN Target.
- To enable DHCP, select the checkbox.
- In the IP Address field, type the IP address that you want to assign to the ExtraHop port for ERSPAN traffic.
- In the Netmask field, type the netmask of the ExtraHop appliance.
- In the Gateway field, type the gateway IP address for the ExtraHop appliance.
- Click Save.
- Optional: Disable the remaining interfaces, based on your configuration needs.
- Open vCenter and navigate to the virtual distributed switch (vDS) where you want to monitor traffic.
- Click the Manage tab, and then click Settings.
- Click Port Mirroring.
- Select a port mirroring session with Encapsulated Remote Mirroring (L3) Source enabled, and then click Edit.
For more information about creating a port mirroring session, see your vSphere documentation.
- In the Properties section, from the Status drop-down list, select Enabled.
- In the Sources section, create a source port with the
- In the Destinations section, click the green plus (+) sign to add the IP addresses that should receive the traffic.
- Click OK to save the changes and exit the editor.
Consider turning off TCP segmentation offloading on the operating systems involved in forwarded communication.
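A pre-flight check for the addressing rules in this procedure, as an added example that is not ExtraHop or VMware code: it covers the case where Interface 1 is management and Interface 2 is the ERSPAN target, and also confirms that the port mirroring Destinations list contains the ERSPAN interface address. The function name, dictionary keys and sample addresses are assumptions constructed for illustration, and IPv4 is assumed.

```python
import ipaddress

def check_erspan_plan(mgmt, erspan, mirror_destinations):
    """Return a list of problems in a planned two-interface ERSPAN setup.

    mgmt / erspan: dicts with 'ip', 'netmask' and optional 'gateway', as
    typed into the interface fields. mirror_destinations: IP addresses
    entered in the Destinations section of the port mirroring session.
    """
    problems, ifaces = [], {}
    for name, cfg in (("management", mgmt), ("ERSPAN", erspan)):
        # ip_interface accepts "address/netmask" and derives the subnet.
        iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['netmask']}")
        ifaces[name] = iface
        net = iface.network
        if net.prefixlen <= 30 and iface.ip in (net.network_address,
                                                net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is not a usable host in {net}")
        gw = cfg.get("gateway")
        if gw and ipaddress.ip_address(gw) not in net:
            problems.append(f"{name}: gateway {gw} is outside {net}")
    # Management and ERSPAN interfaces must not share a subnet.
    if ifaces["management"].network.overlaps(ifaces["ERSPAN"].network):
        problems.append("management and ERSPAN interfaces are on the same subnet")
    # The mirrored traffic has to be sent to the ERSPAN interface address.
    dests = {ipaddress.ip_address(d) for d in mirror_destinations}
    if ifaces["ERSPAN"].ip not in dests:
        problems.append(f"no mirroring destination matches {ifaces['ERSPAN'].ip}")
    return problems

# Constructed sample plans (documentation address ranges, not real hosts).
GOOD_PLAN = dict(
    mgmt={"ip": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "192.0.2.1"},
    erspan={"ip": "198.51.100.10", "netmask": "255.255.255.0"},
    mirror_destinations=["198.51.100.10"],
)
BAD_PLAN = dict(
    mgmt={"ip": "192.0.2.10", "netmask": "255.255.255.0", "gateway": "192.0.2.1"},
    erspan={"ip": "192.0.2.200", "netmask": "255.255.255.128", "gateway": "192.0.2.1"},
    mirror_destinations=["198.51.100.10"],
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_erspan_plan(**plan) or "OK")
```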