Configure ERSPAN with VMware

The Encapsulated Remote Switched Port Analyzer (ERSPAN) enables you to monitor traffic on multiple network interfaces or VLANs and then send the monitored traffic to one or more destinations. The following procedures explain how to configure ERSPAN on an ExtraHop appliance with a vSphere client that is running on a Windows machine.

You must have experience with basic VMware ESX and ESXi administration.

For more information, see the following documentation:

Configure the ExtraHop interface settings

Note: If you select Interface 1 and the ExtraHop Discover appliance is a node in a Command cluster, you must remove the node from the cluster before you can configure Interface 1 settings.

If you select Interface 1 for management and Interface 2 for ERSPAN, you cannot configure both interfaces on the same subnet.

  1. From the ExtraHop Admin UI, in the Network Settings, click Connectivity.
  2. In the Interfaces section, click Interface 1.
  3. From the Interface Mode drop-down list, select Management Port + RPCAP/ERSPAN Target.
  4. To enable DHCP, select the checkbox.
  5. In the IP Address field, type the IP address that you want to assign to the ExtraHop port for ERSPAN traffic.
  6. In the Netmask field, type the netmask of the ExtraHop appliance.
  7. In the Gateway field, type the gateway IP address for the ExtraHop appliance.
  8. Click Save.
  9. Optional: Disable the remaining interfaces, based on your configuration needs.
    Note: For more information about setting up network interfaces, see the Connectivity section of the ExtraHop Admin UI Guide.

Configure VMware

  1. Open vCenter and navigate to the virtual distributed switch (vDS) where you want to monitor traffic.
  2. Click the Manage tab, and then click Settings.
  3. Click Port Mirroring.
  4. Select a port mirroring session with Encapsulated Remote Mirroring (L3) Source enabled, and then click Edit.
    For more information about creating a port mirroring session, see your vSphere documentation.
  5. In the Properties section, from the Status drop-down list, select Enabled.
  6. In the Sources section, create a source port with the following fields.
  7. In the Destinations section, click the green plus (+) sign to add the IP addresses that should receive the traffic.
  8. Click OK to save the changes and exit the editor window.
    Consider turning off TCP segmentation offloading on the operating systems involved in forwarded communication.
Log in to the ExtraHop Web UI and view monitored traffic.
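
If no monitored traffic appears, a packet capture taken at the ERSPAN target shows whether the mirror session is delivering encapsulated frames. The following is an added example, not ExtraHop or VMware code: it decodes the GRE and ERSPAN Type II headers from the payload of an IP protocol 47 packet. It assumes Type II encapsulation, and the sample bytes are constructed.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE      # GRE protocol type for ERSPAN Type I/II
GRE_PROTO_ERSPAN_III = 0x22EB  # ERSPAN Type III (recognized, not decoded here)

def parse_erspan(gre: bytes) -> dict:
    """Decode GRE + ERSPAN Type II headers. `gre` is the payload of an
    IP packet with protocol number 47, as seen on the ERSPAN target."""
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto == GRE_PROTO_ERSPAN_III:
        raise ValueError("ERSPAN Type III: not decoded by this example")
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError(f"not ERSPAN: GRE protocol type 0x{proto:04x}")
    off = 4
    # Optional GRE fields appear in this order: checksum (C), key (K), sequence (S).
    if flags & 0x8000:
        off += 4
    if flags & 0x2000:
        off += 4
    if not flags & 0x1000:
        # No sequence number means Type I: the mirrored frame follows GRE directly.
        return {"type": 1, "seq": None, "session_id": None, "vlan": None,
                "frame": gre[off:]}
    if len(gre) < off + 12:
        raise ValueError("truncated sequence number or ERSPAN header")
    seq, word1, word2 = struct.unpack("!III", gre[off:off + 12])
    if word1 >> 28 != 1:
        raise ValueError(f"unexpected ERSPAN version {word1 >> 28}")
    return {
        "type": 2,
        "seq": seq,
        "vlan": (word1 >> 16) & 0x0FFF,   # VLAN of the mirrored frame
        "session_id": word1 & 0x03FF,     # 10-bit ERSPAN session ID
        "index": word2 & 0xFFFFF,         # 20-bit port index
        "frame": gre[off + 12:],          # original Ethernet frame
    }

# Constructed sample: S bit set, sequence 7, VLAN 100, session 5, index 3,
# followed by a dummy 14-byte Ethernet header.
SAMPLE = struct.pack("!HHIII", 0x1000, GRE_PROTO_ERSPAN, 7,
                     (1 << 28) | (100 << 16) | 5, 3) + bytes(14)

if __name__ == "__main__":
    info = parse_erspan(SAMPLE)
    print({k: v for k, v in info.items() if k != "frame"}, len(info["frame"]))
```

A gap in the decoded sequence numbers across consecutive packets indicates mirrored frames lost between the vDS and the target.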
Published 2018-09-10 15:36