Deploy the ExtraHop Discover Appliance with VMware

The ExtraHop virtual appliance can help you to monitor the performance of your applications across internal networks, the public internet, or a virtual desktop infrastructure (VDI), including database and storage tiers. ExtraHop can monitor application performance across geographically distributed environments such as branch offices or virtualized environments using intra-VM traffic.

This guide explains how to install these products on the ESXi/ESX (VMware) platform:

  • EDA 1000v (Monitors up to 250 devices)
  • EDA 2000v (Monitors up to 1000 devices)
  • EDA 6100v (Monitors up to 3000 devices)

We assume you have some experience administering your hypervisor product.

The following diagram shows the high-level steps to install and use the ExtraHop virtual appliance. Installation time is approximately 15 minutes.

Contact us

We value your feedback.

Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.

If you need additional help, contact ExtraHop Support by email or visit the ExtraHop Customer Support Portal at https://www.extrahop.com/support/portal/.

Email: support@extrahop.com

Support Portal Website: https://www.extrahop.com/support/portal/

Telephone:

  • 877-333-9872 (US)
  • +44 (0)203 7016850 (EMEA)
  • +65-31585513 (APAC)

Installation requirements

This section includes hardware and software requirements for the host on which you are installing the ExtraHop virtual appliance.

Disk requirements and recommendations

To ensure proper functionality of the virtual appliance:

  • Always use thick provisioning. The ExtraHop datastore requires low-level access to the complete drive and is not able to grow dynamically with thin provisioning. Thin provisioning can cause metric loss, VM lockups, and capture issues.
  • Do not change the default disk size on initial installation. Using the default disk size ensures correct lookback for ExtraHop metrics and proper system functionality. If your configuration requires a different disk size, contact your ExtraHop representative before changing it.
  • Do not migrate the VM. Although it is possible to migrate when the datastore is on a remote SAN, ExtraHop does not recommend this configuration.

System requirements: EDA 1000v

Installation has the following system requirements:

  • An existing installation of the VMware ESX/ESXi server version 4.0 and later
  • A vSphere client to deploy an OVF file

The following VMware ESX/ESXi server hardware is required for the EDA 1000v:

Processor
2 processing cores with hyper-threading support, VT-x technology, and 64-bit architecture
Memory
4 GB or higher
Disk
46 GB or higher (thick-provisioned)
Network
You can configure the EDA 1000v to monitor intra-VM or external traffic.
Intra-VM
One 1-Gbps Ethernet network port is required (for management). The management port must be reachable on TCP port 443.
External

Two 1-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch.

The VMware ESX server must have supported drivers for these network interfaces. While it is possible to use a 10-Gbps Ethernet network port for the port mirror interface, it is not recommended because the virtual appliance cannot process more than 1 Gbps of traffic.
Registration
For registration purposes, the EDA 1000v requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Command appliance (ECA).
Note: Thick provisioning of disk space is a requirement. The ExtraHop system needs the entire virtual disk space to be available at boot time and not allocated as needed.

System requirements: EDA 2000v

Installation has the following system requirements:

  • An existing installation of the VMware ESX/ESXi server version 4.0 and later
  • A vSphere client to deploy an OVF file

The following VMware ESX/ESXi server hardware is required for the EDA 2000v:

Processor
6 processing cores with hyperthreading support, VT-x technology, and 64-bit architecture
Memory
6 GB or higher
Disk
255 GB or higher (thick-provisioned)
Network
You can configure the EDA 2000v to monitor intra-VM or external traffic.
Intra-VM
One 1-Gbps Ethernet network port is required (for management). The management interface must be reachable on TCP port 443.
External

Two to four 1-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must have supported drivers for these network interfaces.

While it is possible to use a 10-Gbps Ethernet network port for the port mirror interface, it is not recommended because the virtual appliance cannot process more than 3 Gbps of traffic.

Registration
For registration purposes, the EDA 2000v requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Command appliance (ECA).
Note: Thick provisioning of disk space is a requirement. The ExtraHop system needs the entire virtual disk space to be available at boot time and not allocated as needed.

System requirements: EDA 6100v

Installation has the following system requirements:

  • An existing installation of the VMware ESX/ESXi server version 5.1 and later
  • A vSphere client to deploy an OVF file

The following VMware ESX/ESXi server hardware is required for the EDA 6100v:

Processor
16 processing cores (minimum 2.5 GHz clock speed) with hyperthreading support, VT-x technology, and 64-bit architecture
Memory
64 GB or higher
Disk
1 TB or higher (thick-provisioned)
Network
You can configure the EDA 6100v to monitor intra-VM or external traffic.
Intra-VM
One 1-Gbps Ethernet network port is required (for management). The management interface must be reachable on TCP port 443.
External

Two to four 1-Gbps or 10-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must have supported drivers for these network interfaces.

Registration
For registration purposes, the EDA 6100v requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Command appliance (ECA).
Note: Thick provisioning of disk space is a requirement. The ExtraHop system needs the entire virtual disk space to be available at boot time and not allocated as needed.
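The two network requirements that all three appliance sizes share (outbound DNS on UDP port 53 for registration unless an ECA manages the appliance, and TCP port 443 to the management interface) are easy to get wrong on a segmented management network, and a failure only shows up later as a registration error. The following preflight check is an added Python example, not ExtraHop's code. It builds and parses a raw DNS A query itself so that the UDP/53 path is what gets exercised rather than a local stub resolver or cache; the resolver address, the appliance address, and the name looked up (www.extrahop.com) are assumptions to be replaced with your own values.

```python
"""Preflight check for an ExtraHop virtual appliance's management path.

Added example, not ExtraHop's code. It tests the two requirements the
guide lists: outbound DNS on UDP/53 (needed for registration unless an
ECA manages the appliance) and TCP/443 to the management interface.
The DNS query is built and parsed by hand so that the raw UDP/53 path
is what gets exercised, not a local stub resolver or cache.
"""
import random
import socket
import struct


def build_dns_query(name: str, txid: int) -> bytes:
    """Return a standard recursive A/IN query for name with the given id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_dns_response(data: bytes, txid: int) -> list:
    """Return IPv4 addresses from the answer section; raise ValueError if unusable."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    pos = 12
    for _ in range(qdcount):             # skip the echoed question(s)
        pos = _skip_name(data, pos) + 4
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return addrs


def check_dns_udp53(resolver: str, name: str = "www.extrahop.com",
                    timeout: float = 3.0) -> list:
    """Send one query to resolver:53/udp and return the addresses it answers with."""
    txid = random.randint(0, 0xFFFF)     # random id so a stale/spoofed reply is rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_dns_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return parse_dns_response(data, txid)


def check_tcp(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(resolver: str, appliance_ip: str) -> dict:
    """Run both checks; a False value means registration or Admin UI access will fail."""
    results = {}
    try:
        results["dns_udp53"] = bool(check_dns_udp53(resolver))
    except (OSError, ValueError):
        results["dns_udp53"] = False
    results["mgmt_tcp443"] = check_tcp(appliance_ip, 443)
    return results


if __name__ == "__main__":
    import sys
    # Example: python preflight.py 10.10.1.254 10.10.2.14 (addresses are assumptions)
    print(preflight(sys.argv[1], sys.argv[2]))
```

Run it from the network segment the appliance's management adapter will sit on, giving it the resolver you will later pass as the dns_server argument of ip ipaddr. A False dns_udp53 while the operating system's own resolver works usually means a firewall permits only TCP/53 or only a proxy path; the appliance needs the UDP path unless an ECA manages it. A False mgmt_tcp443 after deployment most often points at the network-label mismatch described under Installing the ExtraHop VM.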

Installing the ExtraHop VM

Before you install the ExtraHop virtual appliance, ensure the following:

  • You have downloaded the file for the ExtraHop virtual appliance (this is an OVA file for OVA-aware hypervisor products). If you have not downloaded the file, contact support@extrahop.com.
  • You have the ExtraHop virtual appliance license key provided by ExtraHop. If you do not have a license key, contact support@extrahop.com.
  • You have an existing installation of VMware ESX/ESXi that meets the version requirement listed under Installation requirements for your appliance model.
  • Your host system meets the minimum hardware requirements, and you understand the disk requirements for setting up an ExtraHop appliance.
  • If you are using a software tap, you have administrative access to servers you want to monitor, and you are running a 64-bit operating system (Linux/Windows). If you are using Windows, you must be using Windows Server 2008 R2 or Windows Server 2012 (or later).
  • If you want to use Port Mirroring mode, you have administrative access to any physical or virtual switches that require configuration.

Deploy the OVA file (VMware ESX/ESXi Windows client)

To deploy the OVA file using VMware vSphere Client on a Windows machine, complete the following steps. This procedure assumes you have an existing installation of VMware ESX/ESXi 5.0 or later.

  1. Start the VMware vSphere client and connect to your ESX server.
  2. Click the File menu and select Deploy OVF Template.
  3. Deploy OVF template as detailed below. For most deployments, the default settings are sufficient.
    Source
    Browse to the location of the downloaded OVA file and then click Next.
    OVF Template Details
    Review the details and then click Next.
    Name and Location
    Configure the VM name and location. Give the VM a unique and specific name for the ESX Inventory and then click Next.
    Disk Format
    Select Thick Provision Lazy Zeroed and then click Next.
    Network Mapping
    Map the OVF-configured network interface labels with the correct ESX-configured interface labels and then click Next.
    Ready to Complete
    Verify the configuration, select the Power on after deployment checkbox, and then click Finish to begin the deployment.
    A status dialog box displays the deployment status. When the deployment is complete, you can see the unique name you assigned to the ExtraHop VM instance in the inventory tree for the ESX server to which it was deployed.

    The ExtraHop virtual appliance contains a preconfigured bridged virtual interface with the network label VM Network. If your ESX host uses a different network label, you must reconfigure the network adapter on the ExtraHop virtual appliance before starting it. Refer to Mirroring Internal and External Traffic for information about how to set up port mirroring on an ESX host.

    To use RPCAP mode, configure network adapter 1 to have Internet access for managing the ExtraHop appliance, contacting the license server, and receiving network traffic through a software tap. Network adapter 2 can be optionally configured to receive mirrored network traffic when running in Port Mirroring mode. Refer to Software Tap for more information.

  4. If you are using VMware version 5.1 or earlier, complete the following steps to select the network adapter. Otherwise, proceed to step 5.
    1. Select the Summary tab.
    2. Click Edit Settings, select Network adapter 1, select the correct network label from the Network label drop-down list, and then click OK.
    3. Optional: Select Network adapter 2, select the correct network label from the Network label drop-down list, and then click OK.
  5. Click the ExtraHop virtual appliance in the ESX Inventory and then select the Console tab.
  6. Click the console window and then press ENTER to display the IP address.
  7. Optional: DHCP is enabled by default on the ExtraHop virtual appliance. To configure a static IP address, refer to Configure a Static IP Address.
  8. Log in to the Administration UI (https://<extrahop_ip>/admin).
    To apply a license, refer to Register the Discover Appliance.

Deploy the OVA file (VMware ESXi web client)

To deploy the OVA file using the VMware vSphere web client:

  1. Start the VMware vSphere web client and connect to your ESX server.
  2. Deploy the ExtraHop OVA by following the OVF deployment wizard and accepting the defaults.
  3. When the console opens, wait several minutes for the login prompt, which displays the IP address. DHCP is enabled by default on the ExtraHop virtual appliance. Skip the next step if you do not want to configure a static IP.
  4. Optional: To configure a static IP, log in with the shell user account and the password default.
    extrahop>enable
    Password:
    extrahop#config
    extrahop(config)#int
    extrahop(config-if)#ip ipaddr 10.10.10.10 255.255.0.0 10.10.1.254 8.8.8.8
    extrahop(config-if)#exit
    extrahop(config)*#running_config save
    Would you like to write configuration changes to default config [Y/n]?: y
    extrahop(config)#

    For more information about configuring a static IP address, refer to Configure a Static IP Address.

  5. In VMware ESXi, configure the virtual switch to deliver mirrored traffic to the appliance (see Mirror Wire Data), and then restart the ExtraHop VM so that the change takes effect.
  6. Go to https://<extrahop_ip>/admin/license/register, enter the product key, and click Register. Log in with the user account setup and the password default.
    For more information about applying a license, refer to Register the ExtraHop appliance.
  7. Your ExtraHop system is now ready for use. In the ExtraHop Admin UI, click the ExtraHop icon in the upper left corner to go to the ExtraHop Web UI default Summary dashboard.

Register the ExtraHop appliance

Complete the following steps to apply a product key supplied by ExtraHop Support.

If you do not have a product key, contact support@extrahop.com.

  1. In your browser, type the IP address of the ExtraHop appliance (https://<extrahop_ip_address>/admin).
  2. Review the license agreement, select I Agree, and then click Submit.
  3. On the login screen, type setup for the username.
  4. For the password, select from the following options:
    • For a physical appliance, type the service tag number found on the pullout tab on the front of the appliance.
      Note: The serial number for the EDA 1100 is located on the bottom of the appliance, and displayed in the Appliance info section of the LCD menu.
    • For a virtual appliance, type default.
  5. Click Log In.
  6. In the System Settings section, click License.
  7. Click Manage License.
  8. Click Register.
  9. Enter the product key and then click Register.
  10. Click Done.

(Optional) Configure a static IP address

The ExtraHop virtual appliance is delivered with DHCP enabled. If your network does not support DHCP, no IP address is acquired, and you must configure a static address manually. To configure a static IP address, complete the following steps:

  1. Log in to the console with the shell user account. At the password prompt, type default, and then press ENTER.
  2. To configure the static IP address, run the following commands:
    1. Enable privileged commands:
      enable
    2. At the password prompt, type default, and then press ENTER.
    3. Enter configuration mode:
      configure
    4. Enter the interface configuration mode:
      interface
    5. Run the ip command and specify the IP address and DNS settings in the following format: ip ipaddr <ip_address> <netmask> <gateway> <dns_server>
      For example:
      ip ipaddr 10.10.2.14 255.255.0.0 10.10.1.253 10.10.1.254
    6. Leave the interface configuration section:
      exit
    7. Save the running config file:
      running_config save
    8. Type y and then press ENTER.

Set up automatic restart

You can enable the VM to automatically restart in case of power failure. To set up automatic restart, complete the following steps.

  1. Select the ESX host at the top of the tree control in the left panel.
  2. Click the Configuration tab.
  3. In the Software panel, click Virtual Machine Startup/Shutdown.
  4. Click the Properties link.
  5. In the dialog box, select the Allow virtual machine to start/stop… checkbox.
  6. Highlight the virtual machine and use the Move Up and Move Down buttons to move the virtual machine to the Automatic Startup section.
  7. Click OK.
  8. The virtual machine now restarts automatically when its associated ESX server restarts.

Mirror Wire Data

This section includes procedures for mirroring data to your ExtraHop virtual appliance.

Mirroring internal and external traffic

The ExtraHop virtual appliance can be configured to monitor network traffic in the following network configuration examples. Each example requires a modification to the network configuration of its hypervisor host and uses Network Adapter 1 as the management interface.

Note: Monitoring external network-mirrored traffic requires an external NIC and an associated virtual switch.

Monitoring intra-VM traffic

This scenario requires a second VM port group on the default virtual switch of the ESX host for monitoring traffic within the virtual switch as well as external traffic in and out of the switch.

  1. Start the VMware vSphere client and connect to your ESX server.
  2. Select the ESX host at the top of the tree control in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.

    This view shows how the virtual switch is configured. It displays the physical NIC to which the vSwitch is tied (vmnic0 is eth0) and which networking components are using that vSwitch (VM Network Port Group, Service Console). The VM Network port group contains the VM network.

  3. To add a port group to the vSwitch0, click Add Networking.
    The Add Network Wizard window appears.
  4. Select Virtual Machine as the connection type and then click Next.
  5. In the Network Access step, select Use vSwitch0 and then click Next.
  6. In the Connection Settings step, assign a unique name to the new port group, click the VLAN ID drop-down menu, and select All (VLAN 4095).
  7. Click Next.

    The virtual switch appears as follows:

  8. Click Finish to exit the Add Network Wizard.
  9. Set the new port group to Promiscuous Mode as follows.
    1. Click the Properties link next to vSwitch0. In the vSwitch0 Properties window, select the newly created Port Group (Local Port Mirror in the example below) and click the Edit button.
    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.
    3. Click Close to exit the vSwitch0 Properties window.
  10. Click the Getting Started tab and then click Edit Virtual Machine Settings.
  11. Click Network Adapter 2, click the Network label drop-down menu, select Local Port Mirror, and then click OK.
  12. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring external mirrored traffic to the VM

This scenario requires a second physical network interface and the creation of a second vSwitch associated with that NIC. This NIC then connects to a mirror, tap, or aggregator that copies traffic from a switch. This setup is useful for monitoring the intranet of an office.

  1. Start the VMware vSphere client and connect to your ESX server.
  2. Select the ESX host at the top of the tree control in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.

    This view shows how the virtual switch is configured. It displays the physical NIC to which the vSwitch is tied (vmnic0 is eth0) and which networking components are using that vSwitch (VM Network Port Group, Service Console). The VM Network port group contains the VM network.

  3. To add a second vSwitch, click Add Networking. The Add Network Wizard window appears. Select Virtual Machine as the connection type and then click Next.
  4. In the Network Access step, select Create a vSphere standard switch, ensure vmnic1 is selected, and then click Next.
  5. In the Connection Settings step, assign a unique name to the new port group (Remote Port Mirror in the example below), click the VLAN ID drop-down menu, and select All (VLAN 4095).
  6. Click Next and then click Finish to exit the Add Network Wizard.
  7. The Networking section of the configuration table for the ESX host appears as follows.
  8. Set the Remote Port Mirror to Promiscuous Mode as follows.
    1. Click the Properties link next to vSwitch1. In the vSwitch1 Properties window, select vSwitch and click the Edit button.
    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.
    3. Click Close to exit the vSwitch1 Properties window.
  9. Select the ExtraHop Virtual Appliance at the top of the tree control in the left panel, click the Getting Started tab, and then click Edit Virtual Machine Settings.
  10. Click Network Adapter 2, click the Network label drop-down menu, select Remote Port Mirror, and then click OK.
  11. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring external mirrored traffic to the VM (EDA 2000v or EDA 6100v)

This scenario requires a third and fourth physical network interface and two more vSwitches associated with those NICs. These NICs then connect to a mirror, tap, or aggregator that copies traffic from a switch.

  1. Start the VMware vSphere client and connect to your ESX server.
  2. Select the ESX host at the top of the navigation tree in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.
  3. To add a third vSwitch, click Add Networking. The Add Network Wizard window appears. Select Virtual Machine as the connection type and then click Next.
  4. In the Network Access step, select Create a vSphere standard switch, ensure vmnic2 is selected, and then click Next.
  5. In the Connection Settings step, assign a unique name to the new port group (Remote Port Mirror 2, for example), click the VLAN ID drop-down menu, and select All (VLAN 4095).
  6. Click Next and then click Finish to exit the Add Network Wizard.
  7. The Networking section of the configuration table for the ESX host appears as follows.
  8. Set the Remote Port Mirror to Promiscuous Mode as follows.
    1. Click the Properties link next to vSwitch2. In the vSwitch2 Properties window, select vSwitch and click the Edit button.
    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.
    3. Click Close to exit the vSwitch2 Properties window.
  9. Select the ExtraHop Virtual Appliance at the top of the navigation tree in the left panel, click the Getting Started tab, and then click Edit Virtual Machine Settings.
  10. Click Network Adapter 3, click the Network label drop-down menu, select Remote Port Mirror 2, and then click OK.
  11. Repeat steps 2 through 10 to add a fourth vSwitch, using the next physical NIC (vmnic3, for example) and Network Adapter 4.
  12. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring both intra-VM and external mirrored traffic to the VM (EDA 2000v or EDA 6100v)

In this scenario, you can monitor a mix of intra-VM and external mirrored traffic on up to three virtual interfaces.

  1. To monitor intra-VM traffic on one or more virtual interfaces, create a VM port group on the default virtual switch of the ESX host for each interface as described in Monitoring Intra-VM Traffic.
  2. To monitor external mirrored traffic on one or more virtual interfaces, create a physical network interface and corresponding vSwitch for each interface as described in Monitoring External Mirrored Traffic to the VM.
  3. Click Network Adapter x and select an option from the Network label drop-down list for each interface.

Mirroring VLANs

To mirror VLANs, you must either set the destination port on the port mirror configuration to VLAN Trunking or set the exact VLAN ID on the ports of the VLANs you are mirroring.

Configure Remote Switched Port Analyzer (RSPAN)

Before performing the procedures in this section, you must download and install the vSphere Web Client and the VMware Client Integration plugin. These procedures require an uplink port (HW NIC) attached to the switch (preferably one that is not used for general network traffic). Direct access to the iDRAC console is preferred.

To configure RSPAN, complete the following steps:
Note: While the following steps are required for RSPAN configuration, most deployments have completed the first four steps prior to installing the ExtraHop system.
  1. Create a Virtual Distributed Switch (VDS).
  2. Add port groups to the VDS.
  3. Add the host to the VDS.
  4. Migrate the host to the VDS.
  5. Add uplink ports to the VDS.
  6. Configure the port mirror.
  7. Associate a physical NIC to the uplink port.

Create a VDS

  1. Log in to the vSphere web client version 5.1.
  2. In the left panel, click Distributed Switches.
  3. Above the list of switches, click the Create a new distributed switch icon.
  4. In the New Distributed Switch window, enter a name for the switch, select the destination server, and click Next.
  5. Select the distributed switch version and click Next.
  6. Edit the following settings:
    1. Set the Number of uplinks to two or more.
    2. Click the Network I/O Control drop-down list and select one of the following options.
      Disabled
      SPAN traffic on a dedicated NIC. (Recommended)
      Enabled
      SPAN traffic on the same NIC as your monitored traffic. (Not recommended)

Add port groups to the VDS

It is best practice to add port groups immediately after creating the VDS so that migration of the host and its interfaces will be easier.

  1. Click the Create a new distributed port group icon.
  2. In the New Distributed Port Group window, enter a name for the port group and click Next.
  3. Configure the following settings:
    1. Click the Port binding drop-down list and select Static binding.
    2. Click the Port allocation drop-down list and select Fixed.
    3. In the Number of ports field, enter the number of ports you want to connect.
    4. Use the default settings for the remaining items.
    5. Click Next.
  4. Verify your settings and click Finish.
  5. The new port group appears on the Manage tab.
  6. Repeat these steps for the port group(s) containing monitored traffic.

Add a host to the VDS

Skip this procedure if all the hosts have already been added to the cluster. It is best practice to dedicate one uplink for management and one for spanning.

  1. In the left panel tree control, click the switch.
  2. Click the Manage tab.
  3. Click Settings.
  4. Click the Add Hosts icon.
  5. In the Add and Manage Hosts dialog box, click the Add Hosts radio button and click Next.
  6. Click the green + icon to add a host.
  7. In the list of available hosts, select the checkbox next to the host and click OK.
  8. Select the host from the list and click Next.
  9. Select the checkboxes next to the network adapters you want to add to the host and click Next.
  10. Assign one of the NICs to the management port group.
    1. Select the network adapter from the list and click the Assign Port Group icon.
    2. In the Select Network pop-up window, select the port group to assign to the network adapter for management.
  11. Assign one of the NICs to the monitoring port group.
    1. Select the network adapter from the list and click the Assign Port Group icon.
    2. In the Select Network pop-up window, select the port group to assign to the network adapter for monitoring.
  12. Once you have assigned each adapter to a Destination Port Group (far right column), click Next.
  13. On the Validate Changes screen, check that the status has passed and click Next.
  14. Select the Migrate Virtual Machine Networking checkbox; the list of virtual machines appears.
  15. Click the Assign Port Group icon, assign a network adapter for management and a network adapter for monitoring, and click Next.
  16. Verify your settings and click Finish.
  17. View the progress bar in the right panel and wait for the system to add the host.

    Refer to the following example configuration.

Migrate the host to the VDS

  1. Browse to the vCenter's Networking tree control.
  2. Select the vDS you are modifying.
  3. Click the Manage tab.
  4. Click the Settings tab.
  5. Go to the sidebar and click Topology.

Configure a port mirror on a virtual distributed switch

The ExtraHop virtual Discover appliance can be deployed in environments with multiple ESX servers connected with a virtual distributed switch (VDS). This procedure includes configuring a port mirror to view traffic on a VDS, configuring the local switch to view external traffic, and configuring the ExtraHop virtual Discover appliance to do a combination of both.

This guide assumes that the ExtraHop Discover appliance is deployed on an ESX host managed by vCenter with a VDS already configured. For more information about virtual distributed switches, refer to http://www.vmware.com/products/datacenter-virtualization/vsphere/distributed-switch.html.

Port mirroring with VMware requires the source port and destination port to be on the same ESX host, so an ExtraHop virtual Discover appliance must be on each host that has mirrored ports. The following diagram describes which traffic type is mirrored based on the mirror's destination port's host location.

Note:

To mirror VLANs, you must either set the destination port on the port mirror configuration to VLAN Trunking or set the exact VLAN ID on the ports of the VLANs you are mirroring. Refer to Mirroring VLANs for detailed instructions.

  1. Access the vCenter distributed switch.
    1. Open vSphere and log in to the vCenter.
    2. Under Inventory, click Networking, and select the VDS you want to monitor.
  2. Optional: Create a new port group. We recommend that you create a port group to keep all ports related to monitoring in one port group.
    1. Right-click the name of the VDS and select New Port Group.
    2. Give the port group a name and choose the number of ports you want to make available. The default number of ports is 128, but we recommend that you set this number lower to reflect the likely number of traffic mirroring ports.
  3. Assign the ExtraHop VM to the port group.
    1. Change the Inventory setting to Hosts and Clusters.
    2. Right-click the ExtraHop VM on the ESX host and select Edit Settings.
    3. Change the Network adapter 2 (capture port) setting to the new port group and click OK.
  4. Verify the VM and port group assignment.
    1. Return to the Networking section and select Monitor Port Group.
    2. Click the Ports tab. The ExtraHop monitor interface is displayed and assigned to a port.
    3. Note the port ID for a later step (such as 282 in the example below). This ID will be the destination for the port mirror configuration.
  5. Find the set of source ports. The source ports can be a continuous range of ports or a specific port, but the ports cannot be uplink ports. Ports can be unassigned, but they have to exist. To find the ports you want to assign, select the VDS in the tree control and click the Ports tab. If you only want to send ports from specific port groups, you can view the ports associated with each port group.

    The ports in the figure below are sorted by name to show all the uplink ports and to ensure that these ports are not in range. Note the range.

  6. Configure the port mirror.
    1. Right-click the name of the VDS and select Edit Settings.
    2. In the Settings dialog box, click the Port Mirroring tab.
    3. Click Add, enter a name, and then complete the Port Mirror Wizard.
    4. Choose the source ports.
    5. Select the destination port using the port associated with ExtraHop.
    6. Review the results and click Finish.
    7. Click OK to push the changes to the ESX servers.
      All ports in the source list that are on the same physical ESX host as the destination port will be monitored. Traffic on ESX hosts remote to the destination port will not be monitored unless the ESX hosts communicate with ports mirrored on the destination's host.

      The ExtraHop virtual appliance will now monitor all data going in and out of each port on the active ports you have defined. Check for errors in the status pane at the bottom of the screen, and if necessary, repeat the setup in the Port Mirror Wizard.

      The following cases might cause errors during setup:

      • Non-instantiated ports in the range.
      • Ports that are Uplink ports for the source.
      • Source or destination ports that have the promiscuous flag enabled.
      • Destination assignments to an already-assigned destination.
      • More than 4000 ports in your source list. (In this case, the Port Mirror Wizard errors out and you will need to recreate the mirror setup with a smaller range.)

        To send more ports, edit the current port mirror. If the port count for that port mirror is over 4000, ExtraHop recommends using an EDA 2000v to associate another interface from the VM to the monitor port group and creating a separate mirror for that interface. Sending different ports to different capture ports is not recommended because traffic between the mirrored source ports might not be complete or might result in multiple devices.
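Because the Port Mirror Wizard rejects the whole session on any of the error cases listed above, it pays to validate the source range against the port table before entering it. The following check is an added Python example, not ExtraHop's or VMware's code. It takes a port table of the kind the Ports tab shows, modelled here with constructed fields (port ID, name, whether the port is instantiated, whether it is an uplink, whether the promiscuous flag is set), and returns the usable source ports collapsed into contiguous ranges for the wizard's source field, together with the conditions that would make the wizard fail. The 4000-port limit is the one stated in the text; the port numbers and names are made up.

```python
"""Validate a VDS port-mirror plan against the wizard's failure cases.

Added example, not ExtraHop's or VMware's code. Input is a port table of
the kind the VDS Ports tab shows, modelled with constructed fields; the
checks are the ones the guide lists: uninstantiated ports, uplink ports,
promiscuous source/destination, a reused destination, and more than
4000 sources in one mirror.
"""
from dataclasses import dataclass

MAX_SOURCE_PORTS = 4000   # per-mirror limit stated in the guide


@dataclass(frozen=True)
class VdsPort:
    port_id: int
    name: str
    instantiated: bool
    is_uplink: bool
    promiscuous: bool


def plan_port_mirror(ports, dest_port_id, source_range, used_destinations=()):
    """Return (usable source ids, errors) for mirroring source_range to dest_port_id."""
    by_id = {p.port_id: p for p in ports}
    errors = []
    dest = by_id.get(dest_port_id)
    if dest is None or not dest.instantiated:
        errors.append(f"destination port {dest_port_id} is not instantiated")
    else:
        if dest.is_uplink:
            errors.append(f"destination port {dest_port_id} is an uplink")
        if dest.promiscuous:
            errors.append(f"destination port {dest_port_id} has the promiscuous flag set")
        if dest_port_id in used_destinations:
            errors.append(f"destination port {dest_port_id} is already assigned to a mirror")
    lo, hi = source_range
    sources = []
    for pid in range(lo, hi + 1):
        if pid == dest_port_id:
            continue                      # never mirror the capture port into itself
        port = by_id.get(pid)
        if port is None or not port.instantiated:
            errors.append(f"source port {pid} is not instantiated")
        elif port.is_uplink:
            errors.append(f"source port {pid} ({port.name}) is an uplink")
        elif port.promiscuous:
            errors.append(f"source port {pid} has the promiscuous flag set")
        else:
            sources.append(pid)
    if len(sources) > MAX_SOURCE_PORTS:
        errors.append(f"{len(sources)} source ports exceed the {MAX_SOURCE_PORTS}-port limit; "
                      "split into a second mirror on another capture interface")
    return sources, errors


def to_ranges(port_ids):
    """Collapse port ids into (first, last) ranges for the wizard's source field."""
    ranges = []
    for pid in sorted(port_ids):
        if ranges and ranges[-1][1] == pid - 1:
            ranges[-1] = (ranges[-1][0], pid)
        else:
            ranges.append((pid, pid))
    return ranges


if __name__ == "__main__":
    # Constructed table: ports 0-9, uplinks at 8-9, port 7 never instantiated,
    # the ExtraHop capture adapter on port 3.
    table = [VdsPort(i, f"Uplink {i - 7}" if i >= 8 else f"port {i}", i != 7, i >= 8, False)
             for i in range(10)]
    srcs, errs = plan_port_mirror(table, dest_port_id=3, source_range=(0, 9))
    print(to_ranges(srcs), errs)
```

The ranges returned can all go into one mirror session; only when the source count passes 4000 does the text call for a second capture interface and a separate mirror, and the error list says so explicitly rather than silently truncating.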

Associate a physical NIC with the uplink port

For each host, designate the physical VMNIC to associate with the new uplink port to be used with port mirroring.

  1. Browse to the vCenter's hosts tree control and select Hosts.
  2. Select the host you want to configure.
  3. Select the Manage tab and click Networking.
  4. In the left pull-out tree control, select Virtual Switches and select your VDS from the list.
  5. Click the Add host networking icon.
  6. In the Add Networking pop-up window, select the Physical Network Adapter radio button, and click Next.
  7. On the Select target device screen, click Browse.
  8. In the Select Switch pop-up window, select the VDS, and click OK.
  9. Click Next.
  10. Select the uplink port and click the green + icon.
  11. Click the Uplink port drop-down list, click Span Out, select the VMNIC, and click OK.
  12. Click Next.
  13. Verify your settings and click Finish.
  14. Repeat these steps for each host in your VDS.

    Refer to the following example showing uplink ports with physical NICs associated with them.

Encapsulated Remote Switched Port Analyzer (ERSPAN)

The Encapsulated Remote Switched Port Analyzer (ERSPAN), or remote port mirror, allows you to collect data on multiple network interfaces or VLANs and then send the data to one or more destinations.

When you configure ERSPAN, the source and destination must have an IP address on the same subnet and share a dedicated VLAN for ERSPAN. The following is an example of an ERSPAN configuration:

Configuring ERSPAN with the Nexus 1000V

To configure ERSPAN on an ExtraHop appliance, complete the following steps.

  1. Log in to the Admin UI (https://<extrahop_ip>/admin).
  2. Go to the Network Settings section and click Connectivity.
  3. In the Interfaces section click Interface 1.
  4. On the Network Settings for Interface 1 page, click the Interface Mode drop-down list and select Management Port + RPCAP/ERSPAN Target.
  5. Complete the remaining fields and click Save.
  6. Depending on your configuration, set or disable the remaining interfaces.
    Note: For more information about setting up the network interfaces, refer to the Connectivity section of the ExtraHop Admin UI Guide.
  7. Log in to your virtual supervisor module (VSM). Run the following command to display the virtual Ethernet hosts:
    switch# show int virt
  8. Enter config mode.
    switch# config terminal
  9. Create a new monitor (port mirroring) session.
    switch(config)# monitor session 1 type erspan-source
  10. Enter the ExtraHop ERSPAN target IP.
    switch(config-erspan-src)# destination ip 10.10.247.93
  11. Set an ERSPAN ID.
    switch(config-erspan-src)# erspan-id 1
  12. Set the MTU to 9000.
    switch(config-erspan-src)# mtu 9000
    Note: To minimize the chance of drops, set the ERSPAN MTU as high as possible. On the Cisco Nexus 1000V, change the default MTU of 1500 to the current maximum of 9000. In addition, consider turning off TCP segmentation offloading on the operating systems involved in forwarded communication.
  13. Add data sources.
    • The following example shows data being taken from a guest.
      switch(config-erspan-src)# source interface vethernet 3-5 both

      In this example, both means the VM is both sending and receiving data.

    • The following example shows data being taken from all traffic received by the VLAN.
      switch(config-erspan-src)# source vlan 1010 rx
  14. Enable the monitoring session.
    switch(config-erspan-src)# no shut
  15. Exit from ERSPAN source to config mode.
    switch(config-erspan-src)# exit
  16. Exit config mode to the enable prompt.
    switch(config)# exit
  17. Save your changes.
    switch# copy running-config startup-config
  18. Check the settings.
    switch# show monitor session 1

    A functioning monitoring session will look similar to this example.

    session 1
    ---------------
    type                : erspan-source
    state               : up
    source intf         :
        rx              : Veth3 Veth4 Veth5
        tx              : Veth3 Veth4 Veth5
        both            : Veth3 Veth4 Veth5
    source VLANs        :
        rx              : 1010
        tx              :
        both            :
    source port-profile :
        rx              :
        tx              :
        both            :
    filter VLANs        : filter not specified
    destination IP      : 10.10.247.93
    ERSPAN ID           : 1
    ERSPAN TTL          : 64
    ERSPAN IP Prec.     : 0
    ERSPAN DSCP         : 0
    ERSPAN MTU          : 9000
    ERSPAN Header Type  : 2
  19. Log in to the ExtraHop Web UI (https://<extrahop_ip>/extrahop) to view wire data.
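As an added example (not ExtraHop or Cisco code), the following Python parses the show monitor session output from step 18 and checks it against the values entered in steps 10 through 13: session type and state, destination IP, ERSPAN ID, MTU, and that at least one source is configured. The sample output is constructed to match the page's example.

```python
from typing import Dict, List, Union

# Constructed sample in the layout of the Nexus 1000V "show monitor session 1"
# output above (values match the page's example; not captured from a real switch).
SAMPLE_SESSION = """\
   session 1
---------------
type              : erspan-source
state             : up
source intf       :
    rx            : Veth3 Veth4 Veth5
    tx            : Veth3 Veth4 Veth5
    both          : Veth3 Veth4 Veth5
source VLANs      :
    rx            : 1010
    tx            :
    both          :
source port-profile :
    rx            :
    tx            :
    both          :
filter VLANs      : filter not specified
destination IP    : 10.10.247.93
ERSPAN ID         : 1
ERSPAN TTL        : 64
ERSPAN IP Prec.   : 0
ERSPAN DSCP       : 0
ERSPAN MTU        : 9000
ERSPAN Header Type: 2
"""

Section = Dict[str, List[str]]


def parse_monitor_session(text: str) -> Dict[str, Union[str, Section]]:
    """Scalar fields map to strings; the three source blocks (source intf,
    source VLANs, source port-profile) map to {"rx": [...], "tx": [...], "both": [...]}."""
    session: Dict[str, Union[str, Section]] = {}
    current = None  # name of the source block whose indented rows we are reading
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("session") or set(stripped) == {"-"}:
            continue  # banner line or the dashed separator
        key, _, value = (s.strip() for s in raw.partition(":"))
        if raw[:1].isspace() and current is not None:
            session[current][key] = value.split()  # indented rx/tx/both row
        elif value == "":
            current = key  # a block header such as "source intf :"
            session[key] = {}
        else:
            current = None
            session[key] = value
    return session


def check_erspan_session(text: str, target_ip: str, erspan_id: int, min_mtu: int = 9000) -> List[str]:
    """Return a list of problems found in the session; an empty list means it matches."""
    s = parse_monitor_session(text)
    problems: List[str] = []
    if s.get("type") != "erspan-source":
        problems.append(f"session type is {s.get('type')!r}, expected 'erspan-source'")
    if s.get("state") != "up":
        problems.append(f"session state is {s.get('state')!r}; run 'no shut' in the erspan-src context")
    if s.get("destination IP") != target_ip:
        problems.append(f"destination IP {s.get('destination IP')!r} is not the ExtraHop target {target_ip}")
    if s.get("ERSPAN ID") != str(erspan_id):
        problems.append(f"ERSPAN ID {s.get('ERSPAN ID')!r} does not match the configured id {erspan_id}")
    mtu = str(s.get("ERSPAN MTU", "0"))
    if not mtu.isdigit() or int(mtu) < min_mtu:
        problems.append(f"ERSPAN MTU {mtu!r} is below {min_mtu}; raise it to reduce drops")
    blocks = ("source intf", "source VLANs", "source port-profile")
    if not any(s.get(b, {}).get(d) for b in blocks for d in ("rx", "tx", "both")):
        problems.append("no sources configured: add 'source interface ...' or 'source vlan ...'")
    return problems
```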

Configuring ERSPAN with VMware

This procedure requires VMware vCenter 5.1 or later.

  1. Log in to the Admin UI (https://<extrahop_ip>/admin).
  2. In the Network Settings section, click Connectivity.
  3. In the Interfaces section click Interface 1.
  4. On the Network Settings for Interface 1 page, click the Interface Mode drop-down list and select Management Port + RPCAP/ERSPAN Target.
  5. Complete the remaining fields and click Save.
  6. Depending on your configuration, set or disable the remaining interfaces.
    Note: For more information about setting up the network interfaces, see the Connectivity section in the ExtraHop Admin UI Guide.
  7. Open vCenter and navigate to the virtual distributed switch (vDS) from which you want to monitor traffic.
  8. Click the Manage tab, click Settings, and click Port Mirroring.

    Select a port mirroring session with Encapsulated Remote Mirroring (L3) Source enabled and click Edit. For more information about creating a port mirroring session, refer to vSphere documentation.

  9. In the Properties section, click the Status drop-down list and select Enabled.
  10. In the Sources section, create a source port with a port ID, host, connectee, and traffic direction.
  11. In the Destinations section, click the green + sign to add IP addresses to receive the traffic.
  12. Click OK to save the changes and exit the editor window.
    Consider turning off TCP segmentation offloading on the operating systems involved in forwarded communication.
  13. Log in to the ExtraHop Web UI (https://<extrahop_ip>/extrahop) to view wire data.

Software Tap

A software tap forwards traffic from any host to ExtraHop. A software tap is conceptually similar to a physical network tap, but implemented in software. In these topics and the industry, this software is alternately referred to as a packet forwarder, or sometimes RPCAP, which stands for Remote Packet Capture.

To implement the software tap, ensure the following:

  • You have administrative access to servers you want to monitor.
  • You are running a 64-bit Linux or Windows OS (Windows Server 2008 R2 or 2012).

To ensure proper functionality of the ExtraHop virtual appliance:

  • Ensure RPCAP is enabled on the ExtraHop virtual appliance. See the Configuring additional RPCAP settings section for optional settings.
  • Install the software tap on the servers sending traffic.
  • Analyze traffic in the ExtraHop Web UI.

Install the software tap on a Linux server

You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system. You can retrieve the commands from the procedures in this section or the ExtraHop Admin UI: https://<discover_ip_address>/admin/capture/rpcapd/linux/. The bottom of the ExtraHop Admin UI page contains links to automatically download the software tap.

Download and install on Debian-based systems

To download and install the software tap on Debian-based systems:

  1. Download the software tap on the server by running one of the following commands:
    • wget --no-check-certificate 'https://<extrahop_ip_address>/tools/rpcapd_<extrahop_firmware_version>_amd64.deb'
      
    • curl -Ok 'https://<extrahop_ip_address>/tools/rpcapd_<extrahop_firmware_version>_amd64.deb'

    Where <extrahop_ip_address> is the Interface 1 (management) IP address and <extrahop_firmware_version> is the firmware version.

  2. Run the software tap on the server by running the following command:
    sudo dpkg -i rpcapd_<extrahop_firmware_version>_amd64.deb
  3. At the prompt, enter the ExtraHop IP address, confirm the default connection to port 2003, and press ENTER.
  4. Optional: Verify the ExtraHop system is receiving traffic by running the following commands:
    sudo dpkg --get-selections | grep rpcapd
    
    sudo service rpcapd status
  5. Optional: To change the ExtraHop IP address, port number, or arguments to the service, run the following command.
    sudo dpkg-reconfigure rpcapd
Download and install on RPM-based systems

To download and install the software tap on RPM-based systems:

  1. Download the software tap on the server by running one of the following commands:
    • wget --no-check-certificate 'https://<extrahop_ip_address>/tools/rpcapd-<extrahop_firmware_version>.x86_64.rpm'
      
    • curl -Ok 'https://<extrahop_ip_address>/tools/rpcapd-<extrahop_firmware_version>.x86_64.rpm'

    Where <extrahop_ip_address> is the IP address for interface 1 (management), and <extrahop_firmware_version> is the firmware version.

  2. Install and run the software tap on the server by running the following command:
    sudo rpm -i rpcapd-<extrahop_firmware_version>.x86_64.rpm
  3. Open and edit the rpcapd.ini file in a text editor by running one of the following commands:
    vim /opt/extrahop/etc/rpcapd.ini
    nano /opt/extrahop/etc/rpcapd.ini
    Example output:
    #ActiveClient = <TARGETIP>,<TARGETPORT>
    NullAuthPermit = YES

    Replace <TARGETIP> with the IP address of the Discover appliance, and <TARGETPORT> with 2003. In addition, uncomment the line by deleting the number sign (#) at the beginning of the line.

    For example:
    ActiveClient = 10.10.10.10,2003
    NullAuthPermit = YES
  4. Start sending traffic to the ExtraHop system by running the following command:
    sudo /etc/init.d/rpcapd start
  5. Optional: Verify the ExtraHop system is receiving traffic by running the following command:
    sudo service rpcapd status
Download and install on other Linux systems
  1. Download the software tap on the server by running one of the following commands:
    • wget --no-check-certificate 'https://<extrahop_ip_address>/tools/rpcapd-<extrahop_firmware_version>.tar.gz'
      
    • curl -Ok 'https://<extrahop_ip_address>/tools/rpcapd-<extrahop_firmware_version>.tar.gz'

    Where <extrahop_ip_address> is the IP address for Interface 1 (management), and <extrahop_firmware_version> is the firmware version.

  2. Install and run the software tap on the server by running the following commands:
    1. Extract the software tap files from the archive file:
      tar xf rpcapd-<extrahop_firmware_version>.tar.gz
    2. Change to the rpcapd directory:
      cd rpcapd
    3. Run the installation script:
      sudo ./install.sh <extrahop_ip> 2003
  3. Optional: Verify the ExtraHop system is receiving traffic by running the following command:
    sudo /etc/init.d/rpcapd status
To run the software tap on servers with multiple interfaces, see Monitoring multiple interfaces on a Linux server.

Install the software tap on a Windows server

You must install the software tap on each server to be monitored in order to forward packets to the ExtraHop system.

  1. Go to https://<extrahop_ip_address>/admin/capture/rpcapd/windows/ to download the RPCAP Service for Windows installer file.
  2. When the file is finished downloading, double-click the file to start the installer.
  3. In the wizard, select the components to install.
  4. Complete the ExtraHop IP and ExtraHop Port fields and click Next. The default port is 2003.
  5. Optional: Enter additional arguments in the text box and click Next.
  6. Browse to and select the destination folder to install RPCAP Service.
  7. If RPCAP Service was previously installed, click Yes to delete the previous service.
  8. When the installation is complete, click Close.

Monitoring multiple interfaces on a Linux server

For servers with multiple interfaces, you can configure the software tap to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.

To edit the configuration file, complete the following steps.

  1. After installing the software tap, open the configuration file, /opt/extrahop/etc/rpcapd.ini.
    The configuration file contains this text or similar:
    ActiveClient = 10.0.0.100,2003
    NullAuthPermit = YES
  2. Modify the existing ActiveClient line and create an ActiveClient line for each additional interface to be monitored. Specify each interface by its interface name or IP address.
    ActiveClient = <extrahop_ip>, <extrahop_port>, ifname=<interface_name>

    or

    ActiveClient = <extrahop_ip>, <extrahop_port>, ifaddr=<interface_address>

    Where <interface_name> is the name of the interface from which you want to forward packets, and <interface_address> is the IP address of the interface from which the packets are forwarded. The <interface_address> variable can be either the IP address itself, such as 10.10.1.100, or a CIDR specification (network IP address/subnet prefix length) that contains the IP address, such as 10.10.1.0/24.

    For every ActiveClient line, the software tap independently forwards packets from the interface specified in the line.

    The following is an example of the configuration file specifying two interfaces by the interface name:

    ActiveClient = 10.10.6.45, 2003, ifname=eth0
    ActiveClient = 10.10.6.45, 2003, ifname=eth1
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces by the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.100
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.100
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces using CIDR specifications that contain the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.0/24
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.0/24
    NullAuthPermit = YES
  3. Save the configuration file. Make sure to save the file in ASCII format to prevent errors.
  4. Restart the software tap by running the command:
    sudo /etc/init.d/rpcapd restart
    Note: To reinstall the software tap after changing the configuration file, run the installation command and replace <extrahop_ip> and <extrahop_port> with the -k flag in order to preserve the modified configuration file. For example:
    sudo sh ./install-rpcapd.sh -k

Monitoring multiple interfaces on a Windows server

For servers with multiple interfaces, you can configure the software tap to forward packets from a particular interface or from multiple interfaces by editing its configuration file on the server.

To edit the configuration file, complete the following steps.

  1. After installing the software tap, on the server, open the configuration file: C:\Program Files\rpcapd\rpcapd.ini
    The configuration file contains this text or similar:
    ActiveClient = 10.0.0.100,2003
    NullAuthPermit = YES
  2. Modify the existing ActiveClient line and create an ActiveClient line for each additional interface to be monitored. Specify each interface by its interface name or IP address.
    ActiveClient = <extrahop_ip>, <extrahop_port>, ifaddr=<interface_address>

    Where <interface_address> is the IP address of the interface from which the packets are forwarded. It can be either the IP address itself, such as 10.10.1.100, or a CIDR specification (network IP address/subnet prefix length) that contains the IP address, such as 10.10.1.0/24.

    or

    ActiveClient = <extrahop_ip>, <extrahop_port>, ifname=<interface_name>

    Where <interface_name> is the name of the interface from which the packets are forwarded. The name is formatted as \Device\NPF_{<GUID>}, where <GUID> is the globally unique identifier (GUID) of the interface. For example, if the interface GUID is 2C2FC212-701D-42E6-9EAE-BEE969FEFB3F, the interface name is \Device\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F}.

    The following is an example of the configuration file specifying two interfaces with the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.100
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.100
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces with CIDR specifications that contain the interface IP address:

    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.1.0/24
    ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.0/24
    NullAuthPermit = YES

    The following is an example of the configuration file specifying two interfaces with the interface name:

    ActiveClient = 10.10.6.45, 2003, ifname=\Device\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F}
    ActiveClient = 10.10.6.45, 2003, ifname=\Device\NPF_{3C2FC212-701D-42E6-9EAE-BEE969FEFB3F}
    NullAuthPermit = YES
  3. Save the configuration (.ini) file. Make sure to save the file in ASCII format to prevent errors.
  4. Restart the software tap by running the command:
    restart-service rpcapd
    Note: To reinstall the software tap after changing the configuration file, run the installation command and replace -RpcapIp and -RpcapPort with the -KeepConfig flag to preserve the modified configuration file. For example:
    .\install-rpcapd.ps1 -MgmtIp <extrahop_ip> -KeepConfig

    or

    .\install-rpcapd.ps1 -InputDir . -KeepConfig
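As an added example serving both the Linux and the Windows multiple-interface procedures above (it is not part of ExtraHop's software tap), the following Python checks an rpcapd.ini before the service is restarted: it parses each ActiveClient line, confirms the target is the expected ExtraHop address and port, validates ifaddr values as an address or CIDR network and Windows ifname values as \Device\NPF_{<GUID>}, flags duplicate interfaces, and verifies the file is ASCII as the procedures require. The two sample files are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample files, not copied from any real server: one Linux, one Windows.
LINUX_INI = """\
ActiveClient = 10.10.6.45, 2003, ifname=eth0
ActiveClient = 10.10.6.45, 2003, ifaddr=10.10.2.0/24
NullAuthPermit = YES
"""
WINDOWS_INI = """\
ActiveClient = 10.10.6.45, 2003, ifname=\\Device\\NPF_{2C2FC212-701D-42E6-9EAE-BEE969FEFB3F}
NullAuthPermit = YES
"""
# Windows interface names take the form \Device\NPF_{<GUID>}
WIN_IFNAME = re.compile(r"^\\Device\\NPF_\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class ActiveClient:
    target_ip: str
    target_port: int
    ifname: Optional[str] = None
    ifaddr: Optional[str] = None


def parse_rpcapd_ini(text: str) -> Tuple[List[ActiveClient], Optional[str]]:
    """Return the ActiveClient entries and the NullAuthPermit value; '#' lines are skipped,
    so a still-commented template line ('#ActiveClient = <TARGETIP>,<TARGETPORT>') yields nothing."""
    clients: List[ActiveClient] = []
    null_auth = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if key == "NullAuthPermit":
            null_auth = value.upper()
        elif key == "ActiveClient":
            parts = [p.strip() for p in value.split(",")]
            if len(parts) < 2 or not parts[1].isdigit():
                raise ValueError(f"line {lineno}: expected ActiveClient = <ip>, <port>[, ifname=..|ifaddr=..]")
            client = ActiveClient(parts[0], int(parts[1]))
            for option in parts[2:]:
                name, _, val = option.partition("=")
                if name == "ifname":
                    client.ifname = val
                elif name == "ifaddr":
                    client.ifaddr = val
                else:
                    raise ValueError(f"line {lineno}: unknown ActiveClient option {name!r}")
            clients.append(client)
    return clients, null_auth


def validate_rpcapd_ini(text: str, extrahop_ip: str, extrahop_port: int = 2003) -> List[str]:
    """Return a list of problems; an empty list means the file is consistent."""
    problems: List[str] = []
    if not text.isascii():  # the procedures require the file to be saved as ASCII
        problems.append("file contains non-ASCII characters; save it as ASCII")
    clients, null_auth = parse_rpcapd_ini(text)
    if not clients:
        problems.append("no ActiveClient line: no interface will be forwarded")
    seen = set()
    for c in clients:
        if (c.target_ip, c.target_port) != (extrahop_ip, extrahop_port):
            problems.append(f"ActiveClient targets {c.target_ip}:{c.target_port}, expected {extrahop_ip}:{extrahop_port}")
        if c.ifaddr is not None:
            try:  # accepts a plain address (10.10.1.100) or a CIDR network (10.10.1.0/24)
                ipaddress.ip_network(c.ifaddr, strict=False)
            except ValueError:
                problems.append(f"ifaddr {c.ifaddr!r} is neither an IP address nor a CIDR network")
        if c.ifname is not None and c.ifname.startswith("\\Device\\") and not WIN_IFNAME.match(c.ifname):
            problems.append(f"Windows interface name {c.ifname!r} is not of the form \\Device\\NPF_{{<GUID>}}")
        if (c.ifname, c.ifaddr) in seen:
            problems.append(f"duplicate ActiveClient for interface {c.ifname or c.ifaddr}")
        seen.add((c.ifname, c.ifaddr))
    if null_auth != "YES":
        problems.append("NullAuthPermit is missing or not YES (the installer writes NullAuthPermit = YES)")
    return problems
```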

Configuring additional RPCAP settings

By default, the ExtraHop system accepts forwarded packets on port 2003. The servers using the software tap are directed to forward all traffic as denoted by the wildcard (*) in the Interface Address column.

To specify another port, complete the following steps.

  1. Go to the RPCAP Settings section and click 2003.
  2. Modify the settings on the Add RPCAP Port Definition page.
    Port
    Specifies the listening port on the ExtraHop system. Each port must be unique for each interface subnet on the same server. Different subnets across servers are able to use the same port.
    Interface Address
    Specifies a subnet on the packet-forwarding server. If the server has multiple interfaces that match the interface address, the first interface on the server sends traffic to the ExtraHop system unless the interface name is specified.
    Interface Name
    Indicates the interface on the packet-forwarding server from which to forward packets.
    Note: You must specify an interface address or an interface name. If you specify both, then both criteria will apply.
    Filter
    Specifies the traffic to forward, in Berkeley Packet Filter (BPF) syntax. For example, tcp port 80 forwards only TCP traffic on port 80, and not tcp port 80 forwards everything except TCP traffic on port 80.
  3. Click Save.

Analyzing wire data from a software tap

To find out how much wire data the ExtraHop system is receiving from the software tap:

  1. Log in to the ExtraHop Web UI (https://<extrahop_ip>/extrahop) and click the System Settings icon.
  2. Click System Health to get more information about the forwarded traffic. This page displays a Packets and Throughput graph for each software tap connected to the ExtraHop system.

    The RPCAP Packets and Throughput graphs contain four metrics:

    Encapsulation
    The total number of RPCAP encapsulation packets received by the ExtraHop system.
    Tunnel Eligible
    Total number of packets eligible to be forwarded to the ExtraHop system.
    Tunnel Sent
    Total number of RPCAP-tunneled packets forwarded to the ExtraHop system.
    Tunnel Received
    Total number of RPCAP-tunneled packets received by the ExtraHop system.

    The tunnel eligible, tunnel sent, and tunnel received values are equal if the ExtraHop system is receiving and processing all the packets sent by the server. If they are not equal, use the following reference for troubleshooting:

    • If Tunnel Sent is less than Tunnel Eligible, the server is not able to forward all of the traffic. This behavior may indicate that packet forwarding requires more processing or outbound bandwidth resources on the server. Consider separating the forwarding process onto a separate CPU or allocating a dedicated interface for forwarding traffic.
    • If Tunnel Received is less than Tunnel Sent, the ExtraHop system is not receiving all the traffic forwarded by the server. This behavior may be due to network congestion or insufficient resources on the ExtraHop system. If you suspect it is the latter, contact ExtraHop Support.
  3. Once you have verified that the ExtraHop system is receiving traffic, exit the System Health page and view metrics in the ExtraHop Web UI.

Removing the software tap from a Linux server

Run the following commands:
  • To stop and remove the software tap from a Debian-based Linux server, run the following commands:
    sudo service rpcapd stop
    sudo dpkg -r rpcapd
    sudo dpkg --get-selections | grep rpcapd

    You can also set the -P flag to completely remove the package from your system.

  • To stop and remove the software tap from an RPM-based Linux server, run the following commands:
    service rpcapd stop
    rpm -e rpcapd-<extrahop_firmware_version>.x86_64
  • To stop and remove the software tap from another Linux server, run the following commands:
    sudo /etc/init.d/rpcapd stop
    sudo update-rc.d -f rpcapd remove
    sudo rm -rf /opt/extrahop
    sudo rm -f /etc/init.d/rpcapd

Removing the software tap from a Windows server

To remove the software tap from a Windows server or your Windows desktop:

  1. Go to the Start Menu and select Control Panel.
  2. Select Uninstall a program.
  3. Select RPCAP Service for Windows.
  4. In the pop-up dialog box, click Remove.
  5. When the removal is complete, click Close.

Appendix

This section includes reference material you might find helpful.

Interface configuration options

Note: If a node is a member of a Command cluster, you must remove the node from the cluster before you can configure Interface 1 settings.

EDA 1000v

                 Default Configuration   Optional Configuration
  Interface 1    Management Port         Management Port + RPCAP/ERSPAN Target
  Interface 2    Monitoring              Any*
  Throughput     1 Gbps                  1 Gbps

EDA 2000v

                 Default Configuration   Optional Configuration
  Interface 1    Management Port         Management Port + RPCAP/ERSPAN Target
  Interface 2    Monitoring              Any*
  Interface 3    Monitoring              Any*
  Interface 4    Monitoring              Any*
  Throughput     3 Gbps                  3 Gbps

EDA 6100v

                 Default Configuration   Optional Configuration
  Interface 1    Management Port         Management Port + RPCAP/ERSPAN Target
  Interface 2    Monitoring              Any*
  Interface 3    Monitoring              Any*
  Interface 4    Monitoring              Any*
  Throughput     10 Gbps                 10 Gbps

*Refers to one of the following options:

  • Management + RPCAP/ERSPAN
  • Management Only
  • Monitoring
  • Disabled
Note: If you configure RPCAP/ERSPAN on multiple interfaces, each interface must be on its own subnet.

Network mirroring with VMware

Depending upon the version of VMware you're running, you have these network mirroring capabilities:

VMware 4.0
  • Run a group of interfaces in Promiscuous mode on a single host
  • Receive traffic through a port mirror
  • Mirror traffic by creating port groups and vSwitches in Promiscuous mode
  • Receive traffic through an external port mirror with a dedicated physical interface in Promiscuous mode
VMware 5.0, 5.1, 5.5 and 6.0
  • Run a group of interfaces in Promiscuous mode on a single host
  • Receive traffic through a port mirror
  • Mirror traffic by creating port groups and vSwitches in Promiscuous mode
  • Receive traffic through a port mirror with a VDS
VMware 5.1, 5.5 and 6.0
  • RSPAN
  • ERSPAN

OVA package

ExtraHop distributes virtual appliances as preconfigured virtual machines optimized to work with supported hypervisors.

Note: OVF refers to a folder with files that define a preconfigured virtual machine. OVA refers to a single-archive file that contains the zipped contents of the OVF folder. Hyper-V uses a proprietary file format, not the OVA file format.
EDA 1000v
  • 2 CPUs
  • 4 GB RAM
  • Datastore 1: One 4 GB disk, thick-provisioned
  • Datastore 2: One 42 GB disk, thick-provisioned
  • Two network interfaces
    • One bridged network interface for management
    • One network interface for port mirroring or capturing traffic from the VM switch
EDA 2000v
  • 6 CPUs
  • 6 GB RAM
  • Datastore 1: One 4 GB disk, thick-provisioned
  • Datastore 2: One 250 GB disk, thick-provisioned
  • Four network interfaces
EDA 6100v
  • 16 CPUs
  • 64 GB RAM
  • Datastore 1: One 4 GB disk, thick-provisioned
  • Datastore 2: One 1 TB disk, thick-provisioned
  • Four network interfaces
    • One bridged network interface for management
    • Three network interfaces for port mirroring or capturing traffic from the VM switch
Published 2017-08-18 20:55