Start Demo

Deploy the ExtraHop Discover Appliance with VMware

The ExtraHop virtual appliance can help you to monitor the performance of your applications across internal networks, the public internet, or a virtual desktop interface (VDI), including database and storage tiers. ExtraHop can monitor application performance across geographically distributed environments such as branch offices or virtualized environments through intra-VM traffic.

Before you begin

  • You must have familiarity with administrating VMware. The images in this guide are from VMware version 5.0.0, and some of the menu selections might have changed.
  • We recommend that you upgrade to the latest patch for the vSphere environment, to avoid any known issues.

This guide explains how to deploy the following ExtraHop Discover virtual appliances on the VMware ESXi/ESX platform:

  • EDA 1000v (Monitors up to 250 devices)
  • Reveal(x) EDA 1100v (Monitors up to 250 devices)
  • EDA 2000v (Monitors up to 1000 devices)
  • EDA 6100v (Monitors up to 3000 devices)

Virtual machine requirements

You must have an existing installation of the VMware ESX/ESXi server version 5.5 or later, capable of hosting the Discover virtual appliance. In addition, you need a vSphere client to deploy the OVF file and to manage the virtual machine.

The following table provides the server hardware requirements for each Discover model.
Appliance CPU RAM Disk
EDA 1000v 2 processing cores with hyper-threading support, VT-x or AMD-V technology, and 64-bit architecture.

If you want to enable SSL decryption, 3 CPUs are required. For more information, see Add a CPU Core to the EDA 1000v with VMware.

 4 GB 46 GB or higher disk (thick-provisioned)
Reveal(x) EDA 1100v 4 processing cores with hyper-threading support, VT-x or AMD-V technology, and 64-bit architecture. 8 GB 46 GB or higher disk (thick-provisioned)
EDA 2000v 6 processing cores with hyper-threading support, VT-x or AMD-V technology, and 64-bit architecture. 6 GB 255 GB or higher disk (thick-provisioned)
EDA 6100v 16 processing cores with hyper-threading support, VT-x or AMD-V technology, and 64-bit architecture. 64 GB 1 TB or higher disk (thick-provisioned)
To ensure proper functionality of the virtual appliance:
  • Make sure that the VMware ESX/ESXi server is configured with the correct date and time.
  • Always choose thick provisioning. The ExtraHop datastore requires low-level access to the complete drive and is not able to grow dynamically with thin provisioning. Thin provisioning can cause metric loss, VM lockups, and capture issues.
  • Do not change the default disk size on initial installation. The default disk size ensures correct lookback for ExtraHop metrics and proper system functionality. If your configuration requires a different disk size, contact your ExtraHop representative before you make any changes.
  • Do not migrate the VM. Although it is possible to migrate when the datastore is on a remote SAN, ExtraHop does not recommend this configuration.
Important:If you want to deploy more than one ExtraHop virtual appliance, create the new instance with the original deployment package or clone an existing instance that has never been started.

Network requirements

You can monitor intra-VM or external traffic with the Discover virtual appliance.
Appliance Intra-VM External
EDA 1000v One 1-Gbps Ethernet network port is required (for management). The management port must be accessible on port 443. Two 1-Gbps Ethernet network ports are required. One for the physical port mirror and one for management. The physical port mirror interface must be connected to the port mirror of the switch.

While it is possible to configure a 10-Gbps Ethernet network port for the port mirror interface, it is not recommended as the virtual appliance cannot process more than 1 Gbps of traffic.
EDA 2000v One 1-Gbps Ethernet network port is required (for management). The management interface must be accessible on port 443. Two to four 1-Gbps Ethernet network ports are required for the physical port mirror and management. The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must support network interface drivers.

While it is possible to configure a 10-Gbps Ethernet network port for the port mirror interface, it is not recommended as the virtual appliance cannot process more than 3 Gbps of traffic.
EDA 6100v One 1-Gbps Ethernet network port is required (for management). The management interface must be accessible on port 443. A 10-Gbps Ethernet network port is recommended for the physical port mirror. Optionally, you can configure two to four 1-Gbps Ethernet network ports for the physical port mirror and management.

The physical port mirror interface must be connected to the port mirror of the switch. The VMware ESX server must support network interface drivers.
Note:For registration purposes, the virtual Discover appliance requires outbound DNS connectivity on UDP port 53 unless managed by the ExtraHop Command appliance.

Deploy the OVA file through the VMware vSphere web client

ExtraHop distributes the Discover virtual appliance package in the open virtual appliance (OVA) format.

Before you begin

If you have not already done so, download the ExtraHop Discover virtual appliance OVA file for VMware from the ExtraHop Customer Portal.
  1. Start the VMware vSphere web client and connect to your ESX server.
  2. Select the data center where you want to deploy the Discover virtual appliance.
  3. Select Deploy OVF Template… from the Actions menu.
  4. Follow the wizard prompts to deploy the virtual machine. For most deployments, the default settings are sufficient.
    1. Select Local file and then click Browse….
    2. Select the OVA file on your local machine and then click Open.
    3. Click Next.
    4. Review the virtual appliance details and then click Next.
    5. Specify a name and location for the appliance and then click Next.
    6. For Disk Format, select Thick Provision Lazy Zeroed and then click Next.
    7. Map the OVF-configured network interface labels with the correct ESX-configured interface labels and then click Next.
    8. Verify the configuration, select the Power on after deployment checkbox, and then click Finish to begin the deployment. When the deployment is complete, you can see the unique name you assigned to the ExtraHop VM instance in the inventory tree for the ESX server to which it was deployed.
  5. The Discover appliance contains a preconfigured bridged virtual interface with the network label, VM Network. If your ESX has a different interface label, you must reconfigure the network adapter on the Discover virtual appliance before starting the appliance.
    1. Select the Summary tab.
    2. Click Edit Settings, select Network adapter 1, select the correct network label from the Network label drop-down list, and then click OK.
  6. Select the Discover virtual appliance in the ESX Inventory and then select Open Console from the Actions menu.
  7. Click the console window and then press ENTER to display the IP.
    Note:DHCP is enabled by default on the ExtraHop virtual appliance. To configure a static IP address, see the Configure a Static IP Address section.
  8. In VMware ESXi, configure the virtual switch to receive traffic and restart to see the changes.

Configure a static IP address through the CLI

The ExtraHop appliance is delivered with DHCP enabled. If your network does not support DHCP, no IP address is acquired, and you must configure a static address manually.

  1. Establish a console connection to the ExtraHop appliance.
  2. At the login prompt, type shell and then press ENTER.
  3. At the password prompt, type default, and then press ENTER.
  4. To configure the static IP address, run the following commands:
    1. Enable privileged commands: 
      enable
    2. At the password prompt, type default, and then press ENTER.
    3. Enter configuration mode: 
      configure
    4. Enter the interface configuration mode: 
      interface
    5. Run the ip command and specify the IP address and DNS settings in the following format: ip ipaddr <ip_address> <netmask> <gateway> <dns_server>
      For example:
      ip ipaddr 10.10.2.14 255.255.0.0 10.10.1.253 10.10.1.254
    6. Leave the interface configuration section: 
      exit
    7. Save the running config file: 
      running_config save
    8. Type y and then press ENTER.

Configure the Discover appliance

After you configure an IP address for the Discover appliance, open a web browser and navigate to the ExtraHop Web UI through the configured IP address. Accept the license agreement and then log in. The default login name is setup and the password is default. Enter the product key to license the appliance.

After the appliance is licensed, and you have verified that traffic is detected, complete the recommended procedures in the post-deployment checklist.

Mirror Wire Data

This section includes procedures for mirroring data to your ExtraHop virtual appliance.

Mirroring internal and external traffic

The ExtraHop Discover virtual appliance can be configured to monitor network traffic in the following network configuration examples.

Note:Monitoring external network-mirrored traffic requires an external NIC and an associated virtual switch.

Monitoring intra-VM traffic

This scenario requires a second VM port group on the default virtual switch of the ESX host for monitoring traffic within the virtual switch as well as external traffic in and out of the switch.

  1. Start the VMware vSphere client and connect to your ESX server.
  2. Select the ESX host at the top of the tree control in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.

    This view shows how the virtual switch is configured. It displays the physical NIC to which the vSwitch is tied (vmnic0 is eth0) and which networking components are using that vSwitch (VM Network Port Group, Service Console). The VM Network port group contains the VM network.

  3. To add a port group to the vSwitch0, click Add Networking.
    The Add Network Wizard window appears.
  4. Select Virtual Machine as the connection type and then click Next.
  5. In the Network Access step, select Use vSwitch0 and then click Next.
  6. In the Connection Settings step, assign a unique name to the new port group, click the VLAN ID drop-down menu, and select All (VLAN 4095).
  7. Click Next.

    The virtual switch appears as follows:

  8. Click Finish to exit the Add Network Wizard.
  9. Set the Remote Port Mirror to Promiscuous Mode as follows.
    1. Click the Properties link next to vSwitch0. In the vSwitch0 Properties window, select the newly created Port Group (Local Port Mirror in the example below) and click the Edit button.
    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.
    3. Click Close to exit the vSwitch0 Properties window.
  10. Click the Getting Started tab and then click Edit Virtual Machine Settings.
  11. Click Network Adapter 2, click the Network label drop-down menu, select Local Port Mirror, and then click OK.
  12. Restart the ExtraHop Discover virtual appliance to activate the new adapter setting.

Monitoring external mirrored traffic to the VM

This scenario requires a second physical network interface and the creation of a second vSwitch associated with that NIC. This NIC then connects to a mirror, tap, or aggregator that copies traffic from a switch. This setup is useful for monitoring the intranet of an office.

  1. Start the VMware vSphere client and connect to your ESX server.
  2. Select the ESX host at the top of the tree control in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.

    This view shows how the virtual switch is configured. It displays the physical NIC to which the vSwitch is tied (vmnic0 is eth0) and which networking components are using that vSwitch (VM Network Port Group, Service Console). The VM Network port group contains the VM network.

  3. To add a second vSwitch, click Add Networking. The Add Network Wizard window appears. Select Virtual Machine as the connection type and then click Next.
  4. In the Network Access step, select Create a vSphere standard switch, ensure vmnic1 is selected, and then click Next.
  5. In the Connection Settings step, assign a unique name to the new port group (Remote Port Mirror in the example below), click the VLAN ID drop-down menu, and select All (VLAN 4095).
  6. Click Next and then click Finish to exit the Add Network Wizard.
  7. The Networking section of the configuration table for the ESX host appears as follows.
  8. Set the Remote Port Mirror to Promiscuous Mode as follows.
    1. Click the Properties link next to vSwitch1. In the vSwitch1 Properties window, select vSwitch and click the Edit button.
    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.
    3. Click Close to exit the vSwitch1 Properties window.
  9. Select the ExtraHop Virtual Appliance at the top of the tree control in the left panel, click the Getting Started tab, and then click Edit Virtual Machine Settings.
  10. Click Network Adapter 2, click the Network label drop-down menu, select Remote Port Mirror, and then click OK.
  11. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring external mirrored traffic to the VM (EDA 2000v or EDA 6100v)

In this scenario, you must create a third and fourth physical network interface and two more vSwitches associated with those NICs. These NICs then connect to a mirror, tap, or aggregator that copies traffic from a switch.

  1. Start the VMware vSphere client and connect to your ESX server.
  2. Select the ESX host at the top of the navigation tree in the left panel and then click the Configuration tab. In the Configuration tab, click Networking under the Hardware section.
  3. To add a third vSwitch, click Add Networking. The Add Network Wizard window appears. Select Virtual Machine as the connection type and then click Next.
  4. In the Network Access step, select Create a vSphere standard switch, ensure vmnic2 is selected, and then click Next.
  5. In the Connection Settings step, assign a unique name to the new port group (Remote Port Mirror 2, for example), click the VLAN ID drop-down menu, and select All (VLAN 4095).
  6. Click Next and then click Finish to exit the Add Network Wizard.
  7. The Networking section of the configuration table for the ESX host appears as follows.
  8. Set the Remote Port Mirror to Promiscuous Mode as follows.
    1. Click the Properties link next to vSwitch2. In the vSwitch2 Properties window, select vSwitch and click the Edit button.
    2. Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.
    3. Click Close to exit the vSwitch2 Properties window.
  9. Select the ExtraHop Virtual Appliance at the top of the naviagation tree in the left panel, click the Getting Started tab, and then click Edit Virtual Machine Settings.
  10. Click Network Adapter 3, click the Network label drop-down menu, select Remote Port Mirror 2, and then click OK.
  11. Repeat steps 2 through 10 to add a fourth vSwitch.
  12. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring both intra-VM and external mirrored traffic to the VM (EDA 2000v or EDA 6100v)

In this scenario, you can monitor a mix of intra-VM and external mirrored traffic on up to three virtual interfaces.

  1. To monitor intra-VM traffic on one or more virtual interfaces, create a VM port group on the default virtual switch of the ESX host for each interface as described in Monitoring Intra-VM Traffic.
  2. To monitor external mirrored traffic on one or more virtual interfaces, create a physical network interface and corresponding vSwitch for each interface as described in Monitoring External Mirrored Traffic to the VM.
  3. Click Network Adapter x and select an option from the Network label drop-down list for each interface.

Mirroring VLANs

To mirror VLANs, you must either set the destination port on the port mirror configuration to VLAN Trunking or set the exact VLAN ID on the ports of the VLANS you are mirroring.

For information about configuring RSPAN, ERSPAN, and RPCAP to monitor remote devices, see the following topics.

Published 2021-03-03 11:01