Start Demo

Configure ERSPAN with VMware

The Encapsulated Remote Switched Port Analyzer (ERSPAN) enables you to monitor traffic on multiple network interfaces or VLANs and then send the monitored traffic to one or more destinations. We support the VMware Encapsulated Remote Mirroring Source packet mirror feature, an ERSPAN-like capability.

The following procedures explain how to configure an interface on the ExtraHop system to receive ERSPAN traffic and how to configure the VMware server with the vSphere Web Client.

For more information about configuring networking on the ExtraHop system, see the ExtraHop Admin UI Guide.

For more information about configuring the VMware vSphere server, see the Working with Port Mirroring section in the ESXi and vCenter Server 6.0 Documentation.

Configure the ExtraHop interface settings

  1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
  2. In the Network Settings, click Connectivity.
  3. In the Interfaces section, click Interface 1.
    Note:If you select Interface 1 for management and Interface 2 for ERSPAN, you cannot configure both interfaces on the same subnet.
  4. Select Management Port + RPCAP/ERSPAN/VXLAN Target from the Interface Mode drop-down list.
  5. Complete the remaining fields and then click Save.
  6. (Optional): Depending on your configuration, configure or disable the remaining interfaces.
    Note:For more information about setting up network interfaces, see the Connectivity section in the ExtraHop Administration Guide.

Configure port mirroring on the vSphere server

  1. Log in to the vSphere Web Client and select the vSphere distributed switch (VDS) from which you want to monitor traffic.
  2. Click the Manage tab, and then click Settings.
  3. Click Port Mirroring.
  4. Click New... to create a port mirroring session to mirror vSphere distributed switch traffic to specific physical switch ports.
    Tip:For detailed information about creating a port mirroring session, see your vSphere documentation.
    1. In the Select session type section, select Encapsulated Remote Mirroring (L3) Source and click Next.
    2. In the Edit properties section, specify the name, description, and session details for the new port mirroring session. Select Enabled from the Status drop-down list and then click Next.
    3. In the Select sources section, select existing ports or create new source ports and then click Next.
      Warning: Do not include any VMkernel (vmk) ports, any ports connected to the virtual Reveal(x) sensor, or any ports that might be carrying the ERSPAN data created by this mirror. Adding these ports will compound the traffic destined for the sensor and disrupt the networking capabilities of the dvSwitch, causing any hosts or interfaces participating in the dvSwitch to become permanently unavailable.
    4. In the Select Destinations section, click the green plus (+) sign to add the IP addresses that should receive the traffic.
    5. In the Ready to complete section, verify the settings and then click Finish.
    Tip:Consider turning off TCP segmentation offloading on the operating systems where the forwarded communication is coming from.
Published 2023-05-30