The Encapsulated Remote Switched Port Analyzer (ERSPAN) enables you to monitor traffic on multiple network interfaces or VLANs and then send the monitored traffic to one or more destinations. The ExtraHop system supports the VMware Encapsulated Remote Mirroring Source packet mirror feature, an ERSPAN-like capability.
The following procedures explain how to configure an interface on the ExtraHop system to receive ERSPAN traffic and how to configure the VMware server with the vSphere Web Client.
For more information about configuring networking on the ExtraHop system, see the ExtraHop Admin UI Guide.
For more information about configuring the VMware vSphere server, see Working with Port Mirroring in the VMware documentation.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings, click Connectivity.
In the Interfaces section, click Interface
Note: If you select Interface 1 for management and Interface 2 for ERSPAN, you cannot configure both interfaces on the same subnet.
- Select Management Port + RPCAP/ERSPAN/VXLAN Target from the Interface Mode drop-down list.
- Complete the remaining fields and then click Save.
Depending on your configuration, configure or disable the remaining
Note: For more information about setting up network interfaces, see the Connectivity section in the ExtraHop Administration Guide.
- Log in to the vSphere Web Client and select the vSphere distributed switch (VDS) from which you want to monitor traffic.
- Click the Settingstab.
In the Settings section, click Port Mirroring.
Click New... to create a port mirroring session to
mirror vSphere distributed switch traffic to specific physical switch
Tip: For detailed information about creating a port mirroring session, see your vSphere documentation.
In the Select session type section, select
Encapsulated Remote Mirroring (L3) Source and
In the Edit properties section, configure the
Name: Specify the name.
Status: Select Enabled from the drop-down list.
Encapsulation type: Select ERSPAN Type II from the drop-down list
Note: GRE is a supported encapsulation type; however, you must configure Network Overlay Decapsulation for NVGRE on the sensor.
- Click Next.
In the Select Ports section, select virtual ports
to include in this mirror.
Warning: Do not include any VMkernel (vmk) ports, any ports connected to the virtual Reveal(x) sensor, or any ports that might be carrying the ERSPAN data created by this mirror. Adding these ports will compound the traffic destined for the sensor, and disrupt the networking capabilities of the dvSwitch, and any hosts or interfaces participating in the dvSwitch will become permanently unavailable.
- Click Next.
In the Select destinations section, click the plus sign
(+) to add the IP address or addresses that
should receive the mirrored traffic.
In the Ready to complete section, verify the
settings and then click Finish.
Tip: Consider turning off TCP segmentation offloading on the operating systems where the mirrored traffic is coming from.
- In the Select session type section, select Encapsulated Remote Mirroring (L3) Source and click Next.