Configure RSPAN with VMware
The Remote Switched Port Analyzer (RSPAN) enables you to monitor traffic on one switch through a device on another switch and then send the monitored traffic to one or more destinations.
Before you begin
- You must have experience with basic VMware ESX and ESXi administration through the VMware vSphere Web Client.
- You must have an uplink port (HW NIC) attached to the switch (preferably one that is not designated for general network traffic).
- Direct access to the iDRAC console is preferred.
For information about configuring the VMware vSphere server, see the Working with Port Mirroring section in the ESXi and vCenter documentation for your version of VMware.
For information about configuring VMware with a Discover appliance, see Deploy the ExtraHop Discover Appliance with VMware.
The following steps outline the key procedures that are required to configure RSPAN with VMware for a Discover appliance. Note that procedures in these steps might vary between versions of VMware.
Note: | While these steps are required for RSPAN configuration, most deployments have completed the first four steps prior to installing the Discover appliance. If you have an existing Virtual Distributed Switch, start with step 5. |
Create a virtual distributed switch
Complete the following steps to create a virtual distributed switch (VDS). The VDS carries traffic from your virtual machines (VM) to your physical network and to other VMs.
Add port groups to the VDS
Complete the following steps to add port groups when you deploy a new virtual machine or add a new ESX host into your VDS environment. Port groups enable you to properly associate the new machine or host to the port group that is being monitored immediately.
Add a host to the VDS
Complete the following steps to add a host to the VDS. Skip this procedure if all hosts have already been added to the cluster. We recommend that you dedicate one uplink for management and one uplink for spanning.
Add uplink ports to the VDS
Complete the following steps to add an uplink port to the VDS. You must assign one uplink port to the VDS for each associated host.
- Browse to a host in the vSphere Web Client.
-
Click the Manage tab, and then select .
- From the list, select the distributed switch you want to add an uplink port to.
- Click Manage the physical network adapters .
- Click Add .
- From the list, select a network adapter and then select the uplink port from the drop-down menu that you want to assign to the network adapter.
- Click OK.
Configure an RSPAN port mirror
Complete the following steps to configure an RSPAN port mirror to view traffic on the VDS, to configure the local switch to view external traffic, and to configure the virtual Discover appliance to do a combination of both. The virtual Discover appliance can be deployed in environments with multiple ESX servers connected with a virtual distributed switch (VDS).
Complete the following steps to configure a virtual Discover appliance as the destination for one or more RSPAN mirror sessions. The RPSAN mirror sessions can originate from either a virtual distributed switch (VDS) that mirrors local VM traffic or from a physical switch that mirrors external traffic.
The following steps are for a Discover appliance deployed on an ESX host that is managed by vCenter with a configured VDS. You must connect a local switch to an uplink port that is configured as a VLAN trunk port and that carries the RSPAN VLAN traffic. The RSPAN VLAN will carry the mirrored traffic and can span multiple switches to reach the virtual Discover appliance.
The following figure illustrates the port mirror setup.
- Click on Networking.
- Select your VDS and ensure that the Settings tab is selected.
-
Click Port mirroring.
- Click New....
-
In the Add Port Mirroring Session wizard, select Remote Mirroring
Destination, and then click Next.
- In the Name field, type a name to identify the port mirroring session.
- From the Status drop-down, select Enabled.
-
Click Next.
- Click the plus icon to add the source VLAN IDs that you want to monitor, and then click Next.
- Specify the destination port where you want to send mirrored traffic. This port is the virtual port on the VDS that corresponds to the monitoring interface on your virtual Discover appliance.
- Verify the summary information and then click Finish to add the port mirror.
Thank you for your feedback. Can we contact you to ask follow up questions?