Mirror Wire Data with VMware
The ExtraHop virtual sensor can be configured to monitor network traffic in the following network configuration examples.
- Monitoring traffic on multiple network interfaces or VLANs with ERSPAN
- Monitoring
Intra-VM Traffic
- One virtual interface on the EDA 1000v or 1100v
- Up to three virtual interfaces on the EDA 2000v or EDA 6100v
- Monitoring external mirrored traffic to the VM
- Monitoring external mirrored traffic to the VM (EDA 2000v or EDA 6100v)
- Monitoring both intra-VM and external mirrored traffic to the VM (EDA 2000v or EDA 6100v)
Note: | Monitoring external network-mirrored traffic requires an external NIC and an associated virtual switch. |
Monitoring traffic on multiple network interfaces or VLANs with ERSPAN
This scenario requires you to configure an interface on the ExtraHop system to receive ERSPAN traffic and configure the VMware server to mirror traffic from specified ports.
See Configure ERSPAN with VMware for configuration details.
Monitoring intra-VM traffic
This scenario requires a second VM port group on the default virtual switch of the ESX host for monitoring traffic within the virtual switch as well as external traffic in and out of the switch.
Monitoring external mirrored traffic to the VM
This scenario requires a second physical network interface and the creation of a second vSwitch associated with that NIC. This NIC then connects to a mirror, tap, or aggregator that copies traffic from a switch. This setup is useful for monitoring the intranet of an office.
Monitoring external mirrored traffic to the VM (EDA 2000v or EDA 6100v)
In this scenario, you must create a third and fourth physical network interface and two more vSwitches associated with those NICs. These NICs then connect to a mirror, tap, or aggregator that copies traffic from a switch.
- Start the VMware vSphere client and connect to your ESX server.
- Select the ESX host at the top of the navigation tree in the left panel and then click the Configure tab.
- Click Networking and then click Add Networking.
- Select Virtual Machine Port Group for a Standard Switch as the connection type and then click Next.
- In the Select target device step, choose Select an existing standard switch and then click Next. The default switch is vSwitch0.
- In the Connection settings step, assign a unique name to the new port group (Remote Port Mirror 2, for example), click the VLAN ID drop-down menu, and select All (VLAN 4095).
- Click Next and then click Finish.
-
Set the Remote Port Mirror to Promiscuous Mode as follows.
- In the left panel, select the ExtraHop virtual sensor.
- Click the Actions drop-down menu and then select Edit Settings….
- Click Network Adapter 3 and then click Browse… from the drop-down menu.
- Click Remote Port Mirror 2, and then click OK.
- Repeat steps 3 through 10 to add a fourth vSwitch.
- Restart the ExtraHop VM to activate the new adapter setting.
Monitoring both intra-VM and external mirrored traffic to the VM (EDA 2000v or EDA 6100v)
In this scenario, you can monitor a mix of intra-VM and external mirrored traffic on up to three virtual interfaces.
- To monitor intra-VM traffic on one or more virtual interfaces, create a VM port group on the default virtual switch of the ESX host for each interface as described in Monitoring Intra-VM Traffic.
- To monitor external mirrored traffic on one or more virtual interfaces, create a physical network interface and corresponding vSwitch for each interface as described in Monitoring External Mirrored Traffic to the VM.
- Click Network Adapter x and select an option from the Network label drop-down list for each interface.
Mirroring VLANs
To mirror VLANs, you must either set the destination port on the port mirror configuration to VLAN Trunking or set the exact VLAN ID on the ports of the VLANS you are mirroring.
Thank you for your feedback. Can we contact you to ask follow up questions?