Deploy the EDA 10200 sensor
This guide explains how to install the rack-mounted EDA 10200 sensor.
This installation enables you to run network performance monitoring, network detection and response, and intrusion detection on a single sensor. By adding the IDS module, you can also upload and view IDS detections.
Important: | The IDS module requires the NDR module. Before you can enable the IDS module on this sensor, you must upgrade the sensor firmware to version 9.6 or later. When the upgrade completes, you can apply the new license to the sensor. |
Note: | If you have enabled the IDS module on this sensor, and your ExtraHop system does not have direct access to the Internet and access to ExtraHop Cloud Services, you will need to upload IDS rules manually. For more information, see Upload IDS rules to the ExtraHop system through the REST API. |
Installation prerequisites
- Sensor
- 2U of rack space and electrical connections for 2 x 1100 W power supplies.
- Management
- One 10/100/1000BASE-T network port or one 10GBASE-SR port for appliance management.
- Monitoring (capture)
- High-performance interfaces: One to four network ports for connection to 100 GbE, 40 GbE, 25 GbE, or 10 GbE sources of packet data, depending on the ordered configuration.
- Management + monitoring interfaces: One to three network ports for connection to 1 GbE sources of packet data.
- Network Access
- Ensure that administrators can access the Administration settings on the sensor over TCP port 443.
- Configure your firewall rules to allow outbound access over port 443 to ExtraHop Cloud Services.
For more information about the interfaces on the ExtraHop system, see the ExtraHop Hardware FAQ.
Rear panel ports
EDA 10200
- One iDRAC interface port
- One RS-232 serial port to connect a console device
- One VGA port to connect an external display
- Two USB 3.0 ports to connect input devices such as a keyboard and mouse
- Two power ports to connect the appliance to an AC power source
- Two 10 GbE ports. Ports 1 and 2 can be configured as a management port,
management and flow target, or management and RPCAP/ERSPAN/VXLAN/GENEVE
target.
Note: While 10 GbE management + capture interfaces on this sensor can conduct management functions at 10 Gbps speeds, processing traffic such as ERSPAN, VXLAN, and GENEVE is limited to 1 Gbps. - Two 10/100/1000BASE-T network ports. Port 3 is the primary management port. These ports can be configured as a monitoring port, management port, management and flow target, or management and RPCAP/ERSPAN/VXLAN/GENEVE target.
- Four 100 GbE-capable ports on two network adapters. These ports are the high-performance monitoring (capture) interfaces.
Supported packet source connectivity
EDA 10200 Connector | Peer Connector for Packet Source | Customer-Supplied Cabling | Supported Operating Speeds |
---|---|---|---|
Transceiver-based Connectivity | |||
100 GbE QSFP28 SR4 transceiver | 100 GbE QSFP28 SR4 transceiver | Multi-mode fiber MPO connectors |
100 Gbps, 40 Gbps |
40 GbE QSFP+ SR4 transceiver | Multi-mode fiber MPO connectors |
40 Gbps | |
40 GbE QSFP SR BiDi transceiver (Customer-supplied Cisco QSFP-40G-SR-BD only) | 40 GbE QSFP+ SR BiDi transceiver | Duplex multi-mode fiber LC connectors | 40 Gbps |
25 GbE SFP28 SR transceiver (with QSFP28-to-SFP28 adapter) | 25 GbE SFP28 SR transceiver | Multi-mode fiber LC connectors |
25 Gbps, 10 Gbps |
10 GbE SFP+ SR transceiver | Multi-mode fiber LC connectors |
10 Gbps | |
Direct Attach Connectivity | |||
Customer-supplied QSFP28 DAC cable, such as the Mellanox MCP1600-Cxxx series | 100 Gbps | ||
QSFP28-to-SFP28 adapter with customer-supplied SFP28 DAC cable, such as the Mellanox MCP2M00-Axxx series | 25 Gbps | ||
Customer-supplied RJ45 Ethernet cable 1 Gbps | 1 Gbps |
Note: | The packet processing capability of the sensor is 100 Gbps. While it is possible to oversubscribe the sensor by sending more than 100 Gbps of packet data across the four 100 GbE-capable ports, inbound workloads that exceed 100 Gbps will result in dropped packets. |
Traffic distribution guidelines
- Packets from the same flow should be received on the same interface, or on interfaces of the same network interface card (NIC).
- The ingest on each NIC should not exceed 75% of the rated analysis throughput for the sensor to ensure that traffic is balanced across system resources.
- If your data feed does not require both interfaces on the NIC, disable the unconfigured interfaces in the Administration settings. For example, configure the sensor with a single interface to ingest 50 Gbps on each NIC. Disable the extraneous ports on each NIC. This configuration optimizes performance for 100 Gbps.
- A single high-performance ERSPAN target is expected to process 20 to 30 Gbps. On larger sensors, distribute ERSPAN traffic to more interfaces to scale traffic ingest.
Configure the management IP address
DHCP is enabled by default on the ExtraHop system. When you power on the system, interface 3 attempts to acquire an IP address through DHCP. If successful, the IP address appears on the home screen of the LCD.
Important: | We strongly recommend configuring a unique hostname. If the system IP address changes, the ExtraHop console can re-establish connection easily to the system by hostname. |
Configure a static IP address through the LCD
Configure an IP address through the CLI
Complete the following steps to manually configure an IP address from the CLI.
(Optional) Configure the 10 GbE management interface
You can configure a 10 GbE port (port 1 or port 2) to manage the system. The commands below move the settings from port 3 to port 1 and then disables port 3. Alternatively, you can configure the 10 GbE management interface in the Administration settings.
Configure the sensor
Next steps
After the system is licensed, and you have verified that traffic is detected, complete the recommended procedures in the post-deployment checklist.
Thank you for your feedback. Can we contact you to ask follow up questions?