Configure ERSPAN with VMware

The Encapsulated Remote Switched Port Analyzer (ERSPAN) enables you to monitor traffic on multiple network interfaces or VLANs and then send the monitored traffic to one or more destinations. The following procedures explain how to configure an interface on an ExtraHop Discover appliance to receive ERSPAN traffic and how to configure the VMware server with the vSphere Web Client.

You must have experience with basic VMware ESX and ESXi administration to complete these procedures.

For more information about configuring networking on the Discover appliance, see the ExtraHop Admin UI Guide.

For more information about configuring the VMware vSphere server, see the Working with Port Mirroring section in the ESXi and vCenter Server 6.0 Documentation.

Configure the ExtraHop interface settings

When you configure ERSPAN, the source and destination must have an IP address on the same subnet and share a dedicated VLAN for ERSPAN. The following figure is an example of an ERSPAN configuration:

  1. Log in to the Admin UI on the Discover appliance.
  2. In the Network Settings, click Connectivity.
  3. In the Interfaces section, click Interface 1.
    Note: If you select Interface 1 for management and Interface 2 for ERSPAN, you cannot configure both interfaces on the same subnet.
  4. Select Management Port + RPCAP/ERSPAN Target from the Interface Mode drop-down list.
  5. Complete the remaining fields and then click Save.
  6. Optional: Depending on your configuration, configure or disable the remaining interfaces.
    Note: For more information about setting up network interfaces, see the Connectivity section of the ExtraHop Admin UI Guide.
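
The addressing rules in this section can be checked before you touch either system. The following is an added example, not part of the ExtraHop documentation: the function name, its parameters, and the sample addresses and VLAN IDs are assumptions constructed for illustration. It verifies that the ERSPAN source and target share a subnet and a VLAN, and that a separate management interface is not on the ERSPAN subnet.

```python
from ipaddress import ip_address, ip_interface


def check_erspan_plan(source_ip, source_vlan, target_cidr, target_vlan, mgmt_cidr=None):
    """Return a list of problems with a planned ERSPAN layout (empty list = OK).

    source_ip   -- address the mirrored traffic is sent from (vSphere side)
    target_cidr -- address/prefix of the Discover interface acting as ERSPAN target
    mgmt_cidr   -- address/prefix of a separate management interface, if one is used
    (All names here are hypothetical; they are not ExtraHop or VMware settings.)
    """
    problems = []
    source = ip_address(source_ip)
    target = ip_interface(target_cidr)

    # Rule 1: source and destination must have an IP address on the same subnet.
    if source not in target.network:
        problems.append(f"source {source} is outside target subnet {target.network}")

    # Rule 2: source and destination must share a dedicated VLAN for ERSPAN.
    if source_vlan != target_vlan:
        problems.append(f"VLAN mismatch: source {source_vlan}, target {target_vlan}")

    # Rule 3: a separate management interface cannot be on the ERSPAN subnet.
    if mgmt_cidr is not None:
        mgmt = ip_interface(mgmt_cidr)
        if mgmt.network.overlaps(target.network):
            problems.append(
                f"management subnet {mgmt.network} overlaps ERSPAN subnet {target.network}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample plans (documentation-style addresses, not from the page).
    plans = {
        "valid": ("10.10.20.5", 200, "10.10.20.10/24", 200, "192.168.1.10/24"),
        "broken": ("10.10.30.5", 200, "10.10.20.10/24", 201, "10.10.20.11/24"),
    }
    for name, plan in plans.items():
        issues = check_erspan_plan(*plan)
        print(name, "OK" if not issues else issues)
```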

Configure port mirroring on the vSphere server

  1. Log in to the vSphere Web Client and select the virtual distributed switch (VDS) from which you want to monitor traffic.
  2. Click the Manage tab, and then click Settings.
  3. Click Port Mirroring.
  4. Click New... to create a port mirroring session to mirror vSphere distributed switch traffic to specific physical switch ports.
    Tip: For detailed information about creating a port mirroring session, see your vSphere documentation.
    1. In the Select session type section, select Encapsulated Remote Mirroring (L3) Source and click Next.
    2. In the Edit properties section, specify the name, description, and session details for the new port mirroring session. Select Enabled from the Status drop-down list and then click Next.
    3. In the Select sources section, select existing ports or create new source ports and then click Next.
    4. In the Select Destinations section, click the green plus (+) sign to add the IP addresses that should receive the traffic.
    5. In the Ready to complete section, verify the settings and then click Finish.
    Tip: Consider turning off TCP segmentation offloading on the operating systems that the forwarded traffic originates from.
Published 2017-06-26 16:05