Configure ERSPAN with VMware

The Encapsulated Remote Switched Port Analyzer (ERSPAN) enables you to monitor traffic on multiple network interfaces or VLANs and then send the monitored traffic to one or more destinations. The ExtraHop system supports the VMware Encapsulated Remote Mirroring Source packet mirror feature, an ERSPAN-like capability.

The following procedures explain how to configure an interface on the ExtraHop system to receive ERSPAN traffic and how to configure the VMware server with the vSphere Web Client.

For more information about configuring networking on the ExtraHop system, see the ExtraHop Admin UI Guide.

For more information about configuring the VMware vSphere server, see Working with Port Mirroring in the VMware documentation.

Configure the ExtraHop interface settings

  1. Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
  2. In the Network Settings, click Connectivity.
  3. In the Interfaces section, click Interface 1.
    Note:If you select Interface 1 for management and Interface 2 for ERSPAN, you cannot configure both interfaces on the same subnet.
  4. Select Management Port + RPCAP/ERSPAN/VXLAN Target from the Interface Mode drop-down list.
  5. Complete the remaining fields and then click Save.
  6. (Optional): Depending on your configuration, configure or disable the remaining interfaces.
    Note:For more information about setting up network interfaces, see the Connectivity section in the ExtraHop Administration Guide.

Configure port mirroring on the vSphere server

  1. Log in to the vSphere Web Client and select the vSphere distributed switch (VDS) from which you want to monitor traffic.
  2. Click the Settingstab.
  3. In the Settings section, click Port Mirroring.
  4. Click New... to create a port mirroring session to mirror vSphere distributed switch traffic to specific physical switch ports.
    Tip:For detailed information about creating a port mirroring session, see your vSphere documentation.
    1. In the Select session type section, select Encapsulated Remote Mirroring (L3) Source and click Next.
    2. In the Edit properties section, configure the following settings:

      Name: Specify the name.

      Status: Select Enabled from the drop-down list.

      Encapsulation type: Select ERSPAN Type II from the drop-down list

      Note:GRE is a supported encapsulation type; however, you must configure Network Overlay Decapsulation for NVGRE on the sensor.

    3. Click Next.
    4. In the Select Ports section, select virtual ports to include in this mirror.
      Warning: Do not include any VMkernel (vmk) ports, any ports connected to the virtual Reveal(x) sensor, or any ports that might be carrying the ERSPAN data created by this mirror. Adding these ports will compound the traffic destined for the sensor, and disrupt the networking capabilities of the dvSwitch, and any hosts or interfaces participating in the dvSwitch will become permanently unavailable.
    5. Click Next.
    6. In the Select destinations section, click the plus sign (+) to add the IP address or addresses that should receive the mirrored traffic.
    7. In the Ready to complete section, verify the settings and then click Finish.
    Tip:Consider turning off TCP segmentation offloading on the operating systems where the mirrored traffic is coming from.
Published 2022-01-14 20:14