
© 2018 ExtraHop Networks, Inc. All rights reserved.

Configure RSPAN with VMware

Published: 2018-04-19

A Remote Switched Port Analyzer (RSPAN) enables you to monitor traffic on one switch through a device on another switch, and then send the monitored traffic to one or more destinations. The following procedures explain how to configure RSPAN in a VMware environment for a virtual ExtraHop Discover appliance.

Before you begin

• You must have experience with basic VMware ESX and ESXi administration through the VMware vSphere Web Client to complete these procedures.

• This configuration requires an uplink port (or hardware NIC) to be attached to the switch (preferably one that is not designated for general network traffic).

For information about configuring the VMware vSphere server, see the Working with Port Mirroring section in the ESXi and vCenter documentation for your version of VMware.

For information about configuring VMware with a Discover appliance, see Deploy the ExtraHop Discover Appliance with VMware.

The following steps outline the key procedures that are required to configure RSPAN with VMware for an ExtraHop Discover appliance. Note that procedures in these steps might vary between versions of VMware.

1. Create a virtual distributed switch (VDS)

2. Add port groups to the VDS

3. Add a host to the VDS

4. Add uplink ports to the VDS

5. Configure a port mirror on the VDS

6. Associate a physical NIC to the uplink port

Note: While these steps are required for RSPAN configuration, most deployments have completed the first four steps prior to installing the ExtraHop Discover appliance.

Create a virtual distributed switch

Complete the following steps to create a virtual distributed switch (VDS). The VDS carries traffic from your virtual machines (VM) to your physical network and to other VMs.

1. Log into the vSphere Web Client.

2. In the left panel, click Distributed Switches.


3. Above the list of switches, click the Create a new distributed switch icon.

4. In the New Distributed Switch window, type a name for the switch, select the destination server, and then click Next.

5. Select the distributed switch version and click Next.


6. Edit the following settings:

a) Set the Number of uplinks to two or more if your SPAN traffic is on a dedicated NIC, which is the recommended configuration. Otherwise, set this value to 1.

b) Click the Network I/O Control drop-down list and select one of the following options.

Disabled

If your SPAN traffic is on a dedicated NIC. (Recommended)

Enabled

If your SPAN traffic is on the same NIC as your monitored traffic.

Add port groups to the VDS

Complete the following steps to add port groups when you deploy a new virtual machine or add a new ESX host into your VDS environment. Port groups enable you to properly associate the new machine or host to the port group immediately.

1. Click the Create a new distributed port group icon.

2. In the New Distributed Port Group window, type a name for the port group and click Next.

3. Configure the following settings:


a) Click the Port binding drop-down list and select Static binding.

b) Click the Port allocation drop-down list and select Fixed.

c) In the Number of ports field, type the number of ports you want to connect.

d) Leave the default settings for the remaining items.

e) Click Next.

4. Verify your settings and click Finish.

The new port group appears on the Manage tab.

5. Repeat these steps for any additional port groups.

Add a host to the VDS

Complete the following steps to add a host to the VDS. Skip this procedure if all hosts have already been added to the cluster. We recommend that you dedicate one uplink for management and one uplink for spanning.

1. In the left panel tree control, click the switch.

2. Click the Manage tab.

3. Click Settings.

4. Click the Add Hosts icon.

5. In the Add and Manage Hosts dialog box, click the Add Hosts radio button and click Next.

6. Click the green + icon to add a host.

7. In the list of available hosts, select the checkbox next to the host and click OK.


8. Select the host from the list and click Next.

9. Select the checkboxes next to the network adapters you want to add to the host and click Next.

10. Assign one of the NICs to the management port group.

a) Select the network adapter from the list and click the Assign Port Group icon.

b) In the Select Network pop-up window, select the port group to assign to the network adapter for management.

c) Assign one NIC to the monitoring port group.

11. Select the network adapter from the list and click the Assign Port Group icon.

12. In the Select Network pop-up window, select the port group to assign to the network adapter for monitoring.

13. After you have assigned each adapter to a Destination Port Group (in the far right column), click Next.

14. On the Validate Changes screen, verify that the status has passed and click Next.

15. Select the Migrate Virtual Machine Networking checkbox.

The list of virtual machines appears.

16. Click the Assign Port Group icon and assign a network adapter for management and a network adapter for monitoring, and click Next.

17. Verify your settings and click Finish.

18. View the progress bar in the right panel and wait for the system to add the host.

The following figure shows an example configuration.

Add uplink ports to the VDS

Complete the following steps to add an uplink port to the VDS. You must assign one uplink port to the VDS for each associated host.

1. Browse to a host in the vSphere Web Client.

2. Click the Manage tab, and then select Networking > Virtual Switches.

3. From the list, select the distributed switch you want to add an uplink port to.

4. Click Manage the physical network adapters.

5. Click Add.

6. From the list, select a network adapter and then select the uplink port from the drop-down menu that you want to assign to the network adapter.

7. Click OK.

Configure a port mirror

Complete the following steps to configure a port mirror to view traffic on the VDS, to configure the local switch to view external traffic, and to configure the ExtraHop virtual Discover appliance to do a combination of both. The ExtraHop virtual Discover appliance can be deployed in environments with multiple ESX servers connected with a virtual distributed switch (VDS).

The ExtraHop Discover appliance must be deployed on an ESX host managed by vCenter with a VDS already configured. For more information about virtual distributed switches, see the following VMware documentation: http://www.vmware.com/products/datacenter-virtualization/vsphere/distributed-switch.html.

Port mirroring with VMware requires the source port and destination port to be on the same ESX host; therefore, the virtual Discover appliance must be on each host that has mirrored ports. The following diagram describes which traffic type is mirrored based on the mirror's destination port's host location.

1. Access the virtual distributed switch.

a) Open vSphere and log into vCenter.

b) Under Inventory, click Networking, and select the VDS you want to monitor.

2. Optional: Create a new port group. We recommend that you collect all ports for monitoring in one port group.

a) Right-click the name of the VDS and select New Port Group.

b) Give the VDS a name and choose the number of ports you want to make available. The default number of ports is 128, but we recommend that you set this number lower to reflect the likely number of traffic mirroring ports.

3. Assign the ExtraHop VM to the port group.

a) Change the Inventory setting to Hosts and Clusters.

b) Right-click the ExtraHop VM on the ESX host and select Edit Settings.

c) Change the Ethernet 2 (capture port) setting to the new port group and click OK.

4. Verify the VM and port group assignment.

a) Return to the Networking section and select Monitor Port Group.

b) Click the Ports tab. The ExtraHop monitor interface is displayed and assigned to a port.

c) Note the port ID for a later step (such as 282 in the example below). This ID will be the destination for the port mirror configuration.

5. Find the set of source ports. The source ports can be a continuous range of ports or a specific port, but the ports cannot be uplink ports. Ports can be unassigned, but they have to exist. To find the ports you want to assign, select the VDS in the tree control and click the Ports tab. (If you only want to send ports from specific port groups, you can view the ports associated with each port group.)

The ports in the figure below are sorted by name to show all the uplink ports and to ensure that these ports are not in range. Note the range.

6. Configure the port mirror.

a) Right-click the name of the VDS and select Edit Settings.

b) In the Settings dialog box, click the Port Mirroring tab.

c) Click Add, type a name, and then complete the Port Mirror Wizard.

d) Choose the source ports.

e) Select the destination port, which is the port associated with the Discover appliance.

f) Review the results and click Finish.

g) Click OK to push the changes to the ESX servers.

All ports in the source list that are on the same physical ESX host as the destination port will be monitored. Traffic on ESX hosts remote to the destination port will not be monitored unless the ESX hosts communicate with ports mirrored on the destination's host.

The ExtraHop virtual appliance will now monitor all data going in and out of each port on the active ports you have defined. Check for errors in the status pane at the bottom of the screen, and if necessary, repeat the setup in the Port Mirror Wizard.

The following cases might cause errors during setup:

• Non-instantiated ports in the range.

• Ports that are Uplink ports for the source.

• Source or destination ports that have the promiscuous flag enabled.

• Destination assignments to an already-assigned destination.

• More than 4000 ports in your source list. (In this case, the Port Mirror Wizard errors out and you will need to recreate the mirror setup with a smaller range.)

To send more ports, edit the current port mirror. If the port count for that port mirror is over 4000, we recommend that you associate another interface from the VM to the monitor port group with an EDA 2000v and create a separate mirror for that interface. Sending different ports to different capture ports is not recommended because traffic between the mirrored source ports might not be complete or might result in multiple devices.
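The same-host rule and the setup error cases above can be checked before running the Port Mirror Wizard. The following Python sketch is an added example, not part of the ExtraHop guide or of any VMware tool; the Port record, SAMPLE_INVENTORY, the host names and check_mirror_plan are hypothetical, the inventory is constructed, and port 282 reuses the guide's example destination ID.

```python
from dataclasses import dataclass

MAX_SOURCE_PORTS = 4000  # limit from the error list in this guide

@dataclass
class Port:
    port_id: int
    host: str                 # ESX host the port is on; "" if unassigned
    uplink: bool = False
    promiscuous: bool = False

# Constructed sample inventory (not real vCenter output).
SAMPLE_INVENTORY = [
    Port(100, "esx-a"), Port(101, "esx-a"), Port(102, "esx-b"),
    Port(103, ""), Port(105, "esx-a", promiscuous=True),
    Port(200, "esx-a", uplink=True), Port(282, "esx-a"),
]

def check_mirror_plan(inventory, source_ids, dest_id, used_destinations=()):
    """Return (errors, monitored, unmonitored) for a proposed port mirror."""
    ports = {p.port_id: p for p in inventory}
    errors = []
    if len(source_ids) > MAX_SOURCE_PORTS:
        errors.append(f"{len(source_ids)} source ports exceeds limit of {MAX_SOURCE_PORTS}")
    missing = [i for i in source_ids if i not in ports]
    if missing:
        errors.append(f"non-instantiated source ports: {missing[:5]}")
    present = [ports[i] for i in source_ids if i in ports]
    uplinks = [p.port_id for p in present if p.uplink]
    if uplinks:
        errors.append(f"uplink ports in source list: {uplinks}")
    dest = ports.get(dest_id)
    if dest is None:
        errors.append(f"destination port {dest_id} does not exist")
    elif dest_id in used_destinations:
        errors.append(f"destination port {dest_id} is already a mirror destination")
    promisc = [p.port_id for p in present + ([dest] if dest else []) if p.promiscuous]
    if promisc:
        errors.append(f"promiscuous flag enabled on ports: {promisc}")
    # Only sources on the destination's ESX host are mirrored; the rest
    # (other hosts, or unassigned ports) produce no traffic at the sensor.
    candidates = [p for p in present if not p.uplink]
    monitored = [p.port_id for p in candidates if dest and p.host == dest.host]
    unmonitored = [p.port_id for p in candidates if not dest or p.host != dest.host]
    return errors, monitored, unmonitored

if __name__ == "__main__":
    print(check_mirror_plan(SAMPLE_INVENTORY, list(range(100, 104)), 282))
    print(check_mirror_plan(SAMPLE_INVENTORY, [100, 104, 105, 200], 282, {282}))
```

A non-empty unmonitored list is a coverage gap rather than a setup error: the wizard accepts those ports, but their traffic reaches the Discover appliance only if another appliance sits on their host.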

Associate a physical NIC to the uplink port

Complete the following steps for each host to associate the physical VMNIC with the new uplink port for port mirroring.

1. Browse to the vCenter hosts tree control and select Hosts.

2. Select the host you want to configure.


3. Select the Manage tab and click Networking.

4. In the left pull-out tree control, select Virtual Switches and select your VDS from the list.

5. Click the Add host networking icon.

6. In the Add Networking pop-up window, select the Physical Network Adapter radio button, and click Next.

7. On the Select target device screen, click Browse.


8. In the Select Switch pop-up window, select the VDS, and click OK.

9. Click Next.

10. Select the uplink port and click the green + icon.

11. From the Uplink port drop-down list, select Span Out, select the VMNIC, and then click OK.

12. Click Next.

13. Verify your settings and click Finish.

14. Repeat these steps for each host in your VDS.

The following figure shows an example configuration of uplink ports associated with physical NICs.
