Views:

1. Introduction

Deep Discovery Inspector (DDI) and Deep Discovery Inspector Virtual Appliance (vDDI) can monitor mirrored traffic using vSphere distributed switches.

  • Supported scenarios

A total of 7 scenarios are supported for DDI hardware / virtual appliance and different SPAN types.

  • Terms of Traffic Mirroring
    • vDS (vSphere Distributed Switch) is a distributed-mode vSS (vSphere Standard Switch)
      • vDS is centralized to vCenter Server
      • Most users using VMWare takes advantages of vDS for ease of enterprise-wide management
    • Source port: also called a monitored port, is a port that you monitor for network traffic analysis
    • Destination port: a port that receives a copy of traffic from the source port

This article describes:

  • What needs to be considered to decide the scenario you use focusing on the "Virtual Appliance (vDDI)" scenarios: Scenario3 - Scenario7
  • Configuration steps summary

There are several items that needs to be considered.

  • Traffic Mirroring types
    • RSPAN (Remote SPAN): mirror traffic across layer2 network, so, RSPAN scenarios should be used within the same L2 network. If there are several L2 networks, each L2 network needs to have one vDDI.
    • RSPAN scenario requires that you configure a VLAN for RSPAN on your physical switches. If you cannot configure a VLAN, consider using ERSPAN scenario
    • ERSPAN (Encapsulated Remote SPAN): mirror traffic across layer3 network. So, the destination IP must be routable.
      • Traffic mirroring via ERSPAN consumes additional L3 bandwidth. We recommend to deploy it with a dedicated L3 resources.
    • Local SPAN (Switched Port ANalyzer): mirror traffic from source port(s) to destination port(s) on the same virtual switch. The source virtual machines and destination vDDI must be on the same ESXi host. If they are on the different ESXI host, consider using RSPAN or ERSPAN scenario.
  • For the physical switch, make sure it supports ERSPAN or RSPAN. Configure it correctly.
  • Check the traffic throughput you need to monitor. vDDI offers 3 types of license.
    • vDDI-250 (Mbps)
    • vDDI-500 (Mbps)
    • vDDI-1000 (Mbps)
      • Check that your vDDI is setup with enough resource. For the detail, refer to Installation and Deployment Guide > Chapter 6: Virtual Appliance Deployment > Virtual Host Appliance Requirements
      • Also check the Virtual Appliance Physical NIC requirements, refer to Installation and Deployment Guide > Chapter 9: Port Mirroring on a VMware Virtual Distributed Switch > Requirements for Virtual Appliances with a VDS
  • Source/Destination
    • Understand what will be mirroring source or destination based on the scenario you choose.
      • ERSPAN: the destination is always vDDI
      • RSPAN: the destination is always the switch prior to vDDI

Create a vDS and distributed port group(s) in advance. For the detail, refer to Installataion and Deployment Guide >Chapter 9: Port Mirroring on a VMware Virtual Distributed Switch > Creating a VMware vSphere Distributed Switch (VDS)

Configure the mirroring source and destination based on the scenario.:

(Scenario3): ERSPAN: Configuring Mirrored External Network Traffic Monitoring with Encapsulated Remote Mirroring

Encapsulated remote mirroring enables you to monitor traffic on multiple network interfaces or VLANs and send the monitored traffic to one or more destinations.

Here is a summary of the configuration. For the detailed steps, make sure to refer to Deep Discovery Inspector Installation and Deployment Guide: Chapter 9: Port Mirroring on a VMware Virtual Distributed Switch > Deep Discovery Inspector Virtual Appliance with a VDS > Virtual Appliance - Monitoring Mirrored External Network Traffic using a VDS > Virtual Appliance - Configuring Mirrored External Network Traffic Monitoring with Encapsulated Remote Mirroring

  1. Configure source (Physical Switch)
    1. Configure the switch to encapsulate and forward mirrored traffic to a specified destination IP ※ The destination IP must be routable from the source switch
  2. Configure destination (vDDI)
    1. Go to Administration > System Settings > Network Interface
    2. Enable target port’s Encapsulated Remote Mirroring, and type the IP set in previous step1

(Scenario4): RSPAN: Configuring Mirrored External Network Traffic Monitoring with Remote Mirroring

Remote mirroring enables you to monitor traffic on one switch through a device on another switch and send the monitored traffic to one or more destinations. Remote mirroring requires that you configure a remote mirroring VLAN on your physical switches.

For the detailed steps, make sure to refer to Deep Discovery Inspector Installation and Deployment Guide: Chapter 9: Port Mirroring on a VMware Virtual Distributed Switch > Deep Discovery Inspector Virtual Appliance with a VDS > Virtual Appliance - Monitoring Mirrored External Network Traffic using a VDS > Virtual Appliance - Configuring Mirrored External Network Traffic Monitoring with Remote Mirroring

  • 1: Before you begin, verify that the uplink ports of the ESXi hosts that receive the traffic are linked to the physical switch trunk port.
  • 2: Ensure intermediate switch(es) between the source and the destination can direct mirrored traffic
  1. Configure source (Physical Switch)
    1. Configure the switch to tag and forward mirrored traffic with a specified VLAN ID
  2. Configure destination (vDS)
    1. On vDS, add a new Remote Mirroring Destination session
    2. Add the VLAN ID set in previous step1
    3. Add the vDDI data port to receive mirrored traffic

(Scenario5): ERSPAN: Configuring Mirrored VM Traffic Monitoring with Encapsulated Remote Mirroring

Encapsulated remote mirroring enables you to monitor traffic on multiple network interfaces or VLANs and send the monitored traffic to one or more destinations.

Here is a summary of the configuration

For the detailed steps, make sure to refer to Deep Discovery Inspector Installation and Deployment Guide: Chapter 9: Port Mirroring on a VMware Virtual Distributed Switch > Deep Discovery Inspector Virtual Appliance with a VDS > Virtual Appliance - Monitoring Mirrored VM Traffic from a VDS > Virtual Appliance - Monitoring Mirrored VM Traffic from Different ESXi Hosts > Virtual Appliance - Configuring Mirrored VM Traffic Monitoring with Encapsulated Remote Mirroring

  1. Configure source (vDS)
    1. On vDS, add a new Encapsulated Remote Mirroring (L3) Source session
    2. Select Encapsulate type and source VMs
    3. Add a destination IP
      • The destination IP must be routable from the VMKernel port of the ESXi host
  2. Configure destination (vDDI)
    1. Go to Administration > System Settings > Network Interface
    2. Enable target port’s Encapsulated Remote Mirroring, and type the IP set in previous step c

(Scenario6): RSPAN: Configuring Mirrored VM Traffic Monitoring with Remote Mirroring

Remote mirroring enables you to monitor traffic on one switch through a device on another switch and send the monitored traffic to one or more destination. Remote mirroring requires that you configure a remote mirroring VLAN on your physical switches

Here is a summary of the configuration,

For the detailed steps, make sure to refer to Deep Discovery Inspector Installation and Deployment Guide: Chapter 9: Port Mirroring on a VMware Virtual Distributed Switch > Deep Discovery Inspector Virtual Appliance with a VDS > Virtual Appliance - Monitoring Mirrored VM Traffic from a VDS > Virtual Appliance - Monitoring Mirrored Traffic from Different ESXi Hosts > Virtual Appliance - Configuring Mirrored VM Traffic Monitoring with Remote Mirroring

  • 1: Before you begin, verify that the uplink ports of the ESXi hosts that receive the traffic are linked to the physical switch trunk port.
  • 2: Ensure intermediate switch(es) between the source and the destination can direct mirrored traffic
  1. Configure source (vDS)
    1. On vDS, add a new Remote Mirroring Source session
    2. Specify Encapsulation VLAN ID
    3. Select source VMs
    4. Add an uplink to send out mirrored traffic
  2. Configure destination (vDS)
    1. On vDS, add a new Remote Mirroring Destination session
    2. Add the VLAN ID set in previous step b
    3. Add the vDDI data port to receive mirrored traffic

(Scenario7): Local SPAN: Distributed Port Mirroring on a vDS (Source and Destination on the same ESXi)

The distributed port mirroring for the virtual distributed switch enables you to monitor traffic from a set of distributed ports to other distributed ports. The source virtual machines and distination DDI must be on the same ESXi host.

Here is a summary of the configuration,

For the detailed steps, make sure to refer to Deep Discovery Inspector Installation and Deployment Guide: Chapter 9: Port Mirroring on a VMware Virtual Distributed Switch > Deep Discovery Inspector Virtual Appliance with a VDS > Virtual Appliance - Monitoring Mirrored VM Traffic from a VDS > Virtual Appliance - Monitoring Mirrored Traffic from the same ESXi Hosts > Virtual Appliance - Configuring Distributed Port Mirroring on a VDS (Source and Destination on the same ESXi)

  1. Configure source and destination (vDS)
    1. On vDS, add a new Distributed Port Mirroring session
    2. Select source VMs
    3. Add the vDDI data port to receive mirrored traffic
Keywords: deploy, how to, vDDI, Deep Discovery Inspector Virtual Appliance, virtual Distributed Switch, vDS, mirrored traffic, monitor, virtual, mirrored, traffic