
Mirroring traffic from a physical switch to a virtual sensor (vSensor)

Traffic from a physical switch can be mirrored to a Vectra Cognito vSensor running on a VMware ESXi hypervisor host in two ways.

The first method uses a dedicated physical NIC on the host chassis, cabled to the switch's mirror (SPAN destination) port, to carry the tagged or untagged mirrored traffic to the vSensor. The second method carries the mirrored traffic inside a VLAN that is trunked over an existing link to the host.

Method 1: Dedicated link to ESXi host

A dedicated link from the physical switch to the ESXi host normally calls for a dedicated vSwitch: the capture port group must pass every VLAN tag through (VLAN ID 4095) and must run in promiscuous mode, and giving it its own vSwitch keeps promiscuous mode away from port groups that carry production VMs. The following procedure outlines the ESXi network configuration required.

Step 1:  Add a new virtual switch

To add a new virtual switch, open the "Networking" menu and choose "Add standard virtual switch":

image1.png

Create the new vSwitch, choosing as the Uplink the physical NIC that is cabled to the switch's mirror output port. Do not add any production uplinks to this vSwitch.

Under Security settings, set "Promiscuous mode" to Accept. Without it the vSwitch delivers only frames addressed to the vSensor's own MAC address and silently drops the mirrored traffic:

image2.png

Step 2: Create port group for capture interface

On the "Port groups" tab, click "Add port group":

image3.png

Enter VLAN ID 4095. On a standard vSwitch this value (Virtual Guest Tagging) passes frames from every VLAN trunked over the physical link to the vSensor with their 802.1Q tags intact; frames on the switch's native VLAN arrive untagged.

Select the virtual switch created in the previous step for "Virtual switch".

Leave the port group's security settings inheriting from the vSwitch, so that the promiscuous mode enabled in Step 1 applies to the capture port.

Step 3:  Configure vSensor's Network Adapter

Edit the settings of the Cognito vSensor.

Select the newly created port group in the previous step for the appropriate capture interface:

image4.png

Click "Save".

Step 4:  Verify vSensor is receiving packets

Log in to the vSensor's CLI (the default credentials are documented in a separate article; change them after the first login).

Run "show traffic stats" and verify that the capture interface is receiving traffic as expected. If the counters stay at zero, confirm that the uplink NIC is the one cabled to the switch's mirror port and that promiscuous mode on the vSwitch is set to Accept.

image5.png

Method 2: Utilizing a VLAN tag over an existing trunked link

When a dedicated physical link between the switch and the ESXi host is not desired or possible, most switches can instead send a mirror session's output into a VLAN (remote SPAN, or RSPAN, in Cisco terms) that is already trunked to the host.

Physical switch configuration

Configuration on the physical network varies by deployment and network vendor. As an example, on a Cisco Catalyst switch, traffic from a physical port can be mirrored into an RSPAN VLAN using a configuration similar to the one below.

Please note that this example configuration may not work for your switch; contact your switch vendor before making any changes, and pay particular attention to the feature set of the physical switch and the software version it is running. Note also that an RSPAN VLAN is flooded to every trunk that carries it and contains a full copy of the mirrored production traffic: restrict "switchport trunk allowed vlan" so that only the trunk to the ESXi host carries it, and never place access ports in it.

! Example Cisco switch configuration for RSPAN to VLAN
interface GigabitEthernet0/2
 description ESX hypervisor
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan <INTERNAL VLAN list of Company plus the RSPAN VLAN 4000>
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 spanning-tree guard root
!
interface GigabitEthernet0/3
 description Server port
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan <INTERNAL VLAN list of Company>
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 spanning-tree guard root
!
vlan 4000
 name rspan
 remote-span
!
monitor session 1 source interface GigabitEthernet0/3 both
monitor session 1 destination remote vlan 4000
end

Step 1:  Create the Port group

Create a port group for the vSensor's capture interface.

In ESXi's Networking menu, choose "Port groups" tab.

Click on "Add port group".

Enter the VLAN ID that the switch is mirroring traffic into (4000 in this example). With a specific VLAN ID the vSwitch strips the 802.1Q tag before delivering frames to the vSensor.

Choose the appropriate Virtual switch that has the physical link trunking the VLAN.

Under "Security", override the vSwitch policy on this port group only and set "Promiscuous mode" to Accept. Do not enable it on the whole vSwitch: every VM attached to a promiscuous vSwitch could then read the mirrored traffic, along with any other frames on its VLAN:

image6.png

Step 2:  Configure the vSensor

Edit the settings of the vSensor.

Select the newly created port group in the previous step for the appropriate capture interface:

image7.png

Click "Save".

Step 3:  Verify vSensor is receiving packets

Log in to the vSensor's CLI (the default credentials are documented in a separate article; change them after the first login).

Run "show traffic stats" and verify that the capture interface is receiving traffic as expected. If the counters stay at zero, confirm that the RSPAN VLAN is in the allowed VLAN list of the trunk to the host and that the port group's VLAN ID matches it.

image5.png
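For hosts administered over SSH or by script, the two ESXi procedures above can be done with esxcli instead of the web client. The script below is an added example, not Vectra's or VMware's own tooling; the vSwitch, uplink and port group names (vSwitch_Capture, vmnic3, Capture_AllVLANs, vSwitch0, Capture_RSPAN4000) are assumptions for illustration. It prints the commands it would run and executes them only when APPLY=1 is set, so it can be reviewed on any POSIX shell first.

```shell
#!/bin/sh
# Added example, not Vectra's or VMware's own tooling: the esxcli equivalent of
# the two ESXi procedures above. Every name below is an assumption:
#   vSwitch_Capture  dedicated standard vSwitch for the mirror link (Method 1)
#   vmnic3           host NIC cabled to the switch's SPAN destination port (Method 1)
#   vSwitch0         existing vSwitch whose uplink trunk carries the RSPAN VLAN (Method 2)
# Commands are printed only; set APPLY=1 in the ESXi shell to execute them.

ESXCLI="${ESXCLI:-esxcli}"

# Print the command, and run it only when APPLY=1.
run() {
    echo "+ $*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    fi
}

# Accepts what ESXi accepts in a port group: 0 (untagged), 1-4094 (one VLAN,
# tag stripped by the vSwitch), or 4095 (Virtual Guest Tagging, all tags kept).
valid_vlan() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 4095 ]
}

# An RSPAN VLAN has to be one real VLAN: 4095 would pass every VLAN and 0 none.
rspan_vlan_ok() {
    valid_vlan "$1" && [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Method 1: dedicated vSwitch with a single uplink (the mirror link),
# promiscuous mode on the vSwitch, and a VLAN 4095 capture port group.
# Usage: method1_dedicated_link VSWITCH UPLINK PORTGROUP
method1_dedicated_link() {
    vswitch="$1"; uplink="$2"; pg="$3"
    run "$ESXCLI" network vswitch standard add --vswitch-name="$vswitch"
    run "$ESXCLI" network vswitch standard uplink add --uplink-name="$uplink" --vswitch-name="$vswitch"
    # vSwitch-wide promiscuous mode is acceptable only because this vSwitch
    # will never carry anything but the capture port group.
    run "$ESXCLI" network vswitch standard policy security set --vswitch-name="$vswitch" --allow-promiscuous=true
    run "$ESXCLI" network vswitch standard portgroup add --portgroup-name="$pg" --vswitch-name="$vswitch"
    run "$ESXCLI" network vswitch standard portgroup set --portgroup-name="$pg" --vlan-id=4095
    # Effective policy on the capture port group (inherited from the vSwitch).
    run "$ESXCLI" network vswitch standard portgroup policy security get --portgroup-name="$pg"
}

# Method 2: capture port group on an existing trunked vSwitch, tagged with the
# RSPAN VLAN. Promiscuous mode is overridden on this port group alone, so the
# production port groups on the same vSwitch keep the default Reject and their
# VMs cannot read the mirrored traffic.
# Usage: method2_rspan_vlan VSWITCH PORTGROUP VLAN
method2_rspan_vlan() {
    vswitch="$1"; pg="$2"; vlan="$3"
    if ! rspan_vlan_ok "$vlan"; then
        echo "RSPAN VLAN must be a single VLAN ID in 1-4094, got '$vlan'" >&2
        return 1
    fi
    run "$ESXCLI" network vswitch standard portgroup add --portgroup-name="$pg" --vswitch-name="$vswitch"
    run "$ESXCLI" network vswitch standard portgroup set --portgroup-name="$pg" --vlan-id="$vlan"
    run "$ESXCLI" network vswitch standard portgroup policy security set --portgroup-name="$pg" --allow-promiscuous=true
    run "$ESXCLI" network vswitch standard portgroup policy security get --portgroup-name="$pg"
}

case "${1:-}" in
    method1) method1_dedicated_link "$2" "$3" "$4" ;;
    method2) method2_rspan_vlan "$2" "$3" "$4" ;;
    *) echo "usage: $0 method1 VSWITCH UPLINK PORTGROUP | method2 VSWITCH PORTGROUP VLAN" >&2 ;;
esac
```

Saved as mirror.sh (an assumed filename), `sh mirror.sh method2 vSwitch0 Capture_RSPAN4000 4000` prints the commands and `APPLY=1 sh mirror.sh method2 vSwitch0 Capture_RSPAN4000 4000` applies them in the ESXi shell. Before blaming the vSensor for empty counters, `pktcap-uw --uplink vmnic3 --count 20` on the host shows whether mirrored frames are reaching the uplink at all, which separates a switch-side SPAN problem from a vSwitch or port group one.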
