vSphere 5 How To Series: vDS Port Mirroring
August 11, 2011 by nashwj
In this installment of the vSphere 5 How To series we’ll take a look at the new port mirroring feature in the vDS (vSphere Distributed Switch). Until now you had to get a little fancy to sniff traffic or span a port with the standard vSwitch or the vDS. You could do it in hardware, assuming the traffic actually crossed a physical switch where you could configure a SPAN port, or you could use the Cisco Nexus 1000v distributed switch. With vSphere 5 you can do it with the built-in vDS.
Configuration for this is very simple. It is done from the configuration window for the main vDS. All you really have to do is set the source vDS port and your destination. You have two choices for destination:
- Another vDS port (a VM, basically)
- A physical uplink
The physical uplink choice lets you send the mirrored traffic to a physical switch and do whatever you want with it there. Notice that there is no option to send it to another IP address, as you can with the Nexus 1000v (ERSPAN). To do that you would need to send it out a physical uplink, capture it on the physical switch and encapsulate it there, so remote mirroring may be a two step process. One annoyance is that the physical uplink selection is not a specific NIC on a specific host. It is a dvUplink of the vDS, which resolves to that uplink on whichever host the source VM currently resides on. If you have 5 hosts and the VM may be moved around, you really need to monitor that uplink on all 5 hosts, or at least be prepared to do that. There is no way to say send all traffic through dvuplink3 on vSphere host 5. It’s just dvuplink3.
Let’s walk through the configuration. First, figure out what you want to mirror and then find the vDS port ID of that VM (or of the specific NIC, if the VM has more than one). You can see this in the Ports tab under the main vDS as shown here:
In this example I am going to mirror traffic from my vCenter server, named vCenter5, to a test system named ViewXP-1. Going by my vDS port mapping, that means mirroring from vDS port 100 to port 10. To do that, edit the settings on the main vDS and select the Port Mirroring tab:
Next you need to create a new port mirroring session. To do that click the Add button.
On the first General Properties screen you provide some information such as the name of the session and an optional description. You also have some other options to set:
- Allow normal IO on destination ports – Should the destination port you define handle its own normal I/O as well as receive the mirrored traffic? If this is off, the VM on the destination port gets only the mirror copy and cannot pass its own traffic through that port.
- Encapsulation VLAN – You can optionally tag the mirrored frames with another VLAN. Useful if you are sending them outside the virtual environment, since the physical switch can then keep the mirror traffic separate from your production VLANs.
- Mirrored packet length – Puts a cap on the size of each mirrored frame. Frames longer than this are truncated to that length, not fragmented, so set it to something like 64 or 128 bytes if you only want headers and do not want payloads copied to the destination; leave it unset to get whole frames.
When satisfied click Next to select your traffic mirror source.
Here you select your source port. At the top you decide which direction to mirror: ingress, egress, or both. Direction is relative to the switch, so ingress is traffic entering the vDS from the port (what the VM sends) and egress is traffic leaving the vDS to the port (what the VM receives). In the Port IDs field enter the port IDs you want to mirror; you can enter more than one. Click the arrow to shift them to the column on the right, then click Next to choose your destination.
This window is very similar to the last one. If you choose Port as your destination, type the port ID in the left field and move it to the right. You can instead, or in addition, select a physical uplink as shown in the screenshot. Note again that there is no selection for host, only uplink. When you are finished, choose Next.
You will then see the final window and have the option to enable the mirroring session right away. You can set up many different sessions and leave them disabled until you need them, so if there is something you need to mirror often you can keep its session defined but disabled and not have to configure it every time. Remember that anyone with rights to edit the vDS can turn a defined session on, so keep an eye on which sessions exist when you review a switch.
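The same session the walkthrough above builds in the GUI, created through the vSphere API from PowerCLI. This is an added example, not code from the original post; it assumes a vDS named dvSwitch, a vCenter reachable as vcenter.example.local, the VM names vCenter5 and ViewXP-1 from the walkthrough, and a dvUplink named dvUplink3. It reads the port ID (the API calls it the port key) straight from each VM's NIC backing instead of copying it from the Ports tab, mirrors both directions, creates the session disabled, and includes a small function to switch it on or off later.

```powershell
# Added example: create a vDS port mirroring (VSPAN) session with PowerCLI.
# Assumed names: vcenter.example.local, dvSwitch, vCenter5, ViewXP-1, dvUplink3.
Connect-VIServer -Server vcenter.example.local

# The "Port ID" shown in the vDS Ports tab is the port key in the API.
function Get-VDSPortKey {
    param([Parameter(Mandatory)][string]$VMName)
    $nic = Get-NetworkAdapter -VM $VMName | Select-Object -First 1
    $backing = $nic.ExtensionData.Backing
    if (-not ($backing -is [VMware.Vim.VirtualEthernetCardDistributedVirtualPortBackingInfo])) {
        throw "$VMName is not connected to a distributed switch port"
    }
    return $backing.Port.PortKey
}

# Apply a list of VSPAN operations to the switch. ConfigVersion is mandatory:
# vCenter rejects the change if someone else modified the vDS in between.
function Invoke-VDSVspanConfig {
    param(
        [Parameter(Mandatory)]$Vds,                                      # Get-View object
        [Parameter(Mandatory)][VMware.Vim.VMwareDVSVspanConfigSpec[]]$Specs
    )
    $spec = New-Object VMware.Vim.VMwareDVSConfigSpec
    $spec.ConfigVersion = $Vds.Config.ConfigVersion
    $spec.VspanConfigSpec = $Specs
    $Vds.ReconfigureDvs($spec)
    $Vds.UpdateViewData()
}

# Enable or disable an existing session by name (operation "edit").
function Set-VDSVspanSessionEnabled {
    param(
        [Parameter(Mandatory)]$Vds,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $session = $Vds.Config.VspanSession | Where-Object { $_.Name -eq $Name }
    if (-not $session) { throw "No port mirroring session named $Name on $($Vds.Name)" }
    $session.Enabled = $Enabled
    $edit = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
    $edit.Operation = 'edit'
    $edit.VspanSession = $session
    Invoke-VDSVspanConfig -Vds $Vds -Specs @($edit)
}

$vds       = Get-View -ViewType VmwareDistributedVirtualSwitch -Filter @{ Name = '^dvSwitch$' }
$sourceKey = Get-VDSPortKey -VMName 'vCenter5'    # port 100 in the walkthrough
$destKey   = Get-VDSPortKey -VMName 'ViewXP-1'    # port 10 in the walkthrough

$session = New-Object VMware.Vim.VMwareVspanSession
$session.Name                 = 'mirror-vcenter5'
$session.Description          = 'Mirror vCenter5 to ViewXP-1 for packet capture'
$session.Enabled              = $false   # define it now, enable it when needed
$session.NormalTrafficAllowed = $true    # "Allow normal IO on destination ports"
# Optional knobs from the General Properties screen:
# $session.EncapsulationVlanId = 999     # tag mirrored frames with VLAN 999
# $session.MirroredPacketLength = 128    # truncate each copy to 128 bytes (headers only)

# Source: both directions. Direction is relative to the switch port, the same
# convention the vDS uses for traffic shaping (assumed mapping to the GUI):
#   SourcePortReceived    = frames the vDS receives from the port  (GUI "Ingress")
#   SourcePortTransmitted = frames the vDS transmits to the port   (GUI "Egress")
$rx = New-Object VMware.Vim.VMwareVspanPort; $rx.PortKey = @($sourceKey)
$tx = New-Object VMware.Vim.VMwareVspanPort; $tx.PortKey = @($sourceKey)
$session.SourcePortReceived    = $rx
$session.SourcePortTransmitted = $tx

# Destination: the ViewXP-1 port, plus (optionally) a dvUplink. The uplink is
# resolved on whichever host currently runs the source VM, not on a fixed host.
$dst = New-Object VMware.Vim.VMwareVspanPort
$dst.PortKey        = @($destKey)
$dst.UplinkPortName = @('dvUplink3')
$session.DestinationPort = $dst

$add = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
$add.Operation    = 'add'
$add.VspanSession = $session
Invoke-VDSVspanConfig -Vds $vds -Specs @($add)

# Review every session defined on the switch, enabled or not, then turn ours on.
$vds.Config.VspanSession | Select-Object Name, Enabled,
    @{ n = 'Src';  e = { ($_.SourcePortReceived.PortKey + $_.SourcePortTransmitted.PortKey | Sort-Object -Unique) -join ',' } },
    @{ n = 'Dest'; e = { ($_.DestinationPort.PortKey + $_.DestinationPort.UplinkPortName) -join ',' } }
Set-VDSVspanSessionEnabled -Vds $vds -Name 'mirror-vcenter5' -Enabled $true
```

The listing at the end is the audit step: it shows each session's name, state, source port keys and destinations, which is what you want to check on a vDS regardless of whether you created the sessions yourself. Run Set-VDSVspanSessionEnabled with -Enabled $false when the capture is done.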
When a session is active you can see the configuration here on the Port Mirroring tab again. Finally, a screenshot showing the results.
Exciting, huh? This is a screenshot of Wireshark on the ViewXP-1 VM. I filtered it down to traffic to/from 192.168.200.32, which was a system I was using to test and from which I pinged vCenter. You can see the vCenter5 traffic (192.168.200.203) being mirrored to this VM. One thing to note is that you do not need to enable Promiscuous Mode or anything like that on the vDS port group: no default setting needs to be changed for port mirroring to work. That is also the nicer way to get a copy of a port’s traffic, because promiscuous mode exposes every frame in the port group to any VM on it, whereas a mirroring session copies exactly the ports you named to exactly the destination you named.
Finally, I did a video demonstration of the feature as well.