Jasonnash
11 August, 2011

vSphere 5 How To Series: vDS Port Mirroring

In this installment of the vSphere 5 How To series we’ll take a look at the new port mirroring feature in the vDS (vSphere Distributed Switch).  Up until now you had to get a little fancy to do traffic sniffing and port spanning with the normal vSwitch or vDS.  You could do it in hardware, assuming the traffic flowed across a hardware switch, or you could use the Cisco Nexus 1000v distributed switch.  Now with vSphere 5 you can do it with the standard vDS.

Configuration for this is very simple.  It is done from the configuration window for the main vDS.  All you really have to do is set the source vDS port and your destination.  You have two choices for destination:

  • Another vDS port (a VM, basically)
  • A physical uplink
The choice of a physical uplink lets you send the mirrored traffic to a physical switch and then do whatever you want with it there.  Notice that there is no option to send to another IP address, like you can with the Nexus 1000v.  To do that you’d need to send it out a physical uplink and then capture it on the physical switch and encapsulate it there.  So for some remote mirroring you may need to do a two-step process.  One annoyance is that the physical uplink selection isn’t the uplink on a specific host.  It’s that uplink on whichever host the VM currently resides on.  That means if you have 5 hosts and your VM may be moved around then you really need to monitor those 5 uplinks, or at least be prepared to do that.  There is no way to say “send all traffic through dvuplink3 on vSphere host 5.”  It’s just dvuplink3.

Let’s walk through the configuration.  First, you need to figure out what you want to mirror and then find that VM’s (and/or NIC’s) vDS port ID.  You can see this in the Ports tab under the main vDS as shown here:

In this example I am going to mirror traffic from my vCenter server, named vCenter5, to a test system named ViewXP-1.  Going by my vDS port mapping, that means I am going to mirror from vDS port 100 to port 10.  To do that, edit the settings on the main vDS and select the Port Mirroring tab:

Next you need to create a new port mirroring session.  To do that click the Add button.

On the first General Properties screen you provide some information such as the name of the session and an optional description.  You also have some other options to set:

  • Allow normal IO on destination ports – Do you want the destination port you define to handle normal I/O as well as receive mirror traffic?
  • Encapsulation VLAN – You can optionally encapsulate the mirror traffic into another VLAN.  Useful if you are sending it outside your virtual environment.
  • Mirrored packet length – If you need to change the packet size that holds the mirrored traffic you can set that here and it will be fragmented as needed.
When satisfied click Next to select your traffic mirror source.

Here you select your source port.  At the top you can decide which traffic flow you want to mirror, ingress, egress, or both.  In the Port IDs field enter the port IDs you want to mirror.  You can enter more than one.  Click the arrow to shift them to the column on the right.  Click Next to choose your destination.

This window is very similar to the last one.  If you choose Port as your destination you just type it in the left field and move it to the right.  You can also, instead of or in addition to a port, select a physical uplink as shown in the screenshot.  Note again, there is no selection for host, only uplink.  When you are finished choose Next.

You will then see the final window and have the option to go ahead and enable this mirroring session.  You can set up many different sessions but leave them disabled until you need them.  So if there is something you need to mirror often you can leave the session disabled and not have to configure it every time.
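The same session can be built without the wizard by submitting a port-mirroring (VSPAN) session to the vDS through the vSphere API. The following PowerCLI script is an added example, not code from the original post or from VMware; it uses Get-View because PowerCLI of this era has no dedicated port-mirroring cmdlets, and it assumes an existing Connect-VIServer session. The switch name, port keys and uplink name are placeholders taken from the walkthrough above; the assumption that the submitted session array replaces the switch's current session list (so existing sessions must be carried along) is noted in the comments. The last loop lists the hosts attached to the switch, since an uplink destination means “that uplink on whichever host the source VM lives on”, and the collector has to reach that uplink's pNIC on every one of them.

```powershell
# Added example (not from the original post): create a vDS port-mirroring
# session through the vSphere API from PowerCLI. Assumes Connect-VIServer
# has already been run. Names and port keys below are assumptions; take the
# real values from the Ports tab of your vDS.
$vdsName        = 'dvSwitch01'   # assumed vDS name
$sourcePortKey  = '100'          # vDS port of the VM to mirror (vCenter5 in the post)
$destPortKey    = '10'           # vDS port of the capture VM (ViewXP-1 in the post)
$destUplinkName = 'dvUplink3'    # optional physical uplink destination; set to $null to skip

$vds = Get-View -ViewType VmwareDistributedVirtualSwitch -Filter @{ 'Name' = "^$vdsName$" }
if (-not $vds) { throw "vDS '$vdsName' not found" }

# --- General Properties page of the wizard ---
$session = New-Object VMware.Vim.VMwareVspanSession
$session.Name                 = 'Mirror-vCenter5'
$session.Description          = 'Mirror vCenter5 traffic to ViewXP-1'
$session.Enabled              = $true    # the final wizard page's enable checkbox
$session.NormalTrafficAllowed = $true    # "Allow normal IO on destination ports"
# Optional settings from the same page; leave unset for the defaults.
# $session.EncapsulationVlanId  = 200   # "Encapsulation VLAN" (assumed VLAN id)
# $session.MirroredPacketLength = 128   # "Mirrored packet length" (assumed value)

# --- Source page: mirror both directions; set only one of the two for a single direction ---
$srcIn  = New-Object VMware.Vim.VMwareVspanPort
$srcIn.PortKey  = @($sourcePortKey)
$srcOut = New-Object VMware.Vim.VMwareVspanPort
$srcOut.PortKey = @($sourcePortKey)
$session.SourcePortReceived    = $srcIn    # ingress
$session.SourcePortTransmitted = $srcOut   # egress

# --- Destination page: a vDS port and/or a physical uplink (uplink only, no host) ---
$dst = New-Object VMware.Vim.VMwareVspanPort
$dst.PortKey = @($destPortKey)
if ($destUplinkName) { $dst.UplinkPortName = @($destUplinkName) }
$session.DestinationPort = $dst

# --- Submit the reconfiguration ---
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.ConfigVersion = $vds.Config.ConfigVersion
# Assumption: the VspanSession array in the spec replaces the switch's session
# list, so append to the existing sessions rather than submitting only the new one.
$spec.VspanSession = @($vds.Config.VspanSession) + $session
$vds.ReconfigureDvs($spec)

# --- Which pNICs must the collector reach? Every host on the switch, because the
#     uplink destination follows the source VM wherever it is running. ---
$vds.UpdateViewData()
foreach ($member in $vds.Config.Host) {
    $hostName = (Get-View $member.Config.Host -Property Name).Name
    $pnics = ($member.Config.Backing.PnicSpec | ForEach-Object { $_.PnicDevice }) -join ', '
    '{0}: pNICs on {1}: {2}' -f $hostName, $vdsName, $pnics
}
```

Disabled-but-configured sessions, as recommended above, are the same objects with `Enabled = $false`; flipping that flag and resubmitting the spec with a fresh `ConfigVersion` is all it takes to turn one on later.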

When a session is active you can see the configuration here on the Port Mirroring tab again.  Finally, a screenshot showing the results.

Exciting, huh?  Well, this is a screenshot of Wireshark from the ViewXP-1 VM.  I filtered it down to show things to/from the IP 192.168.200.32, which was a system I was using to test and from which I pinged vCenter.  You can see vCenter5 traffic (192.168.200.203) being mirrored to this VM.  One thing to note is that you do not need to enable Promiscuous Mode or anything like that on the vDS port group.  No default setting needs to be changed for port mirroring to work.

Finally, I did a video demonstration of the feature as well.

[youtube=http://www.youtube.com/watch?v=lExdHJR266c]

9 thoughts on “vSphere 5 How To Series: vDS Port Mirroring”

  1. Great post and walk-through on the setup! This is a much needed feature!

    One question I had around this was about sending traffic from multiple VM’s out a dvUplink port. Say I have a port mirror setup to collect on two different ports (can be on the same or different port group, doesn’t really matter). Those two ports correspond to VM-A which is located on Host-A, and VM-B which is located on Host-B. The destination for this will be an uplink port, so say dvUplink1.

    In this case, is it going to send out mirrored traffic for VM-A to Host-A’s pNIC connected to dvUplink1 and VM-B’s traffic to Host-B’s pNIC on dvUplink1? Or will it aggregate the traffic and only send it out one pNIC?

    If that’s the case, I need connections from both hosts to run back to a physical box that is collecting traffic. Just playing a scenario out in my head and figured I’d see if you had tested this use case at all.

  2. Are there limitations to the port mirroring in vSphere 5? For example, on a typical Cisco switch, you cannot send the same source to multiple different destinations and you can only do two SPAN sessions.

    1. I know this is an older post, but I’ve confirmed with VMware support that there is one limitation. Even when using distributed virtual switches, if you are capturing traffic on another VM as Jason did in his example and you have multiple ESX hosts, you will need to migrate your sniffing VM to the same physical host as your target, even if it’s on the same distributed virtual switch and port group. Apparently this is a known issue at this time, even with Update 1.
