VMware Cloud Community
lonelysysop
Contributor

Trying to figure out port mirroring... help!

Working with 7.0 vSphere cluster.

Across the cluster I have 2 vDS with multiple vDPG. Most vDPGs are tagged VLANs, some are not... shouldn't really matter for what I am doing. I have a VM pinned to each host in the cluster with an interface that is intended to be where all captured traffic flows.

How do I setup a port mirror that captures all traffic for a vDS that would capture all traffic only on that particular ESX host? My goal is to not have any mirrored traffic passing between physical ESX hosts, it should stay local to that particular host and only be mirrored to a local port mirroring destination.

I tried creating a DPM, but it wants me to select "ports" which seems like those would change as vmotion moves things around.

Or am I just doing it wrong? 

If I was on a cisco switch I'd be looking for something like:

monitor session 1 source vlan 1 - 4094 both
monitor session 1 destination int (where collector is connected)

But I know this is different.

3 Replies
Ardaneh
Enthusiast

When it comes to port mirroring in vSphere, you have multiple options:

The first option, "Distributed Port Mirroring", allows mirroring a virtual port inside a vSwitch to another port inside the same vSwitch. Both VMs must run on the same host, so you should use a DRS rule to keep those VMs together on the same host.

A "Remote Mirroring Session (Source or Destination)" is used when the source and destination are running on different ESXi hosts, vSwitches, or a physical switch, and you should keep in mind that the source or destination must be physical. This session is an L2 protocol, which means that it cannot traverse L3 devices.

The "Encapsulated Remote Mirroring" session is used when source and destination are running on different L3 networks.

I hope it can be helpful

lonelysysop
Contributor

>The first option that is "Distributed Port Mirroring" allows mirroring a virtual port inside a vSwitch to another port inside the same vSwitch. both VMs must run on the same host, so you should use the DRS rule to stick those VMs together on the same host.

Is it limited to only monitoring (sourcing) a single virtual port? I'm looking to get all VLAN traffic on a given vSwitch. I need to capture traffic between VMs on that host (in the same VLAN/portgroup) as well as any egress/ingress traffic on that vSwitch.

Ardaneh
Enthusiast

Yes, that option is limited to a single virtual port inside a vSwitch, so if you want to capture all traffic on a specific host, I believe you can use the "pktcap-uw" command in ESXi.

I hope this can be helpful

Cheers

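An added example of the pktcap-uw approach suggested above; this is not code from the thread or from VMware. It enumerates every VM vNIC port the local host has on one vDS portset (the host-local "DvsPortset-N" name shown by `net-stats -l`) and starts one pktcap-uw capture per port, both directions, writing pcaps to a datastore on that host. Note the difference from a mirror session: pktcap-uw writes files locally rather than forwarding frames to the collector VM's vNIC, which is also why no mirrored traffic ever leaves the host. The `net-stats -l` sample, the portset name, the client names and the datastore path are all constructed for the example; the script only defines functions unless it is invoked with `run` or `stop`.

```shell
#!/bin/sh
# Added example (not from the thread): capture every VM vNIC port on one vDS
# portset of the local ESXi host with pktcap-uw, one capture per port, and
# keep the pcaps on a local datastore so nothing is mirrored off-host.
#
# Assumptions: `net-stats -l` prints the columns used in the constructed
# sample below (PortNum Type SubType SwitchName MACAddress ClientName) and
# Type 5 marks a VM vNIC port. Portset, MAC and client names are made up.

# Constructed sample of `net-stats -l` output so the helpers run offline.
SAMPLE_NET_STATS='PortNum          Type SubType SwitchName       MACAddress         ClientName
2214592513          4       0 DvsPortset-0     00:50:56:aa:bb:01  vmnic0
2214592514          3       0 DvsPortset-0     00:50:56:aa:bb:02  vmk0
2214592519          5       9 DvsPortset-0     00:50:56:aa:bb:03  app01.eth0
2214592520          5       9 DvsPortset-0     00:50:56:aa:bb:04  app02.eth0
2214592521          5       9 DvsPortset-0     00:50:56:aa:bb:05  collector.eth0
2214592522          5       9 DvsPortset-1     00:50:56:aa:bb:06  other.eth0'

# vm_ports PORTSET EXCLUDE_RE STATS_TEXT
# Prints the port numbers of VM vNIC ports (Type 5) on PORTSET, skipping any
# whose ClientName matches EXCLUDE_RE. Use the exclude pattern for the
# collector VM, otherwise its own vNIC ends up in the capture set.
vm_ports() {
    printf '%s\n' "$3" | awk -v ps="$1" -v ex="$2" \
        'NR > 1 && $2 == 5 && $4 == ps && $6 !~ ex { print $1 }'
}

# capture_cmds PORTSET OUTDIR EXCLUDE_RE STATS_TEXT
# Emits one backgrounded pktcap-uw command per port. --dir 2 records both
# directions at the vNIC, which covers VM-to-VM traffic on the host as well
# as north/south traffic. Uplinks are deliberately left out: capturing them
# too would record the same north/south frames a second time.
capture_cmds() {
    for p in $(vm_ports "$1" "$3" "$4"); do
        printf 'pktcap-uw --switchport %s --dir 2 -o %s/port-%s.pcap &\n' \
            "$p" "$2" "$p"
    done
}

# stop_cmd prints the command that ends every running pktcap-uw on the host.
stop_cmd() {
    printf '%s\n' "kill \$(lsof | grep pktcap-uw | awk '{print \$1}' | sort -u)"
}

# Real use in the ESXi shell (paths and names are examples):
#   sh capture-all.sh run DvsPortset-0 /vmfs/volumes/datastore1/pcap '^collector'
#   sh capture-all.sh stop
# Without arguments the script only defines the functions above.
case "${1:-}" in
    run)
        mkdir -p "$3"
        eval "$(capture_cmds "$2" "$3" "${4:-^\$}" "$(net-stats -l)")"
        ;;
    stop)
        eval "$(stop_cmd)"
        ;;
esac
```

Because the port list is taken from the host at the moment the script runs, a VM that vMotions in later gets a new port and is not captured until the script is re-run; that is the same limitation the original post hit with fixed port selections, only now it is cheap to refresh. Capture files grow quickly on a busy host, so point OUTDIR at a datastore with room and stop the captures as soon as the window of interest has passed.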