Hi,
As the official documentation states, Port Mirroring in NSX is not meant for permanent use, only for troubleshooting purposes.
Think about it: you are duplicating packets, and this consumes resources. You need to design the network path the mirrored packets take towards their IDPS appliance destination somewhere else on the network (vmk0, or a separate vmk port, maybe even using the Mirroring Stack). How long does this take? Is this added latency acceptable? When will I hit a network or IDPS appliance bottleneck? And as it's not meant for permanent use, maybe there are also internal limitations which you may be hitting when mirroring too many packets (no knowledge here, just a thought to keep in mind).
As a (not really widely used) alternative there is/was 3rd-party Network Introspection, for both E-W (distributed level, close to any vNIC) as well as N-S (in a stateful NSX Gateway, or rather its active Service Router instance). But this capability has been announced EoA recently: https://knowledge.broadcom.com/external/article/322083/end-of-availability-announcement-for-nsx.html
The KB also states the other option, which has been available since the v3.0/v3.1 timeframe: use NSX's own IDPS capability (requires the "Advanced Threat Prevention (ATP)" license though), available both as Distributed IDPS and as Centralized IDPS (as mentioned before, E-W and N-S).
That's the best way forward IMHO.
BR
Steffen
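The ER-SPAN setup asked about in the original question, and the "you are duplicating packets" point in the reply above, as an added example that is not part of this thread and not NSX or VMware code: a small Python decoder for what the IDS appliance actually receives from an ERSPAN Type II session (outer IPv4 + GRE + 8-byte ERSPAN header + the original frame), plus a builder that constructs a sample packet in that format. The outer addresses, session ID, VLAN and inner frame are arbitrary constructed values, and the assumption that the mirror session uses ERSPAN Type II over GRE (rather than Type III or plain GRE) is mine; it is rejected rather than silently decoded if the encapsulation differs. The point it makes concrete is the fixed 36 bytes of encapsulation (50 on the wire once the outer Ethernet header is counted) that every mirrored frame carries across the path the reply says you have to design, which is one input when estimating the bandwidth the mirror destination link and the appliance must absorb.

```python
"""Decode ERSPAN Type II mirror traffic as an IDS appliance would receive it.

Added example; not NSX code. Assumes ERSPAN Type II over GRE (RFC 1701 GRE
header with the S bit set, GRE protocol 0x88BE). Type III (0x22EB) and
plain GRE mirroring are rejected instead of being decoded.
"""
import struct

IP_PROTO_GRE = 47
GRE_FLAG_SEQ = 0x1000          # GRE "S" bit: 32-bit sequence number follows
GRE_PROTO_ERSPAN_II = 0x88BE   # protocol type GRE carries for ERSPAN Type II
IPV4_FMT = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def _csum(raw: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    s = sum(struct.unpack("!%dH" % (len(raw) // 2), raw))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_erspan2(src: str, dst: str, session_id: int, seq: int,
                  vlan: int, inner_frame: bytes) -> bytes:
    """Wrap an Ethernet frame the way an ERSPAN Type II mirror session would."""
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, seq)
    # ERSPAN II word 1: Ver(4)=1 | VLAN(12) | COS(3) | En(2) | T(1) | Session(10)
    w1 = (1 << 28) | ((vlan & 0xFFF) << 16) | (session_id & 0x3FF)
    w2 = 0  # Reserved(12) | Index(20); left zero in this sample
    payload = gre + struct.pack("!II", w1, w2) + inner_frame
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, IP_PROTO_GRE, 0, _ip(src), _ip(dst)]
    fields[7] = _csum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_erspan2(pkt: bytes) -> dict:
    """Strip outer IPv4 + GRE + ERSPAN II; return session metadata and the inner frame."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    if pkt[9] != IP_PROTO_GRE:
        raise ValueError("outer IP protocol %d is not GRE" % pkt[9])
    off = (pkt[0] & 0x0F) * 4                      # honour IPv4 options if present
    flags, proto = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & 0x8000:                             # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:                             # K bit: key
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:                       # S bit: sequence number
        seq = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN Type II" % proto)
    w1, w2 = struct.unpack_from("!II", pkt, off)
    off += 8
    if w1 >> 28 != 1:
        raise ValueError("ERSPAN version %d is not Type II" % (w1 >> 28))
    return {
        "outer_src": ".".join(map(str, pkt[12:16])),
        "outer_dst": ".".join(map(str, pkt[16:20])),
        "gre_seq": seq,
        "vlan": (w1 >> 16) & 0xFFF,
        "cos": (w1 >> 13) & 0x7,
        "session_id": w1 & 0x3FF,
        "index": w2 & 0xFFFFF,
        "overhead_bytes": off,        # IPv4 + GRE + ERSPAN; add 14 for the outer Ethernet header
        "inner_frame": pkt[off:],
    }


# Constructed sample: 60-byte inner Ethernet frame (dst MAC, src MAC, EtherType IPv4, padding).
SAMPLE_INNER = bytes.fromhex("00112233445566778899aabb0800") + bytes(46)
# Constructed sample mirror packet; addresses, session ID and VLAN are arbitrary.
SAMPLE_PKT = build_erspan2("10.10.10.5", "10.20.0.50", session_id=7, seq=1,
                           vlan=100, inner_frame=SAMPLE_INNER)

if __name__ == "__main__":
    r = parse_erspan2(SAMPLE_PKT)
    wire = r["overhead_bytes"] + 14 + len(r["inner_frame"])
    print("session %d vlan %d seq %s from %s to %s" %
          (r["session_id"], r["vlan"], r["gre_seq"], r["outer_src"], r["outer_dst"]))
    print("inner frame %d bytes, %d bytes on the mirror link (%.1f%% overhead)" %
          (len(r["inner_frame"]), wire, 100.0 * (wire - len(r["inner_frame"])) / len(r["inner_frame"])))
```

For a full-size 1500-byte frame the same arithmetic gives 1550 bytes on the mirror link, so a mirrored link carrying N Mbit/s of original traffic needs roughly N * 1550/1500 Mbit/s on the path to the appliance before any small-packet effects; for the 60-byte sample above the overhead is over 80 %, which is why small-packet-heavy segments are the ones that hit a bottleneck first.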
Original Message:
Sent: Aug 16, 2024 03:04 PM
From: tceravalo
Subject: Setting Up ER-SPAN within NSX 4.x
Hello,
I want to be able to set up an ER-SPAN (port mirror) within NSX to an IDS appliance. The documentation for setting this up warns that this is not suitable for long-term monitoring since it affects performance. Is there another way to set up a port mirror for overlay segments within NSX? Or has anyone done this before and not had any performance issues?
Thank you.