Hi Yves - I got this from my TAM.
Using VMware functionality for the port mirroring has proven difficult in our case. Before we installed NSX, we used the dSwitch port mirroring, and that worked fine. If you try to do the same with NSX installed (two VLANs, send them to a NIC on a tap VM), all traffic on the NSX segments configured with the source VLANs is blocked. Yes, I know, this sounds weird, and it is.
So I asked my TAM how they recommend we configure this (keep in mind, we're on VLAN-backed segments for NSX, so no overlay or Geneve tunneling; we only use NSX for its DFW, currently). He recommended we solve this on Cisco.
That proved to be a challenge as well, as the Cisco port mirroring needs a physical port to send the traffic to. In a vSphere environment, you don't want to remove an uplink from any host and dedicate it to port mirroring, as this impacts redundancy and consistency across the cluster, and introduces a set of risks.
Right now we're looking at Netscout as a possible solution.
Original Message:
Sent: Nov 14, 2024 03:17 AM
From: Yves Hertoghs
Subject: Alternatives to port mirroring in a vSphere + NSX environment
Hi, where exactly do you read that VMware does not recommend port mirroring and points to Cisco?
NSX also has a packet copy feature, which uses the DFW function to duplicate a packet and send it out to a service VM running locally, e.g. GIGAMON or NETSCOUT.
Yves
Original Message:
Sent: Nov 13, 2024 04:26 AM
From: bjornl
Subject: Alternatives to port mirroring in a vSphere + NSX environment
Hi,
vSphere + NSX (not overlay; using VLAN-backed segments). I have 4 VMs with two NICs each. I'd like to take all network IO on those four and send it to a 5th VM that will gather and analyze the data.
VMware does not recommend solving it with port mirroring on dSwitch or in NSX, they point to Cisco.
You can do it with Cisco, but you need a physical NIC that can be a dedicated destination for the packets. This is highly impractical in a vSphere environment; you don't want special configurations with one or more hosts having one less physical NIC available for VM and management traffic.
Has anyone been able to solve this in a slick way that gets me the best of all worlds?