Port mirroring is the capability on a network switch to send a copy of network packets seen on a switch port to a network-monitoring device connected to another switch port. Port mirroring is also referred to as Switch Port Analyzer (SPAN) on Cisco switches. In VMware vSphere 5, a Distributed Switch provides a similar port mirroring capability that is available on a physical network switch. After a port mirror session is configured with a destination—a virtual machine, a vmknic or an uplink port—the Distributed Switch copies packets to the destination.
Port mirroring provides visibility into
• Intrahost virtual machine traffic (virtual machine–to–virtual machine traffic on the same host)
• Interhost virtual machine traffic (virtual machine–to–virtual machine traffic on different hosts)
Figure below shows different types of traffic flows that can be monitored when a virtual machine on a host acts as a destination or monitoring device. All traffic shown by the orange dotted line with arrow is mirrored traffic that is sent to the destination virtual machine.
The terms Ingress source and Egress source are with respect to the VDS. For example, when you want to monitor the traffic that is going out of a virtual machine towards the VDS, it is called Ingress Source traffic. The traffic seeks ingress to the VDS and hence the source is called Ingress. If you want to monitor traffic that is received by a virtual machine, then configure the port mirroring session with the traffic source as Egress Source as shown in the top right corner diagram of the figure below.
Following figure shows the traffic flow when the mirror destination is configured as an uplink port. In this case both the normal traffic as well as mirror traffic flows through the same physical uplink.
When network administrators are concerned about the impact of the mirror traffic on normal traffic, they can choose a separate uplink port to send mirror traffic. The figure below shows the traffic flow when a separate uplink port is configured to carry mirror traffic.
Usage
The port mirroring capability on a Distributed Switch is a valuable tool that helps network administrators in debugging network issues in a virtual infrastructure. The granular control over monitoring ingress, egress or all traffic of a port helps administrators fine-tune what traffic is sent for analysis.
Configuration
Port mirror configuration can be done at the Distributed Switch level, where a network administrator can create a port mirror session by identifying the traffic source that needs monitoring and the traffic destination where the traffic will be mirrored to. The traffic source can be any port with ingress, egress or all traffic selected. The traffic destination can be any virtual machine, vmknic or uplink port.
The following figure is the first screen of port mirror session configuration process. In this step users can define the name of the port mirror session and choose if they want to allow normal I/O on a destination port. They can also choose a VLAN to encapsulate these mirrored packets by selecting the Encapsulations VLAN box.
Once you click next, the configuration screen will provide the option to choose the source that you want to monitor. Depending on what traffic you want to monitor you can choose Ingress, Egress, or Ingress/Egress in the traffic direction pull down menu as shown in figure below. Then specify the Port ID of that particular source VM. To get the corresponding dvPort number or Port ID number of a VM use the following steps:
1. Switch to the Home > Inventory > Networking view.
2. Select dvSwitch and choose the Ports tab on the right panel. Scroll down to see the virtual machines and the associated port ID.
Enter the port number in the Port ID field and move it to the right panel and then click next.
In the next step you have the option to configure the destination where you want to mirror the traffic to. There are two options provided in the Destination type pull down menu as shown in figure below.
This completes the creation of the port mirroring session. As shown in below, you can find the details about the port mirror session and also note that the status of the session is disabled.
To enable the port mirroring session, click Edit in the figure above. This will pop up the panel with an option to enable the session. Select the status as enabled as shown in figure below. This enables the port mirror session and VDS will mirror the traffic to selected destination port.
This covers the trouble shooting and monitoring features of vSphere 5. I will talk about the enhancements to the Network I/O control (NIOC) feature in my next post. So please stay tuned.
