Introduction
This document describes how to configure vSphere so that East/West traffic can be sent to a Secure Network Analytics Flow Sensor.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- VMware vSphere
- Secure Network Analytics (SNA)
Components Used
VMware vSphere release 7.0.3.
Secure Network Analytics release 7.4.2.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
In vSphere, review the Datacenter for the number of ESXi hosts and determine which hosts you wish to collect East/West traffic from.
In this image, of the four hosts, only two are discussed: those whose last two octets are 38.51 and 66.27.
The ESXi host 38.51 runs release 7.0.3, and the ESXi host 66.27 runs release 6.7.0.
An SNA Flow Sensor release 7.4.2 has been deployed on the 38.51 ESXi host. It has been configured with two IP addresses whose last two octets are 39.93 and 39.94.
There are two other devices, an SNA Manager and Data Node called Manager and DN1 respectively.
The last two octets of these two hosts are 66.215 and 66.217 for the Manager and DN1 respectively.
Both of these hosts are deployed on the ESXi host whose last two octets are 66.27, which is a different ESXi host than the one the Flow Sensor is deployed on.
Traffic between the Manager and DN1 host is not seen outside of the proxy switch on the 66.27 ESXi host.
The SNA Manager:
The SNA DN1:
Configurations
Create a version 6.5.0 Distributed Switch called DSwitch and a Distributed Port Group called DPortGroup.
The virtual machines and the two Uplinks for the ESXi hosts were added to the Distributed Port Group on the DSwitch.
On the DSwitch, configure an ERSPAN Type II mirroring session.
For the Port mirroring session, all hosts on the 66.27 ESXi host (including the Manager and DN1) were selected.
Set the destination to the IP address of the eth1 interface on the Flow Sensor, 39.94.
The eth0 and eth1 interfaces of the Flow Sensor are shown in the DPortGroup associated with 38.51.
The eth0 interfaces of the Manager and DN1 are shown in the DPortGroup associated with 66.27.
Verify
From the CLI of the Flow Sensor, a tcpdump is run to show that the GRE tunnel comes up on the eth1 interface.
A flow search for the Manager and DN1 devices, run on the SNA Manager that receives NetFlow from the Flow Sensor, shows traffic between the Manager and DN1 hosts.
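To go one step beyond seeing GRE on eth1, the captured frames can be decoded to confirm that they are ERSPAN Type II and that the mirrored packet inside is Manager/DN1 traffic. This is an added example, not Cisco or VMware code. The function names, the 10.0 prefix on every address, the session ID, and the use of the 66.27 ESXi host address as tunnel source are assumptions, and the sample frame is constructed.

```python
import socket
import struct

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type that carries ERSPAN Type II

def _ipv4(src, dst, proto, payload):
    # Minimal IPv4 header for the constructed sample (checksum left at 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _eth(payload):
    # Ethernet header with all-zero MACs and EtherType IPv4.
    return bytes(12) + b"\x08\x00" + payload

def build_sample(session_id=1, seq=7):
    # Constructed frame: mirrored Manager -> DN1 packet, tunnelled to Flow Sensor eth1.
    # The "10.0" prefix and the tunnel source are assumed; the page gives only last octets.
    inner = _eth(_ipv4("10.0.66.215", "10.0.66.217", 6, bytes(20)))
    erspan = struct.pack("!II", (1 << 28) | session_id, 0)       # version 1 = Type II
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, seq)  # S (sequence) bit set
    return _eth(_ipv4("10.0.66.27", "10.0.39.94", 47, gre + erspan + inner))

def parse_erspan2(frame):
    """Return tunnel and inner-flow details, or None if frame is not ERSPAN Type II."""
    ip = frame[14:]
    if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 47:
        return None                          # not IPv4 carrying GRE (IP protocol 47)
    gre = ip[(ip[0] & 0x0F) * 4:]
    if len(gre) < 16:
        return None                          # too short for GRE + ERSPAN headers
    flags, proto, seq, word1, _index = struct.unpack("!HHIII", gre[:16])
    if proto != GRE_PROTO_ERSPAN_II or flags & 0xB000 != 0x1000 or word1 >> 28 != 1:
        return None                          # wrong protocol, C/K set, S missing, or not v1
    inner_ip = gre[30:]                      # skip the mirrored frame's Ethernet header
    if gre[28:30] != b"\x08\x00" or len(inner_ip) < 20:
        return None                          # mirrored frame is not IPv4
    return {
        "tunnel_src": socket.inet_ntoa(ip[12:16]),
        "tunnel_dst": socket.inet_ntoa(ip[16:20]),
        "session_id": word1 & 0x3FF,         # low 10 bits of the first ERSPAN word
        "vlan": (word1 >> 16) & 0xFFF,
        "sequence": seq,
        "inner_src": socket.inet_ntoa(inner_ip[12:16]),
        "inner_dst": socket.inet_ntoa(inner_ip[16:20]),
    }

if __name__ == "__main__":
    print(parse_erspan2(build_sample()))
```

If the inner addresses never include the mirrored virtual machines, or the tunnel destination is not the eth1 address, recheck the source ports and destination of the mirroring session on the DSwitch.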