Blog :: Network Operations

Configure a mirror port in VMware

Today, I’d like to walk you through the process to configure a mirror port in VMware’s VSphere.  After you’ve deployed your new FlowPro Virtual Appliance, the steps to which you can find outlined here, you may wonder why you do not see traffic in your NetFlow collector. A very likely reason is that you may not have gone through the steps of configuring a mirror port in VMware where your FlowPro is deployed. Below are the steps required to configure a mirror port in VMware.

Configure a mirror port in VMware

  1. The first step is to select the host on which you need to configure a mirror port.  With the host selected, click on the “Configuration” tab.
    Mirror1.jpg
  2. From the “Configuration” tab, select “Networking” and open the “Properties…” menu.
    Mirror2.jpg
  3. Within the “Properties” window, select “Add.” to create a new virtual switch.
    Mirror3.jpg
  4. After selecting the “Add.” button, a new window will open. Here is where you will select the connection type. Keep the connection type set to “Virtual Machine,” then select “Next.”
    Mirror4.jpg
  5. You’ll now configure the name of the mirror port in the “Network Label” section. Change the name of the “Network Label” (as you can see below, I named it “Mirror Port”).  Select “Next.”
    Mirror5.jpg
  6. Verify the information and if everything looks as it should, select “Finish.”
    Mirror6.jpg
  7. You’ve now successfully added a mirror port in VMware, but we’re not finished yet. We now need to enable “Promiscuous Mode” on the new mirror port.  With the new “Mirror Port” selected, click “Edit.”
    Mirror7.jpg
  8. Select the “Security” tab and click the checkbox next to “Promiscuous Mode.” In the drop-down menu, select “Accept” to allow this traffic.
    Mirror8.jpg

Configuring our VM

Now we will set our Flowpro Defender’s monitor port to use our new “Mirror Port.”

  1. With the Flowpro Defender VM selected, click on “Edit Settings.”
    Mirror9.jpg
  2. With the Network adapter selected, change the “Network Connection” from “VM Network” to our new “Mirror Port.” If you are not sure which adapter is the monitor port of the VM, log into the console and run “ifconfig.”  You can match the MAC address for “mon1” to that of the adapter in the Settings page of the VM.
    Mirror10.jpg

That’s it. Now you have mirrored traffic flowing into the monitoring port of the FlowPro. You can test this in a few ways.

The last thing you’ll want to do is test everything.  You can test this in a few ways.

  1. Log into the FlowPro via SSH or the console of VSphere with the “flowpro” user.
  2. From the command line, use the “snoop {ip address},” where {ip address} is the address of your NetFlow collector, to see all traffic flowing to or from the FlowPro VM.

If you have any questions or need help to configure a mirror port in VMware, give us a call. Our fantastic support team will help you along the way.

 

Related

jeffm

Inspecting encrypted traffic with JA3 and JA3S fingerprinting

Two years ago, I wrote a blog about tracking malware in encrypted traffic. The overall theme of that blog was that encryption has become

::
jeff

Configuring an ERSPAN within VMware and Cisco Switches

With the ever-growing support for flow exports, the need for probes and port mirroring has become a lot more limited. There are certain environments

::

Network Problem Solving Use Cases

In the last year I’ve been fortunate enough to be a Field Engineer for a company that I love. I’ve had the incredible opportunity

::