After some questions from curious students about the exact nature of the port mirroring options within a 5.1 or 5.5 Distributed Switch, I thought that I would make them the subject of my first post!
As a quick recap, Port Mirroring is the process of copying network packets from a specific source (switch port or VLAN) to a monitoring device on another port. The nature and location of the receiving device can vary (as will be discussed) and the replicated packets themselves are usually fed into troubleshooting or sniffing software (such as Wireshark) or perhaps network intrusion detection systems (IDS).
With vSphere 5.1, some additional options appeared within the web client. If we fire it up, we see the following.
But what do those options actually do? When should we use one and not the other? Essentially VMware have added support for RSPAN and ERSPAN along with SPAN. SPAN is a switch feature from Cisco and translates as Switch Port ANalyser. These techniques provide us with the following functionality:
SPAN: This is local. It replicates traffic from one port on a switch to another port on the same switch.
RSPAN: Remote SPAN. Replicating packets from one or more switch ports on one or more switches to a remote switch. This allows for centrally monitoring traffic from several locations on one device. Mirrored packets must be carried in a dedicated VLAN created for this purpose.
ERSPAN: Encapsulated Remote SPAN. Allows capturing data from several sources (switch/port) and mirroring that data to a target IP address.
So, getting to the point at last: what does this have to do with the options presented in the vSphere Distributed Virtual Switch? Let's have a look at those VDS mirroring options again.
Distributed Port Mirroring: This is the equivalent of SPAN. It enables us to mirror packets between VMs within the same ESXi host. No physical switch configuration is required. However, if either of the machines were to change host (through vMotion), the mirroring session fails.
Remote Mirroring Source: This is the equivalent of RSPAN. It allows several Virtual Machines across ESXi hosts to have packets mirrored to a centralized physical receiver connected to a physical switch. As such, it requires physical switch configuration as well as the creation of a VDS mirroring session.
Remote Mirroring Destination: Allows you to centrally monitor the RSPAN VLAN traffic from a monitoring virtual machine running on an ESXi Host. This also requires physical switch configuration AND the configuration of the VDS mirroring session.
Encapsulated Remote Mirroring (L3) Source: This is the equivalent of ERSPAN. It enables the mirroring of a VDS VLAN and the transmission of that data to the IP address of a specific target. Naturally this enables sending data between domains and does not require physical switch configuration.
Distributed Port Mirroring (Legacy): This follows the behaviour of the old 5.0 switch. Packets can be mirrored to a destination VM on the same DVS or to a destination on the same physical switch by selecting an Uplink destination.
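To make the constraints above concrete, here is an added example (not part of the original post, and not VMware code) that checks a planned set of mirroring sessions against them, including the vMotion failure case for local mirroring. The inventory, the VM, host and session names, and the `rspan_vlan` field are constructed for illustration; the session type strings are the web client option names listed above.

```python
import ipaddress

# Session type names follow the web client options described in the post.
LOCAL = "Distributed Port Mirroring"
RSPAN_SRC = "Remote Mirroring Source"
RSPAN_DST = "Remote Mirroring Destination"
L3_SRC = "Encapsulated Remote Mirroring (L3) Source"
NEEDS_PHYSICAL_SWITCH = {RSPAN_SRC, RSPAN_DST}

def check_session(session, vm_host):
    """Return findings for one planned session.

    session: dict with 'name', 'type', 'sources' (VM names) and 'dest'.
    vm_host: dict mapping VM name -> ESXi host it currently runs on.
    """
    findings = []
    kind, dest = session["type"], session["dest"]
    if kind == LOCAL:
        # SPAN equivalent: source VMs and destination VM must share one host.
        hosts = sorted({vm_host[vm] for vm in session["sources"] + [dest]})
        if len(hosts) > 1:
            findings.append(f"endpoints span hosts {hosts}: session fails")
    elif kind in NEEDS_PHYSICAL_SWITCH:
        # RSPAN equivalent: mirrored packets travel in a dedicated VLAN.
        if not session.get("rspan_vlan"):  # hypothetical field name
            findings.append("no dedicated RSPAN VLAN recorded")
    elif kind == L3_SRC:
        # ERSPAN equivalent: the destination is an IP address, not a port.
        try:
            ipaddress.ip_address(dest)
        except ValueError:
            findings.append(f"destination {dest!r} is not an IP address")
    else:
        findings.append(f"unknown session type {kind!r}")
    return findings

def audit(sessions, vm_host):
    """Map each session name to its list of findings."""
    return {s["name"]: check_session(s, vm_host) for s in sessions}

# Constructed sample inventory (all names are hypothetical).
PLACEMENT = {"web01": "esx-a", "db01": "esx-a", "sniffer": "esx-a"}
SESSIONS = [
    {"name": "local-web", "type": LOCAL, "sources": ["web01"], "dest": "sniffer"},
    {"name": "rspan-db", "type": RSPAN_SRC, "sources": ["db01"], "dest": "uplink1"},
    {"name": "l3-ids", "type": L3_SRC, "sources": ["web01"], "dest": "192.0.2.10"},
]

if __name__ == "__main__":
    print(audit(SESSIONS, PLACEMENT))
    # Simulate a vMotion of the monitoring VM to a second host.
    print(audit(SESSIONS, dict(PLACEMENT, sniffer="esx-b")))
```

Running the audit a second time with the monitoring VM placed on another host shows the local session being flagged while the L3 session is unaffected.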
Hopefully this helped at least a little. Stay tuned for future posts!