Port mirroring lets you replicate and redirect all of the traffic coming from a source. The mirrored traffic is sent encapsulated within a Generic Routing Encapsulation (GRE) tunnel to a collector so that all of the original packet information is preserved while traversing the network to a remote destination.
- Troubleshooting - Analyze the traffic to detect intrusion and debug and diagnose errors on a network.
- Compliance and monitoring - Forward all of the monitored traffic to a network appliance for analysis and remediation.
Port mirroring includes a source group where the data is monitored and a destination group where the collected data is copied to. The source group membership criteria require VMs to be grouped based on the workload such as web group or application group. The destination group membership criteria require VMs to be grouped based on IP addresses.
Port mirroring has one enforcement point, where you can apply policy rules to your SDDC environment.
The traffic direction for port mirroring is Ingress, Egress, or Bi Directional traffic.
- Ingress is the outbound network traffic from the VM to the logical network.
- Egress is the inbound network traffic from the logical network to the VM.
- Bi Directional is the two-way of traffic from the VM to the logical network and from the logical network to the VM. This is the default option.
See Add a Port Mirroring Profile in the NSX-T Data Center Administration Guide for more information about port mirroring with NSX-T.
Port mirroring can generate a lot of network traffic. As a best practice, limit its use to a maximum of 6 VMs at a time for short periods of troubleshooting and remediation.
Verify that workload groups with IP address and VM membership criteria are available. See Add or Modify a Compute Group.
- Login to VMware Cloud on AWS GovCloud console at https://www.vmc-us-gov.vmware.com/.
- Select .
- On the Port Mirroring page Click ADD PROFILE and give the profile a Name and an optional Description.
- Specify the profile parameters.
Parameter Description Direction Select a traffic direction from the drop-down list. Snap Length Specify the number of bytes to capture from a packet. Source Sources can include segments, segment ports, groups of VMs, and groups of vNICs. Destination Destinations are groups of up to three IP addresses. You can use existing inventory groups or create new ones from the Set Destination page. Encapsulation Type Must be GRE. GRE Key
Identifies a particular GRE data stream, as defined in RFC 6245. Enter a random 32-bit value to identify mirrored packets from the logical port.
This Key value is copied to the Key field in the GRE header of each mirror packet. If the Key value is set to 0, the default definition is copied to the Key field in the GRE header.
The default 32-bit value is made of the following values.
- The first 24-bit is a VNI value. VNI is part of the IP header of encapsulated frames.
- The 25th bit indicates if the first 24-bit is a valid VNI value. One represents a valid value and zero represents an invalid value.
- The 26th bit indicates the direction of the mirrored traffic. One represents an ingress direction and zero represents an egress direction.
- The remaining six bits are not used.
- (Optional) Tag the port mirroring profile.
See Add Tags to an Object in the NSX-T Data Center Administration Guide for more information about tagging NSX-T objects.
- Click SAVE to save the session.
What to do next
Click the ellipses button next to a port mirroring profile and select Edit to make configuration changes.