You can monitor port mirroring sessions for troubleshooting and other purposes.
This feature has the following restrictions:
- A source mirror port cannot be in more than one mirror session.
- A destination port can only receive mirror traffic.
- With KVM, multiple physical NICs (pNICs) can be attached to the same OVS port. Mirroring happens at the OVS uplink port, so traffic on all the pNICs attached to that OVS port is mirrored.
- Mirror session source and destination ports must be on the same host vSwitch. Therefore, if you vMotion the VM that has the source or destination port to another host, traffic on that port can no longer be mirrored.
On ESXi, when mirroring is enabled on the uplink, raw production TCP packets are encapsulated by VDL2 into Geneve-over-UDP packets. A physical NIC that supports TSO (TCP segmentation offload) can modify these packets and mark them with the MUST_TSO flag. On a monitor VM with VMXNET3 or E1000 vNICs, the driver treats them as regular UDP packets, cannot handle the MUST_TSO flag, and drops them.
If a lot of traffic is mirrored to a monitor VM, there is a potential for the driver's buffer ring to become full and packets to be dropped. To alleviate the problem, you can take one or more of the following actions:
- Increase the rx buffer ring size.
- Assign more CPU resources to the VM.
- Use the Data Plane Development Kit (DPDK) to improve packet processing performance.
Make sure that the monitor VM's MTU setting (and, in the case of KVM, the MTU setting of the hypervisor's virtual NIC device as well) is large enough for the mirrored packets. This is especially important for encapsulated packets, because encapsulation adds header bytes to every packet; otherwise, packets might be dropped. This is not an issue for ESXi VMs with VMXNET3 NICs, but it is a potential issue with other NIC types on both ESXi and KVM VMs.
In an L3 port mirroring session involving VMs on KVM hosts, you must set the MTU size large enough to carry the extra bytes added by encapsulation. The mirror traffic goes through an OVS interface and an OVS uplink. Set the OVS interface's MTU to at least 100 bytes more than the size of the original packet (before encapsulation and mirroring). If you see dropped packets, increase the MTU setting for the host's virtual NIC and for the OVS interface. Use the following command to set the MTU for an OVS interface:
ovs-vsctl -- set interface <ovs_Interface> mtu_request=<MTU>
When you monitor the logical port of a VM and the uplink port of a host where the VM resides, you will see different behaviors depending on whether the host is ESXi or KVM. For ESXi, the logical-port mirror packets and the uplink mirror packets are tagged with the same VLAN ID and appear the same to the monitor VM. For KVM, the logical-port mirror packets are not tagged with a VLAN ID but the uplink mirror packets are tagged, and they appear different to the monitor VM.
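The VLAN-tagging difference above, and the MTU headroom discussed earlier, are easy to check on the monitor VM itself. The following is an added example, not code from the NSX documentation or product: a small Python parser that walks Ethernet, 802.1Q, IPv4, UDP and Geneve headers of captured frames and reports, per frame, whether the mirror tagged it with a VLAN ID, whether it is Geneve-encapsulated uplink traffic (Geneve on UDP port 6081 carrying a bridged inner Ethernet frame), the VNI, and how many header bytes the encapsulation added. The sample frames, MAC and IP addresses, VNI and Geneve option are constructed inline for the example; they mimic the four cases the text describes (ESXi logical-port and uplink mirrors, both tagged VLAN 100; KVM logical-port mirror untagged, KVM uplink mirror tagged). The encapsulation overhead it reports is what you compare against the 100-byte MTU guidance.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_TEB = 0x6558      # transparent Ethernet bridging: Geneve carries an inner L2 frame
IPPROTO_UDP = 17
GENEVE_UDP_PORT = 6081      # IANA Geneve port, used by NSX transport nodes


def parse_frame(frame: bytes) -> dict:
    """Return VLAN tag, Geneve encapsulation status, VNI and header overhead of one frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:                 # 802.1Q tag added by the mirror session
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlan, off = tci & 0x0FFF, off + 4
    info = {"vlan": vlan, "encapsulated": False, "vni": None,
            "overhead": 0, "inner_len": len(frame)}
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return info
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != IPPROTO_UDP:               # protocol field of the IPv4 header
        return info
    udp = off + ihl
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dport != GENEVE_UDP_PORT or len(frame) < udp + 16:
        return info
    gen = udp + 8                                   # Geneve base header follows the UDP header
    optlen = (frame[gen] & 0x3F) * 4                # option length is counted in 4-byte words
    vni = int.from_bytes(frame[gen + 4:gen + 7], "big")
    inner = gen + 8 + optlen                        # first byte of the encapsulated frame
    info.update(encapsulated=True, vni=vni, overhead=inner, inner_len=len(frame) - inner)
    return info


def summarize_capture(frames) -> dict:
    """Count tagged/untagged and encapsulated/plain frames; track worst-case sizes for MTU planning."""
    s = {"tagged": 0, "untagged": 0, "encapsulated": 0, "plain": 0,
         "max_overhead": 0, "max_inner_len": 0}
    for f in frames:
        p = parse_frame(f)
        s["tagged" if p["vlan"] is not None else "untagged"] += 1
        s["encapsulated" if p["encapsulated"] else "plain"] += 1
        s["max_overhead"] = max(s["max_overhead"], p["overhead"])
        s["max_inner_len"] = max(s["max_inner_len"], p["inner_len"])
    return s


# --- constructed sample frames (not real captures) -------------------------------------
def build_eth(dst, src, ethertype, payload, vlan=None):
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ethertype)   # TCI with PCP/DEI = 0
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Minimal IPv4+UDP headers; checksums are left zero because nothing verifies them here."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64,
                     IPPROTO_UDP, 0, src_ip, dst_ip)
    return ip + udp


def build_geneve(vni, inner, options=b""):
    assert len(options) % 4 == 0
    hdr = struct.pack("!BBH", len(options) // 4, 0, ETHERTYPE_TEB) + vni.to_bytes(3, "big") + b"\x00"
    return hdr + options + inner


MAC_VM, MAC_GW = bytes.fromhex("00505600aa01"), bytes.fromhex("00505600bb02")
MAC_TEP1, MAC_TEP2 = bytes.fromhex("005056c00001"), bytes.fromhex("005056c00002")
IP_STUB = bytes([0x45]) + bytes(39)                     # 40-byte IPv4 stub as the VM's payload
INNER = build_eth(MAC_GW, MAC_VM, ETHERTYPE_IPV4, IP_STUB)
GENEVE_OPT = bytes.fromhex("0000800100000001")          # one 8-byte option TLV (class 0, type 0x80)
UPLINK = build_ipv4_udp(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, GENEVE_UDP_PORT,
                        build_geneve(0x1234, INNER, GENEVE_OPT))

SAMPLE_FRAMES = {
    "esxi_logical_port": build_eth(MAC_GW, MAC_VM, ETHERTYPE_IPV4, IP_STUB, vlan=100),
    "esxi_uplink": build_eth(MAC_TEP2, MAC_TEP1, ETHERTYPE_IPV4, UPLINK, vlan=100),
    "kvm_logical_port": build_eth(MAC_GW, MAC_VM, ETHERTYPE_IPV4, IP_STUB),
    "kvm_uplink": build_eth(MAC_TEP2, MAC_TEP1, ETHERTYPE_IPV4, UPLINK, vlan=100),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, parse_frame(frame))
    print(summarize_capture(SAMPLE_FRAMES.values()))
```

To use it on a real monitor VM, feed `parse_frame` the raw frames from a pcap (for example via a pcap reader) instead of `SAMPLE_FRAMES`. A logical-port mirror that shows `vlan: None` while the uplink mirror shows a tag is the KVM behaviour described above; on ESXi both carry the same tag. If `max_inner_len + max_overhead` exceeds the MTU of the monitor vNIC (or, on KVM, of the host virtual NIC and OVS interface), expect drops.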
- From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
- Select from the navigation panel.
- Enter a session name.
- Select a transport node from the drop-down menu.
A port mirroring session must be between NICs on the same transport node.
- Select a direction from the drop-down menu.
The choices are Bidirectional, Ingress, and Egress.
- (Optional) Select a packet truncation value.
- Click Next.
- Select source PNICs.
- (Optional) Toggle the Encapsulated Packet switch to disable the capturing of encapsulated traffic.
This switch is enabled by default, so Geneve-encapsulated uplink traffic is mirrored unless you turn it off.
- Select source VNICs.
- Select a destination.
You can select up to 3 VMs and up to 3 VNICs.
- Click Save.
You cannot change the source and destination after saving the port mirroring session.