Port Mirroring on VMware Cloud on AWS

Learn how to set up Port Mirroring on VMware Cloud on AWS: a feature on a virtual or physical switch that captures all packets from a port and sends a copy of them to a destination device.

This short blog post will walk through how to set up Port Mirroring on VMware Cloud on AWS.

Port Mirroring is a feature on a virtual or physical switch that captures all packets passing through a port and sends a copy of them to a destination device. The original traffic is not affected; the switch simply duplicates it.

It is typically used for the following use cases:

  • Copy traffic to an advanced firewall or an IDS/IPS so that it can inspect the traffic out of band, without sitting in the forwarding path.
  • Copy voice traffic to a voice recorder (often used in call centres to record conversations with customers).
  • Troubleshooting, which is by far the most common use: we often mirror traffic to a packet analyser such as Wireshark to understand packet loss or application issues.

With Port Mirroring, users must always decide:

  1. What traffic they want to monitor (“the source”),
  2. In which direction (traffic to “the source”, traffic from “the source” or both), and
  3. Where they want to send it to (a monitoring device, which might be local or remote).

There are different types of port mirroring sessions: local SPAN (Switched Port Analyzer), Remote SPAN (RSPAN) and Encapsulated Remote SPAN (ERSPAN).

VMware Cloud on AWS leverages Encapsulated Remote SPAN to:

  1. copy traffic leaving or entering a virtual port,
  2. encapsulate the copy in a GRE (Generic Routing Encapsulation) packet, and
  3. send it to a destination device (usually a machine running Wireshark, a more advanced network packet analyser, or an IDS/IPS for security analysis). Because the copy is routed inside GRE, the destination does not need to sit on the same segment as the source VMs.

Today, VMware Cloud on AWS users can select one or more virtual machines as the source. When you select a VM, all of its vNICs are included in the port mirroring session; you cannot select a single vNIC, so every vNIC of the VM will be monitored.

You can create a port mirroring session from the VMware Cloud on AWS console or through the APIs.

Before you do that, you need to allow traffic from the ESXi hosts to the destination device, because the mirrored GRE packets are sent by the ESXi hosts themselves, which sit behind the management gateway firewall. In the example below, we will mirror traffic and send it to a VM running Wireshark.

On the VMC console, click on Networking & Security and Security / Edge Firewall / Management Gateway.

Create a rule named Wireshark that allows communication from the ESXi hosts in the SDDC to Wireshark. This rule is needed so that the port mirroring traffic can be sent from the ESXi hosts directly to Wireshark. Scope it as tightly as the console allows (source: the ESXi hosts; destination: the Wireshark VM only, not Any), because it opens a path from the management network into a workload segment. Bear in mind, too, that the Wireshark VM will now receive unencrypted copies of production traffic inside GRE, so restrict who can log in to it and where its capture files end up.

We are going to monitor traffic to our web VMs on the subnet (created in a previous blog post) and copy all the traffic destined to them to our Wireshark application running on the VM with the IP address.

On the VMware Cloud on AWS Console, go ahead and create a mirroring session:

The direction setting might not be intuitive to everyone, so we will spell it out here. Direction is defined from the point of view of the virtual switch port, not of the VM:

  • Ingress is the outbound network traffic from the VM to the logical network (the packet enters the switch port).
  • Egress is the inbound network traffic from the logical network to the VM (the packet leaves the switch port towards the VM).

We select Egress because we want to see the traffic going to the WebFarm (a group previously defined that includes the web servers running on the segment).

Once we start capturing on the Wireshark VM, we can see the mirrored traffic arriving; Wireshark decodes the GRE encapsulation automatically and shows both the outer and the inner headers. Below is the output from Wireshark:

  • The outer header has a source IP of (the ESXi host) and a destination IP of (the Wireshark VM), with GRE as the protocol.
  • The inner header has a source IP of (traffic coming from the Elastic Load Balancer in the connected AWS VPC, over the ENI, to the web server) and a destination IP of (one of my web servers), with a destination port of 80 (HTTP).
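To make the outer/inner header structure above concrete, here is an added example (not code from the original post, nor VMware's) that decodes frames captured on the collector VM: it strips the outer Ethernet, IPv4 and GRE headers, refuses anything whose outer source is not one of the ESXi hosts the management gateway rule was written for, and returns the inner 5-tuple. It goes a little beyond the post by also handling GRE payloads that carry a whole Ethernet frame (protocol type 0x6558) as well as bare IPv4 (0x0800), and the optional GRE checksum/key/sequence fields. All addresses (ESXi hosts 10.2.0.11 and 10.2.0.12, collector 10.1.10.5, ELB 172.31.5.20, web server 10.1.10.21) and the sample frame are constructed for the example; they are not the ones from the post.

```python
"""Decode GRE-encapsulated mirrored packets on the collector VM (added example; all addresses constructed)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_IPV4, ETHERTYPE_TEB = 0x0800, 0x6558   # TEB: GRE payload is a whole Ethernet frame
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
# Constructed: the ESXi hosts that the management-gateway rule allows to send mirrored traffic.
ALLOWED_ESXI_HOSTS = {"10.2.0.11", "10.2.0.12"}


@dataclass(frozen=True)
class MirroredPacket:
    outer_src: str              # ESXi host that mirrored the packet
    outer_dst: str              # collector VM
    inner_src: str
    inner_dst: str
    inner_proto: int
    src_port: Optional[int]     # None unless the inner packet is TCP or UDP
    dst_port: Optional[int]


def _ethernet(buf):
    """Return (ethertype, header_len) of an untagged Ethernet header."""
    if len(buf) < 14:
        raise ValueError("truncated Ethernet header")
    return struct.unpack("!H", buf[12:14])[0], 14


def _ipv4(buf):
    """Return (src, dst, proto, header_len); the checksum is not verified."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if buf[0] >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a valid IPv4 header")
    return str(ipaddress.IPv4Address(buf[12:16])), str(ipaddress.IPv4Address(buf[16:20])), buf[9], ihl


def _gre(buf):
    """Return (protocol_type, header_len), skipping optional checksum/key/sequence fields (RFC 2784/2890)."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    hdr = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if len(buf) < hdr:
        raise ValueError("truncated GRE options")
    return proto, hdr


def decode_mirrored(frame, allowed_sources=ALLOWED_ESXI_HOSTS):
    """Strip outer Ethernet/IPv4/GRE and return the inner 5-tuple; reject anything that is not
    GRE from an allowed ESXi host so a forged mirror packet is never treated as observed traffic."""
    ethertype, off = _ethernet(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    outer_src, outer_dst, proto, ihl = _ipv4(frame[off:])
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    if outer_src not in allowed_sources:
        raise ValueError("mirror traffic from unexpected source %s" % outer_src)
    off += ihl
    gre_proto, gre_len = _gre(frame[off:])
    off += gre_len
    if gre_proto == ETHERTYPE_TEB:                      # whole Ethernet frame inside GRE
        inner_type, eth_len = _ethernet(frame[off:])
        if inner_type != ETHERTYPE_IPV4:
            raise ValueError("inner frame is not IPv4")
        off += eth_len
    elif gre_proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE protocol type 0x%04x" % gre_proto)
    inner_src, inner_dst, inner_proto, inner_ihl = _ipv4(frame[off:])
    off += inner_ihl
    sport = dport = None
    if inner_proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= off + 4:
        sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return MirroredPacket(outer_src, outer_dst, inner_src, inner_dst, inner_proto, sport, dport)


def _eth(ethertype):
    """Constructed Ethernet header (dummy VMware-style MACs) in front of a sample payload."""
    return bytes.fromhex("005056000001005056000002") + struct.pack("!H", ethertype)


def _ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a zero checksum (fine for a constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_sample_frame(esxi="10.2.0.11", teb=False, with_seq=False):
    """Constructed: ESXi host -> collector 10.1.10.5 in GRE, carrying ELB 172.31.5.20 -> web 10.1.10.21 TCP SYN to port 80."""
    tcp = struct.pack("!HHIIBBHHH", 43522, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = _ipv4_header("172.31.5.20", "10.1.10.21", IPPROTO_TCP, len(tcp)) + tcp
    if teb:
        inner = _eth(ETHERTYPE_IPV4) + inner
    gre = struct.pack("!HH", 0x1000 if with_seq else 0, ETHERTYPE_TEB if teb else ETHERTYPE_IPV4)
    gre += (struct.pack("!I", 7) if with_seq else b"") + inner   # S bit set: 4-byte sequence number
    return _eth(ETHERTYPE_IPV4) + _ipv4_header(esxi, "10.1.10.5", IPPROTO_GRE, len(gre)) + gre


if __name__ == "__main__":
    print(decode_mirrored(build_sample_frame()))
```

Run it to print the decoded sample; in practice you would feed decode_mirrored the frames read from a pcap or a raw socket on the collector. The source check is the part worth keeping: a GRE packet is trivial to forge, so anything that consumes the mirror stream as ground truth (an IDS, a call recorder, a flow logger) should only accept it from the hosts that are supposed to be sending it, which is exactly the set the management gateway rule was written for.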

It is so ridiculously easy to set up that it's almost unfair: I now have full visibility of my traffic within VMware Cloud on AWS, in minutes. Keep in mind that every mirrored byte is a second copy crossing the host uplink and the collector's vNIC, and that it travels unencrypted inside GRE, so scope the session to the VMs you actually need and remove it once the investigation is done.

Thanks for reading and feel free to head over to nicovibert.com for more content on VMware Cloud on AWS.

About the Authors

Nicolas Vibert

Lead Solution Engineer - VMware Cloud at VMware

I am Nico Vibert and currently work for VMware as a Lead Solution Engineer for the VMware Cloud on AWS service. Most of my career has been spent in the networking world, from a junior support engineer working for a Cisco partner to a senior network architect working for Cisco itself. I finally joined VMware late in 2015 and worked on the network virtualization software NSX until I transitioned to the VMware Cloud on AWS team. If you’re really that curious, you can find out more on my LinkedIn profile. I have a strong technical background which I have validated with 17 certifications over my career, across multiple vendors (Cisco, VMware, AWS, etc.). I hold the Cisco CCIE certification, recognised as one of the toughest certifications in the IT Industry (I recently published some thoughts on my 10-year anniversary as a CCIE). To complement my technical certifications and expertise, I built solid enterprise architecture skills (based on TOGAF) and have written business cases and devised complex financial ROI models. I am a polished presenter and can articulate complex solutions from CxO-level to entry-level engineer. I regularly speak at events, whether on a large scale such as VMworld, Cisco Live or at smaller forums such as VMUGs or local events. Finally, I’m passionate about knowledge sharing and mentoring: I regularly train new hires and take the time to mentor individuals across VMware.
