Port Mirroring on VMware Cloud on AWS

Learn how to set up Port Mirroring on VMware Cloud on AWS: a feature on virtual or physical switch that allows users to capture all packets from a port and send it to a destination device.

This short blog post will walk through how to set up Port Mirroring on VMware Cloud on AWS.

Port Mirroring is a feature on virtual or physical switch that allows users to capture all packets from a port and send it to a destination device.

It is typically used for the following use cases:

  • Copy traffic to an advanced firewall (IPS / IDS) to inspect the traffic.
  • Copy voice traffic to a voice recorder (often used in “Call Centre” to record conversations with customers).
  • And finally, it’s primarily used for troubleshooting. We often mirror traffic to the packet capture software Wireshark to understand packet loss or application issues.

With Port Mirroring, users must always decide:

  1. What traffic they want to monitor (“the source”),
  2. In which direction (traffic to “the source”, traffic from “the source” or both), and
  3. Where they want to send it to (a monitoring device, which might be local or remote).

There are different types of port mirroring sessions: Local Switch Port Analyzer (SPAN), Remote SPAN and Encapsulated Remote SPAN.

VMware Cloud on AWS leverages Encapsulated Remote SPAN to:

  1. copy traffic leaving or entering a virtual port,
  2. encapsulate the traffic in a GRE (Generic Routing Encapsulation) packet, and
  3. send it to a destination device (usually a machine running a Wireshark, a more advanced network packet analyser or a IDS/IPS for security analysis).

Today, VMware Cloud on AWS users can select one or multiple virtual machines as source. When you select a VM, all its vNICs will be selected to a port mirroring session (you cannot select a single vNIC – all vNICs will be monitored).

You can create a Port Mirroring on the VMware Cloud on AWS console or using the APIs.

Before you do that, you need to allow traffic from the ESXi hosts to the destination device. In the example below, we will mirror traffic and send it to a VM running Wireshark.

On the VMC console, click on Networking & Security and Security / Edge Firewall / Management Gateway.

Create a rule named Wireshark that allows communication from the ESXi hosts in the SDDC to Wireshark. This rule is needed to allow port mirroring traffic to be sent from the ESXi hosts directly to Wireshark.

 

 

We are going to monitor traffic to our web VMs on the 172.30.120.0/24 subnet (created in a previous blog) and copy all the traffic to the web VMs to our WireShark application running on the VM with the 192.168.1.134 IP address.

 

 

On the VMware Cloud on AWS Console, go ahead and create a mirroring session:

 

 

It might not be intuitive to everyone so we will spell it out here:

  • Ingress is the outbound network traffic from the VM to the logical network.
  • Egress is the inbound network traffic from the logical network to the VM.

We select Egress as we want to see the traffic to the WebFarm (which is a group previously defined including the web servers running on the 172.30.120.0/24 segment).

Once we start capturing the traffic on the Wireshark VM, we can see the traffic being copied across onto the Wireshark. Below is an output from Wireshark:

 

 

  • The outer header has a source IP of 10.56.32.4 (the ESXi host) and a destination IP of 192.168.1.134 (the Wireshark VM) and is using GRE.
  • The inside header has a source IP of 172.31.26.221 (traffic coming from the Elastic Load-Balancer in the connected AWS VPC and over the ENI to the webserver) and a destination IP of 172.30.120.18 (one of my web servers) and the destination port of 80 (HTTP).

It is so ridiculously easy to set up it’s unfair – I have now full visibility of my traffic within the VMware Cloud on AWS in minutes.

Thanks for reading and feel free to head over to nicovibert.com for more content on VMware Cloud on AWS.