Problem:
I needed to capture all traffic from a particular network port (an IP phone system connected to a Cisco SG300 switch) and mirror this data to a virtual machine in our virtual infrastructure. So effectively I needed to setup port mirroring from a physical network port to a VMWare ESXi virtual machine.
Solution:
The solution turned out to be fairly simple but involved a few steps. You probably already roughly know what you need to do to get this working if you are reading this but I’ll give you a quick overview anyway. Port mirroring or port SPAN essentially allows you to replicate all traffic on a switch to another port on a switch. Why would you want to do this? Most of the time this is for monitoring purposes but there may be cases (usually involving VOIP phone systems) were there is a production need. As mentioned the port traffic is replicated to another port. The port that the traffic is replicated to then needs to be connected to a NIC on your ESXi host.
Once you have the NIC connected to your host you need to create a new standard vSwitch and assign the NIC connected to the replicated port to it. You then need to configure the vSwitch in promiscuous mode and give it a name. If you have your switch configured correctly you can create a VM on the host (unless you have one already) and create a new NIC using the new vSwitch you created for the network.
Configuring ESXi
First create a new Standard vSwitch, this is going to be the target for your port mirror. Make sure that you name it appropriately so that it is easy to assign it to your VMs without confusion.
Make sure that you then assign the NIC that you connected to the port that is being replicated in the Network adapters tab.
Then most importantly make sure that you set the Security settings of both the vSwitch and the port group to Accept promiscuous mode.
Next set the VLAN ID to All.
Then you need to add a NIC to your VM and select the network that you created above.
Switch Configuration
I was using a Cisco SF300 switch so in the GUI this was a simple matter of going to Diagnostics>Port and VLAN Mirroring and choosing my source and destination ports. Please note that adding the port mirror does not cause any network interruption or downtime on the switch and can be done in working hours safely.
Testing
To test I first installed Wireshark and selected the NIC that I had bound the mirrored port to.
I then started a continuous ping from my desktop to the device connected to the port that I was mirroring from. I then added a filter to Wireshark using the syntax ip.addr == 10.200.20.40 (this is the IP of the machine I was pinging from).
Once I could see the ICMP packets I knew that everything was working ok and that I had successfully mirrored the port and sent the traffic to the 2nd NIC of my VM in ESXi.
Thanks so much friend. You save me from searching around. First I thought it was impossible with standard vSwitch, the only I missed was to see VLAN in the port group to All 4095. Once I did that, it works perfectly.
No problem, glad I could help.
Hi Robin,
Hope your help bro:
The ESXi is hosting 10 VMs but it has only an physical port. So I dont have a dedicated physical port for receive mirrored traffic. Have any way for this case?
Thanks bro,
Jose
hi,
really appreciate your tutorial here. its exactly what i;ve been trying to wrap my head around to port mirror pfsense traffic to my SecurityOnion VM.
i made all your same configs but my options for VLAN in port group doesn’t list the “All 4095”. there isn’t even a drop down option just an entry field to type a VLAN number.
what number should i put in the field or other suggestion you have about that?
i’m running VMware ESXi 6.7 and using web interface management client.
Hi, I’m bit confused and not really familiar with SPAN port,
what are your source FE1 and destination FE12?
Thanks
Hi Im karthi,
I have one doubt in this session, like can i have this same setup in the VDS as as well since i’m not able to see the all ports instead its retrieving as VLAN TRUNK 1-4095
Please confirm me in the same or try to mail me in vteamops.solutions@gmail.com
Really nice article and resolved my port mirroring requirement.
Thank you
Does this work with ESXI 7? I have this configured but when I uses Wireshark I only see source traffic from the device that is mirrored but no destination traffic.