How to deploy Skylight sensor: capture Virtual Appliance in VMware

Introduction

This article explains how to deploy a Skylight sensor: capture (previously PVX) Virtual Appliance in VMware.

Basic Principles

North to South Visibility

• 100% user activities covered
• 100% applications analyzed
• Long look back retention
• Performance baselines
• L2 to application transactions
• Automated analysis

East to West Visibility

• Addresses both infrastructure and application requirements
• Non-intrusive virtualized datacenter integration
• Full application-chain insight across hybrid clouds & SDNs
• Fast time to value
• Low TCO

Universal Coverage: Virtual, IaaS, SDN

Skylight sensor: capture leverages its pure software sniffer to deliver agentless performance management in virtualized and cloud environments.

Others relying on hardware components offer intrusive alternatives requiring NICs, Network Packet Brokers (NPB), and generate additional traffic load.

In VMware, there are three traffic capture techniques based on:

• Virtual Standard Switch (VSS)
• Distributed Virtual Switch (DVS)
• Encapsulated Remote SPAN (ERSPAN)

The choice is basically based on two factors:

1. The VMware vSphere license : « Enterprise+ » or not
2. The PVX VA (Virtual Appliance) location vs the location of the VMs you intend to monitor the traffic from/to.

(✓) = Not recommended

How to Install Skylight sensor: capture in a VMware Environment

With the vSphere web client

To install Skylight sensor: capture in a VMware environment

1. Select Hosts & Clusters.
2. From this list, select Datacenter-PVX.
3. Go to the ACTIONS menu.
4. Select Deploy OVF Template…

5. In the Select an OVF template step, select the Local file radio button and click Choose files
6. Browse to your local copy of the PVX.ova file.
7. Click Open.

8. Click on NEXT.

9. In the Select a name and folder step, change the name of the Skylight sensor: capture VA (if needed) (1).
10. Choose the Site (container) in which to deploy Skylight sensor: capture VA (2).
11. Click NEXT (3).

12. In the Select a compute resource step, choose the ESX Host on which to install Skylight sensor: capture VA (1) and click NEXT (2)

13. In the Review details step, click NEXT.

14. In the License agreements step, accept the license agreement (1) and click NEXT(2).

15. In the Select storage step, choose your storage strategy (if not sure, select Thin Provision (1)) and click NEXT (2).

16. In the Select Networks step, let the destination network remain default (we’ll adjust this later), just click NEXT.

17. In the Ready to complete step, click FINISH.

• Skylight sensor: capture VA is being deployed:
  

• Skylight sensor: capture VA has been succesfully deployed:
  

How to Add Sniffing Interfaces to the Skylight sensor: capture Virtual Appliance

To add sniffing interfaces to the Skylight sensor: capture virtual appliance

1. Select Hosts & Clusters.
2. Select SkyLIGHT PVX.
3. Go to the ACTIONS menu.
4. In the drop-down menu, select Edit Settings...

5. Click ADD NEW DEVICE.
6. In the drop-down menu, select Network Adapter.
7. Click OK.

• You can create up to 10 network interfaces per Skylight sensor: capture VA (VMware limitation).

Virtual Standard Switch (VSS) Configuration

Scenario 1 - for intra-VMs capture only: Goal is to capture traffic between VM1 and VM2

Configure the Mirror VSS

1. Select Hosts & Clusters.
2. Choose 192.168.33.131.
3. Select the Configure tab.
4. Select Virtual switches.
5. Click on vSwitch0.

• In the Port Groups tab, Management Network is the standard VMKernel Port Group and VM Network is the default VSS for virtual machine deployment.

• Perform identical VSS configuration on the second ESK Host (192.168.33.132).

To configure the Mirror VSS

1. Select Hosts & Clusters.
2. Choose 192.168.33.131.
3. Select the Configure tab.
4. Select Virtual switches.
5. Click on Add Networking.

6. In the Select connection type step, select the Virtual Machine Port Group for a Standard Switch radio button (1) and click NEXT (2).

7. In the Select target device step, select the New standard switch radio button (1), change the MTU value to 9,000 if you want to analyze jumbo frames (2) and click NEXT (3).

8. In the Create a Standard Switch step, click NEXT (1), OK in the pop-up window (2) and NEXT once more (3).
   If you intend to only capture intra-virtual machine traffic, you do not need to specify a physical interface for this vSwitch.

9. In the Connection settings step, Fill in the name you that you want for the default Port Group of this new vSwitch (1), select one of two available options (2) and click NEXT (3).

10. In the Ready to complete step, review and click FINISH.

• A new VSS (vSwitch1) has been created on ESX Host 192.168.33.131.

• Note that a VSS is configured per ESX Host. No vSwitch1 has been created on the ESX Host 192.168.33.132.

Connect the Skylight sensor: capture VA sniffing i/f to the VSS

To connect the Skylight sensor: capture VA sniffing i/f to the VSS

1. Select Hosts & Clusters.
2. Select SkyLIGHT PVX.
3. Go to the ACTIONS menu.
4. In the drop-down menu, select Edit Settings...

5. Under Network adapter 2, select VM Network (1), Mirror (2), and then OK (3).

6. Click OK once more.

Configure the Promiscious mode on the VSS

To configure the Promiscious mode on the VSS

1. Select Hosts & Clusters.
2. Choose 192.168.33.131.
3. Select the Configure tab.
4. Select Virtual switches.
5. Click on vSwitch1.
6. Click Edit...

7. Under the Security step (1), click the arrow (2) and select Accept (3) to enable Promiscuous mode.

Migrate the VMs for which you want to capture the traffic

To migrate the VMs for which you want to capture the traffic

1. Select Hosts & Clusters.
2. Select Front-end Server.
3. Go to the ACTIONS menu.
4. In the drop-down menu, select Edit Settings...

5. Under Network adapter 2, select VM Network (1), Mirror (2), OK (3), and then OK (4) again.

6. Check to see if all virtual machines to monitor have been correctly moved to 'Mirror' Port Group of the vSwitch 1.

Scenario 2 – You need to capture traffic between physical network and VMs…

This scenario is a combination of scenario 1 and captureing traffic between physical network and virtual machines. The VSS must be connected to a physical host interface.

To capture traffic between physical network and VMs

1. Select Hosts & Clusters.
2. Choose 192.168.33.131.
3. Select the Configure tab.
4. Select Physical adapters. There is one available physical network interface.

6. Select Hosts & Clusters (1); choose 192.168.33.131 (2); select the Configure tab (3); select Virtual switches (4), vSwitch1 (5), and then click Manage Physical Adapters... (6).

7. In the Manage Physical Network Adapters dialog window, click the Add button (1), select the network adapter (2), click OK (3), and then click OK (4) again.

8. Review the Active adapters configuration and click OK.

Scenario 3 – VSS segmentation with multiple Port Groups

This scenario may be utilized if you intend to monitor traffic from and to VM1 only.

1. Select Hosts & Clusters.
2. Choose 192.168.33.131.
3. Select the Configure tab.
4. Select Virtual switches.
5. Select vSwitch1.
6. Click Add Networking...

7. In the Selected connection type step, select the Virtual Machine Port Group for a Standard Switch radio button (1) and click NEXT.

8. In the Select target device step, select an existing standard switch, vSwitch1 (1) and click NEXT.

9. In the Connection settings step, fill in the name of the new Port Group (1) and select VLANID All (4095) (2) in order to take VLANs into account. Then click NEXT (3).

10. In the Ready to complete step, review and click FINISH.

• vSwitch1 has been segmented into two Port Groups. Mirror can be put in promiscious mode while VM Network 2 cannot.

Distributed Virtual Switch (DVS) Configuration

Example of DVS already configured for the customer

• In the above figure, both ESX Hosts are using the DVS.

• In the above figure, all virtual machines are connected to the DVS.

Requirements

1. DVS creation for Skylight sensor: capture VA admin port

• Create the DVS
• Add the Host to the DVS
• Change DVS MTU

2. Mirroring configuration

DVS Creation for Skylight sensor: capture VA Admin Port Procedure

1. Create the DVS.

• A DVS is created at the Site level, not at an ESX Host level.
  

• Fill in a name for the DVS and click NEXT.

• Select the version corresponding to the oldest version of the ESX Hosts that will be connected to the DVS and click NEXT.

• Select 1 as one physical NIC that will be used, choose a name for the default Port Group associated to the DVS, and click NEXT.

• Click FINSH.

• DVS has been created but a physical interface (NIC) has yet to be assiociated.

2. Add the Host to the DVS.

• Only the ESX Host that hosts the Skylight sensor: capture virtual appliance has to be part of the DVS.

• Select the available NIC that has yet to be assigned.

• During the DVS creation process, we have created just one uplick; select it and click OK.

• The physical NIC (vmnic1) has been assigned to the default Port Group of the DVS.

• Click NEXT.

• Select the Admin interface of your Skylight sensor: capture virtual appliance. It will be connected to the DVS.

• Click OK.

• The Skylight sensor: capture virtual appliance Admin interface has been assigned; click NEXT.

• Click FINISH.

3. Change DVS MTU.

Mirroring Configuration Procedure

We'll configure a DVS mirroring to capture traffic between the Front-end and Back-end servers (in both directions).

Remember the Port ID for:

• The virtual machines to monitor (Port ID 1 and 3)
• The Skylight sensor: capture virtual appliance capture interface (Port ID 2)

The reason being, it will be useful in real enterprise environments.

• In the Select session type step, select Distributed Port Mirroring as session type and click NEXT.

• In the Edit properties step, fIll in a name, select Enabled if you want to immediately activate the mirror after creation, and click NEXT.

• In the Select sources step, select the source ports of the port mirroring session, click OK, and then click NEXT.

• The traffic is captured in both directions by default. Click NEXT.

• In the Select destinations step, select the destination ports and the uplinks of the port mirroring session, click OK, and then click NEXT.

• Click NEXT.

• Review and click FINISH.

• Configuration is complete.

This setup below is configurable without any warning message but is NOT supported by VMware due to the fact that you won’t see any captured traffic on Skylight sensor: capture VA.

ERSPAN Configuration

This includes the original traffic between virtual machine 1 and virtual machine 2.

• We now want to capture the traffic between two virtual machines located on separate ESX Hosts.

• The two virtual machines we want to capture the traffic from are located on an ESX Host that is not covered by a Skylight sensor: capture virtual appliance.

• In the Select session type step, select Encapsulated Remote Mirroring (L3) Source as port mirroring session type and click NEXT.

• In the Edit properties step, choose a name, select an Encapsulation type, and click NEXT.
• Skylight sensor: capture supports the three types of encapsulation; notice that ERSPAN Type III supports timestamping.

• Review and click FINISH.

• Configuration is complete.

vMotion

• vMotion is the VMware’s ability to dynamically move VMs from host depending on certain criteria (failures, workloads, …)
• Customers are allowed to let Skylight sensor: capture VA being vMotioned together with customers’ VMs as this does not change the UUID.

	vMotion supported	Limitations
Virtual Standard Switch (VSS)		The VSS should be identical (same name and configuration) on every hosts that are part of the vMotion scope
Distributed Virtual Switch (DVS)		As DVS-based mirroring does not work between different hosts, Skylight sensor: capture VA must follow the VMs it is monitoring (possible via Affinity configuration)
ERSPAN

• One possibility to insure some VMs stay on the same host is to configure VM-VM affinity.
• VMware affinity configuration requires the usage of VMware clusters. The following sections show how to create a cluster, put host in it and configure VM-VM affinity. This is provided as a reference as this kind of configuration is normally part of the customer’s whole VMware strategy and should be in place or configured by the customer themselves.

VMware Cluster Configuration

• Create a new cluster by selecting New Cluster... in the ACTIONS drop-down menu.

• Choose a name for the cluster and ensure to turn ON DRS, then click OK.

Adding Host to the Cluster

• Add a host to the new cluster by selecting Move To... in the ACTIONS drop-down menu.

• Select destination and click OK.

• Option is to be checked with the customer as it depends on the current configuration.

VM-VM Affinity Configuration

• In the Configure tab, select VM/Host Rules and click Add...

• Choose a name for the rule (ensure Enable rule is checkmarked and that Type is Keep Virtual Machines Together).
• Click Add..., and select the virtual machines that must stay together on the same ESX Host.
• Once finished, click OK.

• Review the new VM/Host Rule and click OK.

• The VM-VM Affinity configuration is complete and will appear under VM/Host Rules.