ERSPAN and VDS Traffic path?


#1

Hi all, had an interesting question from a colleague today regarding the path mirrored traffic takes from ESX to EH when using ERSPAN.

For example, assume we have 10 ESXi hosts and all use a VDS switch. We are also using a physical ExtraHop device. All VMs reside within VLAN 100 and we set up ERSPAN with source = VLAN 100 and destination of EH interface IP. vm1 then begins chatting with vm6, which currently live on ESX1 and ESX6 respectively. Is there a way to determine which uplinks would be used to send the mirrored traffic to the physical ExtraHop device? Is it evenly distributed among ESXi hosts or does it favor an uplink from a specific ESX host?

The concern is uplink saturation.

Thanks!


#2

Hi @dkraut.

Is it possible to select a preferred uplink on each host?


#3

Traffic sent and received on an ESXi host is encapsulated and sent from that host. So in a system with 10 ESXi hosts on the same VDS with ERSPAN, ExtraHop would get ERSPAN traffic from all the hosts. Your next question might be: wouldn’t ExtraHop potentially receive duplicate traffic? Yes, and ExtraHop is able to de-duplicate in its processing.


#4

This appears to primarily be a question about how VDS works in VMware; I would love it if a VMware representative could chime in. Has the question been proposed to VMware as well?

My experience with troubleshooting ERSPAN traffic in VMware is that the traffic actually is sent from the management port of the VDS. So saturation and significant data loss with ERSPAN and a saturated VDS is totally a possibility.


#5

Thanks, guys. That was my next question, Nick. In a physical environment, SPAN traffic is dropped before normal traffic if congestion occurs, so I’m left wondering if VDS behaves the same way? My guess is yes, but it’s only a guess.

And yes, I agree that this is really a VDS question, so I did post on VMware as well, but have only received the quiet chirps of crickets.

https://communities.vmware.com/message/2637843#2637843


#6

Hello dkraut,

I have not seen an environment reach saturation on the VDS that I could contribute directly to ERSPAN. Sorry, again I am going to have to defer to VMware for verification of how ERSPAN can affect your VMware deployment.

thanks
Nick