Configuring ERSPAN

VMware vDS provides industry-standard features to monitor the network traffic: port mirroring (Encapsulated Remote Switched Port Analyzer (ERSPAN)) and NetFlow (discussed later).

Port mirroring is used on a switch to send a copy of packets seen on one switch port (or an entire VLAN) to a monitoring connection on another switch port. Port mirroring is based on ERSPAN standards.

You can configure port mirroring using the vSphere Web Client, in the Configure tab of a vDS, in the Port mirroring menu. Just click on the New... icon:

There are different session types for the port mirroring:

• Distributed Port Mirroring: Mirror packets from some VMs on one host to a VM on the same host. For more information see this blog post: https://blogs.vmware.com/vsphere/2013/01/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-1.html.
• Remote Mirroring Source: Mirror packets from some VMs on one host to a specific uplink port on the same host, with an external monitor system. For more information see this blog post: https://blogs.vmware.com/vsphere/2013/02/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-2.html.
• Remote Mirroring Destination: Mirror packets from VMs on one host to a VM on another host. For more information see this blog post: https://blogs.vmware.com/vsphere/2013/02/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-3.html.
• Encapsulated Remote Mirroring (L3) Source: Mirror packets from a number of distributed ports to the IP addresses of a remote agent. The virtual machine's traffic is mirrored to a remote physical destination through an IP tunnel.
• Distributed Port Mirroring (legacy): Mirror packets from a number of distributed ports to a number of distributed ports and/or uplink ports on the corresponding host.

For more information, see the vSphere 6.5 Networking guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.networking.doc/GUID-CFFD9157-FC17-440D-BDB4-E16FD447A1BA.html).