Installing a Virtual Appliance on a VMware ESX Cluster

Introduction

This article walks through installing a virtual network appliance on a VMware ESX cluster.


Prerequisites & System Requirements

Before proceeding with the installation, ensure that the virtual appliance(s) meet the following minimum system requirements. These requirements are repeated in the specific sections below but are gathered here for reference.

Requirement   Primary Virtual Appliance                                 Remote Virtual Appliance
Platform      VMware vCenter v6.7                                       VMware vCenter v6.7
Storage       1TB + 512GB, capable of providing at least 1024 IOPS/TB    1TB, capable of providing at least 256 IOPS/TB
Memory        32GB                                                      8GB
CPU           4 vCPUs                                                   2 vCPUs
Distribution  1 Field Effect VM per physical ESXi host (depending on capture configuration)


Part 1 – Capture Configuration

Field Effect relies on receiving full packet capture to provide advanced analytic capabilities. Field Effect and ESX can support many different capture configurations; if you wish to use a method not described in this guide, contact us for additional assistance.


VMware can provide a configuration similar to port mirroring by enabling “promiscuous mode” on a Virtual Switch (vSwitch) or Distributed Switch (dSwitch) port group. However, in this configuration you will require a virtual appliance for each physical ESX host, because promiscuous mode on a port group will not mirror traffic across physical hosts.


We recommend that a unique Port Group be created for your virtual appliance(s) to use to capture network traffic. This avoids allowing all VMs connected to a given virtual switch to observe all network traffic across that switch.


Another option VMware provides is called Encapsulated Remote SPAN (ERSPAN). This may be a viable option if you have virtual firewall(s) or some other virtual infrastructure that acts as a traffic aggregation point.


Virtual Switch Capture

If you are using vSwitches to manage networks in your ESX cluster, you will need to configure each vSwitch to allow packets to be captured:


  1. Select the host in vCenter. From the ACTIONS dropdown menu, select Add Networking.
  2. Select Virtual Machine Port Group for a Standard Switch and click Next.
  3. Choose Select an existing standard switch and choose the switch you’d like to monitor traffic from. When selected, click Next.
  4. Give the port group a label (ex: “CovalenceCapture”), click Next and then Finish.
  5. Next, select the ESXi host, and select Virtual switches from the Configure tab’s Networking section.
  6. Select the vSwitch and then select Edit Settings from the CovalenceCapture port group’s ellipsis (…).
  7. From the Security section, select Override for “Promiscuous mode” and ensure that it’s set to Accept. When ready, click OK.
  8. If you use VLANs, ensure that the VLAN ID is set to All (4095).

Now any VM attached to this port group will have promiscuous mode access to all network traffic transiting this vSwitch.

 

Distributed Switch Capture

If you are using dSwitches (distributed switches) to manage networks in your ESX cluster, you only need to complete these steps once within vCenter for each dSwitch you would like to monitor:

  1. In vCenter, select Networks and click on the distributed switch that you want to capture traffic from. In the Distributed Port Group section, select New Distributed Port Group.
  2. Use the name “CovalenceCapture” and click Next.
  3. Leave the defaults unless otherwise needed for your environment and click Next. Then click Finish to confirm.
  4. Select the “CovalenceCapture” port group from the tree menu on the left. From the ACTIONS tab, click Edit Settings in the Settings section.
  5. From the Security section, select Override for Promiscuous mode, and set the slider to Accept.
  6. If VLANs are in use, select VLAN. For VLAN type select “VLAN trunking”, then for the range input “0-4094”. This ensures that the port group captures any VLAN-tagged traffic. Click OK.

Now any VM attached to this port group will have promiscuous mode access to all network traffic transiting this dSwitch.
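The standard-switch procedure above, scripted with VMware PowerCLI as an added example (not Field Effect’s own tooling): it creates the capture port group with VLAN 4095, overrides promiscuous mode on that port group only, and then audits every port group on the host that accepts promiscuous mode, since any port group other than the capture one with that setting lets its VMs see all traffic on the switch. It assumes an existing Connect-VIServer session; the host and switch names are placeholders.

```powershell
# Added example (PowerCLI), not Field Effect's own tooling. Assumes Connect-VIServer
# has already been run; the host and switch names below are placeholders.
param(
    [string]$HostName      = "esx01.example.internal",   # placeholder
    [string]$SwitchName    = "vSwitch0",                 # placeholder
    [string]$PortGroupName = "CovalenceCapture"          # name used in this guide
)

$vmhost  = Get-VMHost -Name $HostName
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName -Standard

# Step 1: dedicated capture port group. VLAN ID 4095 on a standard switch means
# "all VLANs", matching the "All (4095)" setting in the guide.
$pg = New-VirtualPortGroup -VirtualSwitch $vswitch -Name $PortGroupName -VLanId 4095

# Step 2: override promiscuous mode on this port group only. Leaving the vSwitch
# policy untouched keeps every other port group from seeing mirrored traffic.
$pg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false | Out-Null

# Step 3: audit. Any port group on the host that accepts promiscuous mode, other
# than the capture port group, gives its VMs visibility of all switch traffic.
function Get-PromiscuousPortGroup {
    param([Parameter(Mandatory)] $VMHost)
    Get-VirtualPortGroup -VMHost $VMHost -Standard | ForEach-Object {
        $policy = $_ | Get-SecurityPolicy
        [pscustomobject]@{
            Host        = $VMHost.Name
            Switch      = $_.VirtualSwitchName
            PortGroup   = $_.Name
            VLanId      = $_.VLanId
            Promiscuous = $policy.AllowPromiscuous
            Inherited   = $policy.AllowPromiscuousInherited
        }
    } | Where-Object { $_.Promiscuous }
}

Get-PromiscuousPortGroup -VMHost $vmhost |
    Where-Object { $_.PortGroup -ne $PortGroupName } |
    ForEach-Object { Write-Warning "Unexpected promiscuous port group: $($_.Switch)/$($_.PortGroup)" }
```

Run the audit function again after any networking change on the host; for distributed switches the equivalent cmdlets are Get-VDPortgroup with Get-VDSecurityPolicy and Set-VDSecurityPolicy.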


Encapsulated Remote SPAN (ERSPAN)

This option may be viable if:

  1. You’re using distributed switches; and
  2. You have virtual firewall(s) that act as a traffic aggregation point.


The benefit of an ERSPAN configuration is that you do not need a virtual appliance for each physical host and don’t need to configure any affinity rules for the virtual appliance(s).


The potential issue with an ERSPAN configuration is additional traffic across your switch fabric (since this traffic can be sent from one ESX host to another).


In order to configure ERSPAN, use the following steps (you may need to come back to this after configuring your virtual appliance):


NOTE: this ERSPAN configuration is based on VMware documentation.

  1. Browse to the distributed switch in the vSphere Client navigator.
  2. Click the Configure tab and expand Settings.
  3. Select Port Mirroring and then click NEW…
  4. Select Encapsulated Remote Mirroring (L3) Source as the session type. On the Edit Properties page, set the name according to your organizational standards, or to something descriptive like “CovalenceSession1”. Set Encapsulation Type to “ERSPAN Type III”. Leave the remaining settings at their defaults.
  5. On the Select sources page, select the relevant VM ports. Ideally these should be the internal side of any virtual firewall(s), which will mirror primarily north/south traffic.
  6. On the Select destinations page, add an entry for the IP of the virtual appliance. Notes:
    • We recommend this IP be configured on a second network interface on the virtual appliance.
    • The network interface and IP address of the receiving interface must be reachable by the ESX host.
    • Contact Field Effect support for assistance with configuring the IP on this secondary interface after Part 2 of this guide is completed.
  7. Complete the setup.


Part 2 – Virtual Appliance Installation

Depending on the traffic capture configuration, you may need one virtual machine for each physical ESXi host in your cluster on which you are capturing traffic, plus one primary appliance for Field Effect if you do not have a physical appliance. If you only have a single ESX host and no physical appliance, then you only need a primary virtual appliance.


The primary appliance runs the Field Effect UI, databases, and analysis; it requires storage which can provide at least 1024 IOPS/TB.


The remote sensors inspect traffic and report to the primary appliance and can run on storage rated for lower IOPS (256 IOPS/TB).


Primary Appliance

This is required if you do not have a physical network appliance.

  1. Upload the provided Field Effect Installer ISO to your ESX cluster.
  2. Open the New Virtual Machine wizard from the ACTIONS tab.
  3. Use the name “Covalence Primary”, or another name fitting your virtual machine naming scheme. When ready, click Next.
  4. Select the Cluster or Host, as desired, and click Next.
  5. Choose the storage path for the primary server. The data store should be able to provide 1024 IOPS or more. SSDs and most NAS or SAN storage systems should be able to meet this requirement, but local HDDs are unlikely to be sufficiently fast.
  6. For the Select Compatibility step, select ESXi 7.0 or later.
  7. Choose Linux and Ubuntu Linux for the Guest OS options.
  8. Configure the virtual machine’s hardware:
    • 4 CPUs
    • 32GB of memory
    • Networking:
      • You may use a single network interface for both management and capture (management functions such as accessing the Field Effect UI and allowing the Field Effect VM to reach back to Field Effect for remote management).
      • Or, you can use one network interface for management and a different one for capture.
      • In either of the above cases, ensure the capture network interface is connected to the previously created port group.
      • If you have multiple vSwitches or dSwitches to monitor, you will need to add additional network interfaces and connect them to the appropriate port groups.
    • Storage:
      • First hard drive: 512GB (if your environment has multiple tiers of storage, this should be on 1024 IOPS/TB or more).
      • Second hard drive: 1TB (this may be on slower storage).
    • Connect the Installer ISO and make sure it’s set to connect at power on.
  9. Click Next, then Finish, and boot the virtual machine. In the installer:
    1. Choose a primary network interface.
    2. Configure a static IP if you do not have a DHCP server on the configured network. The installer will use DHCP by default.
  10. When the installer completes, the virtual machine will reboot automatically and show a login prompt. Record the MAC address of the network interface from the virtual machine’s settings.


Remote Sensors

The steps for configuring remote sensors are very similar to the previous procedure for the primary appliance. For each ESXi host:

  1. Upload the provided Installer ISO to your ESX cluster.
  2. Open the “New VM” wizard.
  3. Use the name “Covalence Remote N”, where N is a number from 1 to 9, or another name fitting your virtual machine naming scheme.
  4. Select the cluster, and a specific host which does not yet have a remote sensor virtual machine.
  5. Choose the storage path for the remote sensor. The data store should be able to provide 256 IOPS or more. SSDs, most NAS or SAN storage systems, and local HDDs should be able to meet this requirement.
  6. Choose “Linux”, and “Ubuntu Linux” for the Guest OS options.
  7. Configure the virtual machine’s hardware:
    1. 2 CPUs
    2. 8GB of memory
    3. Networking:
      1. You may use a single network interface for both management and capture (management functions such as accessing the Field Effect UI and allowing the VM to reach back to Field Effect for remote management).
      2. Or, you can use one network interface for management and a different one for capture.
      3. In either of the above cases, ensure the capture network interface is connected to the previously created port group.
      4. If you have multiple vSwitches or dSwitches to monitor, you will need to add additional network interfaces and connect them to the appropriate port groups.
    4. 1TB hard drive (lower storage speed is acceptable here, although this depends on the expected network traffic throughput).
    5. Connect the Installer ISO and make sure it’s set to connect at power on.
  8. Select “Finish” and then boot the virtual machine.
  9. The installer will run automatically:
    1. Choose the first interface in the list (usually ens160).
    2. If you do not have a DHCP server, or wish to use a static IP, configure that at the same time.
  10. When the installer completes, the virtual machine will reboot automatically and show a login prompt.
  11. Record the MAC address of the management network interface from the virtual machine settings.

 

Provide Management MAC Addresses to Field Effect Support

The installer configures a minimal system which connects back to Field Effect for further configuration and customization.

Please provide the MAC addresses of the primary appliance’s management network interface and of each remote sensor’s management network interface to FES Support so that we can complete the setup. The MAC addresses allow us to identify which system is which remotely.


Part 3 - Configure Remote Sensor Affinity Rules

If using vSwitch/dSwitch port groups in promiscuous mode for traffic capture, ESX must be configured with affinity rules to keep the remote sensors built in Part 2 running on their assigned hosts. Without affinity rules the sensors may be migrated onto a single host, which would prevent Field Effect from inspecting all the network traffic from the cluster.


Select the cluster, then within the Configure tab, click VM/Host Groups.



For each ESX host:

  • Click “Add” 
  • Enter the name of the ESX host for “Name” 
  • Set “Type” to “Host Group” 
  • Click “Add” 
  • Locate and select the ESX host to add it
  • Click “OK”



For each remote sensor:

  • Click “Add” 
  • Enter the name of the remote sensor for “Name” 
  • Set “Type” to “VM Group” 
  • Click “Add” 
  • Locate and select the remote sensor to add it
  • Click “OK”

 


Select the cluster, then within the Configure tab, select VM/Host Rules.



For each ESX host: 

  • Click “Add”
  • Enter “SensorOnHost” for Name, where Host is the name of the ESX host 
  • Set Type to “Virtual Machines to Hosts”
  • Choose the VM group that has the remote sensor running on this ESX host
  • Set the rule to “Must run on hosts in group”
  • Choose the Host Group for this ESX host
  • Click “OK”
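The Part 3 group and rule setup, scripted with VMware PowerCLI as an added example (not Field Effect’s own tooling): for every VM named with the “Covalence Remote N” scheme from Part 2 it creates the host group, the VM group and the “Must run on hosts in group” rule for the host the sensor currently runs on, then verifies that each sensor has an enabled rule, so a missing or disabled rule (the condition that lets DRS consolidate sensors onto one host) is visible. It assumes an existing Connect-VIServer session; the cluster name is a placeholder.

```powershell
# Added example (PowerCLI), not Field Effect's own tooling. Assumes Connect-VIServer
# has already been run; the cluster name is a placeholder. Sensor VMs are found by
# the "Covalence Remote N" naming scheme from Part 2.
param(
    [string]$ClusterName  = "Cluster01",          # placeholder
    [string]$SensorPrefix = "Covalence Remote"    # naming scheme from Part 2
)

$cluster = Get-Cluster -Name $ClusterName
$sensors = Get-VM -Location $cluster -Name "$SensorPrefix*"

foreach ($sensor in $sensors) {
    # Pin each sensor to the host it was built on (its current host).
    $vmhost        = $sensor.VMHost
    $hostGroupName = $vmhost.Name
    $vmGroupName   = $sensor.Name
    $ruleName      = "SensorOn$($vmhost.Name)"

    $hostGroup = Get-DrsClusterGroup -Cluster $cluster -Name $hostGroupName -ErrorAction SilentlyContinue
    if (-not $hostGroup) {
        $hostGroup = New-DrsClusterGroup -Cluster $cluster -Name $hostGroupName -VMHost $vmhost
    }
    $vmGroup = Get-DrsClusterGroup -Cluster $cluster -Name $vmGroupName -ErrorAction SilentlyContinue
    if (-not $vmGroup) {
        $vmGroup = New-DrsClusterGroup -Cluster $cluster -Name $vmGroupName -VM $sensor
    }
    if (-not (Get-DrsVMHostRule -Cluster $cluster -Name $ruleName -ErrorAction SilentlyContinue)) {
        # "Must run on hosts in group" is a hard rule: DRS/vMotion cannot move the
        # sensor off its host and silently leave that host's traffic uninspected.
        New-DrsVMHostRule -Cluster $cluster -Name $ruleName -VMGroup $vmGroup `
            -VMHostGroup $hostGroup -Type MustRunOn -Enabled $true | Out-Null
    }
}

# Verification: every sensor should have an enabled MustRunOn rule for its host.
function Test-SensorAffinity {
    param($Cluster, $Sensors)
    foreach ($s in $Sensors) {
        $rule = Get-DrsVMHostRule -Cluster $Cluster -Name "SensorOn$($s.VMHost.Name)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Sensor  = $s.Name
            Host    = $s.VMHost.Name
            Rule    = if ($rule) { $rule.Name } else { "<missing>" }
            Type    = if ($rule) { $rule.Type } else { $null }
            Enabled = [bool]($rule -and $rule.Enabled)
        }
    }
}

Test-SensorAffinity -Cluster $cluster -Sensors $sensors | Format-Table -AutoSize
```

Re-run the verification after adding hosts or rebuilding sensors; a row showing “<missing>” or Enabled false is a host whose traffic may no longer be captured.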

 

