Deploy the ExtraHop Discover Appliance

with VMware
Published: 2018-03-15

The ExtraHop virtual appliance can help you to monitor the performance of your applications across
internal networks, the public internet, or a virtual desktop interface (VDI), including database and storage
tiers. ExtraHop can monitor application performance across geographically distributed environments such
as branch offices or virtualized environments through intra-VM traffic.
This guide explains how to deploy the following ExtraHop Discover virtual appliances on the VMware ESXi/
ESX platform:
• EDA 1000v (Monitors up to 250 devices)
• EDA 2000v (Monitors up to 1000 devices)
• EDA 6100v (Monitors up to 3000 devices)

Virtual machine requirements

You must have an existing installation of the VMware ESX/ESXi server version 5.5 or later, capable of
hosting the Discover virtual appliance. In addition, you need a vSphere client to deploy the OVF file and to
manage the virtual machine.
The following table provides the server hardware requirements for each Discover model.

Table 1:

Appliance CPU RAM Disk

EDA 1000v 2 processing cores with 4GB or higher 46 GB or higher disk
hyper-threading support, (thick-provisioned)
VT-x technology, and 64-
bit architecture.
If you want to enable
SSL decryption, 3 CPUs
are required. For more
information, see Add a
CPU Core to the EDA
1000v with VMware .

EDA 2000v 6 processing cores with 6 GB or higher 255 GB or higher disk

hyper-threading support, (thick-provisioned)
VT-x technology, and 64-
bit architecture.
EDA 6100v 16 processing cores 64 GB or higher 1 TB or higher disk
(minimum 2.5 Ghz clock (thick-provisioned)
speed) with hyper-
threading support, VT-
x technology, and 64-bit
architecture.

To ensure proper functionality of the virtual appliance:

©
2018 ExtraHop Networks, Inc. All rights reserved.
 • Always choose thick provisioning. The ExtraHop datastore requires low-level access to the complete
drive and is not able to grow dynamically with thin provisioning. Thin provisioning can cause metric
loss, VM lockups, and capture issues.
• Do not change the default disk size on initial installation. The default disk size ensures correct
lookback for ExtraHop metrics and proper system functionality. If your configuration requires a
different disk size, contact your ExtraHop representative before you make any changes.
• Do not migrate the VM. Although it is possible to migrate when the datastore is on a remote SAN,
ExtraHop does not recommend this configuration.
Important: If you want to deploy more than one ExtraHop virtual appliance, create the new
instance with the original deployment package or clone an existing instance that has
never been started.

Network requirements
You can monitor intra-VM or external traffic with the Discover virtual appliance.

Appliance Intra-VM External

EDA 1000v One 1-Gbps Ethernet network Two 1-Gbps Ethernet network
port is required (for management). ports are required. One for the
The management port must be physical port mirror and one
accessible on port 443. for management. The physical
port mirror interface must be
connected to the port mirror of the
switch.
While it is possible to configure
a 10-Gbps Ethernet network port
for the port mirror interface, it is
not recommended as the virtual
appliance cannot process more
than 1 Gbps of traffic.

EDA 2000v One 1-Gbps Ethernet network Two to four 1-Gbps Ethernet
port is required (for management). network ports are required for
The management interface must the physical port mirror and
be accessible on port 443. management. The physical
port mirror interface must be
connected to the port mirror of the
switch. The VMware ESX server
must support network interface
drivers.
While it is possible to configure
a 10-Gbps Ethernet network port
for the port mirror interface, it is
not recommended as the virtual
appliance cannot process more
than 3 Gbps of traffic.

EDA 6100v One 1-Gbps Ethernet network A 10-Gbps Ethernet network

port is required (for management). port is recommended for the
The management interface must physical port mirror. Optionally,
be accessible on port 443. you can configure two to four
1-Gbps Ethernet network ports

Deploy the ExtraHop Discover Appliance with VMware 2

 Appliance Intra-VM External
for the physical port mirror and
management.
The physical port mirror interface
must be connected to the port
mirror of the switch. The VMware
ESX server must support network
interface drivers.

Note: For registration purposes, the virtual Discover appliance requires outbound DNS
connectivity on UDP port 53 unless managed by the ExtraHop Command appliance.

Deploy the OVA file through the VMware vSphere web client
ExtraHop distributes the Discover virtual appliance package in the open virtual appliance (OVA) format.
Before you begin
If you have not already done so, download the ExtraHop Discover virtual appliance OVA file for VMware
from the ExtraHop Customer Portal .
1. Start the VMware vSphere web client and connect to your ESX server.
2. Select the data center where you want to deploy the Discover virtual appliance.
3. Select Deploy OVF Template… from the Actions menu.
4. Follow the wizard prompts to deploy the virtual machine. For most deployments, the default settings
are sufficient.
a) Select Local file and then click Browse….
b) Select the OVA file on your local machine and then click Open.
c) Click Next.
d) Review the virtual appliance details and then click Next.
e) Specify a name and location for the appliance and then click Next.
f) For Disk Format, select Thick Provision Lazy Zeroed and then click Next.
g) Map the OVF-configured network interface labels with the correct ESX-configured interface labels
and then click Next.
h) Verify the configuration, select the Power on after deployment checkbox, and then click Finish
to begin the deployment. When the deployment is complete, you can see the unique name you
assigned to the ExtraHop VM instance in the inventory tree for the ESX server to which it was
deployed.
5. The Discover appliance contains a preconfigured bridged virtual interface with the network label, VM
Network. If your ESX has a different interface label, you must reconfigure the network adapter on the
Discover virtual appliance before starting the appliance.
a) Select the Summary tab.
b) Click Edit Settings, select Network adapter 1, select the correct network label from the Network
label drop-down list, and then click OK.
6. Select the Discover virtual appliance in the ESX Inventory and then select Open Console from the
Actions menu.
7. Click the console window and then press ENTER to display the IP.
Note: DHCP is enabled by default on the ExtraHop virtual appliance. To configure a static IP
address, see the Configure a Static IP Address section.
8. In VMware ESXi, configure the virtual switch to receive traffic and restart to see the changes.

Deploy the ExtraHop Discover Appliance with VMware 3

Configure a static IP address through the CLI
The ExtraHop appliance is delivered with DHCP enabled. If your network does not support DHCP, no IP
address is acquired, and you must configure a static address manually.
1. Establish a console connection to the ExtraHop appliance.
2. At the login prompt, type shell and then press ENTER.
3. At the password prompt, type default, and then press ENTER.
4. To configure the static IP address, run the following commands:
a) Enable privileged commands:

enable
b) At the password prompt, type default, and then press ENTER.
c) Enter configuration mode:

configure
d) Enter the interface configuration mode:

interface
e) Run the ip command and specify the IP address and DNS settings in the following format: ip
ipaddr <ip_address> <netmask> <gateway> <dns_server>
For example:

ip ipaddr 10.10.2.14 255.255.0.0 10.10.1.253 10.10.1.254

f) Leave the interface configuration section:

exit
g) Save the running config file:

running_config save
h) Type y and then press ENTER.

Register the ExtraHop appliance

Complete the following steps to apply a product key.
If you do not have a product key, contact your ExtraHop account team.
Tip: To verify that your environment can resolve DNS entries for the ExtraHop licensing server,
open a terminal application on your Windows, Linux, or Mac OS client and run the following
command:

nslookup -type=NS d.extrahop.com

If the name resolution is successful, output similar to the following appears:

Non-authoritative answer:
d.extrahop.com nameserver = ns0.use.d.extrahop.com.
d.extrahop.com nameserver = ns0.usw.d.extrahop.com.

1. In your browser, type the URL of the ExtraHop Admin UI, https://<extrahop_ip_address>/
admin.

Deploy the ExtraHop Discover Appliance with VMware 4

 2. Review the license agreement, select I Agree, and then click Submit.
3. On the login screen, type setup for the username.
4. For the password, select from the following options:
• For 1U and 2U appliances, type the service tag number found on the pullout tab on the front of the
appliance.
• For the EDA 1100, type the serial number displayed in the Appliance info section of the LCD
menu. The serial number is also printed on the bottom of the appliance.
• For a virtual appliance, type default.
5. Click Log In.
6. In the Appliance Settings section, click License.
7. Click Manage License.
8. Click Register.
9. Enter the product key and then click Register.
10. Click Done.

Post-deployment actions
After you deploy the Discover appliance, review the Discover and Command Post-deployment Checklist
and configure additional settings.

Mirror Wire Data

This section includes procedures for mirroring data to your ExtraHop virtual appliance.

Mirroring internal and external traffic

The ExtraHop Discover virtual appliance can be configured to monitor network traffic in the following
network configuration examples.
• Monitoring Intra-VM Traffic
• One virtual interface on the EDA 1000v
• Up to three virtual interfaces on the EDA 2000v or EDA 6100v
• Monitoring external mirrored traffic to the VM
• Monitoring external mirrored traffic to the VM (EDA 2000v or EDA 6100v)
• Monitoring both intra-VM and external mirrored traffic to the VM (EDA 2000v or EDA 6100v)
Note: Monitoring external network-mirrored traffic requires an external NIC and an associated
virtual switch.

Monitoring intra-VM traffic

This scenario requires a second VM port group on the default virtual switch of the ESX host for monitoring
traffic within the virtual switch as well as external traffic in and out of the switch.
1. Start the VMware vSphere client and connect to your ESX server.
2. Select the ESX host at the top of the tree control in the left panel and then click the Configuration tab.
In the Configuration tab, click Networking under the Hardware section.

Deploy the ExtraHop Discover Appliance with VMware 5

 This view shows how the virtual switch is configured. It displays the physical NIC to which the vSwitch
is tied (vmnic0 is eth0) and which networking components are using that vSwitch (VM Network Port
Group, Service Console). The VM Network port group contains the VM network.
3. To add a port group to the vSwitch0, click Add Networking.
The Add Network Wizard window appears.
4. Select Virtual Machine as the connection type and then click Next.

5. In the Network Access step, select Use vSwitch0 and then click Next.

Deploy the ExtraHop Discover Appliance with VMware 6

6. In the Connection Settings step, assign a unique name to the new port group, click the VLAN ID drop-
down menu, and select All (VLAN 4095).

Deploy the ExtraHop Discover Appliance with VMware 7

7. Click Next.
The virtual switch appears as follows:

8. Click Finish to exit the Add Network Wizard.

9. Set the Remote Port Mirror to Promiscuous Mode as follows.
a) Click the Properties link next to vSwitch0. In the vSwitch0 Properties window, select the newly
created Port Group (Local Port Mirror in the example below) and click the Edit button.

Deploy the ExtraHop Discover Appliance with VMware 8

 b) Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.
c) Click Close to exit the vSwitch0 Properties window.
10. Click the Getting Started tab and then click Edit Virtual Machine Settings.
11. Click Network Adapter 2, click the Network label drop-down menu, select Local Port Mirror, and
then click OK.

Deploy the ExtraHop Discover Appliance with VMware 9

 12. Restart the ExtraHop Discover virtual appliance to activate the new adapter setting.

Monitoring external mirrored traffic to the VM

This scenario requires a second physical network interface and the creation of a second vSwitch
associated with that NIC. This NIC then connects to a mirror, tap, or aggregator that copies traffic from a
switch. This setup is useful for monitoring the intranet of an office.
1. Start the VMware vSphere client and connect to your ESX server.
2. Select the ESX host at the top of the tree control in the left panel and then click the Configuration tab.
In the Configuration tab, click Networking under the Hardware section.

Deploy the ExtraHop Discover Appliance with VMware 10

 This view shows how the virtual switch is configured. It displays the physical NIC to which the vSwitch
is tied (vmnic0 is eth0) and which networking components are using that vSwitch (VM Network Port
Group, Service Console). The VM Network port group contains the VM network.
3. To add a second vSwitch, click Add Networking. The Add Network Wizard window appears. Select
Virtual Machine as the connection type and then click Next.

4. In the Network Access step, select Create a vSphere standard switch, ensure vmnic1 is selected,
and then click Next.

Deploy the ExtraHop Discover Appliance with VMware 11

5. In the Connection Settings step, assign a unique name to the new port group (Remote Port Mirror
in the example below), click the VLAN ID drop-down menu, and select All (VLAN 4095).

6. Click Next and then click Finish to exit the Add Network Wizard.
7. The Networking section of the configuration table for the ESX host appears as follows.

Deploy the ExtraHop Discover Appliance with VMware 12

8. Set the Remote Port Mirror to Promiscuous Mode as follows.
a) Click the Properties link next to vSwitch1. In the vSwitch1 Properties window, select vSwitch and
click the Edit button.

Deploy the ExtraHop Discover Appliance with VMware 13

 b) Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.

c) Click Close to exit the vSwitch1 Properties window.

9. Select the ExtraHop Virtual Appliance at the top of the tree control in the left panel, click the Getting
Started tab, and then click Edit Virtual Machine Settings.
10. Click Network Adapter 2, click the Network label drop-down menu, select Remote Port Mirror, and
then click OK.

Deploy the ExtraHop Discover Appliance with VMware 14

 11. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring external mirrored traffic to the VM (EDA 2000v or EDA 6100v)

In this scenario, you must create a third and fourth physical network interface and two more vSwitches
associated with those NICs. These NICs then connect to a mirror, tap, or aggregator that copies traffic from
a switch.
1. Start the VMware vSphere client and connect to your ESX server.
2. Select the ESX host at the top of the navigation tree in the left panel and then click the Configuration
tab. In the Configuration tab, click Networking under the Hardware section.

Deploy the ExtraHop Discover Appliance with VMware 15

3. To add a third vSwitch, click Add Networking. The Add Network Wizard window appears. Select
Virtual Machine as the connection type and then click Next.

4. In the Network Access step, select Create a vSphere standard switch, ensure vmnic2 is selected,
and then click Next.
5. In the Connection Settings step, assign a unique name to the new port group (Remote Port Mirror
2, for example), click the VLAN ID drop-down menu, and select All (VLAN 4095).
6. Click Next and then click Finish to exit the Add Network Wizard.
7. The Networking section of the configuration table for the ESX host appears as follows.

Deploy the ExtraHop Discover Appliance with VMware 16

8. Set the Remote Port Mirror to Promiscuous Mode as follows.
a) Click the Properties link next to vSwitch2. In the vSwitch2 Properties window, select vSwitch and
click the Edit button.
b) Click the Security tab, set the Promiscuous Mode to Accept, and then click OK.
c) Click Close to exit the vSwitch2 Properties window.
9. Select the ExtraHop Virtual Appliance at the top of the naviagation tree in the left panel, click the
Getting Started tab, and then click Edit Virtual Machine Settings.
10. Click Network Adapter 3, click the Network label drop-down menu, select Remote Port Mirror 2,
and then click OK.

Deploy the ExtraHop Discover Appliance with VMware 17

 11. Repeat steps 2 through 10 to add a fourth vSwitch.
12. Restart the ExtraHop VM to activate the new adapter setting.

Monitoring both intra-VM and external mirrored traffic to the VM (EDA 2000v or EDA
6100v)
In this scenario, you can monitor a mix of intra-VM and external mirrored traffic on up to three virtual
interfaces.
1. To monitor intra-VM traffic on one or more virtual interfaces, create a VM port group on the default
virtual switch of the ESX host for each interface as described in Monitoring Intra-VM Traffic.
2. To monitor external mirrored traffic on one or more virtual interfaces, create a physical network
interface and corresponding vSwitch for each interface as described in Monitoring External Mirrored
Traffic to the VM.
3. Click Network Adapter x and select an option from the Network label drop-down list for each
interface.

Deploy the ExtraHop Discover Appliance with VMware 18

Mirroring VLANs
To mirror VLANs, you must either set the destination port on the port mirror configuration to VLAN Trunking
or set the exact VLAN ID on the ports of the VLANS you are mirroring.

Related documentation
For information about configuring RSPAN, ERSPAN, and RPCAP to monitor remote devices, see the
following topics.
• Configure RSPAN with VMware
• Configure ERSPAN with VMware
• Configure ERSPAN with the Nexus 1000V
• Packet Forwarding with RPCAP

Deploy the ExtraHop Discover Appliance with VMware 19