Hi,
I installed a virtual vmware purview/analytics AAE in deployment mode 2 (Interface mirrored), with eth0 for netflow and management and eth1 for mirror packet reception:
0. Accept settings and continue
1. Hostname: interpur
2. Deployment Mode: Dual Interface Mirrored
3. Management Interface Configuration (eth0):
Address: 192.168.64.220
Netmask: 255.255.254.0
Gateway: 192.168.64.1
Nameserver: [our dns]
Domain name: [our domain]
4. NIS Server/Domain: Not Configured
5. Monitor Interface Configuration :
Tap Mode Interfaces eth1
An SSA switch sends its netflow packets towards 192.168.64.220 and has a mirror-n towards one of its switch ports which is directly connected to the AAE's host. (AAE's eth1 is mapped to a dedicated vswitch with promiscuous mode and All VLAN (4095) enabled. This vswitch uses the esxi-host's physical adapter which is directly connected to the SSA mirror port ge.1.17.)
SSA mirror and netflow config:
# mirror
set mirror create 2
set mirror 2 mirrorN 15
set mirror ports ge.1.17 2
# policy
set policy profile 1 name Purviewmirror pvid-status enable pvid 4095 mirror-destination 2
set policy rule admin-profile port lag.0.4 mask 16 port-string lag.0.4 admin-pid 1
set policy rule admin-profile port lag.0.5 mask 16 port-string lag.0.5 admin-pid 1
set policy rule admin-profile port ge.1.45 mask 16 port-string ge.1.45 admin-pid 1
set policy rule admin-profile port tg.1.4 mask 16 port-string tg.1.4 admin-pid 1
# netflow
set netflow export-interval 1
set netflow export-destination 192.168.64.220 2055
set netflow export-version 9
set netflow port lag.0.4-5 enable rx
set netflow port ge.1.45 enable rx
set netflow port tg.1.4 enable rx
set netflow template refresh-rate 30 timeout 1
set netflow cache enable
AAE receives netflow packets on eth0:
root@interpur:~$ tcpdump -i eth0 udp port 2055
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:28:35.047775 IP 192.168.64.9.2055 > interpur.man.htw-berlin.de.2055: UDP, length 1420
11:28:35.052489 IP 192.168.64.9.2055 > interpur.man.htw-berlin.de.2055: UDP, length 1444
11:28:35.058061 IP 192.168.64.9.2055 > interpur.man.htw-berlin.de.2055: UDP, length 1464
...
AAE receives mirror packets on eth1:
root@interpur:~$ tcpdump -i eth1 -c 2
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:32:07.549780 20:b3:99??72:3b (oui Unknown) > 20:b3:99:55:a0:1f (oui Unknown), ethertype Unknown (0x7034), length 70:
0x0000: a001 0800 4500 0034 01b2 4000 3406 395e ....E..4..@.4.9^
0x0010: 40ca 7004 8d2d cdb8 0050 c52b 245a cadb @.p..-...P.+$Z..
0x0020: 12e4 469b 8010 003e e21e 0000 0101 080a ..F....>........
0x0030: 6b12 fa03 36f0 de74 k...6..t
11:32:07.549789 20:b3:99??72:3b (oui Unknown) > 20:b3:99:55:a0:1f (oui Unknown), ethertype Unknown (0x7034), length 64:
0x0000: a001 0800 4500 002c 104b 0000 3006 d058 ....E..,.K..0..X
0x0010: bad4 81d1 8d2d e055 0aac 0913 8d2d e055 .....-.U.....-.U
0x0020: 0000 0000 6002 11b4 5b0f 0000 0204 05ac ....'...[.......
0x0030: 0000 ..
Management Center also shows netflow and mirror packets:
But the Identification Rate stays at 0% and Application Infos are not populated. What could be the reason? AAE was enforced and rebooted.
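The two frames captured on eth1 above can be checked offline to see where the IP header actually begins. This is an added example, not part of the original post, and its function names are hypothetical: it scans the payload bytes tcpdump printed for the first IPv4 header whose checksum and length validate, and returns what precedes it.

```python
import struct

# Payload bytes as tcpdump printed them after the 14-byte Ethernet header
# of the two eth1 frames in the post (outer ethertype shown as 0x7034).
FRAME1 = bytes.fromhex(
    "a00108004500003401b240003406395e"
    "40ca70048d2dcdb80050c52b245acadb"
    "12e4469b8010003ee21e00000101080a"
    "6b12fa0336f0de74")
FRAME2 = bytes.fromhex(
    "a00108004500002c104b00003006d058"
    "bad481d18d2de0550aac09138d2de055"
    "00000000600211b45b0f0000020405ac"
    "0000")


def ipv4_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over a correct IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def find_ipv4(payload: bytes):
    """Return (offset, leading_bytes, total_length, protocol) for the first
    offset that holds a valid IPv4 header, or None if there is none."""
    for off in range(0, len(payload) - 19):
        version, ihl = payload[off] >> 4, (payload[off] & 0x0F) * 4
        if version != 4 or ihl < 20 or off + ihl > len(payload):
            continue
        total_len = struct.unpack_from("!H", payload, off + 2)[0]
        if total_len < ihl or off + total_len > len(payload):
            continue  # length field does not fit the captured bytes
        if ipv4_checksum_ok(payload[off:off + ihl]):
            return off, payload[:off], total_len, payload[off + 9]
    return None


if __name__ == "__main__":
    for name, frame in (("frame 1", FRAME1), ("frame 2", FRAME2)):
        hit = find_ipv4(frame)
        if hit is None:
            print(f"{name}: no valid IPv4 header found")
            continue
        off, lead, total_len, proto = hit
        pad = len(frame) - off - total_len
        print(f"{name}: IPv4 at payload offset {off}, preceded by "
              f"{lead.hex()}, total length {total_len}, protocol {proto}, "
              f"{pad} trailing pad byte(s)")
```

On both sample frames the IPv4 header starts 4 bytes into the payload, directly after a 0x0800 type field, so these frames carry the bytes 0x7034 0xa001 between the MAC addresses and the real ethertype.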