Installing Splunk Stream on a virtual host and capturing network traffic from Cisco switches



We have around 5 Cisco switches that we want to capture traffic from.

Questions:
1) Can we install Splunk Stream on a virtual host in ESXi and SPAN-port the switch to the NIC in the virtual host? Or does the switch need to SPAN-port to the physical NIC of the ESXi machine?

2) Since we have 5 Cisco switches that we will be capturing from, does it mean that we need to enable 5 NICs in the virtual host and SPAN-port the switches to them? Or does the ESXi host need to have 5 NICs?

I only have experience in capturing traffic from one device's SPAN port to a physical host NIC.

Your guidance will be much appreciated.


It depends on your topology or what you intend to capture.

In the most basic configuration, you would define a monitor session (SPAN) destination interface on each switch and physically connect those interfaces to your VMware host hardware.

If you have trunk interfaces between your switches, you can define an RSPAN VLAN to forward traffic to an interface on one switch and connect that interface to your VMware host hardware.

You would couple either solution with an appropriate virtual switch configuration to bring the physical traffic to your virtual machine. With RSPAN, you can also forward traffic between virtual switches on multiple VMware hosts, which is desirable if you want to see VM-to-VM traffic.

All of this comes at a cost, of course. You're increasing utilization of your switches, both physical and virtual, by mirroring or copying frames. Your switches will prefer live frames over monitored frames, so you'll likely see drops on your monitor interfaces.

You also can't exceed the capacity of your monitor interfaces, i.e., it's not possible to monitor two fully utilized 1 Gbps interfaces over a single 1 Gbps monitor interface. I haven't used ERSPAN, but if your switches support it, the tunnel may mitigate drops during periods of increased activity.

I see...

In my case, if the 5 switches are connected to a master core switch, then SPAN porting at the core switch only should be sufficient, right?

Also, instead of using a UF as the collection node, can we use a HF as the collection node?


If your switches support the feature and you have the capacity, yes, you should be able to use RSPAN to send traffic to a monitor port on the core switch.

You can install Stream as a standalone Stream forwarder (no local instance of Splunk necessary), as an add-on on a Universal Forwarder, or as an add-on on a full instance of Splunk Enterprise (a heavy forwarder). Where and how you install Stream depends on your requirements.

If you install the app and add-on on a single instance of Splunk Enterprise, you can manage everything locally and forward to indexers as needed.

Whether or not this will meet your performance requirements depends on the volume and type of traffic you need to analyze. Since you're planning to install Stream on a virtual machine, the amount of data you can process depends largely on whether you dedicate a physical interface--which is not always possible in converged environments--and pin CPU and memory resources.
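To make the two answers above concrete, here is an added configuration example (not from the original thread or from Splunk or Cisco documentation) showing the RSPAN layout they describe: an access switch mirrors its edge ports into an RSPAN VLAN, the core switch pulls that VLAN out onto a single monitor port, and a plain local SPAN session is shown alongside for the single-switch case. The syntax is Catalyst IOS; interface numbers, the VLAN ID 900, hostnames and the port range are all assumptions chosen for illustration and must be adapted to your hardware.

```cisco
! ===== Access switch (hypothetical hostname SW-ACCESS-1) =====
! The RSPAN VLAN must exist, be marked remote-span, and be allowed on the
! trunk(s) toward the core; create the same VLAN on every switch in the path.
vlan 900
 name RSPAN_CAPTURE
 remote-span
!
! Mirror edge ports 1-8 in both directions into the RSPAN VLAN.
! Capacity caveat from the first answer: "both" on a full-duplex 1 Gbps port
! can generate up to 2 Gbps of mirrored frames per source port, and the
! switch will drop mirrored frames before it drops live ones.
monitor session 1 source interface GigabitEthernet1/0/1 - 8 both
monitor session 1 destination remote vlan 900

! ===== Core switch (hypothetical hostname SW-CORE) =====
vlan 900
 name RSPAN_CAPTURE
 remote-span
!
! Pull the RSPAN VLAN out onto the port cabled to the ESXi host NIC
! that is dedicated to the capture vSwitch. One destination port per
! host is enough; all access switches share VLAN 900.
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet1/0/48

! ===== Single-switch alternative: local SPAN =====
! Used when the sensor host is cabled directly to the switch being monitored.
monitor session 2 source interface GigabitEthernet1/0/1 - 8 both
monitor session 2 destination interface GigabitEthernet1/0/24

! ===== Verification (run on each switch) =====
! show monitor session 1
! show vlan remote-span
```

On the VMware side, the vSwitch (or port group) that the dedicated physical NIC is uplinked to must have its security policy set to accept promiscuous mode, otherwise the Stream forwarder VM will only ever see frames addressed to its own MAC and the mirrored traffic is silently discarded. Attach a second vNIC on the VM to that capture port group and leave the VM's management vNIC on the normal production network, so Stream's capture interface never carries an IP address and cannot be reached from the monitored segments.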

