# Traffic Mirroring deployment

## Traffic Mirroring Deployment Overview

Prism Central is the only supported method for deploying with Traffic Mirroring as the steering method, and it is required to create and manage Traffic Mirroring Sessions in the UI. Traffic Mirroring Sessions can also be created in the ACLI, but that is out of scope for this guide: Nutanix has stated to Vectra that ACLI access is planned to be removed in a future release, so Vectra is not documenting CLI-based Traffic Mirroring.

Below is an overview of the major steps:

{% stepper %}
{% step %}

#### [Create vSensor VM](#id-1.-create-vsensor-vm)

* One NIC will be a standard NIC used for management (MGT1).
* A special **Mirror Destination NIC** will be added to be used as the vSensor capture port. Only Mirror Destination NICs can be used as destinations in a traffic mirroring session.
* The disk size can be altered during deployment for 4, 8, or 16 core vSensors.
  * 2 core vSensors do not need their disk size altered.
  * If you miss this step, with the vSensor VM powered off, you can follow the instructions from [Increase vSensor VM Disk Size (if required)](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/service-chaining-1.0-deployment#id-2.-increase-vdisk-size-vsensor-vm-if-required) to alter disk size after deployment or change the size by updating the VM in Prism Central UI.
    {% endstep %}

{% step %}

#### [Set VM Affinity](#id-2.-set-vm-affinity)

Affinity should be set in Nutanix to keep the Vectra vSensor VM deployed on a specific AHV host.
{% endstep %}

{% step %}

#### [Create a Traffic Mirroring Session](#id-3.-create-a-traffic-mirroring-session)

This can also be done after initial vSensor configuration and pairing in Step 4, but if you don't have a traffic mirroring session configured, you won't be able to validate traffic.

There is no risk in creating the session before pairing; just bear in mind that traffic mirrored to the vSensor before it is paired to the Brain will not be forwarded to the Brain appliance for processing.
{% endstep %}

{% step %}

#### [Perform Post Deployment Configuration](#id-4.-perform-post-deployment-configuration)

* Initial vSensor configuration at the CLI.
* Pairing the vSensor to your Brain appliance.
* Validating that traffic is being captured by the vSensor.
  {% endstep %}

{% step %}

#### Repeat as Needed

Add additional vSensors and create/update traffic mirroring sessions as required for your deployment.
{% endstep %}
{% endstepper %}

## 1. Create vSensor VM

Navigate in Prism Central to *Infrastructure → Compute → VMs → Create VM* and you will be presented with a four-page dialog to create the vSensor VM:

#### Configuration - Page 1

* **Name** – Use a name of your choice.
* **Description** – Optional.
* **Project/Cluster** – Set if required for your org.
* **Number of VMs**
  * Normally 1 if deploying a single vSensor.
  * This can be set to more than 1 if you are deploying multiple identically configured vSensors. The additional vSensors would be named with -1, -2, etc. after the configured name.
* **VM Properties**
  * Refer to [Nutanix vSensor Requirements and Performance](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/introduction-and-requirements#nutanix-vsensor-requirements-and-performance) for vSensor specification.
  * **CPUs** – Set to 2, 4, 8, or 16 based on the size vSensor you are deploying.
  * **Cores** – Always set to 1.
  * **Memory** – Set to 8, 8, 16, or 64 based on the size of vSensor you are deploying.
* **Advanced Settings** – Not required.

#### Resources - Page 2

* **Disks** – Add the disks per the screenshots below, cloning them from the uploaded vSensor images.
  * Disk size can be changed per the vSensor specifications to avoid doing it in [Step 2](#id-2.-increase-vdisk-size-vsensor-vm-if-required) below.
* **Network** – Attach to the subnet of your choice.
  * This will be where the Management (MGT1) interface of the vSensor will be connected.
  * Initially it will boot with DHCP, but this can be changed to static at the CLI of the vSensor.
    * See [Initial vSensor configuration at vSensor CLI](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/nutanix-vsensor/initial-vsensor-configuration-at-cli) for details.
* **Add Mirror Destination NIC** – Click here to add the NIC that will become the vSensor capture port.
* **Boot Configuration**
  * This must be set to **Legacy BIOS Mode** with **Default Boot Order (CD-ROM, Disk, Network)**.
  * The `seed.iso` (CD-ROM) is read during vSensor boot to help configure network adapters.
* **Shield VM Security Settings** – Not required.

#### Management - Page 3

* **Enable ‘Default-Storage’ Policy**
  * Whether you enable this or not will depend on your defaults.
  * As per the [Nutanix vSensor Requirements and Throughput](#nutanix-vsensor-requirements-and-throughput):
    * Vectra recommends that Sensors are configured to use storage local to the hypervisor and are not stored on a SAN. Vectra vSensors require extremely high throughput from their disk storage and this throughput cannot normally be sustained by SAN systems without impact to other SAN users.
  * Also keep in mind that you will be pinning (setting affinity) for each vSensor to a specific node in each cluster.
* **Categories**
  * If you don’t already have a category and value from prior vSensor deployments, leave this blank for now.
  * If you have already created the category and value in [3. Create network function provider category and value](#id-3.-create-network-function-provider-category-and-value) and are deploying a new vSensor in this cluster, you can set the network\_function\_provider category and value that you previously created and won’t have to do it later in [6. Update the still powered off VM](#id-6.-update-the-still-powered-off-vm).
* **Timezone** – Configure per your standards.
* **Use this VM as an Agent VM**
  * The vSensor needs to be set as an **Agent VM**.
  * This can be enabled now, or it can be set during [6. Update the still powered off VM](#id-6.-update-the-still-powered-off-vm). Some configuration must be done at the CVM ACLI later anyway.
* **Guest Customization** – Not required.

#### Review - Page 4

* Review the settings, go back and change anything if required, and when ready, click **Create VM**.

#### Screenshot Examples

Full Prism Central VM configuration example screenshots below. Click to enlarge any image.

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FnH4rrPVcuBJG0eVQ4irn%2FNutanix_vSensor_Deployment_Guide-2025_Nov_6-9.png?alt=media&#x26;token=1d8853a1-61c8-45db-9369-3de322c48d4a" alt="" width="375"><figcaption><p>Configuration - Page 1</p></figcaption></figure>

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FeYjYEcvZM6nFd8WSCTPY%2FNutanix_vSensor_Deployment_Guide-2025_Nov_6-21.png?alt=media&#x26;token=c605c717-697a-4a14-867b-4949eb41fde7" alt="" width="375"><figcaption><p>Resources - Page 2</p></figcaption></figure>

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FDvYn2C22uFZRKBNlpmnl%2FNutanix_vSensor_Deployment_Guide-2025_Nov_6-7.png?alt=media&#x26;token=57062286-8531-499f-b7eb-f8927e9f0a2c" alt="" width="375"><figcaption><p>Adding seed.iso as CD-ROM on Resources - Page 2</p></figcaption></figure>

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FrcPimxVsxKq2Ydm4b034%2FNutanix_vSensor_Deployment_Guide-2025_Nov_6-8.png?alt=media&#x26;token=68cac2c9-c5d6-427b-a448-e27293a01525" alt="" width="375"><figcaption><p>Adding .qcow2 as Disk on Resources - Page 2</p></figcaption></figure>

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FLaxYV4arO4xfc6ZMlHAa%2FNutanix_vSensor_Deployment_Guide-2025_Nov_6-18.png?alt=media&#x26;token=f1374044-c4de-41df-9ca6-b2c74b7a6dfb" alt="" width="375"><figcaption><p>Attach to Subnet on Resources - Page 2</p></figcaption></figure>

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FE0a1rrDfXjT3qyxGNOn7%2FNutanix_vSensor_Deployment_Guide-2025_Nov_6-3.png?alt=media&#x26;token=5a92bf4d-b106-4d69-bbad-36a826635971" alt="" width="375"><figcaption><p>Management - Page 3</p></figcaption></figure>

<figure><img src="https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2FjPIlfw4ENzfFrl6ELwJM%2Fimage.png?alt=media&#x26;token=512e590e-84b1-4538-85eb-fde8e534a8ee" alt="" width="375"><figcaption><p>Review - Page 4</p></figcaption></figure>

## 2. Set VM Affinity

Affinity ties the vSensor VM to a specific node so that it is not moved to another node. Setting it is a best practice.

* This is setting an affinity to a specific node (also known as pinning).
* Since traffic mirroring sessions cannot mirror host ports across nodes, pinning the VM prevents the vSensor from moving to a location where the mirroring session would no longer function.

To set affinity using the ACLI:

* Log in to a CVM in your target cluster and access the ACLI.
* Execute the below ACLI command. `vSensor_Name` should be replaced by your vSensor name and `x.x.x.x` should be the IP of the node you are setting affinity to.

```
nutanix@CVM $ acli
<acropolis> vm.affinity_set vSensor_Name host_list=x.x.x.x
```

Affinity can also be set in the GUI without needing to find the IP of the node you are setting affinity to:

* Navigate in your Prism Element UI (for the cluster you are working on) to the VM table view, select your vSensor VM and click the “Update” button.
* Scroll down to the bottom and set the affinity to the specific node you desire.

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/dcYN6EXLwa7Na36hRFmX/Nutanix_vSensor_Deployment_Guide-2025_Nov_6-15.png)

## 3. Create a Traffic Mirroring Session

Please see [Traffic Mirroring](https://portal.nutanix.com/page/documents/details?targetId=Prism-Central-Guide-vpc_7_3:mul-traffic-mirror-pc-c.html) for full guidance from Nutanix with additional detail. This guide will contain only high-level steps for creating a session.

To create a Traffic Mirroring Session:

* In Prism Central, navigate to *Infrastructure → Network & Security → Network Services → Traffic Mirroring.*
* Click **Create Mirror Session**.
* On the first screen, give your session a name and an optional description, then choose the cluster and the virtual switch to use for the mirrored traffic.

{% hint style="info" %}
**Please Note:**

Nutanix recommends utilizing a non-default virtual switch with a Maximum Transmission Unit (MTU) configured between 1600 and 9000 for traffic mirroring to a destination on the remote host. You can also use the default virtual switch `VS0` for traffic mirroring with an MTU set to 1600 bytes. For more information on MTU, see [Requirements and Limitations of Flow Virtual Networking](https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Flow-Virtual-Networking-Guide:ear-flow-nw-requirements-pc-r.html) and [Configuring Virtual Switch for VPC Traffic Types](https://portal.nutanix.com/page/documents/details?targetId=AHV-Admin-Guide:ahv-cluster-nw-create-uplinks-vpcs-ahv-t.html).
{% endhint %}

* On the second screen, you can choose the source types, host ports, and VM interfaces that you wish to mirror on the **Source** side, and on the **Destination** side you will choose the vSensor you are using as the destination and its **Mirror Destination NIC**.
  * Only VMs with **Mirror Destination NICs** that are not already mapped will be shown as options.
  * For **Direction**, typically you will want to choose **Both** to capture both ingress and egress traffic.
* On the third summary screen, validate your choices and **Create and Enable Session**.
* Repeat these steps for other vSensors as required. Sessions can be updated by editing them.
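
As an added example (not Vectra or Nutanix code), the constraints from steps 1 through 3 can be checked against a deployment plan before anything is created in Prism Central. The plan dictionary, its key names, and the sample names and addresses are assumptions made for illustration, not a Prism Central schema.

```python
# Added example: pre-flight check of a planned vSensor and mirror session.
# The dict layout and key names are hypothetical, not a Prism Central schema.

def check_plan(plan):
    """Return findings; an empty list means the plan matches the guide."""
    vm, sess, out = plan["vsensor"], plan["session"], []
    if vm["cpus"] not in (2, 4, 8, 16):
        out.append(f"cpus={vm['cpus']}: must be 2, 4, 8, or 16")
    if vm["cores_per_cpu"] != 1:
        out.append("cores per CPU must be 1")
    if vm["boot_mode"] != "legacy_bios":
        out.append("boot configuration must be Legacy BIOS Mode")
    if not vm["mirror_destination_nic"]:
        out.append("no Mirror Destination NIC: VM cannot be a session destination")
    if not vm["agent_vm"]:
        out.append("VM is not set as an Agent VM")
    pinned = vm.get("affinity_host")
    if not pinned:
        out.append("no affinity set: vSensor can move off its node")
    else:
        # Host ports cannot be mirrored across nodes.
        for src in sess["sources"]:
            if src["type"] == "host_port" and src["host"] != pinned:
                out.append(f"host port {src['name']} is on {src['host']}, "
                           f"vSensor is pinned to {pinned}")
    mtu = sess["mtu"]
    if sess["virtual_switch"] == "VS0":
        if mtu != 1600:
            out.append(f"VS0 MTU is {mtu}: guide states 1600 for VS0")
    elif not 1600 <= mtu <= 9000:
        out.append(f"MTU {mtu} outside 1600-9000 for a non-default virtual switch")
    if sess["direction"] != "both":
        out.append("direction is not Both: one side of the traffic is not mirrored")
    return out

# Constructed sample plan with three deliberate mistakes.
SAMPLE_PLAN = {
    "vsensor": {"cpus": 4, "cores_per_cpu": 1, "boot_mode": "uefi",
                "mirror_destination_nic": True, "agent_vm": True,
                "affinity_host": "10.0.0.11"},
    "session": {"virtual_switch": "vs-mirror", "mtu": 1500, "direction": "both",
                "sources": [
                    {"type": "host_port", "name": "eth2", "host": "10.0.0.11"},
                    {"type": "host_port", "name": "eth2", "host": "10.0.0.12"},
                    {"type": "vm_nic", "name": "web01-nic0", "host": "10.0.0.12"}]},
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```

Each finding corresponds to a way the sensor could end up with no mirrored traffic or partial capture, so an empty result is worth confirming before the session is enabled.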

## 4. Perform Post Deployment Configuration

The vSensor is now deployed in Nutanix and you can move on to [Post deployment configuration](https://docs.vectra.ai/deployment/ndr-virtual-cloud-appliances/nutanix-vsensor/post-deployment-configuration-shared-for-all-deployment-types) or repeat vSensor deployment and traffic mirroring configuration as required for your deployment.
