VMware Cloud Community
Pryzrak
Contributor

Vswitch/portgroup dropping traffic in promisc mode

I've set up an IDS sensor as a VM with two interfaces within a vhost running ESXi 7. One is for management and alerts, while the other is in promiscuous mode for traffic monitoring. To ensure optimal monitoring, I've established a dedicated physical interface, Vswitch and portgroup exclusively for the monitoring interface, all also in promiscuous mode. Interestingly, the physical ESXi interface is handling about 7Gbps of traffic, but the VM's interface is only capturing 4.5Gbps. I suspect that the vswitch might be dropping some traffic, although there are no indications of dropped packets within the VM or ESXi UI. I'm puzzled about what type of traffic is being blocked or filtered and how to resolve this issue to allow the full 7Gbps traffic to reach the VM. I even attempted to directly forward the interface PCI hardware to the VM, but that resulted in dropping around 80% of the traffic, worsening the situation. Any help is appreciated. 

3 Replies
vmngo
Contributor

Is this supported hardware on the VMware hardware compatibility list? Do you have the latest drivers/firmware for the NIC? Are you looking at the logs specifically on the ESXi host to verify network-based metrics?

Pryzrak
Contributor

The hardware is a Dell R6515 with a 710 series 10Gb interface card, using a 10G SFP for the monitoring side. I attached a diagram of exactly what I'm seeing. From the ESXi web UI, I'm seeing ~7Gbps on vmnic3. However, after going through the vswitch and portgroup, the VM interface is only seeing 4.5Gbps. That's a difference of around 2.5Gbps. It's obvious that the vswitch or portgroup is filtering or blocking, but I can't figure out why and how to get the full traffic that's coming in. I don't know if there have been fixes for things like this.

ThePitViper
Enthusiast

If you don't mind, I would like to ask you a few questions to help answer the question better.

  1. What is the firmware/package version you are using for the NICs?
  2. Can you check that there is not an MTU mismatch between the VMK and the physical switch?
  3. What is your ring buffer set to for ESXi?
  4. Do you have Multi-RSS enabled?