VMware Cloud Community
VambertoJR
Contributor

Mirror all traffic to Snort VM

Hello Folks

I would like to install a NIDS (Snort) to analyze the traffic of my VMs, but I don't know how to configure my vCenter to mirror all the traffic from all VMs to the Snort VM.

Let me describe my environment.

We have 6 VLANs:

Vlan10 (ID 10)
Vlan20 (ID 20)
Vlan30 (ID 30)
Vlan40 (ID 40)
Vlan50 (ID 50)
Vlan60 (ID 60)

We are using a DVS to connect the whole environment, and the Snort VM is in Vlan10.

Thanks for all your help

erikverbruggen
Hot Shot

You can create a port mirror on the vDS to mirror traffic from all port groups to another port group to which only the Snort VM is attached.

More information about port mirroring can be found in the vSphere documentation:

VMware vSphere 6.5 Documentation Library

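
Added example, not part of the original thread or of VMware's documentation: one way to script the port mirror described in the reply above with PowerCLI. It assumes an existing `Connect-VIServer` session, a session type of Distributed Port Mirroring (`dvPortMirror`), and the hypothetical names `DSwitch01`, `snort-ids` and `mirror-to-snort`.

```powershell
# Assumed names (hypothetical, not from the thread)
$vds     = Get-VDSwitch -Name 'DSwitch01'
$snortVm = Get-VM -Name 'snort-ids'
$dvsUuid = $vds.ExtensionData.Uuid

# Destination: the distributed port behind the Snort VM's sniffing vNIC
$dstKey = ($snortVm | Get-NetworkAdapter | Select-Object -First 1).ExtensionData.Backing.Port.PortKey

# Sources: every other VM vNIC that is connected to a port on this vDS
$srcKeys = Get-VM | Where-Object { $_.Id -ne $snortVm.Id } | Get-NetworkAdapter |
    ForEach-Object { $_.ExtensionData.Backing } |
    Where-Object {
        $_ -is [VMware.Vim.VirtualEthernetCardDistributedVirtualPortBackingInfo] -and
        $_.Port.SwitchUuid -eq $dvsUuid -and $_.Port.PortKey
    } |
    ForEach-Object { $_.Port.PortKey }

$src = New-Object VMware.Vim.VMwareVspanPort
$src.PortKey = @($srcKeys)
$dst = New-Object VMware.Vim.VMwareVspanPort
$dst.PortKey = @($dstKey)

# Mirror both directions of each source port to the Snort port
$session = New-Object VMware.Vim.VMwareVspanSession
$session.Name                  = 'mirror-to-snort'
$session.Enabled               = $true
$session.SessionType           = 'dvPortMirror'
$session.SourcePortReceived    = $src
$session.SourcePortTransmitted = $src
$session.DestinationPort       = $dst
# The destination port carries mirrored frames only, so keep
# management access to the Snort VM on a separate vNIC.
$session.NormalTrafficAllowed  = $false

$vspan = New-Object VMware.Vim.VMwareDVSVspanConfigSpec
$vspan.Operation    = 'add'
$vspan.VspanSession = $session

# ConfigVersion must match the switch's current version or the call is rejected
$spec = New-Object VMware.Vim.VMwareDVSConfigSpec
$spec.ConfigVersion   = $vds.ExtensionData.Config.ConfigVersion
$spec.VspanConfigSpec = @($vspan)
$vds.ExtensionData.ReconfigureDvs($spec)
```

The source list is a snapshot of port keys, so VMs attached later have to be added to the session. Distributed Port Mirroring also only delivers frames when the source and destination ports are on the same host.
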
VambertoJR
Contributor

Hello Erik

First of all thanks for your help.

Let me tell you what I did...

I created a new port group called promisc with promiscuous mode and VLAN ID 10, and assigned the Snort VM to this port group.

I have a doubt about the correct type of mirroring. Is the correct option to choose in my case "Distributed Port Mirroring" or "Remote Mirroring Destination"?

Thanks and regards
