HillviewAvenue
Contributor

Promiscuous Mode on Machine Level?


So I'm building a lab scenario that simulates 3 sites (HQ, branch1, branch2) and a small ISP network in between.

I normally would build that with just VLAN separation, but I wonder whether separate switches are a stricter segmentation (think of VLAN hopping attacks; it's harder to hop vswitches, I hope (pun intended)). What's best practice here? One big vswitch with many portgroups, or multiple switches (like in real life) with only a few portgroups per switch?

One of the virtual firewalls I'm testing demands promiscuous mode or does not work. I also need PM in order to sniff single segments, since the endpoints involved sometimes don't have tcpdump available (hardened virtual appliances). So I need to build a sniffer VM that will then be patched into the various places. Easy to activate, but...

I'd like the "users" in my virtual ACME Corp. to not be able to run Wireshark and see what they get.

AFAIK, PM can only be configured on vswitch or portgroup level, so it's either everybody on the switch/VLAN or nobody.

Is there any way to have PM enabled/disabled on port level?

Currently ESXi only, but I'm thinking about getting the VMUG subscription, so if some serious switching asks for something bigger than ESXi, I'd probably be able to get that (NSX? No idea, I only did host virtualization so far with simple network setups).


Accepted Solutions
IRIX201110141
Virtuoso

Create a new PG with the same VLANID as the other and enable PM on the new PG. Change the vNIC config for that VM to use the new created PG.

Regards,

Joerg

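The accepted answer's three steps (second port group on the same VLAN, promiscuous mode on that port group only, sniffer vNIC moved over), written out as a PowerCLI script. This is an added example, not code from the thread or from the answering user; the host, vSwitch, VLAN ID, port group and VM names are placeholders I assumed for the lab, and it expects an existing Connect-VIServer session against the ESXi host or vCenter. The check at the end is what the original poster's concern calls for: confirm that the users' port group and the vSwitch itself still reject promiscuous mode.

```powershell
# Added example (not from the original thread). Names below are assumptions for a lab host.
# Requires the VMware.PowerCLI module and an active Connect-VIServer session.
$vmhostName  = 'esxi01.lab.local'        # assumed ESXi host
$vswitchName = 'vSwitch1'                # assumed standard vSwitch carrying the lab segments
$vlanId      = 10                        # assumed VLAN ID; must match the users' existing port group
$sniffPgName = 'Branch1-VLAN10-SNIFF'    # assumed name for the new, sniffer-only port group
$snifferVm   = 'sniffer01'               # assumed sniffer VM (the one that runs tcpdump/Wireshark)

$vmhost  = Get-VMHost -Name $vmhostName
$vswitch = Get-VirtualSwitch -VMHost $vmhost -Name $vswitchName

# Step 1: a second port group on the same vSwitch with the same VLAN ID as the users' port group.
$sniffPg = New-VirtualPortGroup -VirtualSwitch $vswitch -Name $sniffPgName -VLanId $vlanId

# Step 2: allow promiscuous mode on the new port group only. Setting the port group policy
# explicitly (not inherited) leaves the vSwitch-level policy at its default, Reject.
$sniffPg | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false | Out-Null

# Step 3: move the sniffer VM's vNIC onto the new port group. User VMs stay on their original port group.
Get-NetworkAdapter -VM $snifferVm |
    Set-NetworkAdapter -Portgroup $sniffPg -Confirm:$false | Out-Null

# Check: effective promiscuous setting for every port group on this vSwitch.
# Only the sniffer port group should show True.
Get-VirtualPortGroup -VirtualSwitch $vswitch | ForEach-Object {
    $pol = $_ | Get-SecurityPolicy
    [pscustomobject]@{
        PortGroup        = $_.Name
        VLAN             = $_.VLanId
        AllowPromiscuous = $pol.AllowPromiscuous
    }
} | Format-Table -AutoSize

# The vSwitch itself must still reject promiscuous mode, otherwise every port group inherits it.
($vswitch | Get-SecurityPolicy).AllowPromiscuous
```

From the ESXi shell, steps 1 and 2 correspond to `esxcli network vswitch standard portgroup add --vswitch-name=vSwitch1 --portgroup-name=Branch1-VLAN10-SNIFF`, `esxcli network vswitch standard portgroup set --portgroup-name=Branch1-VLAN10-SNIFF --vlan-id=10` and `esxcli network vswitch standard portgroup policy security set --portgroup-name=Branch1-VLAN10-SNIFF --allow-promiscuous=true`; the vNIC move is then done in the VM's settings. Note that promiscuous mode on a standard vSwitch is scoped to the VLAN, so the sniffer on the new port group sees all traffic for VLAN 10 on that vSwitch, not just the traffic of one port; anyone who can place a VM on the sniffer port group gets the same view, so restrict who can edit that port group or reassign vNICs to it.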