VMware Cloud Community
cfor
Expert

Promiscuous Mode network with vCloud

We have many vApps we would like to create that will require Promiscuous Mode to be enabled on one or more networks in our vApp. How in vCloud do you set up a vApp network in a vApp template that will allow Promiscuous Mode access from a VM on the network?

ChrisF (VCP4, VCP5, VCP-Cloud) - If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
11 Replies
gaadmin
Contributor

I think you'd need to set up a new port group on your vSwitches or dvSwitches... You can set the promiscuous mode there.

cfor
Expert

I am confused by the idea of creating a new port group - as I understand it VCD dynamically builds new port groups as it needs them in order to handle the isolation support for each vApp. The problem I am having is that the port groups it is making (100's of them) all have promiscuous mode disabled - I would like to know how to tell it (even if via the API) to create them in promiscuous-enabled mode.

Thanks

ChrisF (VCP4, VCP5, VCP-Cloud) - If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
cfor
Expert

I am starting to think this can not be done... I have been digging all over vCloud and the APIs and I can not find a way to tell a vApp template that one of its internal networks needs to be created in promiscuous mode on deploy.

ChrisF (VCP4, VCP5, VCP-Cloud) - If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
nirvy
Commander

I'm using vCloud Director 1.5 for this...

You can enable promiscuous mode on the network pool, but all future created portgroups will have it enabled. To do this, you need to access the database directly and execute the following command:

update network_pool set promiscuous_mode = 1;

Once done, quit the SQL editor and restart the vcd services.  All future portgroups will be promiscuous mode enabled automatically.

You may need to adjust the syntax for your own environment, have a look at the contents of the table with

select * from network_pool;

Note: I have a vCloud LAB... it's not in production so I can mess around all I like. Don't blame me if it all goes tits up for you :)

To enable promiscuous mode individually I guess you would have to write some code with PowerCLI or something.

cfor
Expert

That might help for the pool, but what I am looking to do is on one (of several) vApp networks inside a single vApp template, I want to set the network to PROM mode. That way each time the vApp is deployed (100's of times a week) it will come up with one of the newly created port groups (for the vApp network) in PROM mode.

ChrisF (VCP4, VCP5, VCP-Cloud) - If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
Timvandervoord
Contributor

We have managed to do this using an orchestrator workflow. The workflow executes a script that looks for dvPortgroups with "PROMISC" in the name, when found it enables promiscuous mode on that portgroup. You can schedule this script or as we did use an AMQP broker to intercept vCloud deploy events and execute the script then.

The script we use is:

// Get all dvPortgroups and loop through them
var networks = VcPlugin.getAllDistributedVirtualPortgroups();
for (var i in networks) {

    // Only dvPortgroups with "PROMISC" anywhere in the name are touched.
    // search() returns -1 when the string is absent, so test against -1
    // (a "> 0" test would wrongly skip a name that starts with "PROMISC").
    if (networks[i].name.search("PROMISC") !== -1) {

        // If promiscuous mode is already enabled we don't need to enable it again
        if (networks[i].config.defaultPortConfig.securityPolicy.allowPromiscuous.value) {
            System.log("DVPortgroup " + networks[i].name + " already on promiscuous mode");
        } else {
            System.log("DVPortgroup " + networks[i].name + " promiscuous mode allow");

            // Build a reconfigure spec; configVersion must match the current
            // config or vCenter rejects the change as stale
            var spec = new VcDVPortgroupConfigSpec();
            spec.configVersion = networks[i].config.configVersion;
            var defaultPortConfig = new VcVMwareDVSPortSetting();
            var securityPolicy = new VcDVSSecurityPolicy();

            // Set security settings explicitly (not inherited from the dvSwitch)
            securityPolicy.inherited = false;
            securityPolicy.allowPromiscuous = new VcBoolPolicy();
            securityPolicy.allowPromiscuous.inherited = false;
            securityPolicy.allowPromiscuous.value = true;
            securityPolicy.macChanges = new VcBoolPolicy();
            securityPolicy.macChanges.inherited = false;
            securityPolicy.macChanges.value = true;
            securityPolicy.forgedTransmits = new VcBoolPolicy();
            securityPolicy.forgedTransmits.inherited = false;
            securityPolicy.forgedTransmits.value = true;

            // Submit the task to reconfigure the dvPortgroup
            defaultPortConfig.securityPolicy = securityPolicy;
            spec.defaultPortConfig = defaultPortConfig;
            networks[i].reconfigureDVPortgroup_Task(spec);
        }
    }
}

A similar script should also be possible with PowerCLI.

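The PowerCLI variant mentioned at the end of the post above, written here as an added example; it is not the poster's workflow script and not part of the thread. It assumes PowerCLI with the VMware.VimAutomation.Core and VMware.VimAutomation.Vds modules (the Get-VDPortgroup, Get-VDSecurityPolicy and Set-VDSecurityPolicy cmdlets), an existing or newly opened Connect-VIServer session, and the same "PROMISC" naming convention the vCO script keys on. The vCenter hostname is a placeholder, and the -ReportOnly switch is an assumption added so the change set can be reviewed before anything is reconfigured. Like the vCO script it also flips MacChanges and ForgedTransmits, so only port groups deliberately tagged with the convention are ever touched; everything else keeps the vCD default of promiscuous mode disabled.

```powershell
# Added example, not from the thread: PowerCLI equivalent of the vCO workflow script.
# Assumes: PowerCLI Core + Vds modules, a Connect-VIServer session, dvPortgroups
# tagged "PROMISC" in their name (naming convention taken from the thread).
param(
    [string]$Server  = 'vcenter.example.invalid',   # placeholder hostname
    [string]$NameTag = 'PROMISC',                   # tag the vCO script looks for
    [switch]$ReportOnly                             # list candidates, change nothing
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
Import-Module VMware.VimAutomation.Vds  -ErrorAction Stop

# Reuse an existing session if the operator already connected interactively.
if (-not $global:DefaultVIServer) {
    Connect-VIServer -Server $Server | Out-Null
}

# Only port groups carrying the tag are candidates; vCD's other dynamically
# created port groups keep promiscuous mode disabled.
$candidates = Get-VDPortgroup | Where-Object { $_.Name -like "*$NameTag*" }

if (-not $candidates) {
    Write-Host "No dvPortgroups matching *$NameTag* found."
    return
}

foreach ($pg in $candidates) {
    $policy = $pg | Get-VDSecurityPolicy

    # Idempotent: skip port groups that are already promiscuous, as the vCO script does.
    if ($policy.AllowPromiscuous) {
        Write-Host "$($pg.Name): already promiscuous, skipping"
        continue
    }

    if ($ReportOnly) {
        Write-Host "$($pg.Name): would enable promiscuous mode (report only)"
        continue
    }

    Write-Host "$($pg.Name): enabling promiscuous mode"
    # Mirror the vCO script: AllowPromiscuous, MacChanges and ForgedTransmits all on.
    $policy | Set-VDSecurityPolicy -AllowPromiscuous $true `
                                   -MacChanges       $true `
                                   -ForgedTransmits  $true | Out-Null
}
```

Run it once with -ReportOnly to see which port groups the name filter picks up, then without the switch; scheduling it, or triggering it from the deploy event as the post describes, gives the same behaviour as the vCO workflow. The throughput caveat cfor raises later in the thread applies equally here.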
moenster
VMware Employee

This script works great, thanks for sharing.

Regards Henrik

Kind regards, Henrik
IamTHEvilONE
Immortal

For those that enabled Promiscuous Mode, can you guys see if your vmkernel log on the ESXi hosts has entries containing the term 'vsla_fence'?

A_Mikkelsen
Expert

Very useful.

Thanks for sharing

br

A. Mikkelsen

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points. Regards A. Mikkelsen
barnette08
Expert

Was there ever any closure to this post other than the vCO workflow?

cfor
Expert

No, the only method really found so far is using a workflow engine (like vCO) to set the property when needed.

I would just advise being careful: PROM networking on a busy host can drop the network speed a bunch (it cuts the speed to a quarter for us with vCloud fenced networks) - so take a good look at why you need it, and look for other options if possible.

ChrisF (VCP4, VCP5, VCP-Cloud) - If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful