Our corporate security folks are looking for a way to monitor and control network communication between guests on an ESX 3.0.1 host. On physical servers they just log into the switch and send all the traffic to one of their sniffer boxes. However, that's not really an option with a VMware virtual switch.
This isn't really my speciality, but if I put the switch into promiscuous mode when they need to do some work would they be able to see more traffic at the physical switch port? Other ideas?
I'm assuming you are doing VLAN trunking for your VMs. Is that the case?
The network guys over here end up creating a feed port on the physical switch that the hosts are connected to. That feed port can see all the traffic on that collision domain or VLAN. I'm not really sure if you can do VLAN trunking on a feed port, but it sounds reasonable. Then they could capture all day long on that port.
If you are using internal networking on your VMs then I'm not sure. You are probably on to something with the promiscuous mode.
All of the guests on a host are in the same collision domain so the feed port idea might work - I'll have to talk to one of the network admins and probably just do a sniff and see what shows up. The thing they're most concerned about is being able to see all the traffic between guests on the same host. I'm not sure if the VMware virtual switch which the guests are connected to would actually pass along all the packets upstream to the physical switch where they can be intercepted at the feed port or just pass them between the guests.
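The question in the last post (does guest-to-guest traffic on one vSwitch ever reach the physical switch?) can be answered by modelling the forwarding rules a vSwitch follows. The model below is an added example written for this thread, not VMware code: it assumes a single broadcast domain, a vSwitch that knows every vNIC MAC from configuration rather than by learning, a single uplink, and a port whose port group has "Promiscuous Mode" set to Accept. The port and MAC names are constructed for the illustration. It shows that unicast between two guests on the same host is delivered only to the destination vNIC, so a feed (SPAN) port on the physical switch never sees it, whereas a sniffer VM on a promiscuous port group on the same vSwitch does.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = Tuple[str, str, str]  # (src_mac, dst_mac, payload label)


@dataclass
class Port:
    name: str
    mac: Optional[str] = None           # None marks the physical uplink
    promiscuous: bool = False           # port group "Promiscuous Mode: Accept"
    received: List[Frame] = field(default_factory=list)


class VSwitch:
    """Simplified vSwitch forwarding (constructed model, not VMware's code):
    vNIC MACs are known from configuration, local unicast goes only to the
    owning port, anything else leaves through the uplink."""

    def __init__(self, uplink: Port) -> None:
        self.uplink = uplink
        self.ports: List[Port] = []

    def add_port(self, port: Port) -> None:
        self.ports.append(port)

    def forward(self, src: Port, dst_mac: str, payload: str) -> List[str]:
        frame: Frame = (src.mac or "uplink", dst_mac, payload)
        targets: List[Port] = []

        # Promiscuous ports get a copy of every frame crossing the vSwitch.
        targets += [p for p in self.ports if p.promiscuous and p is not src]

        owner = [p for p in self.ports if p.mac == dst_mac and p is not src]
        if dst_mac == BROADCAST:
            targets += [p for p in self.ports if p is not src]
            if src is not self.uplink:
                targets.append(self.uplink)
        elif owner:
            targets += owner              # stays inside the host, never hits the wire
        elif src is not self.uplink:
            targets.append(self.uplink)   # unknown MAC: hand it to the physical switch
        # Unknown unicast arriving from the uplink is dropped, not flooded.

        delivered: List[str] = []
        for p in targets:
            if p.name not in delivered:   # deduplicate (promiscuous + broadcast)
                p.received.append(frame)
                delivered.append(p.name)
        return sorted(delivered)


def build_lab(sniffer_promiscuous: bool = True):
    """Two guests plus a sniffer VM on one vSwitch with one uplink (constructed)."""
    uplink = Port("uplink")
    sw = VSwitch(uplink)
    vm_a = Port("vm_a", mac="00:50:56:00:00:0a")
    vm_b = Port("vm_b", mac="00:50:56:00:00:0b")
    sniffer = Port("sniffer", mac="00:50:56:00:00:5e", promiscuous=sniffer_promiscuous)
    for p in (vm_a, vm_b, sniffer):
        sw.add_port(p)
    return sw, vm_a, vm_b, sniffer, uplink


def demo(sniffer_promiscuous: bool = True) -> Dict[str, List[str]]:
    sw, vm_a, vm_b, sniffer, uplink = build_lab(sniffer_promiscuous)
    results = {
        "guest_to_guest": sw.forward(vm_a, vm_b.mac, "ssh"),
        "guest_to_outside": sw.forward(vm_a, "00:11:22:33:44:55", "http"),
        "guest_broadcast": sw.forward(vm_a, BROADCAST, "arp who-has"),
    }
    # A feed/SPAN port on the physical switch can only mirror what left the uplink.
    results["feed_port_sees"] = [f[2] for f in uplink.received]
    results["sniffer_vm_sees"] = [f[2] for f in sniffer.received]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

Running it with the sniffer's port group promiscuous shows "ssh" in `sniffer_vm_sees` but not in `feed_port_sees`; with `demo(sniffer_promiscuous=False)` the guest-to-guest frame reaches only `vm_b`. The practical consequence is that the feed-port approach covers guest-to-outside traffic, while monitoring guest-to-guest traffic on one host needs a capture point on the vSwitch itself, and enabling promiscuous mode on a port group should be limited to the port group the sniffer VM sits in rather than the whole vSwitch.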