VMware Cloud Community
farri304
Contributor

IDS dvPortGroup need Promiscuous and 4095?

Hey all.

I am setting up an IDS appliance on each of my hosts using distributed switches. I created a dvPortGroup just for the IDS appliance and set it to Promiscuous Mode to collect traffic on the dvSwitch. We are using VLAN Trunking so the VLAN mode is set to VST, meaning I cannot assign VLAN 4095 to any port group.

My question is, will setting the dvPortGroup for the IDS appliance to Promiscuous Mode be enough to collect all the traffic on the switch? I always assumed you also had to set the VLAN ID to 4095, but using VST prevents this.

Thanks.

Joe

Twitter: @joefarri

Accepted Solutions
chriswahl
Virtuoso

The port group with promiscuous mode is still bound to the VLAN that it lives in. Per VMware ("How promiscuous mode works at the virtual switch and portgroup levels"):

By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest's network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch that are allowed under the VLAN policy for the associated portgroup. This can be useful for intrusion detection monitoring or if a sniffer needs to analyze all traffic on the network segment.

Set the trunk range on that port group to cover all the VLANs you wish to do traffic sniffing on, which is possible even with VST.

VCDX #104 (DCV, NV) ஃ WahlNetwork.com ஃ @ChrisWahl ஃ Author, Networking for VMware Administrators

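An added example (my own PowerCLI, not from Chris's answer or VMware's KB) that applies the accepted answer to a dedicated IDS port group: trunk the VLANs the sensor should see, then enable promiscuous mode on that port group only. The switch name, port group name and VLAN list are assumed placeholders; it expects the VMware.VimAutomation.Vds module and an open Connect-VIServer session.

```powershell
# Added example, not code from the original thread. Names below are assumptions.
$vdsName = "dvSwitch01"       # assumed dvSwitch name
$pgName  = "dvpg-IDS-Tap"     # assumed port group used only by the IDS appliance
$vlans   = "10-20,100"        # assumed VST VLANs the sensor should monitor

$vds = Get-VDSwitch -Name $vdsName
$pg  = Get-VDPortgroup -VDSwitch $vds -Name $pgName -ErrorAction SilentlyContinue
if (-not $pg) {
    # A port group of its own keeps promiscuous mode off every other VM port group.
    $pg = New-VDPortgroup -VDSwitch $vds -Name $pgName -NumPorts 8
}

# 1. VLAN policy: promiscuous mode only delivers frames the port group's VLAN
#    policy allows, so a single VST VLAN ID would show the sensor that VLAN alone.
#    A trunk range is the dvSwitch equivalent of VLAN 4095 on a standard vSwitch.
$pg | Set-VDVlanConfiguration -VlanTrunkRange $vlans | Out-Null

# 2. Security policy on this port group only; the dvSwitch default stays Reject.
#    A passive sensor never needs to send with a changed or forged source MAC,
#    so leave those two rejected even though promiscuous mode is allowed.
$pg | Get-VDSecurityPolicy |
    Set-VDSecurityPolicy -AllowPromiscuous $true -MacChanges $false -ForgedTransmits $false |
    Out-Null

# 3. Read the result back for the change record.
$pg = Get-VDPortgroup -VDSwitch $vds -Name $pgName
$pg | Select-Object Name, VlanConfiguration
$pg | Get-VDSecurityPolicy | Select-Object AllowPromiscuous, MacChanges, ForgedTransmits
```

Use "0-4094" as the trunk range if the sensor really should see every VLAN on the switch; a narrower list is the better default, since promiscuous mode is the setting an attacker on a compromised VM would most like to inherit, and the read-back at the end is what to check after any dvSwitch import or policy reset.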
2 Replies
farri304
Contributor

That's what I ended up doing and it did work. Thanks for the quick response Chris.

Cheers

Joe

Twitter: @joefarri