newbhere
Contributor
Contributor

Port mirroring available with vswitch or only dvswitch?

I am port mirroring on a Juniper switch and are connecting the analyzer port from switch to a nic that is connected to a separate vswitch and setting promiscuous mode on it.  I then connect this to a nic on the VM.  Will this not work on a vswitch and only on dvswitch?  Since I am not doing the actual port mirroring on the host and done on the physical switch I am not sure where the issue is.  Problem is, it was working and then stopped about two weeks ago.  Trying to determine if it is a ESX issue or Juniper issue.

0 Kudos
2 Replies
MKguy
Virtuoso
Virtuoso

So the ESXi side is completely unaware of the mirroring in your setup? In that case it should not make any difference whether you use a standard or distributed vSwitch. The forwarding logic is exactly the same. Just make sure the actual port group where you connect the analyzer VM has promiscuous mode enabled too (not overwritten) and not just the vSwitch.

Do the frames mirrored by your juniper switch arrive with 802.1Q tags on the port? Is the port group of the analyzer VM configured with that VLAN or VLAN ID 4095 (see http://kb.vmware.com/kb/1004074)?

The easiest way to figure out whether the issue is on the ESXi or Juniper side would be just to test your port mirroring setup with a physical, non-ESXi system.

Anyways, having said that I'm a little surprised it used to work like you described before if I think about it. I thought a vSwitch should drop unknown incoming unicast frames with a destination unicast MAC that does not match any of the attached vNICs (or custom ones if you enable MAC address change).

See this wonderful article:

http://blog.ioshints.info/2010/11/vmware-virtual-switch-no-need-for-stp.html

Unicast packets received through the uplink ports and addressed to unknown MAC addresses are dropped.

This drop should be implicit before the promiscuous mode setting takes effect, so you shouldn't see anything expect a few multicast and broadcast frames. Do you not even see any multicast/broadcast frames?

-- http://alpacapowered.wordpress.com
0 Kudos
mrlesmithjr
Enthusiast
Enthusiast

If you want to see a way on how to accomplish this using vDS (vSphere Distributed Switch) have a look at the link below. The scenario provided is using a Cisco switch but the same logic should follow. This solution works very well.

http://everythingshouldbevirtual.com/vmware-vds-rspan-port-mirroring

everythingshouldbevirtual.com @mrlesmithjr
0 Kudos