VMware Cloud Community
bhamblin
Contributor

vSwitch Network Traffic Visibility

We are using ESXi 4 to build a network used for testing a software application. How do I make ALL network traffic on the virtual switch between VM's visible on the physical nic as well?

I do not have the option of monitoring the virtual switch traffic from a virtual machine on the ESXi Server.

Any help would be greatly appreciated.

0 Kudos
5 Replies
weinstein5
Immortal

Welcome to the Forums - if the traffic is staying internal to the virtual switch you will not be able to monitor it without a VM on the same virtual machine port group, unless of course you were to implement a Nexus 1000v virtual switch, which I believe requires an Enterprise Plus license.

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

0 Kudos
bhamblin
Contributor

What if I wanted to implement an intrusion detection system as a vm? It would have to have access to all network traffic on the virtual switch as well as the physical nic.

Is this possible?

0 Kudos
jbogardus
Hot Shot

You may want to consider the capabilities of promiscuous mode on the vNIC and vSwitch to see all traffic on the vSwitch:

http://communities.vmware.com/message/371562

The other option you can look at is VMDirectPath PCI Passthrough functionality. This dedicates a PCI device such as a NIC to be used directly by a VM rather than going through virtualization levels like the vSwitch. So to the VM it would appear as if it is connected directly to the physical switch, and it would have access to watch the traffic on the physical switch. To use Passthrough your host needs to meet certain requirements. If it does, you can configure which devices are enabled for passthrough in the 'Hardware - Advanced Settings' section of the Configuration tab for the host. Once the device is enabled for passthrough it can be added as a PCI Device within the properties of the VM.

meistermn
Expert

0 Kudos
sto6ma9ch
Contributor

I attempted to create an IDS environment for one of our VMware environments. It worked, but I ran into network performance issues that affected that whole network at that site (not just VMware). Here's what I did to set up the IDS:

  1. We have physical uplinks to an internal and DMZ network which translate to Internal and DMZ Distributed vSwitches. I created a port group on each dvSwitch that trunks VLANs 0-4094 and allows promiscuous mode. I named these port groups "Internal Probe" and "DMZ Probe".

  2. I created a RHEL VM with three NICs to be used as an IDS sensor: one connected to the internal network, one to the Internal Probe, and the last to the DMZ Probe.

  3. I set up Snort on each RHEL VM and told each to send its events to the main VM.

  4. I cloned that RHEL VM for each ESX server we have, moved them so there is one running on each ESX server, and disabled DRS for those VMs.

  5. I set up a RHEL VM to use as the main log collector, with one NIC connected to the Internal port group.

  6. I set up IPSec between each collector VM and the main VM.

Sensor events were working correctly, but we noticed some definite lag, even between other hosts not within VMware. The biggest hit was probably the View virtual desktop environment. I'm not sure why setting up these sensors would have affected the network outside VMware, though.

0 Kudos
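The promiscuous-mode approach jbogardus points to, and steps 1 and 2 of the sensor build above, come down to the same two vSphere settings: a port group that trunks all VLANs and a security policy that accepts promiscuous mode. The PowerCLI below is an added example written for this thread, not code posted by any of its participants. It assumes a vCenter at the placeholder name vcenter.example.com, dvSwitches named "Internal" and "DMZ" as in the post, and a sensor VM with the placeholder name ids-sensor-01. The second function is the check a defender wants after doing this: promiscuous mode lets a VM capture every frame the switch carries, so it should be allowed on the dedicated probe port groups and nowhere else.

```powershell
# Added example (not from the thread). Placeholders: vcenter.example.com, ids-sensor-01.
# dvSwitch names "Internal" and "DMZ" are taken from the post.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.com' | Out-Null

function New-ProbePortGroup {
    <#
      Create a distributed port group that trunks VLANs 0-4094 and accepts
      promiscuous mode, so a sensor vNIC attached to it sees every frame
      the dvSwitch carries. Promiscuous mode stays Reject everywhere else.
    #>
    param(
        [Parameter(Mandatory)][string]$VDSwitchName,
        [Parameter(Mandatory)][string]$Name
    )
    $vds = Get-VDSwitch -Name $VDSwitchName
    $pg  = New-VDPortgroup -VDSwitch $vds -Name $Name -VlanTrunkRange '0-4094'
    Get-VDSecurityPolicy -VDPortgroup $pg |
        Set-VDSecurityPolicy -AllowPromiscuous $true | Out-Null
    return $pg
}

function Get-PromiscuousPortGroup {
    <#
      Audit: list every standard and distributed port group whose security
      policy allows promiscuous mode. Any entry beyond the intended probe
      groups means a VM on that port group can capture its neighbours' traffic.
    #>
    $standard = Get-VirtualPortGroup -Standard | ForEach-Object {
        $pol = Get-SecurityPolicy -VirtualPortGroup $_
        if ($pol.AllowPromiscuous) {
            [pscustomobject]@{ Type = 'Standard'; Switch = $_.VirtualSwitchName; Name = $_.Name }
        }
    }
    $distributed = Get-VDPortgroup | ForEach-Object {
        $pol = Get-VDSecurityPolicy -VDPortgroup $_
        if ($pol.AllowPromiscuous) {
            [pscustomobject]@{ Type = 'Distributed'; Switch = $_.VDSwitch.Name; Name = $_.Name }
        }
    }
    @($standard) + @($distributed)
}

# --- Usage: build the two probe groups from the post and attach the sensor ---
$internalProbe = New-ProbePortGroup -VDSwitchName 'Internal' -Name 'Internal Probe'
$dmzProbe      = New-ProbePortGroup -VDSwitchName 'DMZ'      -Name 'DMZ Probe'

# The sensor's management vNIC (on the normal Internal port group) already exists;
# add the two capture vNICs.
$sensor = Get-VM -Name 'ids-sensor-01'
New-NetworkAdapter -VM $sensor -Portgroup $internalProbe -StartConnected | Out-Null
New-NetworkAdapter -VM $sensor -Portgroup $dmzProbe      -StartConnected | Out-Null

# Only "Internal Probe" and "DMZ Probe" should be listed here.
Get-PromiscuousPortGroup | Format-Table -AutoSize
```

On a standalone ESXi 4 host without vCenter there is no dvSwitch; the equivalent for a standard vSwitch port group is `Get-VirtualPortGroup -Name 'Internal Probe' | Get-SecurityPolicy | Set-SecurityPolicy -AllowPromiscuous $true`, and the audit function above already covers standard port groups. Run the audit periodically rather than once: it takes only one VM placed on a promiscuous port group to turn the monitoring tap into a sniffer for whoever controls that VM, so access to attach VMs to the probe groups should be limited to the people who run the sensors.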