VMware Cloud Community
AhmadMDS
Enthusiast

Promiscuous Mode

Hello Experts!

I have a question regarding how promiscuous mode works on a port group and what traffic will be monitored.

Let's pretend that we have the following scenario:

- One distributed switch

- One port group tagged with VLAN7

- One port group tagged with VLAN8

I have one VM in VLAN7 that requires promiscuous mode to be enabled on the port group, but I don't want it to see all the traffic on the virtual switch.

So I am planning to create a new port group tagged with VLAN7 that is connected only to that VM, and I will enable promiscuous mode on this port group only.

What do you think will happen? Will this VM be able to see all the traffic on the virtual switch? Will the VM be able to see the traffic destined to all the VMs in VLAN 7 even if they are in a different port group?

Thank you in advance for your clarifications.

Regards,

scott28tt
VMware Employee

See here: VMware Knowledge Base


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
AhmadMDS
Enthusiast

Thank you, Scott, for your answer.

Yes, I had read this article before opening this discussion, but I got a bit lost regarding the points mentioned below:

- A virtual machine, Service Console or VMkernel network interface in a portgroup which allows use of promiscuous mode can see all network traffic traversing the virtual switch.

- Placing the guest's network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch that are allowed under the VLAN policy for the associated portgroup.

The first point mentions that all the traffic on the virtual switch will be monitored, while the second point mentions that only the traffic of the VLAN tagged on the virtual port group that has promiscuous mode enabled will be seen.

So which one is correct, and how does it work in my scenario?

Best regards,

scott28tt
VMware Employee

I think that by default it would be specific to whichever VLAN(s) the VM is part of based on its own port group connection.

Unless that port group is set to VLAN 4095.

See this: VMware Knowledge Base


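
A small model of the rule quoted from the knowledge base article in this thread, added here as an illustration and not taken from any poster or from VMware: the port group's VLAN policy filters frames first, and promiscuous mode then only removes the destination-MAC filter. The VM names, MAC addresses and port group names are constructed, and the model is a simplification that ignores uplinks and MAC learning.

```python
from dataclasses import dataclass

TRUNK_ALL = 4095                 # VLAN ID named in the thread as the exception
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class PortGroup:
    name: str
    vlan: int
    promiscuous: bool = False

@dataclass(frozen=True)
class Port:
    vm: str
    mac: str
    group: PortGroup

def receivers(ports, vlan, src_mac, dst_mac):
    """VMs that get a copy of one frame (simplified model, an assumption)."""
    seen = []
    for p in ports:
        if p.mac == src_mac:
            continue                                  # never echoed to the sender
        if p.group.vlan not in (vlan, TRUNK_ALL):
            continue                                  # VLAN policy filters first
        if p.group.promiscuous or dst_mac in (p.mac, BROADCAST):
            seen.append(p.vm)                         # promiscuous skips the MAC filter
    return sorted(seen)

# Constructed layout from the question: two normal port groups plus a
# dedicated promiscuous port group on VLAN 7 holding only the monitoring VM.
pg7, pg8 = PortGroup("PG-VLAN7", 7), PortGroup("PG-VLAN8", 8)
PORTS = [
    Port("app-a", "00:50:56:00:00:0a", pg7),
    Port("app-b", "00:50:56:00:00:0b", pg7),
    Port("db-c", "00:50:56:00:00:0c", pg8),
    Port("db-d", "00:50:56:00:00:0d", pg8),
    Port("monitor", "00:50:56:00:00:99", PortGroup("PG-VLAN7-promisc", 7, True)),
]

def who_sees(src_vm, dst_vm, ports=PORTS):
    """Send one unicast frame between two VMs and list who receives it."""
    by_vm = {p.vm: p for p in ports}
    src, dst = by_vm[src_vm], by_vm[dst_vm]
    return receivers(ports, src.group.vlan, src.mac, dst.mac)

if __name__ == "__main__":
    print("VLAN 7 unicast:", who_sees("app-a", "app-b"))
    print("VLAN 8 unicast:", who_sees("db-c", "db-d"))
```

Setting the monitor's port group VLAN to `TRUNK_ALL` makes the VLAN 8 frame reach the monitor as well, which is the VLAN 4095 case mentioned in the last reply.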