In this new post I’m going to show some parameters and concepts related to Port Mirroring, Trunking and Security Policies.
You might need a VM on your network to capture or analyze traffic passing through devices, and this is quite common these days for security purposes. On standard vSwitches this is done as follows:

  1. Allow a VM to receive traffic that is not addressed to it.
  2. Send all traffic to that VM.

For the first step on standard vSwitches, go to the settings page of the vSwitch, click on Security and change Promiscuous Mode to Accept.

Figure: Security & traffic flow on Standard vSwitches

On standard vSwitches this setting is made per vSwitch and affects all of the vPort Groups on that vSwitch. Then go to the properties/settings page of the vPort Group on which you have installed the VM that captures traffic and set the VLAN number to 4095.

Figure: Security & traffic flow on Standard vSwitches

As you know, the range of legal VLAN IDs is 0 to 4096. By setting this special value, all of the packets seen by that vSwitch will be redirected to the VM attached to that vPort Group, regardless of any trunking configuration. Remember, “All” traffic from “All” of the vPort Groups on that vSwitch will be redirected to that VM.
If you have any other standard vSwitches, they will not be affected by this configuration and continue to act normally.
But if you are licensed to use dvSwitches (Distributed Virtual Switches), you can achieve the same thing on these switches by following different steps. The security requirements are the same: you first need to change the security policy and set Promiscuous Mode. On a dvSwitch, however, this policy can be set per dvPort Group or per individual dvPort. Usually you set the overall settings on a dvPort Group, then activate the override feature on the dvPort Group so that you can override settings on the single dvPort of your choice. The following picture shows that I’ve set override on all of the options:

Figure: dvSwitch settings

Supposing our VM running Wireshark is attached to port 2 of the dvSwitch and is a member of the TDPG-204 dvPort Group, what we need to do is change the settings of that port as the image depicts:

Figure: dvSwitch settings

By clicking on the Edit icon at step 4, another window will appear. On this page click on Security, enable the Override checkbox next to Promiscuous Mode and change it to Accept.

Figure: dvSwitch settings

After applying the changes, any traffic passing on that dvPort Group will also be sent to dvPort 2 and to the sniffing app running on our VM. Remember that only traffic of the members of that dvPort Group (TDPG-204) will be copied to that dvPort; other dvPort Groups will not be affected.

Although it is not usually needed, you can also override VLAN settings on a dvPort Group and set it to “Trunking”. What you need to know in this case is that you also need to set that trunking port to “Promiscuous Mode: Accept”.
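Because the standard vSwitch steps above widen what one VM can see to the whole vSwitch, while the dvPort override keeps it to a single dvPort Group, it is worth being able to audit where Promiscuous Mode is accepted and how wide its scope is. The following PowerCLI script is an added example, not part of the original post; it assumes PowerCLI is installed and you are already connected to vCenter with Connect-VIServer, and it only reads configuration.

```powershell
# Added audit example (not from the original post): list every standard vSwitch, port group,
# dvPort Group and dvPort where Promiscuous Mode is Accept, and flag the cases where VLAN 4095
# or trunking widens the traffic a VM on it can capture. Assumes Connect-VIServer has been run.
$findings = @()

# Standard vSwitches: the policy is per vSwitch and inherited by all of its port groups,
# so one Accept on the vSwitch plus VLAN 4095 on a port group exposes the whole vSwitch.
foreach ($vmhost in Get-VMHost) {
    foreach ($vss in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        if ((Get-SecurityPolicy -VirtualSwitch $vss).AllowPromiscuous) {
            $findings += [pscustomobject]@{ Scope = 'vSwitch'; Host = $vmhost.Name; Object = $vss.Name
                Detail = 'Promiscuous Mode = Accept on the whole vSwitch' }
        }
        foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vss) {
            $pgsec = Get-SecurityPolicy -VirtualPortGroup $pg
            if ($pgsec.AllowPromiscuous -and $pg.VLanId -eq 4095) {
                $findings += [pscustomobject]@{ Scope = 'vPortGroup'; Host = $vmhost.Name; Object = $pg.Name
                    Detail = "VLAN 4095 + Promiscuous: VMs here see all traffic on $($vss.Name)" }
            }
        }
    }
}

# Distributed switches: the policy can be overridden per dvPort, so check ports as well as groups.
foreach ($dvpg in Get-VDPortgroup) {
    $pgsec   = Get-VDSecurityPolicy -VDPortgroup $dvpg
    $isTrunk = $dvpg.VlanConfiguration.VlanType -eq 'Trunk'
    if ($pgsec.AllowPromiscuous) {
        $findings += [pscustomobject]@{ Scope = 'dvPortGroup'; Host = '-'; Object = $dvpg.Name
            Detail = "Promiscuous Mode = Accept on every port of the group (Trunk: $isTrunk)" }
    }
    foreach ($port in Get-VDPort -VDPortgroup $dvpg) {
        $psec = Get-VDSecurityPolicy -VDPort $port
        # A port that accepts promiscuous traffic while its group does not is a per-port override;
        # its scope is limited to traffic of this dvPort Group, as described in the post.
        if ($psec.AllowPromiscuous -and -not $pgsec.AllowPromiscuous) {
            $findings += [pscustomobject]@{ Scope = 'dvPort'; Host = '-'; Object = "$($dvpg.Name)/port $($port.Key)"
                Detail = "Per-port override to Accept (connected: $($port.ConnectedEntity))" }
        }
    }
}

$findings | Sort-Object Scope, Object | Format-Table -AutoSize
```

Run it periodically (or after any network change) and compare the output with the list of VMs that are supposed to be capturing traffic; any vSwitch-wide Accept or VLAN 4095 entry that is not accounted for deserves a look.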

Relation between Port Mirroring, Trunking and Security