In virtual networking, we have multiple policy settings that we can configure on standard switch or distributed switch in vSphere. In previous posts, we discussed basics of virtual networking along with switch types and had switch properties walkthrough.
Check previous posts here,
In this post, we will begin our discussion about network policies. With this post we will discuss promiscuous mode under Security settings in virtual networking.
This is one of the security policy setting that we can set in the properties of a virtual standard switch or in the properties of a port group on it. In standard switch, switch acts as parent and port group act as child.
Below are the standard switch properties.
Below is the screen shot of port group settings in standard switch.
In case of Distributed switch, due to granular level management, policies are configured either on port group or individual port level. In distributed switch, portgroup acts as parent and individual port acts as child.
As you can see in below screenshot, in distributes switch properties, there are no security settings available.
So you need to edit portgroup properties or individual port. Below is the screenshot of individual port settings.
For our discussion in this post, I will use standard switch here onwards.
Why do we need promiscuous mode?
As we all know, Switch is a point to point device and it maintains the MAC table to record information of connected nodes. Because of this we get better performance and point to point delivery unlike HUB which uses broadcast method to deliver the traffic to destination.
In virtual networking, virtual switches do not anything different. They will handle traffic just like physical switches.
Let us take a scenario here to understand promiscuous mode. Lets say we have 3 VMs of which 2 are connected to a PROD portgroup and one is connected to QA portgroup as shown in below diagram.
Now the requirement is that Linux VM should be able to capture all the packets that are being delivered to any of the Windows VMs in PROD protgroup. We have installed Wireshark tool in Linux VM for our requirement of packet capturing. This can be useful for intrusion detection monitoring or if a sniffer needs to analyze all traffic on the network segment.
But the challenge here would be, can we capture packets of windows VMs that are connected to PROD on to the linux VM which is connected to QA Portgroup?
Basically we are talking about remote capturing, which is generally not done by tools like Wireshark. We use these tools to do capturing on local network interface. And as we discussed earlier switch will deliver traffic only to the specific destination as it performs point to point delivery.
You might have a thought that why can’t we install tool directly on server?
Most of the time, we avoid installing freeware tools on critical production servers and obviously we do not want to install them in multiple servers since these tools perform packet capture on local interface only.
Hence to fulfill this requirement, we enable the Promiscuous Mode in the properties of portgroup QA so that linux VM on this portgroup can capture the traffic being delivered to windows VMs connected to PROD protgroup.
How does that work?
As I mentioned earlier, switch is point to point device, and we do respect that. We don’t want switch to do deliveries of the packets to multiple destinations. Basically what promiscuous mode does is that it gives the visibility of traffic flowing through the switch to the VM connected on port group where we enabled promiscuous mode.
Rest all VMs connected to any other portgroups other than QA will behave as regular switch communication with no traffic visibility that is not destined to them.
Be careful where you enable the setting. As Promiscuous Mode can be enabled either on whole switch or just a Portgroup in standard switches as we discussed earlier. As in this example, We enabled it only on QA port group because only VMs connected to it should get visibility.
If we enable it on switch level, then due to inheritance, all port groups will get visibility of traffic flowing through the switch.
By default, this policy is set to Reject on virtual switches (standard or distributed) in vSphere.
All port groups in standard switches and ports in distributed switches will also be set to Reject by default as they inherit the settings from parents.
As discussed earlier, in Distributed switch unlike standard switch, policies are configured on Portgroup or individual ports level. Portgroups act as parent and individual ports will be child.
Thats it in this post. Hope it clears concept around promiscuous mode.
Check the next post in this series on MAC address Types, Forged transmit and MAC Changes.