|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-users] Port mirroring and promiscuous mode
On 2016-04-18 14:37, Tarren, Jacob A. (LARC-B703)[LITES II] wrote: I can't help much with the OpenVSwitch stuff, but I can definitely try to help with the explanation of port mirroring versus promiscuous mode and the VIF ID bits.Hello! I've just started experimenting with Xen, and so far I like it, but I'm running into an issue setting up port mirroring and promiscuous mode. I'm trying to get all traffic on a network within my Xen server to be mirrored to a specific VM so I can practice with an IDS. I've determined that the VM I want my IDS on is connected via vif104.1, and I think I should run this command to create a mirror over the whole network: /ovs-vsctl --set Bridge xenbr1 mirrors=@m -- -- id=@vif93.0 get Port vif93.0 -- --id=@vif78.3 get Port vif78.3 -- --id=@vif72.0 get Port vif72.0 -- --id=@79.1 get Port vif79.1 -- --id=@tap93.0 get Port tap93.0 -- --id=@xenbr1 get Port xenbr1 -- --id=@vif62.3 get Port vif62.3 -- --id=@tap62.3 get Port tap62.3 -- --id=@eth1 get Port eth1 -- --id=@vif104.1 get Port vif104.1 -- -- --id=@m create Mirror name=xenbr1-everything-mirror select-dst-port=@vif93.0,@vif78.3,@vif72.0,@vif79.1,@tap93.0,@xenbr1,@vif62.3,@vif103.1,@tap62.3,@eth1 select-src-port=@vif93.0,@vif78.3,@vif72.0,@vif79.1,@tap93.0,@xenbr1,@vif62.3,@vif103.1,@tap62.3,@eth1 output-port=@vif104.1/ After running that, I should set vif104.1 into promiscuous mode with: /xe vif-param-set uuid=<uuid_of_vif> other-config:promiscuous="true"/ Unfortunately, when I try running the ovs-vsctl command I get: /ovs-vsctl: unrecognized option `--set'/ I think this is because I'm specifying multiple dst-ports and src-ports but I'm not sure. I'm also a bit confused on the difference between port mirroring and promiscuous mode in general. Would someone please explain that to me and help me figure out how to achieve the desired result? Also, I'd like to make this persistent across reboots, but it appears the VIF IDs change each time the VM reboots. Is there a way to stop that? Port mirroring usually refers to monitoring specific ports, and more importantly, is done at a relatively high level in the network stack. IP and Ethernet have no concept of ports, so port mirroring has to be done at the level of TCP/UDP or whatever other protocol you are using. Promiscuous mode however is done at a very low level. When set on an Ethernet interface connected to a properly configured switch, it means that that interface will receive a copy of every single Ethernet frame that goes through that switch (and possibly through the entire network if the other switches are configured properly). In general, promiscuous mode is better for both IDS and network diagnostics, but it requires proper configuration of the network hardware, and puts more load on the monitoring system (because it has to process every frame on the network). Port mirroring by contrast provides less coverage (because it's fully possible to run things on other protocols, and it's not too hard to do some really crazy cloaking), doesn't need properly configured hardware, and puts more load on your firewall system (or whatever other system you're using to do the port mirroring). As far as the VIF ID's changing, what you want is the 'vifname=' parameter for the network configuration. The default value for this configures the VIF name as 'vif<DOMID>.<DEVID>', which guarantees a unique name on a single boot of a single host (which is good enough for most things), but this in turn can cause issues when you try to do things like routing in Domain-0 instead of using a bridge interface or something similar. _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxx http://lists.xen.org/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |