
Re: [Xen-users] Port mirroring and promiscuous mode

  • To: "xen-users@xxxxxxxxxxxxx" <xen-users@xxxxxxxxxxxxx>
  • From: "Tarren, Jacob A. (LARC-B703)[LITES II]" <jacob.a.tarren@xxxxxxxx>
  • Date: Mon, 18 Apr 2016 20:22:22 +0000
  • Accept-language: en-US
  • Delivery-date: Mon, 18 Apr 2016 20:24:06 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>
  • Thread-index: AdGZnjvsOvO+hGi+Rx2YhrpZv/1KsAAMe2gA//+9Wmw=
  • Thread-topic: [Xen-users] Port mirroring and promiscuous mode

Thanks for the response.

Ok, so it seems like I shouldn't be bothering with port mirroring, and should 
just enable promiscuous mode on the VIF connected to the VM?  I've tried that 
following this[0] guide, and didn't see any of the other traffic.  Are 
promiscuous interfaces given separate VIF IDs (VIF104.1 -> tap104.1)?  You say 
promiscuous mode requires hardware configuration, but I shouldn't have to 
configure any hardware since I'm using OpenVSwitch right?  Do you know if 
there's a GUI OpenVSwitch configuration tool I could use to get this up and 
running while I learn its CLI?

I was attempting to follow this[1] guide for setting up port mirroring, which 
is where I got the idea.  I'm perfectly fine with just using promiscuous mode if 
it can work for what I need.

My IDS VM has two networks connected to it, Network 0 which is connected to 
the live internet, and Network 1, which connects me to other VMs running test 
traffic between themselves.  Could Network 0 be causing any issues with this?

[0] - https://support.citrix.com/article/CTX121729
[1] - https://blog.rootshell.be/2013/09/09/xenserver-port-mirroring/

Jake Tarren

From: Xen-users [xen-users-bounces@xxxxxxxxxxxxx] on behalf of Austin S. 
Hemmelgarn [ahferroin7@xxxxxxxxx]
Sent: Monday, April 18, 2016 2:12 PM
To: xen-users@xxxxxxxxxxxxx
Subject: Re: [Xen-users] Port mirroring and promiscuous mode

On 2016-04-18 14:37, Tarren, Jacob A. (LARC-B703)[LITES II] wrote:
> Hello!
> I've just started experimenting with Xen, and so far I like it, but I'm
> running into an issue setting up port mirroring and promiscuous mode.
> I'm trying to get all traffic on a network within my Xen server to be
> mirrored to a specific VM so I can practice with an IDS.  I've
> determined that the VM I want my IDS on is connected via vif104.1, and I
> think I should run this command to create a mirror over the whole network:
> ovs-vsctl --set Bridge xenbr1 mirrors=@m -- -- id=@vif93.0 get Port
> vif93.0 -- --id=@vif78.3 get Port vif78.3 -- --id=@vif72.0 get Port
> vif72.0 -- --id=@79.1 get Port vif79.1 -- --id=@tap93.0 get Port tap93.0
> -- --id=@xenbr1 get Port xenbr1 -- --id=@vif62.3 get Port vif62.3 --
> --id=@tap62.3 get Port tap62.3 -- --id=@eth1 get Port eth1 --
> --id=@vif104.1 get Port vif104.1 -- -- --id=@m create Mirror
> name=xenbr1-everything-mirror
> select-dst-port=@vif93.0,@vif78.3,@vif72.0,@vif79.1,@tap93.0,@xenbr1,@vif62.3,@vif103.1,@tap62.3,@eth1
> select-src-port=@vif93.0,@vif78.3,@vif72.0,@vif79.1,@tap93.0,@xenbr1,@vif62.3,@vif103.1,@tap62.3,@eth1
> output-port=@vif104.1
> After running that, I should set vif104.1 into promiscuous mode with:
> xe vif-param-set uuid=<uuid_of_vif> other-config:promiscuous="true"
> Unfortunately, when I try running the ovs-vsctl command I get:
> ovs-vsctl: unrecognized option `--set'
> I think this is because I'm specifying multiple dst-ports and src-ports
> but I'm not sure.
> I'm also a bit confused on the difference between port mirroring and
> promiscuous mode in general.  Would someone please explain that to me
> and help me figure out how to achieve the desired result?  Also, I'd
> like to make this persistent across reboots, but it appears the VIF IDs
> change each time the VM reboots.  Is there a way to stop that?
I can't help much with the OpenVSwitch stuff, but I can definitely try
to help with the explanation of port mirroring versus promiscuous mode
and the VIF ID bits.

Port mirroring usually refers to monitoring specific ports, and more
importantly, is done at a relatively high level in the network stack.
IP and Ethernet have no concept of ports, so port mirroring has to be
done at the level of TCP/UDP or whatever other protocol you are using.
Promiscuous mode however is done at a very low level.  When set on an
Ethernet interface connected to a properly configured switch, it means
that that interface will receive a copy of every single Ethernet frame
that goes through that switch (and possibly through the entire network
if the other switches are configured properly).  In general, promiscuous
mode is better for both IDS and network diagnostics, but it requires
proper configuration of the network hardware, and puts more load on the
monitoring system (because it has to process every frame on the
network).  Port mirroring by contrast provides less coverage (because
it's fully possible to run things on other protocols, and it's not too
hard to do some really crazy cloaking), doesn't need properly configured
hardware, and puts more load on your firewall system (or whatever other
system you're using to do the port mirroring).

As far as the VIF IDs changing, what you want is the 'vifname='
parameter for the network configuration.  The default value for this
configures the VIF name as 'vif<DOMID>.<DEVID>', which guarantees a
unique name on a single boot of a single host (which is good enough for
most things), but this in turn can cause issues when you try to do
things like routing in Domain-0 instead of using a bridge interface or
something similar.
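The two things the thread is circling, a stable backend VIF name via vifname= and a bridge-wide mirror that feeds the IDS port, as an added example that is not code from either poster. It assumes the xl toolstack (the vifname= parameter Austin refers to), an Open vSwitch bridge named xenbr1, and that the IDS guest's monitoring VIF has been pinned to the name ids-mon; all three are assumptions. By default the script only prints the config line and the dom0 commands; set APPLY=1 to run them on a host where the port really exists.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: xl toolstack, OVS bridge
# "xenbr1", and the IDS guest's backend VIF pinned to "ids-mon" with vifname=
# so the commands below keep working after the guest reboots.
set -eu

BRIDGE="${BRIDGE:-xenbr1}"     # assumed bridge name
MON_VIF="${MON_VIF:-ids-mon}"  # assumed fixed backend VIF name

# 1. Guest config line that pins the backend device name. Without vifname=
#    the backend is vif<DOMID>.<DEVID>, and DOMID changes on every boot.
xl_vif_line() {
    printf "vif = [ 'bridge=%s,vifname=%s' ]\n" "$1" "$2"
}

# 2. Promiscuous mode on the dom0 side of the monitoring VIF.
promisc_cmd() {
    printf 'ip link set dev %s promisc on\n' "$1"
}

# 3. SPAN-style mirror on the OVS bridge: select-all=true copies every frame
#    seen on the bridge to the monitoring port. Note the "-- set" separator;
#    "--set" is what produces "unrecognized option `--set'".
mirror_cmd() {
    printf 'ovs-vsctl -- set Bridge %s mirrors=@m -- --id=@p get Port %s -- --id=@m create Mirror name=%s-span select-all=true output-port=@p\n' "$1" "$2" "$1"
}

# Removes every mirror on the bridge again.
unmirror_cmd() {
    printf 'ovs-vsctl clear Bridge %s mirrors\n' "$1"
}

# Apply for real: refuse unless the port is actually attached to the bridge,
# then show the resulting Mirror record so the change can be verified.
apply() {
    if [ "$(ovs-vsctl port-to-br "$MON_VIF" 2>/dev/null)" != "$BRIDGE" ]; then
        echo "port $MON_VIF is not on bridge $BRIDGE" >&2
        return 1
    fi
    sh -c "$(promisc_cmd "$MON_VIF")"
    sh -c "$(mirror_cmd "$BRIDGE" "$MON_VIF")"
    ovs-vsctl list Mirror
}

if [ "${APPLY:-0}" = "1" ]; then
    apply
else
    echo "# guest config:";  xl_vif_line "$BRIDGE" "$MON_VIF"
    echo "# dom0 commands:"; promisc_cmd "$MON_VIF"; mirror_cmd "$BRIDGE" "$MON_VIF"
    echo "# to undo:";       unmirror_cmd "$BRIDGE"
fi
```

Two caveats worth knowing before applying this. OVS reserves a mirror's output-port exclusively for mirrored frames, so the IDS guest needs a second VIF for its own management traffic (the "Network 0" interface described earlier fits that role) and the mirror port should carry nothing else. Setting promisc on the dom0 backend alone is not sufficient either: the guest-side interface must also be promiscuous for the IDS to see frames not addressed to its own MAC, which sniffers normally do themselves when they open the interface.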

Xen-users mailing list