A question came up on Twitter the other day about spanning a physical port to a virtual machine. The obvious answer is to use RSPAN, but in this particular case the switch did not support RSPAN so that wasn’t an option. Standard port spanning allows you to mirror one or more physical source ports or VLANs to one or more destination ports, but it does not allow you to set the target to a remote IP address or a vSwitch. With this limitation in mind, I came up with a solution.
I exchanged a few tweets about the problem and then had an idea that I tested in the home lab. It’s not particularly elegant, but it works, so I thought I’d knock up a quick blog post as it might help someone else trying to get this working. This is not exactly step-by-step; I’m assuming anyone wanting to do this knows their way around ESX.
The solution I came up with is as follows:
1. Find a spare NIC on a vSphere host
2. Connect the spare NIC to a port on the same switch as the port you want to monitor.
3. Configure a new Standard vSwitch on the vSphere host
4. Attach the spare vmnic to the vSwitch
5. Configure the vSwitch to allow promiscuous mode
6. Create an untagged Port Group called SPAN Target
7. Connect a VM running a sniffer to the Port Group
8. Configure a SPAN session using the spare vmnic’s switchport as the SPAN target
9. Start the sniffer and you should be capturing traffic from the physical port
Here’s how to set this up:
Configure the ESXi Host
1. Configure a new Standard vSwitch specifically for the SPAN target
2. Add the spare NIC to the vSwitch as an uplink
3. Add a port group to the vSwitch – call it SPAN Target to make it obvious what it is for
4. Configure the vSwitch to allow promiscuous mode



Set up the VM
The next step is to get the sniffer VM set up. I prefer to use CentOS for sniffers, but any OS will do.
1. Create a new VM if you don’t have one already.
2. Install Wireshark (yum -y install wireshark and yum -y install wireshark-gnome)
3. For Windows, download from http://www.wireshark.org
4. Fire up the sniffer to make sure it works.
5. You should be able to see traffic to the VM and some non-unicast traffic.
6. You will not be able to see unicast traffic NOT destined to your VM.


Set up the switch
We are going to set up a very basic SPAN session with one source and one destination port. Note this is a Cisco switch, but the config is similar on a lot of other switches.
conf t
monitor session 1 source interface Gi1/0/24
monitor session 1 destination interface Gi1/0/16
end
Let’s confirm that the destination port we use in the SPAN session on the switch is definitely the vmnic on the ESX server. Looks like it is.

Note that once you start the SPAN session into the ESX server, the CDP information on the vSwitch becomes unreliable. It is seeing CDP from other locations and getting confused. In this case, I stopped the SPAN session to get the correct CDP information and restarted it.
That’s it, you should now be able to see all traffic in and out of the target port on your sniffer. So, let’s test it…
In this case, the port I am using as the source is a link between two switches (the one in my study and the switch in the garage where the servers are). I should be able to see all traffic on the sniffer that passes across that link. I will send some pings from my Mac to various devices connected to the switch in the garage. All that traffic should be seen by the sniffer.

I have sent three sets of 4 pings to devices on the switch and set a filter on the sniffer to only display ICMP.
4 x 3 pings = 12 packets and I should also see the replies, so the sniffer should have 24 frames in total in its display buffer.

It does, so we have a working SPAN Session.
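The same check can be run against a saved capture instead of counting frames in the display. The following Python is an added example, not part of the original post: it pairs ICMP echo requests with their replies, so a mirror that delivers only one direction shows up as unanswered requests. It assumes the capture was saved in classic pcap format (not pcapng); the function names and the 192.0.2.x sample addresses are constructed for illustration.

```python
import struct

def icmp_echo_counts(pcap: bytes):
    """Return (requests, replies, unanswered) for ICMP echo frames in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic (non-pcapng) capture file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    requests, replies, off = [], [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14  # skip an 802.1Q tag if present
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue                                    # not IPv4, or truncated
        ip = frame[l3:]
        icmp = ip[(ip[0] & 0x0F) * 4:]                  # honour the IP header length
        if ip[9] != 1 or len(icmp) < 8 or icmp[0] not in (0, 8):
            continue                                    # not an ICMP echo request/reply
        if icmp[0] == 8:                                # request: (src, dst, id+seq)
            requests.append((ip[12:16], ip[16:20], icmp[4:8]))
        else:                                           # reply: swap addresses to match
            replies.append((ip[16:20], ip[12:16], icmp[4:8]))
    unanswered = set(requests) - set(replies)
    return len(requests), len(replies), len(unanswered)

def _frame(src, dst, icmp_type, seq, vlan=None):
    """Constructed Ethernet/IPv4/ICMP echo frame; checksums are left as zero."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan else b""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(src), bytes(dst))
    return bytes(12) + tag + b"\x08\x00" + ip + icmp

def sample_capture(replies=True, vlan=None):
    """Constructed pcap: one client pinging 3 hosts 4 times each, as in the test above."""
    mac, frames = (192, 0, 2, 10), []
    for host in [(192, 0, 2, 21), (192, 0, 2, 22), (192, 0, 2, 23)]:
        for seq in range(4):
            frames.append(_frame(mac, host, 8, seq, vlan))
            if replies:
                frames.append(_frame(host, mac, 0, seq, vlan))
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(icmp_echo_counts(sample_capture()))
```

To check a real capture, pass the bytes of the saved file to `icmp_echo_counts` in place of `sample_capture()`.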
Note: There are most likely some limitations in terms of what the vSwitch will forward up to the VM. I didn’t do much testing, but things like Spanning Tree are most likely not forwarded through the vSwitch to the sniffer, so you’ll need to bear this in mind.
source: http://packetzapper.wordpress.com/2012/03/19/how-to-span-a-physical-port-to-a-virtual-machine/