• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1196
  • Last Modified:

Promiscuous mode on different port group ( same vSwitch)

I have a vSwitch VS1 with two port groups PG1 and PG2:

VS1: Promiscuous mode:Reject
PG1:Promiscuous mode:Reject
PG2: Promiscuous mode:Accept

Both PG1 and PG2 are configured as same VLAN.

I put a Linux VM under PG2, configured as Promiscuous enabled, then I found when I run tcpdump, it capthced traffics for VMs on both PG1 and PG2 group.

I thought it should only capture the traffic on PG2 group? Anybody can confirm if this also happen on your ESX environment?

My ESX server is 4.0 U2.

  • 3
  • 2
1 Solution
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
But it's capturing traffic on the vSwitch VS1
jackiechen858Author Commented:
So it's not limited to port group PG2 only?

this document :

mentioned :

If enabling Promiscuous Mode was acceptable in all environments, we would be in great shape.  However, some of our customers have told us that they don’t feel comfortable with this configuration for their virtual switches.  We completely understand their position, because we don’t want that extra traffic either!  We’re only interested in traffic for the servers we’ve migrated into the cloud.  Thankfully there is a quick and simple solution.  The CloudSwitch Appliance can be configured with its own Port Group and Promiscuous Mode can be enabled only for this port group.  In this configuration, the CSA will never receive traffic from any other node on its switch since Promiscuous Mode applies only to itself.

This is not official Vmware document though.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Yes, that is very true. Some organisations, do not want Desktops and Servers to start sniffing LAN traffic!
jackiechen858Author Commented:
Sorry, my question is:

If I only setup "Promiscuous mode:Accept" on one port group, reject it on the other port group and the vSwitch level,  will it still be able to capture traffic on another port group on the same vSwitch?

The above paragraph I quoted seems to claim Promiscuous Mode only work inside the configured port group; but my test result says different.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
See here

By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest adapter in promiscuous mode causes it to detect all frames passed on the virtual switch that are allowed under the VLAN policy for the associated portgroup. This can be useful for intrusion detection monitoring or if a sniffer needs to be run to analyze all traffic on the wire.

Promiscuous mode is disabled by default, should not be turned on unless specifically needed. Software running inside a virtual machine may be able to monitor any and all traffic moving across a vSwitch if it is allowed to enter promiscuous mode.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now