Promiscuous mode on different port group (same vSwitch)

Posted on 2011-10-24
Last Modified: 2013-11-05

I have a vSwitch VS1 with two port groups PG1 and PG2:

VS1: Promiscuous mode: Reject
PG1: Promiscuous mode: Reject
PG2: Promiscuous mode: Accept

Both PG1 and PG2 are configured as same VLAN.

I put a Linux VM under PG2, configured with promiscuous mode enabled, then I found when I run tcpdump, it captured traffic for VMs on both the PG1 and PG2 groups.

I thought it should only capture the traffic on the PG2 group? Can anybody confirm if this also happens in your ESX environment?

My ESX server is 4.0 U2.

Question by:jackiechen858
    LVL 116

    Expert Comment

    by:Andrew Hancock (VMware vExpert / EE MVE)
    But it's capturing traffic on the vSwitch VS1
    LVL 7

    Author Comment

    So it's not limited to port group PG2 only?

    this document :

    mentioned :

    If enabling Promiscuous Mode was acceptable in all environments, we would be in great shape.  However, some of our customers have told us that they don’t feel comfortable with this configuration for their virtual switches.  We completely understand their position, because we don’t want that extra traffic either!  We’re only interested in traffic for the servers we’ve migrated into the cloud.  Thankfully there is a quick and simple solution.  The CloudSwitch Appliance can be configured with its own Port Group and Promiscuous Mode can be enabled only for this port group.  In this configuration, the CSA will never receive traffic from any other node on its switch since Promiscuous Mode applies only to itself.

    This is not an official VMware document though.

    LVL 116

    Expert Comment

    by:Andrew Hancock (VMware vExpert / EE MVE)
    Yes, that is very true. Some organisations do not want Desktops and Servers to start sniffing LAN traffic!
    LVL 7

    Author Comment

    Sorry, my question is:

    If I only set up "Promiscuous mode: Accept" on one port group, and reject it on the other port group and at the vSwitch level, will it still be able to capture traffic on another port group on the same vSwitch?

    The paragraph I quoted above seems to claim Promiscuous Mode only works inside the configured port group; but my test result says different.

    LVL 116

    Accepted Solution

    See here

    By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest adapter in promiscuous mode causes it to detect all frames passed on the virtual switch that are allowed under the VLAN policy for the associated port group. This can be useful for intrusion detection monitoring or if a sniffer needs to be run to analyze all traffic on the wire.

    Promiscuous mode is disabled by default, and should not be turned on unless specifically needed. Software running inside a virtual machine may be able to monitor any and all traffic moving across a vSwitch if it is allowed to enter promiscuous mode.
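Because the accepted answer means a single port group with "Promiscuous mode: Accept" exposes every frame on the vSwitch that passes that port group's VLAN policy, the practical follow-up for an administrator is to find out where that setting is in effect and which VMs sit behind it. The PowerCLI audit below is an added example written for this thread, not code from the thread or from VMware. It assumes VMware PowerCLI is installed, a session has already been opened with Connect-VIServer, and the host name in $VMHostName is a placeholder you replace; it reads the per-switch and per-port-group security policies, resolves the effective promiscuous setting (port groups can inherit from the switch), and lists the VMs attached to any port group where it is allowed.

```powershell
# Added example (not from the original thread): audit promiscuous-mode exposure
# on the standard vSwitches of one ESX/ESXi host.
# Assumptions: VMware PowerCLI is loaded and Connect-VIServer has already been run.
param(
    # Placeholder host name, replace with the host you want to audit.
    [string]$VMHostName = "esx-host.example.local"
)

$vmhost = Get-VMHost -Name $VMHostName

# Cache the host's VM network adapters once so we can map port groups to VMs.
$adapters = Get-VM -Location $vmhost | Get-NetworkAdapter

foreach ($vswitch in Get-VirtualSwitch -VMHost $vmhost -Standard) {
    $swPolicy = Get-SecurityPolicy -VirtualSwitch $vswitch
    Write-Host ("vSwitch {0}: AllowPromiscuous={1}" -f $vswitch.Name, $swPolicy.AllowPromiscuous)

    foreach ($pg in Get-VirtualPortGroup -VirtualSwitch $vswitch) {
        $pgPolicy = Get-SecurityPolicy -VirtualPortGroup $pg

        # Effective value: the port group's own setting unless it inherits from the switch.
        if ($pgPolicy.AllowPromiscuousInherited) {
            $effective = $swPolicy.AllowPromiscuous
        } else {
            $effective = $pgPolicy.AllowPromiscuous
        }

        if (-not $effective) { continue }

        # Any VM on this port group can see every frame on the whole vSwitch that is
        # permitted by this port group's VLAN policy, not just frames for this port group.
        $vmNames = $adapters |
            Where-Object { $_.NetworkName -eq $pg.Name } |
            ForEach-Object { $_.Parent.Name } |
            Sort-Object -Unique

        [pscustomobject]@{
            VSwitch          = $vswitch.Name
            PortGroup        = $pg.Name
            VLanId           = $pg.VLanId
            AllowPromiscuous = $true
            Inherited        = $pgPolicy.AllowPromiscuousInherited
            VMs              = ($vmNames -join ", ")
        }

        # Remediation, if the port group does not actually need sniffing
        # (left commented out so the script is read-only by default):
        # Set-SecurityPolicy -VirtualPortGroup $pg -AllowPromiscuous $false
    }
}
```

Run it as `.\Audit-Promiscuous.ps1 -VMHostName <host>` after connecting. In the scenario from the question the output would show PG2 with AllowPromiscuous = True and the Linux VM in the VMs column, while PG1 and VS1 produce no row; since PG1 and PG2 share a VLAN, that single row is enough to explain why the tcpdump on PG2 saw PG1's traffic. If PG2 must stay promiscuous (an IDS sensor, for example), the usual mitigation is to move it, and only it, to a VLAN or vSwitch that does not carry the traffic you want to keep private.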
