VMware vSphere

  • 1.  Mirror all traffic to Snort VM

    Posted May 05, 2017 01:28 PM

    Hello Folks

    I would like to install a NIDS (Snort) to analyze the traffic of my VMs, but I don't know how to configure my vCenter to mirror all the traffic from all VMs to the Snort VM.

    Let me describe my environment.

    We have 6 VLANs:

    Vlan10 (ID 10)

    Vlan20 (ID 20)

    Vlan30 (ID 30)

    Vlan40 (ID 40)

    Vlan50 (ID 50)

    Vlan60 (ID 60)

    We are using a DVS to connect the whole environment, and the Snort VM is in Vlan10.

    Thanks for all your help



  • 2.  RE: Mirror all traffic to Snort VM

    Posted May 05, 2017 08:08 PM

    You can create a port mirror on the vDS to mirror traffic from all port groups to another port group to which only the Snort VM is attached.

    More information about port mirroring can be found in the vSphere documentation:

    VMware vSphere 6.5 Documentation Library



  • 3.  RE: Mirror all traffic to Snort VM

    Posted May 08, 2017 12:23 PM

    Hello Erik

    First of all thanks for your help.

    Let me tell you what I did...

    I created a new port group called promisc, with promiscuous mode and VLAN ID 10, and assigned the Snort VM to this port group.

    I have a doubt about the correct type of mirroring. Is the correct option to choose in my case "Distributed Port Mirroring" or "Remote Mirroring Destination"?

    Thanks and regards