VMware NSX


Promiscuous mode on an NSX-T Segment

  • 1.  Promiscuous mode on an NSX-T Segment

    Posted Feb 28, 2020 12:27 PM

    How can I enable promiscuous mode on an NSX-T Segment? "Mac Learning" is enabled, but the application which requires promiscuous mode doesn't work. I can set promiscuous mode with the command:

    nsxdp-cli vswitch l2sec set

    But this has to be done on each ESXi host in the cluster and I would like to avoid having to do that.



  • 2.  RE: Promiscuous mode on an NSX-T Segment

    Posted Feb 28, 2020 06:27 PM

    Hi,

    Promiscuous mode doesn't exist within NSX-T. Use MAC learning or/and port mirroring instead.



  • 3.  RE: Promiscuous mode on an NSX-T Segment

    Posted Feb 29, 2020 02:30 PM

    Here is a blog about promiscuous mode in NSX-T, so looks like it exists, but it needs to be configured on each host manually:

    Nesting vSphere vDS on NSX-T N-VDS – doOdzZZ'sNotes

    MAC learning doesn't work in this scenario. Do you have any more details on how we can use port mirroring to replace promiscuous mode? Thanks.



  • 4.  RE: Promiscuous mode on an NSX-T Segment

    Posted Feb 29, 2020 03:04 PM

    Port mirroring replaces promiscuous mode in the sense that you can mirror network traffic of segment ports, segments, and virtual machines to a L2 or L3 destination (like a VM or a physical/virtualized network monitoring application).



  • 5.  RE: Promiscuous mode on an NSX-T Segment

    Posted Feb 29, 2020 04:59 PM

    We have two VMs using VRRP (Virtual Router Redundancy Protocol) on NIC2 connected to a dedicated Distributed Port Group on a vDS. When we move NIC2 from the vDS to a Segment on an N-VDS, the virtual IP keeps flapping back and forth between the VMs. Enabling MAC learning on the Segment didn't resolve this. Promiscuous mode is enabled on the vDS.



  • 6.  RE: Promiscuous mode on an NSX-T Segment

    Posted Feb 29, 2020 05:09 PM

    VRRP (often) uses multicast. Are you sure you aren't blocking multicast traffic somewhere like in the DFW?

    Could you tell me which VRRP implementation the VMs are using? Is this keepalived or something else?



  • 7.  RE: Promiscuous mode on an NSX-T Segment

    Posted Mar 02, 2020 02:06 PM

    The DFW is not configured yet, only the default Any - Any - Allow rule. I can double check tomorrow though.

    The VMs are running Aruba Mobility Master.

    Cheers.



  • 8.  RE: Promiscuous mode on an NSX-T Segment

    Posted Mar 02, 2020 02:18 PM

    Have you tried to enable "MAC Change" on a MAC Discovery segment profile attached to the segments?



  • 9.  RE: Promiscuous mode on an NSX-T Segment

    Posted Mar 02, 2020 02:28 PM

    Yes, we enabled "MAC Change", "MAC Learning" and "Unknown Unicast Flooding".



  • 10.  RE: Promiscuous mode on an NSX-T Segment

    Posted Mar 07, 2020 06:03 AM

    Would like to know too, having the same problem here



  • 11.  RE: Promiscuous mode on an NSX-T Segment

    Posted Mar 07, 2020 06:17 AM

    Hi,

    We have still not been able to use promiscuous mode on NSX-T. Rumors say it will be a new feature in the next NSX-T release coming soon. Please let me know if you figure out how to do it :-)



  • 12.  RE: Promiscuous mode on an NSX-T Segment
    Best Answer

    Posted Mar 07, 2020 09:23 AM

    Once again, there is no promiscuous mode for NSX-T N-VDS based segments the way there is for VDS based port groups. At least not as of version 2.5.

    This is the correct answer even though you might not like it :-)



  • 13.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jan 21, 2021 01:10 PM

    Hi,

    For running nested environments on NSX-T backed Segments on VDS 7, it is a requirement to set:

    nsxdp-cli vswitch l2sec set --dvport <dvportgroup id> -dvs Global-NVDS --mac-change --forge-src --promisc

    Source

    http://notes.doodzzz.net/2019/10/27/nesting-vsphere-vds-on-nsx-t-n-vds/

    Thanks

    Victor



  • 14.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jan 21, 2021 02:33 PM

    Hi,

    I stand corrected... MAC Learning on the NSX-T Segment at physical layer addresses this now.

    https://www.virtuallyghetto.com/2019/11/running-nested-esxi-nsx-v-or-nsx-t-on-top-of-nsx-t.html

    Thanks,

    Victor



  • 15.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jan 21, 2021 04:35 PM

    Thanks for your input, but this does not address the issue in my original post




  • 16.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jun 10, 2021 01:05 PM

    Hello,

    I encountered the same issue after a V2T migration.

    To resolve the issue on the MAC, I created a specific MAC Discovery Profile with MAC Learning enabled and attached it to the Mobility Master Segment.

    Then I followed the recommendation of  . I created a new service with a service entry with type = IP and Additional Properties = VRRP

    I created a new rule with src/dst = Mobility Master group and the service previously created.

    And it works. No more flapping.

    Thanks  for creating this topic and  for your tips.



  • 17.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jun 13, 2021 08:58 AM

    Thanks for the update and happy it works for you.

    Not sure why it didn't work for my customer since they only had one DFW rule Any-Any-Allow.

    It was on NSX-T 2.4 or 2.5, so could be something has changed in later versions.



  • 18.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jun 14, 2021 07:52 AM

    I tried the rule Any-Any-Allow but it didn't work. The VRRP rule is mandatory.

    You could also try to add Mobility Master VMs in exclusion list.



  • 19.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jun 22, 2020 08:21 AM

    Ran into the same issue last week. Is anyone aware if this has been solved on NSX-T 2.5 yet?



  • 20.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jun 22, 2020 08:28 AM

    Hi,

    Promiscuous mode like we know it on VDS port groups is not implemented in 2.5 or 3.0.

    Keep in mind that this is not an NSX-T issue, but rather a functionality not implemented (yet).



  • 21.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jun 22, 2020 08:39 AM

    Hi,

    Thanks for your quick reply! I'm not quite sure if Promiscuous mode is even an issue for us...

    We too have two Aruba Mobility Master VMs with non-working VRRP as soon as they are migrated onto a N-VDS. Tried every option NSX-T has to offer.



  • 22.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jun 22, 2020 08:43 AM

    Yes, I think it's an issue for you. It's bad design by Aruba to require promiscuous mode, but that's not something you can change :-)

    So you need to stick to VDS-based port groups for those VMs. With NSX-T <3.0 this means dedicated pNICs. From NSX-T 3.0 you can at least leverage VDS 7.0 and have everything on the same pNICs without having to collapse the vmkernel adapters into NSX-T (N-VDS).



  • 23.  RE: Promiscuous mode on an NSX-T Segment

    Posted Jun 22, 2020 08:30 AM

    I don't think so. Heard some rumors about this being implemented in NSX-T 3.0, but haven't had time to confirm it yet. Can't find it in the release notes though. My customer is still running a vDS occupying two extra NICs in each host just because of this.



  • 24.  RE: Promiscuous mode on an NSX-T Segment

    Broadcom Employee
    Posted Oct 19, 2020 03:55 PM

    I had already seen that issue in NSX-V. Two VRRP instances didn't work with implicit allow.

    The solution for NSX-V was to add an additional Service (L3_others, Protocol Number 112).

    The solution for NSX-T could be to add an additional firewall rule with

    Create > Group with both VMs

    Create > A new service (IP > Additional Properties VRRP)

    Create > Firewall rule under Application /Src Group / Destination Group / Service VRRP / applied to Group / allow
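The two things this thread turns on are (a) that VRRP advertisements are IP protocol 112 sent to 224.0.0.18, which is why a generic rule can miss them and an explicit service entry is needed (posts 6 and 24), and (b) the Group / Service / Rule triple from the last post. The Python below is an added example, not code from the thread or from VMware: it parses a constructed VRRPv2 advertisement to confirm the protocol number and destination, and builds the NSX-T Policy API PATCH bodies for that triple. The resource types and paths follow the public NSX-T Policy API; the object ids, the VM tag, the domain name and the use of a Tag condition for group membership are assumptions for the example.

```python
"""Added example: check a packet really is VRRP (protocol 112 to 224.0.0.18) and
build the NSX-T Policy API payloads for the Group / Service / Rule described in
the last post.  Object ids, VM tag and domain are assumptions, not from the thread."""
import struct
from ipaddress import ip_address

VRRP_PROTOCOL = 112          # IANA IP protocol number for VRRP
VRRP_MCAST = "224.0.0.18"    # VRRPv2/v3 advertisement destination


def parse_vrrp_advert(ip_packet: bytes) -> dict:
    """Parse an IPv4 header followed by a VRRPv2 header; raise if not VRRP."""
    if len(ip_packet) < 28:
        raise ValueError("packet too short for IPv4 + VRRP")
    (ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_packet[:20])
    if ver_ihl >> 4 != 4 or proto != VRRP_PROTOCOL:
        raise ValueError("not an IPv4 VRRP packet")
    ihl = (ver_ihl & 0x0F) * 4
    # VRRPv2: version/type, VRID, priority, count of IPs, auth type, adver interval
    ver_type, vrid, priority, naddr, _auth, adver_int = struct.unpack(
        "!BBBBBB", ip_packet[ihl:ihl + 6])
    dst_str = str(ip_address(dst))
    return {
        "src": str(ip_address(src)), "dst": dst_str, "ttl": ttl,
        "version": ver_type >> 4, "type": ver_type & 0x0F,
        "vrid": vrid, "priority": priority, "addr_count": naddr,
        "adver_int": adver_int,
        # RFC 3768 advertisements go to 224.0.0.18 with TTL 255
        "multicast_ok": dst_str == VRRP_MCAST and ttl == 255,
    }


def is_vrrp(ip_packet: bytes) -> bool:
    """Convenience wrapper for filtering captured packets."""
    try:
        parse_vrrp_advert(ip_packet)
        return True
    except ValueError:
        return False


# Constructed sample: IPv4 (checksum left 0) + VRRPv2 advert, VRID 5, prio 100,
# one virtual address 10.0.0.10, sent from 10.0.0.11 to 224.0.0.18.
SAMPLE_ADVERT = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 0, 0, 255, VRRP_PROTOCOL, 0,
                ip_address("10.0.0.11").packed, ip_address(VRRP_MCAST).packed)
    + struct.pack("!BBBBBBH4s", 0x21, 5, 100, 1, 0, 1, 0,
                  ip_address("10.0.0.10").packed)
)


def build_vrrp_policy(domain: str = "default", vm_tag: str = "mobility-master") -> dict:
    """Return {policy API path: PATCH body} in the order the objects must exist.

    Ids, display names and the Tag-based group membership are assumptions for
    the example; the VMs are assumed to carry the given tag in NSX-T."""
    group_id, svc_id, policy_id = "mobility-master-vms", "vrrp", "mobility-master-vrrp"
    group_path = f"/infra/domains/{domain}/groups/{group_id}"
    svc_path = f"/infra/services/{svc_id}"
    return {
        # 1. Group containing both VRRP peers
        f"/policy/api/v1{group_path}": {
            "display_name": "Mobility Master VMs",
            "expression": [{
                "resource_type": "Condition", "member_type": "VirtualMachine",
                "key": "Tag", "operator": "EQUALS", "value": vm_tag,
            }],
        },
        # 2. Service: IP protocol entry, protocol number 112 (VRRP)
        f"/policy/api/v1{svc_path}": {
            "display_name": "VRRP",
            "service_entries": [{
                "resource_type": "IPProtocolServiceEntry",
                "display_name": "vrrp-112",
                "protocol_number": VRRP_PROTOCOL,
            }],
        },
        # 3. DFW rule in the Application category, scoped to the group
        f"/policy/api/v1/infra/domains/{domain}/security-policies/{policy_id}": {
            "display_name": "Allow VRRP between Mobility Masters",
            "category": "Application",
            "rules": [{
                "resource_type": "Rule", "display_name": "vrrp-allow",
                "action": "ALLOW", "sequence_number": 10,
                "source_groups": [group_path], "destination_groups": [group_path],
                "services": [svc_path], "scope": [group_path],
            }],
        },
    }


if __name__ == "__main__":
    print(parse_vrrp_advert(SAMPLE_ADVERT))
    for path, body in build_vrrp_policy().items():
        print("PATCH", path, body["display_name"])
```

Apply the three bodies with HTTP PATCH against the NSX Manager in the order returned (group, then service, then policy), since the rule references the other two by path. The parser is there for the same reason the thread's rule is: before touching the DFW, a packet capture on the Mobility Master vNIC should show protocol 112 to 224.0.0.18; if the advertisements do not appear at all, the problem is upstream of the firewall (MAC learning profile or switch behaviour), not the rule.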