On 2/29/16 11:46 , Rob Seastrom wrote:
>
>> On Feb 27, 2016, at 4:34 PM, Robert Mustacchi <[email protected]> wrote:
>>
>> On 2/26/16 16:23 , Rob Seastrom wrote:
>>>
>>> Hi folks,
>>>
>>> Maybe my Google-fu is failing me (and searching my archives of this list
>>> has failed me too)... but has anyone got a recipe for passing through a
>>> physical NIC in a mode where it can go promiscuous mode to a SmartMachine?
>>> Is that even possible with Crossbow in the middle?
>>>
>>> Use case is monitoring span/port mirrors on a couple of switches, or maybe
>>> optical taps if I manage to find my junk box. I see that Snort is in
>>> pkgsrc - don't know if that means people are running it just on a
>>> SmartMachine to monitor traffic to and from it, or if folks are actually
>>> running a full blown network IDS on SmartOS.
>>
>> While you can't assign a physical nic itself you can opt to allow the
>> vnic to have unfiltered access to the underlying device's promiscuous
>> mode with the vmadm property 'nics.*.allow_unfiltered_promisc'.
>>
>> That should do what you need, I expect, but still allow other zones to
>> leverage the device (which would not really be possible if you assigned
>> the NIC fully to the zone).
>
>
> Not sure what I'm doing wrong here, but I'm only seeing broadcast and
> multicast traffic. The vnic in the zone doesn't show PROMISC in the flags
> when I'm running tcpdump or snoop.

For what it's worth, I don't see the PROMISC flag on a VNIC normally.

> I can see all traffic just fine when I run snoop in the global zone.
>
> A possible added difficulty is that the mirror port is spitting out 802.1q
> tagged traffic. I was only getting the LLDP traffic between the switch and
> the router (i.e. untagged) before I configured the nic with a vlan in the
> smartmachine.

When I originally did the unfiltered promisc bits it was focused on
additional mac addresses for KVM guests which would still be on the same
VLAN. There could be some gotchas there. Though, I'd also run dladm
show-linkprop to verify that it's been properly set. Note that this will
require the zone to be halted and then started up again.

Robert
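An added example, not part of the original message and not SmartOS's own code: a small Node.js audit that lists which NICs in a zone's `vmadm get` JSON carry `allow_unfiltered_promisc`, and builds the payload to change it. The sample zone, MACs and nic tags are constructed, and the `update_nics` payload form piped to `vmadm update` is assumed from vmadm's usual NIC update mechanism rather than taken from the thread.

```javascript
'use strict';

// Constructed sample shaped like `vmadm get <uuid>` output (only fields used here).
const SAMPLE_VM = {
  uuid: '00000000-0000-0000-0000-000000000001',
  alias: 'ids0',
  nics: [
    { interface: 'net0', mac: '02:00:00:00:00:01', nic_tag: 'admin' },
    { interface: 'net1', mac: '02:00:00:00:00:02', nic_tag: 'mirror',
      allow_unfiltered_promisc: true },
    { interface: 'net2', mac: '02:00:00:00:00:03', nic_tag: 'mirror',
      vlan_id: 100, allow_unfiltered_promisc: true }
  ]
};

// List every NIC in a zone that has been granted unfiltered promiscuous access.
function auditPromisc(vm) {
  return (vm.nics || [])
    .filter((nic) => nic.allow_unfiltered_promisc === true)
    .map((nic) => ({
      zone: vm.alias || vm.uuid,
      interface: nic.interface,
      mac: nic.mac,
      nic_tag: nic.nic_tag,
      // vlan_id 0 or absent means the vnic is untagged.
      vlan_id: nic.vlan_id || null,
      note: nic.vlan_id
        ? 'vnic bound to VLAN ' + nic.vlan_id + '; check capture for other VLANs'
        : 'untagged vnic; check capture for 802.1q-tagged frames'
    }));
}

// Payload for `vmadm update <uuid>` (read from stdin) that flips the property
// on one NIC, selected by MAC. The zone must be halted and started afterwards.
function promiscUpdatePayload(mac, enable) {
  return JSON.stringify({
    update_nics: [{ mac: mac, allow_unfiltered_promisc: Boolean(enable) }]
  });
}

// Demo run over the constructed sample.
console.log(JSON.stringify(auditPromisc(SAMPLE_VM), null, 2));
console.log(promiscUpdatePayload('02:00:00:00:00:02', false));
```

Run over every zone on a host, this gives an inventory of which zones can see traffic on a shared underlying device, which is worth reviewing alongside the `dladm show-linkprop` check mentioned in the reply.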
