cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3293
Views
2
Helpful
4
Replies
Highlighted
Beginner

Cisco VM Wireless Controller and promiscuous Mode

Just setting up a new virtual wireless controller and would like to better explain to the customer why we need to enable the setting on a virtual switch.  can someone help me understand what will or will not work if the setting if off vs on.

Everyone's tags (1)
4 REPLIES 4
Highlighted
Enthusiast

Cisco VM Wireless Controller and promiscuous Mode

VMWare provides a pretty good explanation of the topic.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1002934

Since the "data port" of the vWLC is generally (but not required) to be used for mulitple networks such as management as well as any dynamic interfaces you create, the promicuous mode will make sure "all" traffic is passed through the vSwitch/port-group to the "vm"/vWLC in this case.  In the case of the vWLC, you will also configure your VM Network to allow all VLANs (VLAN 4095).  This allows the VM infrastructure to pass all 802.1q trunk tags to/from the vWLC for the various interfaces.  If promiscuous mode is not configured, the vSwitch will only pass traffic to the VM that is for it's respective network, which will either be a single VLAN (if defined and not VLAN 4095) or the native VLAN (if using VLAN 4095) of the switchport, since the ESX host doesn't "know" which newtwork the management actually resides on when using VLAN 4095.

Basically, if you're going to have more interfaces than just a "management" interface (ie, various dynamic interfaces) You "must" configure both promiscuous mode as well as specify VLAN 4095 for the "vlan assignment" of the VM Network you attach the vWLC Data port to.

Highlighted
Rising star

Cisco VM Wireless Controller and promiscuous Mode

Highlighted
Beginner

Cisco VM Wireless Controller and promiscuous Mode

Bumping this thread because I just ran into this and still don't entirely understand why promiscuous mode is needed.

I read about it in the Cisco Virtual WLC Deployment Guide and thought I didn't need it (and was unsure of the impact since the guide implies configuring it on the entire vSwitch instead of just a new port-group).. .therefore ignored that part.   

Promiscuous mode is a security policy which can be defined at the virtual switch or portgroup level in vSphere ESX/ESXi. A virtual machine, Service Console, or VMkernel network interface in a portgroup which allows the use of promiscuous mode can see all network traffic traversing the virtual switch.

By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest's network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch that are allowed under the VLAN policy for the associated portgroup. This can be useful for intrusion detection monitoring or if a sniffer needs to analyze all traffic on the network segment.

The vWLC Data Port requires the assigned vSwitch to accept Promiscuous mode for proper operations.

So without promiscuous mode configured, I could ping and login just fine to the mgmt interface.  So ARP and therefore broadcasts must be making it through to the WLC.  But the AP's wouldn't join the vWLC.  Debugs on the vWLC showed discovery requests received from the AP's, then discovery responses going back out to the AP, but the vWLC would never see a join from the AP.  Indeed, enabling promiscuous mode fixes everything.

So a few questions:

q1.  Why would ARP and therefore broadcasts work without promiscuous mode enabled, yet not AP Joins?  Aren't joins just broadcasts?  (in my case the AP and vWLC are in the same subnet/vlan).  If I put wireshark on any existing VM I have (not using promiscuous mode) of course I see broadcasts, multicasts, etc.  What is so special about a join?

q2.  I'm also trying to understand vmware's definition of what Promiscuous mode = "accept" means.  If I have 100 VM's hanging off a vswitch, does "accept" mean (1) "only if a VM requests promiscuous mode, send that 1 VM everything" or (2) "send everything through that vSwitch to all 100VM's"

(1)  would be what I hope would happen

(2) would be what I'm afraid would happen — and is more like port mirroring (and really suck if we don't have enough physical ports to make a new vSwitch)

q3.  Depending on the answer to q2, I would imagine most people aren't really going to add an entirely new vSwitch for wireless.  So is adding a new portgroup to an existing vSwitch the better way to go (even if the vlan is the same as an existing portgroup in the existing vSwitch)?  And then just making that new portgroup accept promiscuous mode instead of the entire existing vSwitch?

Thoughts?

Beginner

Cisco VM Wireless Controller and promiscuous Mode

I think I understand the reasoning as to why the promiscuous mode would need to be enabled when used with central switching.

However if you use Flexmode with local switching the vWLC management port would only need to be connected to the AP's on the vlan that manages the AP's. The vlan's needed for the various SSID would only be needed at the AP's not the vWLC. Or am I missing something here?

CreatePlease to create content
Content for Community-Ad