How to pass SPAN port traffic from a Cisco switch to a virtual machine NSM sensor running on Proxmox using a dedicated network interface for mirrored

PNamusha

New Member
Jun 3, 2025
Hi

I'm new to Proxmox, and I'm loving every moment of it. I want to install a network security monitoring sensor (Security Onion) in a production environment, on my Proxmox production server, to monitor traffic on our network. The server has four NICs, and I chose one to be the dedicated port for mirrored traffic. I ran a cable from it to my Cisco switch, which is configured with mirror sessions. Can anyone please guide me on what I need to configure on Proxmox to be able to capture all traffic from the switch on the sensor device on Proxmox? I also wanted to know if I can use the same port for different sensors that I want to install on the Proxmox server.

Best Regards
 
Okay, so you mirror all your switch traffic to one port and have connected a NIC of the Proxmox host to it. Now you want this traffic to be forwarded to a VM, right?
If so, then it should be sufficient if you place a bridge on the interface and attach the desired VM to the bridge.
And yes, in theory you could add multiple VMs to that bridge, but please be careful in case the VMs try to respond to the traffic.
 
Hi, thanks for the prompt response. And yes, you got the scenario right. So that means I don't have to make any configuration of any sort on the Proxmox server? I was thinking more about the promiscuous mode configuration part. So I just create a bridge, attach the VM, and all traffic should pass through?
 
When you're using VLANs you should make the bridge VLAN aware, but other than that I don't think there is anything necessary.
Setting the bridge port to promiscuous is not necessary since ifup does this anyway; otherwise the bridge would not get all traffic for other MAC addresses.
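
As an added example (not part of the thread or of Proxmox itself), this script checks an ifupdown-style `/etc/network/interfaces` file for the setup described above: a separate bridge on the dedicated mirror NIC, made VLAN aware. The names `vmbr0`, `vmbr1`, `eno1`, `eno4` and the addresses are constructed, and the rules that the capture bridge carries no host IP address and does not share its NIC with another bridge are this example's assumptions.

```shell
#!/bin/sh
# Constructed sample: eno1 carries management, eno4 is cabled to the SPAN port.
sample_interfaces() {
cat <<'EOF'
auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10/24
    gateway 192.0.2.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge-ports eno4
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
EOF
}

# audit_capture_bridge FILE BRIDGE: one finding per line; exit status 0 means clean.
audit_capture_bridge() {
    awk -v br="$2" '
        $1 == "iface" { cur = $2 }                       # track the current stanza
        $1 == "iface" && $2 == br { found = 1; method = $4 }
        { key = $1; gsub(/_/, "-", key) }                # accept bridge_ports spelling too
        key == "bridge-ports" {
            for (i = 2; i <= NF; i++) users[$i]++        # count bridges using each NIC
            if (cur == br) { nports = NF - 1; port = $2 }
        }
        cur == br && key == "address"           { addr = 1 }
        cur == br && key == "bridge-vlan-aware" { vlan = $2 }
        END {
            if (!found) { print "no-stanza: " br " is not defined"; exit 1 }
            if (method != "manual" || addr) { print "host-ip: " br " has a host address, expected inet manual"; bad = 1 }
            if (nports != 1 || port == "none") { print "ports: expected exactly one physical port on " br; bad = 1 }
            if (nports == 1 && users[port] > 1) { print "shared: " port " is also a port of another bridge"; bad = 1 }
            if (vlan != "yes") { print "vlan: bridge-vlan-aware yes is not set (needed when the mirror carries VLANs)"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Demo on the constructed sample: vmbr1 passes, the management bridge vmbr0 does not.
tmp=$(mktemp) && sample_interfaces > "$tmp"
audit_capture_bridge "$tmp" vmbr1 && echo "vmbr1: ok"
audit_capture_bridge "$tmp" vmbr0 || echo "vmbr0: not a capture bridge"
rm -f "$tmp"
```

On a real host, call `audit_capture_bridge /etc/network/interfaces vmbr1` with the name of the bridge the sensor VM's sniffing interface is attached to.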