How to pass SPAN port traffic from a cisco switch to a virtual machine NSM sensor running on proxmox using a dedicated network interface for mirrored

P

PNamusha

New Member
Jun 3, 2025
6
0
1
Hi

im new to proxmox, and im loving it every moment. so i want to install a network security monitoring sensor in production environment (Security Onion) to monitor traffic on our network on my proxmox production server. so, i have a server that have four NICs and i chose one to be dedicated port for mirrored traffic. so i run a cable that i connected to my cisco switch that is configured with mirror sessions. can any one please guide me on what i need to configure on proxmox for me to be able to capture all traffic from the switch to the sensor devise on proxmox. and i also wanted to know if i can use the same port for different sensors that i want to install on proxmox server.

Best Regards
 
Okay, so you mirror all your switch traffic to one port and have connected a NIC of the Proxmox host to it. Now you want this traffic to be forwarded to a VM, right?
If so, then it should be sufficient if you place a bridge on the interface and attach the desired VM to the bridge.
And yes in theory you could add multiple VMs to that bridge, but please be careful in case the VMs are trying to respond to the traffic.
 
Hi thanx for the prompt response. and yes, you got the scenario right. so, meaning I don't have to make any configuration of any sort on the proxmox server? i was thinking more on the promiscious mode configuration part. so, i just create a bridge, attach the vm and all traffic should pass through?
 
when you're using VLANs you should make the Bridge VLAN aware, but other that i don't think there is anything necessary.
Setting the bridge-port to promiscous is not necessary since ifup does this anyways, else the bridge would not get all traffic for other mac-addresses
 
PNamusha said:
Okay. thank you very much. I will give it a go and see what happens. thank you so much
Click to expand...
So, did it work? Just doing the bridge with the NIC and adding the guest vm to it, as per @hd-- suggestion, for me was a no go. I'll dive more into it...
 
melcon said:
So, did it work? Just doing the bridge with the NIC and adding the guest vm to it, as per @hd-- suggestion, for me was a no go. I'll dive more into it...
Click to expand...
Hi melcon.. i tried the suggestion but it actually never worked.. please feel to advice on how to get it work if you have any ideas, i will highly appreciate it
 
melcon said:
So, did it work? Just doing the bridge with the NIC and adding the guest vm to it, as per @hd-- suggestion, for me was a no go. I'll dive more into it...
Click to expand...
Hi Melcom.. sorry for the late reply. naahh.. i didnt work, im still struggling with it. please assist if you can
 
PNamusha said:
Hi Melcom.. sorry for the late reply. naahh.. i didnt work, im still struggling with it. please assist if you can
Click to expand...
did you get it right?
melcon said:
So, did it work? Just doing the bridge with the NIC and adding the guest vm to it, as per @hd-- suggestion, for me was a no go. I'll dive more into it...
Click to expand...
Hi melcom.. sorry for the late reply, naah, it didnt work. im still struggling with it. did you get it right? please assist if you can
 
PNamusha said:
Hi melcon.. i tried the suggestion but it actually never worked.. please feel to advice on how to get it work if you have any ideas, i will highly appreciate it
Click to expand...
Well, I have decided to reboot the host and now I can see the SPAN traffic showing up on vmbr1 from pve when looking at it with tcpdump. However, the vm still doesn't get any of it yet.
 
Last edited:
You must log in or register to reply here.
Top Bottom