Promiscuous Mode and Server Team Concerns Solution
11-11-2019 10:35 PM - edited 11-14-2019 12:55 AM
Hey Aruba Customers and Partners!
Quickly, one of the common concerns I run into when deploying Aruba virtual appliances on VMware and other hypervisors is enabling Promiscuous mode on the vSwitch. Whether it's ClearPass (CPPM spoofs the activate MAC, so promiscuous mode is not needed; FT is another story) or vMobility Controller VIPs, Promiscuous mode is needed to let the guest OS receive packets not originally destined for its own MAC address.
Often a vMC sits within a common VLAN used by other production workloads. When this happens, the virtual team often raises a security concern about enabling a global vSwitch/vDS change for all workloads, or they don't want to modify the existing virtual port group with the other workloads attached.
The simple answer that is often overlooked is to create another virtual port group. This can carry the same VLAN configuration as your other port groups, yet you can adjust all sorts of settings on it independently, such as uplink priority, load balancing algorithms, and of course, Promiscuous mode.
For example, in my home lab I have VMs galore on my basic vSwitch: Windows servers, file servers, etc. Yet I have no need for them to see packets not destined for them. There are no VIPs and no fake MAC addresses hosted on those VMs. On the other hand, I run a VIP between my two Virtual Mobility Controllers, and I do need each of them to see incoming packets destined for that VIP address, as well as each potential owner of that VIP to be able to send packets (Forged Transmits) from the VIP MAC address.
Firstly, configure a new Virtual Machine Port Group matching the VLAN settings you need, i.e. 4095 to present every VLAN, or the specific VLAN(s) you need on the workloads attached to the port group. Don't worry if this overlaps another virtual port group with the same VLAN settings.
Then, simply edit the virtual port group and override the security settings inherited from the vSwitch/vDS itself, enabling Promiscuous mode and Forged Transmits on that port group only. These are old thick vSphere client screenshots, but you get the idea.
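The same two steps done from PowerCLI instead of the thick client, as an added example that is not part of the original post. The vCenter, host, vSwitch, port group and VM names are placeholders I made up; the point it demonstrates is that the override lands on the new port group while the vSwitch (and the production port groups inheriting from it) keep rejecting promiscuous mode and forged transmits.

```powershell
# Added example, not from the original post. Placeholder names throughout:
# vCenter 'vcenter.example.local', host 'esx01.example.local', standard
# vSwitch 'vSwitch0', new port group 'vMC-VIP-PG', VMs 'vMC-01' and 'vMC-02'.
Connect-VIServer -Server vcenter.example.local

$vmHost  = Get-VMHost -Name esx01.example.local
$vSwitch = Get-VirtualSwitch -VMHost $vmHost -Name vSwitch0

# Step 1: a second port group with the VLAN settings the vMCs need.
# 4095 trunks every VLAN to the guest; use a specific ID instead if the
# VIP lives in one VLAN. Overlapping an existing port group's VLAN is fine.
$pg = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name 'vMC-VIP-PG' -VLanId 4095

# Step 2: override the security policy inherited from the vSwitch on this
# port group only. Promiscuous mode lets both vMCs receive frames addressed
# to the VIP MAC; Forged Transmits lets the current VIP owner send from it.
$pg | Get-SecurityPolicy | Set-SecurityPolicy `
    -AllowPromiscuousInherited $false -AllowPromiscuous $true `
    -ForgedTransmitsInherited  $false -ForgedTransmits  $true

# Check: the vSwitch itself stays locked down, only the new port group is relaxed.
Get-SecurityPolicy -VirtualSwitch $vSwitch   | Select-Object AllowPromiscuous, ForgedTransmits
Get-SecurityPolicy -VirtualPortGroup $pg     | Select-Object AllowPromiscuous, ForgedTransmits

# Move only the vMC NICs onto the new port group; every other workload keeps
# its existing port group and therefore never sees traffic that isn't its own.
Get-VM -Name 'vMC-01', 'vMC-02' |
    Get-NetworkAdapter |
    Set-NetworkAdapter -Portgroup $pg -Confirm:$false
```

Because promiscuous mode is evaluated per port group, only VMs attached to 'vMC-VIP-PG' can see the VLAN's other unicast traffic; the first Get-SecurityPolicy line should still report False for both settings on the vSwitch after the change, which is the evidence the server team usually wants to see.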
Remember, Promiscuous is not just a song from Nelly Furtado, but it's needed for virtual appliances as well. I hope this helps... And I'm curious whether you hear the same concerns. This was a quick post that I'll proof later - sorry if there are spelling errors.