Configuring a Port Mirror on Proxmox VE for Trisul NSM

Proxmox VE is a leading enterprise virtualization platform that uses a KVM-based hypervisor along with a nice web-based management interface. We like Proxmox for NSM (Network Security Monitoring) applications due to its higher performance.

In this article we talk about how you can create a Proxmox Virtual Machine running TrisulNSM and how you can connect a port span cable and bring the traffic into the virtual machine.

The setup

The challenge is to map a single physical port on the server running Proxmox to an internal VM which will be running Trisul Network Analytics. The physical port will typically be connected to a Port Mirror or SPAN port on a switch whose traffic is to be monitored.

Create a new bridge

The good news is that Proxmox is based on Debian 9, so you can log in directly to the system and make configuration changes. Log on to the Proxmox server directly, create a new bridge, and add the physical port as the only member of that bridge.

Edit /etc/network/interfaces and enter the following:

auto vmbr7
iface vmbr7 inet manual
	bridge_ports enp2s0f1
	bridge_stp off
	bridge_fd 0
	bridge_ageing 0

Then

systemctl restart networking

Basically, this creates a dumb bridge with bridge_ageing set to zero. With no ageing time the bridge does not retain learned MAC addresses, so it floods every packet to whoever is connected, like a hub.

Now brctl show should show you the new bridge.
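brctl show only lists the bridge and its members. The following added example (not part of the original article) reads the bridge settings from sysfs to confirm that vmbr7 really is in flood-everything mode and to list every other port that will receive a copy of the mirrored traffic. The function name check_span_bridge and its optional third argument (an alternate sysfs root, used only for testing against a constructed tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that a Linux bridge is set up as a hub-like SPAN bridge.
# Usage: check_span_bridge BRIDGE UPLINK [SYSROOT]
#   SYSROOT defaults to /sys (hypothetical parameter, for offline testing).
check_span_bridge() {
    br=$1; uplink=$2; sysroot=${3:-/sys}
    dir="$sysroot/class/net/$br"
    rc=0

    if [ ! -d "$dir/bridge" ]; then
        echo "FAIL: $br is not a bridge (no $dir/bridge)"
        return 2
    fi

    # bridge_ageing 0: learned MAC entries expire immediately, so every
    # frame is flooded to all ports instead of being switched to one port.
    ageing=$(cat "$dir/bridge/ageing_time")
    [ "$ageing" = "0" ] || { echo "FAIL: ageing_time=$ageing (want 0)"; rc=1; }

    # bridge_stp off: the bridge does not run spanning tree on the SPAN link.
    stp=$(cat "$dir/bridge/stp_state")
    [ "$stp" = "0" ] || { echo "FAIL: stp_state=$stp (want 0)"; rc=1; }

    # bridge_fd 0: ports start forwarding without a listening/learning delay.
    fd=$(cat "$dir/bridge/forward_delay")
    [ "$fd" = "0" ] || { echo "FAIL: forward_delay=$fd (want 0)"; rc=1; }

    # The physical port cabled to the switch SPAN port must be a member.
    [ -e "$dir/brif/$uplink" ] || { echo "FAIL: $uplink not in $br"; rc=1; }

    # Every other member sees the full mirrored traffic, so this list
    # should contain only the sensor VM's tap interface.
    for p in "$dir"/brif/*; do
        [ -e "$p" ] || continue
        name=${p##*/}
        [ "$name" = "$uplink" ] || echo "INFO: $name receives mirrored traffic"
    done

    [ "$rc" -eq 0 ] && echo "OK: $br floods all frames from $uplink"
    return "$rc"
}

# Run against the live system when called with arguments, e.g.:
#   sh check_span_bridge.sh vmbr7 enp2s0f1
if [ "$#" -ge 2 ]; then check_span_bridge "$@"; fi
```

Run it again once the VM is started: the only INFO line should be the tap interface of the Trisul VM.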

Add a new interface to a VM using this bridge vmbr7

Next, log on to Proxmox VE and add a new sniffing interface using Hardware → Add → Network Device.

Then select the new bridge for this interface as shown below

Then go back and review the VM. There should be TWO interfaces, one for management and the other for sniffing. It should look like this.

Configure the capture interface within the VM

Now boot up the VM and you will find two adapters. Using the MAC address you can go back to the Proxmox UI and determine which adapter maps to which bridge. Assign an IP address to the management interface and leave the other one without an IP.

Typing ifconfig -a gives you something like below

Make sure you run ifconfig ens19 up. Otherwise you may not be able to capture from that interface.

We're done. Now, all you need to do is capture from ens19 using Trisul Network Analytics. Install Trisul, then go to admin/admin Capture Profiles and select ens19.

Hope this helps. Trisul is designed to be frugal in resource usage, so we can install several such Trisul instances on a single Proxmox platform using this technique.

-end-

articles/proxmox_span.txt · Last modified: 2018/04/27 17:52 by veera