Suricata in a virtual machine?

I’m responsible for a small IT environment with Linux, mostly SLES 15. We have some servers behind the network router; I don’t have access to the router. We are connected to the router with a switch, and the uplink of the switch goes via fibre to the router. We have several powerful hosts running websites, databases and virtual machines (qemu-kvm). With the switch I wanted to mirror the uplink port to one ethernet adapter of one server. I tested that, it works fine. The eth to which all traffic is mirrored is not used for anything else. My idea is to run Suricata in a virtual Ubuntu. Normally a VM is connected to the network via a bridge in the host server. I’m afraid that the VM attached to the bridge does not receive the traffic from the mirrored port. How can I achieve this?

It’s been a long time since I tried this, but I know it does require some experimentation. I believe I got it to work once by dedicating the NIC to the VM and making use of KVM’s passthrough mode.

I believe I also got it to work using macvlan as well, but can’t remember. Unfortunately I’m not set up to test at the moment.

The problem with basic bridging is that the bridge is probably not going to pass any traffic to the VM that is not destined for the VM’s MAC address, making this a bit tricky, and not the same as dropping a physical box and network card on that switch port.

I got it. I attached a network adapter from the host to the guest via “PCI Passthrough”. The ethernet port from the host gets all packets from the switch and passes them through to the guest.
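As an added example (not code from anyone in this thread), the two checks a host admin wants before handing a mirror-port NIC to the Suricata guest with libvirt/KVM PCI passthrough: confirm which devices share the NIC's IOMMU group (VFIO moves the whole group, so anything else listed leaves the host too) and render the libvirt `<hostdev>` element for it. The PCI address 0000:03:00.0, the guest name suricata-sensor and the sysfs root parameter are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical values: mirrored NIC at
# PCI address 0000:03:00.0, libvirt guest "suricata-sensor". SYSFS_ROOT is a
# parameter so the group check can be exercised against a constructed tree.

# List every PCI device in the same IOMMU group as the given device.
# The ideal output is only the NIC itself; extra entries would be detached
# from the host along with it.
iommu_group_members() {
    sysfs_root=$1
    pci=$2
    group_link="$sysfs_root/bus/pci/devices/$pci/iommu_group"
    if [ ! -e "$group_link" ]; then
        echo "no IOMMU group for $pci (IOMMU disabled in BIOS/kernel?)" >&2
        return 1
    fi
    group=$(basename "$(readlink -f "$group_link")")
    ls "$sysfs_root/kernel/iommu_groups/$group/devices"
}

# Render the libvirt <hostdev> element for an address of the form DDDD:BB:SS.F.
# managed='yes' lets libvirt rebind the NIC to vfio-pci and back itself.
hostdev_xml() {
    pci=$1
    dom=${pci%%:*};   rest=${pci#*:}
    bus=${rest%%:*};  rest=${rest#*:}
    slot=${rest%%.*}; func=${rest#*.}
    printf "<hostdev mode='subsystem' type='pci' managed='yes'>\n"
    printf "  <source><address domain='0x%s' bus='0x%s' slot='0x%s' function='0x%s'/></source>\n" \
        "$dom" "$bus" "$slot" "$func"
    printf "</hostdev>\n"
}

# Run with the argument "apply" on the host to perform the attachment.
if [ "${1:-}" = "apply" ]; then
    NIC=0000:03:00.0        # hypothetical mirrored NIC
    GUEST=suricata-sensor   # hypothetical guest name
    echo "IOMMU group of $NIC contains:"
    iommu_group_members /sys "$NIC" || exit 1
    hostdev_xml "$NIC" > /tmp/hostdev.xml
    # --config persists the device in the domain XML across guest restarts
    virsh attach-device "$GUEST" /tmp/hostdev.xml --config
fi
```

Once the guest sees the NIC, point Suricata's capture interface (af-packet) at it; a mirror port only delivers copies of traffic, so the interface needs no IP address in the guest.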