Security Analytics Virtual Appliance may not receive VLAN tagged traffic

Article ID: 168455

Products

Security Analytics

Issue/Introduction

The Security Analytics system can capture and index VLAN-tagged traffic.

When Security Analytics (SA) runs as a virtual appliance under ESX, the virtual networking components of ESX discard VLAN-tagged traffic by default before it reaches the SA VM. As a result, that traffic will not be found in SA.
 

Cause

In an ESX vSwitch configuration, the default behavior of a Virtual Machine Port Group is to discard incoming VLAN-tagged traffic before it reaches the VM. For more detail on Virtual Machine Port Groups, see VMware's ESXi or vSphere documentation.

 

Resolution

For each vSwitch being used to send Capture traffic to the SA VMs, click "Properties...":

ESX vSwitch overview

Select the Virtual Machine Port Group for the SA VM's capture interface(s), and select "Edit...":

ESX vSwitch properties page

Modify the port group's VLAN ID field: either enter the single VLAN ID (a number between 1 and 4094) that the SA VM needs to capture, or set it to "All (4095)" to pass all VLAN-tagged traffic to the SA VM. Click OK to save changes.

ESX Virtual Machine Port Group properties

The SA VM should now see the desired VLAN-tagged traffic on its Capture interface(s).
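One way to confirm the change took effect is to tally the VLAN tags present in a packet capture taken from the capture interface. The following is an added example, not part of the original article or of Security Analytics; it assumes a classic-format pcap file with Ethernet link type, and the function names and the embedded sample capture are constructed for illustration.

```python
import struct
from collections import Counter

TAG_TPIDS = (0x8100, 0x88A8)  # 802.1Q tag, 802.1ad (QinQ) outer tag

def vlan_ids(frame):
    """Return the VLAN IDs carried by one Ethernet frame, outermost first."""
    ids, offset = [], 12  # the TPID/EtherType follows the two 6-byte MAC addresses
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in TAG_TPIDS:
            break
        ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return ids

def tally_pcap(data):
    """Count frames per outer VLAN ID in a classic pcap; untagged frames count under None."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, pos = Counter(), 24  # per-packet records start after the 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, pos + 8)[0]
        ids = vlan_ids(data[pos + 16 : pos + 16 + incl_len])
        counts[ids[0] if ids else None] += 1
        pos += 16 + incl_len
    return counts

def sample_pcap():
    """Constructed sample: frames tagged VLAN 100 and VLAN 200, plus one untagged frame."""
    macs = bytes(12)
    frames = [
        macs + struct.pack("!HHH", 0x8100, 100, 0x0800) + bytes(46),
        macs + struct.pack("!HHH", 0x8100, (5 << 13) | 200, 0x0800) + bytes(46),
        macs + struct.pack("!H", 0x0800) + bytes(46),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for vid, n in tally_pcap(sample_pcap()).items():
        print("untagged" if vid is None else f"VLAN {vid}", n)
```

To check a real capture, pass the file contents to `tally_pcap`, for example `tally_pcap(open(path, "rb").read())`. If only the `None` (untagged) bucket is populated on a link that should carry tagged traffic, the port group is probably still not passing the tags through.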
 
