How promiscuous mode works at the virtual switch and portgroup levels

Article ID: 324553


Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

  • Promiscuous mode is a security policy which can be defined at the virtual switch or portgroup level in vSphere ESX/ESXi.
  • A virtual machine, Service Console or VMkernel network interface in a portgroup which allows use of promiscuous mode can see all network traffic traversing the virtual switch.
  • By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest's network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch, on that host only, that are allowed under the VLAN policy for the associated port group. This can be useful for intrusion detection monitoring or when a sniffer needs to analyze all traffic on the network segment.
  • For more information on configuring a virtual switch or portgroup to allow promiscuous mode, see Configuring promiscuous mode on a virtual switch or portgroup.

Environment

VMware ESXi

Resolution

  • When promiscuous mode is enabled at the portgroup level, objects defined within that portgroup have the option of receiving all incoming traffic on the same portgroup on that same host. Interfaces and virtual machines within the portgroup will be able to see all traffic passing on the portgroup on that host, but objects in other portgroups within the same virtual switch cannot.
  • When promiscuous mode is enabled at the virtual switch level, all portgroups within the vSwitch will default to allowing promiscuous mode. However, promiscuous mode can be explicitly disabled at one or more portgroups within the vSwitch, which overrides the default defined at the vSwitch.
  • If software within a virtual machine is attempting to put the guest network adapter in promiscuous mode, contrary to the defined vSwitch or portgroup security policy, it may be necessary to investigate whether the virtual machine is running undesired software.
  • For more information, see Identifying virtual machines attempting to use promiscuous network mode on ESX/ESXi.

Additional Information

Note: Any VM connected to a promiscuous portgroup can view all traffic traversing the associated virtual switch. If promiscuous mode is enabled at the vSwitch level, ensure it is explicitly disabled on portgroups that do not require it.

This setting is useful for scenarios such as:

  • Deploying IDS/IPS solutions to monitor all traffic on specific portgroups.
  • Capturing all network traffic from a specific VM.
  • Using port mirroring for multiple VMs.
  • Monitoring all traffic on one or more portgroups.

When deploying third-party traffic inspection appliances, consult and adhere to the vendor’s official deployment recommendations and best practices. Enabling promiscuous mode duplicates traffic, which introduces additional load and may lead to performance degradation.
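
The override rule from the Resolution section and the check recommended in the Note can be expressed as a small audit. The following is an added example, not VMware code: it models the inheritance in plain Python over a constructed inventory, and the class names, the `APPROVED` allowlist and all vSwitch and portgroup names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class PortGroup:
    name: str
    # None = no override, the vSwitch default applies.
    # True/False = explicit setting on the portgroup, which wins.
    allow_promiscuous: Optional[bool] = None


@dataclass
class VSwitch:
    name: str
    allow_promiscuous: bool = False
    portgroups: List[PortGroup] = field(default_factory=list)


def effective_promiscuous(vs: VSwitch, pg: PortGroup) -> bool:
    """Portgroup setting overrides the vSwitch default when one is defined."""
    return vs.allow_promiscuous if pg.allow_promiscuous is None else pg.allow_promiscuous


def audit(vswitches: List[VSwitch],
          approved: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (vSwitch, portgroup, source) for every portgroup that effectively
    allows promiscuous mode but is not on the approved monitoring list."""
    findings = []
    for vs in vswitches:
        for pg in vs.portgroups:
            if not effective_promiscuous(vs, pg) or (vs.name, pg.name) in approved:
                continue
            source = ("inherited from vSwitch" if pg.allow_promiscuous is None
                      else "set on portgroup")
            findings.append((vs.name, pg.name, source))
    return findings


# Constructed inventory (hypothetical names, not taken from a real host).
INVENTORY = [
    VSwitch("vSwitch0", True, [PortGroup("IDS-Monitor"),
                               PortGroup("Prod-Web"),
                               PortGroup("Prod-DB", False)]),
    VSwitch("vSwitch1", False, [PortGroup("Lab", True), PortGroup("Mgmt")]),
]
APPROVED = {("vSwitch0", "IDS-Monitor")}  # portgroups that need promiscuous mode

if __name__ == "__main__":
    for vswitch, portgroup, source in audit(INVENTORY, APPROVED):
        print(f"{vswitch}/{portgroup}: promiscuous allowed ({source})")
```

Portgroups reported as "inherited from vSwitch" are the ones the Note asks to have explicitly disabled; those reported as "set on portgroup" were enabled deliberately and need a documented reason.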