VMware Cloud Community
JamesConaway
Enthusiast

1000v promiscuous veth port groups

I have set up a promiscuous VETH port group on a 1000v. I have found it works, as in the veth port group can ping all VMs in the secondary community and isolated VLANs.


My problem is that Cisco is saying this is NOT supported. They state that the only ports that can be configured as promiscuous are eth ports. This eliminates any possibility of having VMs have promiscuous access to any PVLAN zone.

Why then does the CLI allow for applying "switchport mode private-vlan promiscuous" to a vethernet interface?

port-profile type vethernet SamplePP
  vmware port-group
  switchport mode private-vlan promiscuous
  switchport private-vlan host-association 555 521
  switchport private-vlan mapping 555 520-530,532
  no shutdown
  state enabled

What function is served by applying a promiscuous PVLAN to an eth interface?

If you found this at all helpful please award points by using the correct or helpful buttons! Thanks!
3 Replies
lwatta
Hot Shot

We support promiscuous on eth interfaces so you can extend the PVLAN implementations northbound into your physical network. To do this we have to be able to support promiscuous trunk on the eth interfaces.

Generally you don't want VMs to be on a promiscuous network as then they can see all the traffic from all VMs. I assume you are doing something with your network config that you want a VM to see all traffic?

louis

JamesConaway
Enthusiast

Generally you don't want to, but what if we want to? Let's say, for example, we want a sniffer VM to monitor all traffic, or an authentication server that all the various VMs in the various secondary PVLANs are able to get to.

Is it possible to set up promiscuous PVLANs on vEth interfaces?

If yes, why would Cisco allow it, but not support it?

lwatta
Hot Shot

Engineering says they do allow and support it. The Doc team is updating the documentation so you are safe to set veth ports as promiscuous ports for PVLAN.

louis

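Since a VM on a promiscuous vethernet port can reach every mapped secondary PVLAN, it helps to know which port-profiles grant that access. The following is an added example, not code from any poster in this thread or from Cisco: a small audit over saved port-profile configuration text that lists the promiscuous vethernet profiles and the secondary VLANs each one maps. The function names and the TenantA profile are hypothetical; SamplePP is the profile posted in the question.

```python
import re

# Constructed sample: SamplePP from the question plus a hypothetical host-mode profile.
SAMPLE_CONFIG = """\
port-profile type vethernet SamplePP
  vmware port-group
  switchport mode private-vlan promiscuous
  switchport private-vlan host-association 555 521
  switchport private-vlan mapping 555 520-530,532
  no shutdown
  state enabled
port-profile type vethernet TenantA
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 555 521
  no shutdown
  state enabled
"""

def expand_vlans(spec):
    """Expand a VLAN list such as '520-530,532' into sorted VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return sorted(vlans)

def promiscuous_veth_profiles(config):
    """Map each promiscuous vethernet port-profile (the type VMs attach to;
    ethernet profiles are uplinks) to (primary VLAN, [secondary VLANs])."""
    profiles, name = {}, None
    for line in config.splitlines():
        head = re.match(r"port-profile type (\S+) (\S+)", line)
        stmt = line.strip()
        if head:
            name = head.group(2) if head.group(1) == "vethernet" else None
            if name:
                profiles[name] = {"promisc": False, "map": (None, [])}
        elif stmt and not line[0].isspace():
            name = None  # an unindented statement ends the port-profile block
        elif name and stmt == "switchport mode private-vlan promiscuous":
            profiles[name]["promisc"] = True
        elif name:
            m = re.match(r"switchport private-vlan mapping (\d+) ([\d,-]+)$", stmt)
            if m:
                profiles[name]["map"] = (int(m.group(1)), expand_vlans(m.group(2)))
    return {n: p["map"] for n, p in profiles.items() if p["promisc"]}

if __name__ == "__main__":
    print(promiscuous_veth_profiles(SAMPLE_CONFIG))
```

Each profile it reports is one whose attached VMs, such as the sniffer or authentication server mentioned above, can reach all of the listed secondary VLANs.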