Unreliable Hyper-V Port Mirroring

Solomon Bachman 0 Reputation points
2024-05-15T20:02:13.73+00:00

To set the stage:

Host: Dell Server, Windows Server 2019 Standard, Xeon E-2660, 64GB RAM, Broadcom NetXtreme Gigabit Ethernet Card

Guest: Gen 1, Debian, 12288 RAM (not dynamic), standard network adapters

Network Equipment: Cisco C3850s

Backstory: Implementing a new IDS from a vendor, which requires the sensor to have traffic mirrored into one of the network adapters. I've followed the standard instructions that you can find (anywhere, everywhere) to enable port mirroring (VM Network Adapter set to destination, VMQ Off - VMSwitch external port set to mirror mode 2).

Problem: When I create the adapter and set up port mirroring, it works for a while (anywhere from 6 hours to 3 days so far) and then ceases to mirror traffic to the VMNetworkAdapter. I've confirmed that the traffic is still entering the host port using Wireshark on the host machine, but when sniffing the interface on the guest, the traffic is not being mirrored. What blows my mind is that it functions for a while and then stops.

Has anyone run into this? Is this an expectation issue? Am I expecting an unusual use to function reliably when I shouldn't?


1 answer

  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 31,256 Reputation points Microsoft Vendor
    2024-05-17T03:57:13.88+00:00

    Hi Solomon,

    Hope you're doing well.

    Implementing port mirroring in a virtualized environment can be challenging, especially when it involves integration with physical network infrastructure and specific requirements for traffic analysis, such as an Intrusion Detection System (IDS). The intermittent functionality you're experiencing is unusual and suggests potential issues with configuration, compatibility, or network stability.

    Since this involves a vendor-provided IDS, engage the vendor's support team. They might have specific insights or configurations that need to be applied to ensure compatibility and stable operation.

    Best Regards,

    Ian Xue


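The failure described in the question leaves the IDS sensor blind without any error, so a counter-based watchdog on the Debian guest can at least flag the moment mirroring stops. The script below is an added example, not part of the original thread or any vendor tooling. The interface name (`eth1`), the 60-second interval, the 50 pps floor and the `mirror-watch` syslog tag are assumptions to adjust.

```shell
#!/bin/sh
# Added example: watchdog for a sniffing interface that silently stops
# receiving mirrored traffic. Interface name and thresholds are assumptions.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # overridable so the logic can be tested

# Print the kernel's received-packet counter for an interface.
rx_packets() {
    cat "$SYSFS_NET/$1/statistics/rx_packets"
}

# Packets per second between two counter samples.
# A counter that went backwards (driver reload, VM restore) is treated as
# restarted from zero instead of producing a negative rate.
rx_rate() {   # rx_rate PREV CUR SECONDS
    if [ "$2" -ge "$1" ]; then delta=$(( $2 - $1 )); else delta=$2; fi
    echo $(( delta / $3 ))
}

# The guest may still receive broadcast and multicast frames after mirroring
# stops, so the counter rarely freezes; compare against a floor, not zero.
mirror_state() {   # mirror_state PREV CUR SECONDS MIN_PPS
    if [ "$(rx_rate "$1" "$2" "$3")" -lt "$4" ]; then
        echo STALLED
    else
        echo OK
    fi
}

# Sample forever and write to syslog only when the state changes.
watch_mirror() {   # watch_mirror IFACE INTERVAL MIN_PPS
    prev=$(rx_packets "$1") || return 1
    last=OK
    while sleep "$2"; do
        cur=$(rx_packets "$1") || return 1
        state=$(mirror_state "$prev" "$cur" "$2" "$3")
        if [ "$state" != "$last" ]; then
            logger -p daemon.warning -t mirror-watch \
                "$1 mirrored traffic $state ($(rx_rate "$prev" "$cur" "$2") pps, floor $3)"
            last=$state
        fi
        prev=$cur
    done
}

# Run only when an interface is named, e.g. MIRROR_IFACE=eth1 sh mirror-watch.sh
if [ -n "${MIRROR_IFACE:-}" ]; then
    watch_mirror "$MIRROR_IFACE" "${INTERVAL:-60}" "${MIN_PPS:-50}"
fi
```

The syslog timestamp of each STALLED transition gives a point to correlate against host-side events when narrowing down what precedes the stall.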