Unreliable Hyper-V Port Mirroring

Question

To set the stage:

Host: Dell Server Windows Server 2019 Standard Xeon E-2660 64GB RAM Broadcom NetExtreme Gigabit Ethernet Card

Guest: Gen 1 Debian 12288 RAM (not dynamic) standard network adapters

Network Equipment: Cisco C3850s

Backstory: Implementing a new IDS from vendor which requires the sensor to have traffic mirrored into one of the network adapters. I've followed the standard instructions that you can find (anywhere, everywhere) to enable port mirroring (VM Network Adapter set to destination, VMQ Off - VMSwitch external port set to mirror mode 2).

Problem: When I create the adapter and set up port mirroring it works for a while (anywhere from 6 hours to 3 days so far) and then ceases to mirror traffic to the VMNetworkAdapter. I've confirmed that the traffic is still entering the host port using wireshark on the host machine, but sniffing the interface on the Guest the traffic is not being mirrored. What blows my mind is that it functions for a while and then stops.

Has anyone run into this? Is this an expectation issue, am I expecting an unusual use to function reliably when I shouldn't?

Answer 1

Hi Solomon,

Hope you're doing well.

Implementing port mirroring in a virtualized environment can be challenging, especially when it involves integration with physical network infrastructure and specific requirements for traffic analysis, such as an Intrusion Detection System (IDS). The intermittent functionality you're experiencing is unusual and suggests potential issues with configuration, compatibility, or network stability.

Since this involves a vendor-provided IDS, engage the vendor's support team. They might have specific insights or configurations that need to be applied to ensure compatibility and stable operation.

Best Regards,

Ian Xue

---

If the Answer is helpful, please click "Accept Answer" and upvote it.