Posted to users@cloudstack.apache.org by David Merrill <da...@otelco.com> on 2018/09/28 18:47:51 UTC

TAP/SPAN...

We’ve got a client who would like to ship a copy of all packets that pass through their virtual router to an appliance (that we’d place on their VLAN).

I’ve searched a bit (I’d hoped to see some mention of it in the users list) and haven’t found specific references to TAP/SPAN related to CloudStack; is there a convention for such things? I’m a (tiny) little out of my depth; is this the kind of thing that I might find (if it existed) here:


  *   http://docs.cloudstack.apache.org/en/4.11.1.0/adminguide/networking.html?highlight=network%20service%20providers

At the very least is something like this (a kind of roll-your-own SPAN) possible on the virtual router?


  *   https://networkhop.wordpress.com/2016/04/27/port-mirroring-with-iptables/

I wish this had come up at the collab in Montreal (having JUST been there earlier this week), but so it goes.

Thanks for any consideration/feedback,
David

David Merrill
Senior Systems Engineer,
Managed and Private/Hybrid Cloud Services
OTELCO
92 Oak Street, Portland ME 04101
office 207.772.5678
www.otelco.com/business/managed-services

Confidentiality Message
The information contained in this e-mail transmission may be confidential and legally privileged. If you are not the intended recipient, you are notified that any dissemination, distribution, copying or other use of this information, including attachments, is prohibited. If you received this message in error, please call me at 207.772.5678<callto:207.772.5678> so this error can be corrected.


Re: TAP/SPAN...

Posted by Andrija Panic <an...@gmail.com>.
Any changes inside the VR are not persistent, so on the next restart you lose all customisation. Now, if those VR rules work, you COULD technically pull some magic with a Jenkins job and some Python scripting to connect to the VR and determine if the needed rules are in place, and if not, to apply them... (some of my colleagues did that a long time ago...) but it's a messy solution and not really recommended.

Cheers





On Fri, Oct 12, 2018, 22:19 David Merrill <da...@otelco.com> wrote:


Re: TAP/SPAN...

Posted by David Merrill <da...@otelco.com>.
I'd hoped I could simply "mirror the VLAN" to a specific interface on the switch, but Dell Support says I cannot pull this off with the switches we have in place.

So, I'm back to considering mucking with the client's virtual router.

What this site suggests:

 *   https://networkhop.wordpress.com/2016/04/27/port-mirroring-with-iptables/

seems reasonable (in principle):

 iptables -t mangle -I PREROUTING -j TEE --gateway a.b.c.d
 iptables -t mangle -I POSTROUTING -j TEE --gateway a.b.c.d

and easy enough to undo (in principle).

Downsides include:

 1. Overhead associated with duplicating packets
 2. Redoing it should the router need to be recreated (presuming that any edits wouldn't stick).

Surely I can't be the only one to have considered doing something like this; maybe folks run some 3rd-party virtual appliance to get this kind of thing done?

David Merrill
Senior Systems Engineer,
Managed and Private/Hybrid Cloud Services
OTELCO
92 Oak Street, Portland ME 04101
office 207.772.5678
www.otelco.com/business/managed-services

On 9/28/18, 3:09 PM, "Simon Weller" <sw...@ena.com.INVALID> wrote:


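An added example, not code from the thread or from the CloudStack project, of the "check whether the rules are in place, and re-apply them if not" loop Andrija describes, built around the two TEE rules David quotes above. It is a POSIX shell script meant to be run on the VR (or pushed to it over SSH from a cron/Jenkins job) after every restart or recreate. `MIRROR_TARGET` (defaulting to the RFC 5737 documentation address 192.0.2.10), the `SAMPLE_RULES` offline hook and the `--undo` flag are assumptions made for illustration; the script prints the `iptables` commands it would run rather than running them, so it can be reviewed before piping through `sh`.

```shell
#!/bin/sh
# Added example, not the project's code: check whether the TEE mirror rules from
# the thread are present in the VR's mangle table and print the commands needed
# to (re)apply or remove them. Intended to run on the VR as root after each
# restart/recreate, since VR changes do not persist.
#
# MIRROR_TARGET is the appliance that should receive the copies; 192.0.2.10 is a
# placeholder (RFC 5737 documentation range). TEE requires the gateway to be on
# a directly connected network, i.e. on the VLAN the VR itself sits on.
MIRROR_TARGET="${MIRROR_TARGET:-192.0.2.10}"
CHAINS="PREROUTING POSTROUTING"

# Current mangle-table rules in `iptables -S` form. SAMPLE_RULES is an
# offline hook (constructed input) so the logic can be exercised off the VR.
current_mangle_rules() {
    if [ -n "${SAMPLE_RULES:-}" ]; then
        printf '%s\n' "$SAMPLE_RULES"
    else
        iptables -t mangle -S
    fi
}

# Print, one per line, the chains that have no TEE rule towards MIRROR_TARGET.
# Empty output means the mirror is fully in place and nothing needs doing.
missing_tee_chains() {
    rules=$(current_mangle_rules)
    for chain in $CHAINS; do
        printf '%s\n' "$rules" \
            | grep -q -- "^-A $chain .*-j TEE --gateway $MIRROR_TARGET" \
            || echo "$chain"
    done
}

# Commands that restore only the missing rules. Idempotent: running this twice
# never stacks duplicate TEE rules. Pipe through `sh` to apply.
apply_commands() {
    for chain in $(missing_tee_chains); do
        echo "iptables -t mangle -I $chain -j TEE --gateway $MIRROR_TARGET"
    done
}

# Commands that undo the mirror (the "easy enough to undo" part).
undo_commands() {
    for chain in $CHAINS; do
        echo "iptables -t mangle -D $chain -j TEE --gateway $MIRROR_TARGET"
    done
}

# Stand-alone use: `sh mirror-check.sh` prints what still has to be applied,
# `sh mirror-check.sh --undo` prints the removal commands. Skipped when neither
# iptables nor the offline sample is available.
if [ -n "${SAMPLE_RULES:-}" ] || command -v iptables >/dev/null 2>&1; then
    if [ "${1:-}" = "--undo" ]; then
        undo_commands
    else
        apply_commands
    fi
fi
```

Two practical points the thread touches on: inserting in both PREROUTING and POSTROUTING, as the quoted commands do, copies every forwarded packet twice (once on entry, once on exit), so a single rule in one chain halves the duplication overhead David lists as downside 1 if the appliance only needs one copy. The copies keep their original source and destination addresses; the appliance's capture tool will see them, but its own IP stack will not answer them, so the appliance should sit on the VR's VLAN and be treated purely as a listener.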
Re: TAP/SPAN...

Posted by Simon Weller <sw...@ena.com.INVALID>.
David,


So I assume the customer is in an isolated network between the VR and their VMs?


If so, just SPAN that vlan to another port on your switch and tap it there.


________________________________
From: David Merrill <da...@otelco.com>
Sent: Friday, September 28, 2018 2:01 PM
To: users@cloudstack.apache.org
Subject: Re: TAP/SPAN...

XenServer 6.5



Re: TAP/SPAN...

Posted by David Merrill <da...@otelco.com>.
XenServer 6.5

Thanks,
David

David Merrill
Senior Systems Engineer,
Managed and Private/Hybrid Cloud Services
OTELCO
92 Oak Street, Portland ME 04101
office 207.772.5678
www.otelco.com/business/managed-services



On 9/28/18, 2:54 PM, "Simon Weller" <sw...@ena.com.INVALID> wrote:



Re: TAP/SPAN...

Posted by Simon Weller <sw...@ena.com.INVALID>.
What hypervisor are you using?


If you're using KVM, you could add a vlan VIF into the bridge in question and then dump that traffic somewhere via a replicated span on your switch.


-  Si


________________________________
From: David Merrill <da...@otelco.com>
Sent: Friday, September 28, 2018 1:47 PM
To: users@cloudstack.apache.org
Subject: TAP/SPAN...
