Talking about the "promiscuous mode" of ESXi virtual switches and port groups
2022-07-28 06:25:00 【yqowen】
Quite a few uploaders' tutorials on running a soft router in an ESXi virtual machine say that the security policy of the ESXi virtual switch should be set to "promiscuous mode", but almost none of them explain in any detail what "promiscuous mode" is or in which situations it should be enabled. I'll dig the hole first and write it up when I come back tomorrow.
Filling in the hole after playing around ~ (almost a year later, filling it in again).
In vSphere Virtual Network 02 - Virtual Switches, I introduced the two kinds of vSphere virtual switches: standard and distributed. The scope at which "promiscuous mode" takes effect also differs between the two. Take the standard virtual switch as an example: the security policy at the virtual switch level has a "promiscuous mode" setting, and a port group on that virtual switch can either inherit the switch's security policy or override it. On a distributed switch, "promiscuous mode" works at the port group and port level. PS: the other two security policies, "MAC address changes" and "forged transmits", behave the same way as "promiscuous mode". Refer to the official documentation on the security policy, in the "vSphere Networking" document.
Explanation of promiscuous mode:
Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs, so that the guest operating system receives all traffic observed on the network. By default, the virtual machine adapter cannot operate in promiscuous mode.
Although promiscuous mode is useful for tracking network activity, it is an insecure mode of operation, because any adapter in promiscuous mode has access to the packets even if some of those packets are received only by a particular network adapter. This means that an administrator or root user within a virtual machine can potentially view traffic destined for other guest or host operating systems.
Note: Sometimes you might have a legitimate need for a standard or distributed virtual switch to operate in promiscuous mode (for example, when running network intrusion detection software or a packet sniffer).
A physical switch is a point-to-point device: it maintains a MAC address table of the devices connected to it, so it only forwards a frame to the port of the device that owns the destination MAC address.
Virtual switches behave the same way in this respect.
With promiscuous mode left off on the virtual switch (the default), suppose for example that vSwitch0 has two port groups: Port Group 1 holds several Windows virtual machines that employees use for office work, and Port Group 2 holds a Linux virtual machine that the administrators use for some network analysis. If we install Wireshark or another packet-capture tool on the Linux VM in Port Group 2, it can only capture packets sent to that Linux VM (the point-to-point behaviour mentioned above); it cannot capture packets exchanged between the Windows VMs in Port Group 1 or packets sent to those Windows VMs. In other words, Wireshark cannot capture remote packets in this situation.
We can enable promiscuous mode on vSwitch0, or enable it on Port Group 2 only. Enabling it on the port group is the recommended choice: when granting permissions or security policies, it is generally advisable to follow the principle of least privilege.
Once promiscuous mode is enabled on Port Group 2, the Linux VM can capture all packets on vSwitch0.
This means that an administrator or root user within that virtual machine can view traffic destined for other guest or host operating systems.
A simpler way to put it: what promiscuous mode does is open up the traffic passing through this virtual switch to the virtual machines connected to the port group on which promiscuous mode is enabled. (So if the entire virtual switch is in promiscuous mode, all traffic on that virtual switch is open to every virtual machine on the virtual switch.)
If you want to try the experiment above, you can build a lab environment along these lines and use Wireshark or tcpdump on the Linux VM to try capturing the Windows VMs' packets. Remember to restart the virtual machine after changing the promiscuous-mode setting.
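As an added example (not code from the original post), the following ESXi shell helper audits the least-privilege point above: it parses the text that `esxcli network vswitch standard policy security get` and `esxcli network vswitch standard portgroup policy security get` print on an ESXi host and reports whether promiscuous mode is enabled switch-wide or only through a port group override. The `esxcli_field` and `promisc_scope` function names, the assumed output layout, and the sample outputs for vSwitch0 and Port Group 2 are constructed here.

```shell
#!/bin/sh
# Audit helper added as an example (not code from the original post). It parses the
# text printed on an ESXi host by
#   esxcli network vswitch standard policy security get -v <vSwitch>
#   esxcli network vswitch standard portgroup policy security get -p <port group>
# and reports at which level promiscuous mode is enabled. The "Key: value" layout
# is assumed; the switch/port group names and sample outputs below are constructed.

# Print the value of one "Key: value" line from esxcli output.
esxcli_field() {   # esxcli_field "<output>" "<key>"
    printf '%s\n' "$1" | awk -F': *' -v k="$2" '$1 ~ ("^ *" k "$") { print $2; exit }'
}

# Classify where promiscuous mode is in effect for a port group; prints one of:
#   switch-wide  enabled on the vSwitch policy itself (every VM on it inherits it)
#   portgroup    enabled only through the port group's override (least privilege)
#   off          not enabled for VMs in this port group
promisc_scope() {   # promisc_scope "<vSwitch output>" "<port group output>"
    sw=$(esxcli_field "$1" "Allow Promiscuous")
    pg=$(esxcli_field "$2" "Allow Promiscuous")
    ov=$(esxcli_field "$2" "Override Vswitch Allow Promiscuous")
    if [ "$sw" = "true" ]; then
        echo switch-wide
    elif [ "$ov" = "true" ] && [ "$pg" = "true" ]; then
        echo portgroup
    else
        echo off
    fi
}

# Constructed sample outputs in the assumed esxcli layout: vSwitch0 leaves
# promiscuous mode off, Port Group 2 overrides it to on (the recommended setup).
VSWITCH0_SEC='   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

PG2_SEC='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false
   Override Vswitch Allow Promiscuous: true
   Override Vswitch Allow MAC Address Change: false
   Override Vswitch Allow Forged Transmits: false'

# On the host itself the two arguments would come from the esxcli commands above, e.g.
#   promisc_scope "$(esxcli network vswitch standard policy security get -v vSwitch0)" \
#                 "$(esxcli network vswitch standard portgroup policy security get -p 'Port Group 2')"
promisc_scope "$VSWITCH0_SEC" "$PG2_SEC"   # prints: portgroup
```

A result of `switch-wide` is the over-broad configuration the post warns about, since every VM on the switch can then see all of its traffic.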