One-way traffic with port mirror HP-2610 to Hyper-V

Tags: hp, hyper-v, hyper-v-server-2012-r2, network-monitoring, networking

I have a Hyper-V box that has call recording for IP phones with the following connectivity:

  1. PBX on an access port (native VLAN 42), plugged into port 22 on the switch (it has no settings for VLANs, so we set the native access VLAN so that all its traffic is on VLAN 42).
  2. Phones on hybrid port (native vlan 1 for workstations, tagged 42 for phones)
  3. Dedicated NIC on a Hyper-V machine for guest VMs
  4. Dedicated NIC on a Hyper-V machine for monitoring on port 21 on switch.
  5. Enabled port mirroring on Hyper-V

The HP ProCurve 2610-24 switch config is below:

mirror-port 21
vlan 1
  name "DEFAULT"
  untagged 1-17,19-21,23-28
  no untagged 18,22
exit
vlan 42
  name "VOICE"
  untagged 22
  tagged 1-20,23,26
exit
interface 22
  monitor
exit

I have enabled monitoring on Hyper-V host:

  1. On Hyper-V host, create a new virtual switch called Monitor, this physically connects to the dedicated monitoring NIC (create a separate switch for general traffic also).
  2. Enable extension Microsoft NDIS Capture.
  3. $portFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
  4. $portFeature.SettingData.MonitorMode = 2
  5. Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Monitor -VMSwitchExtensionFeature $portFeature
  6. Create a new VM, add following virtual network adapters:
    1. NIC for general data traffic connected to guest virtual switch
    2. NIC for monitoring traffic connected to the monitor virtual switch
  7. Under the monitor virtual network adapter of the guest VM, go to Advanced Features, and set the port mirror mode to Destination.

When I run Wireshark on the guest monitoring VM, I am only ever seeing one-way traffic coming from the PBX (source) to the phone (destination), and not from phone to PBX.

In principle, since the PBX can send/receive the untagged data (presented on port 22), this should be presented verbatim on the port monitor port as an untagged data frame (for native VLAN 42), or am I barking up the wrong tree?

I have done the same Hyper-V setup but with Cisco and had no issues there; that worked OK.

Not sure if this is something I have done wrong, something with Windows, or an HP issue. Pointers much appreciated.

Best Answer

The port mirroring was correct as per the above config (HP states on its 25xx and 26xx models that its monitoring retains VLAN tags regardless of whether the port being monitored is set to untagged; note, this is for port monitoring, not sure if this is different for VLAN-type monitoring on newer models, as I wasn't able to test on this firmware).

My initial step was with the default monitoring setup to capture traffic on the VM:

# On the Hyper-V host, create a new virtual switch called Monitor; this
# physically connects to the dedicated monitoring NIC (create a separate switch for general traffic also).
# Also enable the extension Microsoft NDIS Capture for this NIC.
$portFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
$portFeature.SettingData.MonitorMode = 2   # 2 = Source: the switch's external port is the source of the mirror
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName Monitor -VMSwitchExtensionFeature $portFeature
# Final step I did through the GUI => under the monitor virtual network adapter
# of the guest VM, go to Advanced Features, and set the port mirror mode to Destination.

I could see I was getting all untagged frames that were coming out of the PBX (it has no notion of a tagged frame).

I then tried setting a trunk to the switch to receive tagged 42 AND native VLAN 42 (Set-VMNetworkAdapterVlan -VMName MonitorVM -VMNetworkAdapterName Monitor -Trunk -AllowedVlanIdList 813 -NativeVlanId 42), and at that point saw I was no longer receiving the PBX data (untagged frames).

After reading online I found Hyper-V defines untagged (vlan disabled) as VLAN ID 0.

Setting the trunk to the VM to accept both tagged 42 and untagged frames (renaming the interface so I could target that only):

$a = Get-VMNetworkAdapter -VMName MonitorVM
# $a[1] referenced the monitor NIC; you will need to search the array to check which index it is
Rename-VMNetworkAdapter -VMNetworkAdapter $a[1] -NewName Monitor
# -NativeVlanId 0 = untagged frames (Hyper-V's "VLAN disabled"); -AllowedVlanIdList = tagged VLAN(s) to pass
Set-VMNetworkAdapterVlan -VMName MonitorVM -VMNetworkAdapterName Monitor -Trunk -AllowedVlanIdList 813 -NativeVlanId 0

I was then able to see two way traffic!
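The seven-step Hyper-V procedure from the question and the VLAN-0 trunk fix from the answer, combined into one PowerShell script with a read-back check at the end. This is an added example, not code from the question, the answer or Microsoft; it assumes a physical adapter named "Monitor NIC", the VM name MonitorVM and adapter name Monitor used above, and the voice VLAN 42 from the question (the answer's own command used 813).

```powershell
# Added example: full Hyper-V port-mirror setup with the VLAN-0 fix.
# Assumptions (not from the page): physical adapter name "Monitor NIC";
# VM/adapter names follow the question; voice VLAN 42 from the question.
$SwitchName  = "Monitor"
$PhysicalNic = "Monitor NIC"   # assumed name of the dedicated monitoring NIC (Get-NetAdapter lists them)
$VMName      = "MonitorVM"
$AdapterName = "Monitor"
$VoiceVlan   = 42              # tagged voice VLAN from the question

# 1. External switch bound to the monitoring NIC, not shared with the management OS
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $SwitchName -NetAdapterName $PhysicalNic -AllowManagementOS $false | Out-Null
}

# 2. NDIS Capture extension on that switch
Enable-VMSwitchExtension -VMSwitchName $SwitchName -Name "Microsoft NDIS Capture" | Out-Null

# 3-5. Make the switch's external port the mirror source (MonitorMode 2 = Source)
$portFeature = Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
$portFeature.SettingData.MonitorMode = 2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName -VMSwitchExtensionFeature $portFeature

# 6. Monitoring adapter on the guest (the general-traffic adapter is left as it is)
if (-not (Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName -ErrorAction SilentlyContinue)) {
    Add-VMNetworkAdapter -VMName $VMName -SwitchName $SwitchName -Name $AdapterName
}

# 7. Guest adapter is the mirror destination (what the GUI "Port mirroring: Destination" sets)
Set-VMNetworkAdapter -VMName $VMName -Name $AdapterName -PortMirroring Destination

# The fix from the answer: trunk the guest adapter so it passes the tagged voice VLAN
# AND untagged frames. Hyper-V represents untagged as VLAN 0, so NativeVlanId must be 0;
# with NativeVlanId 42 the answer found the PBX's untagged frames no longer arrived,
# which is the "one direction only" symptom in the question.
Set-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $AdapterName -Trunk `
    -AllowedVlanIdList $VoiceVlan -NativeVlanId 0

# Read-back check: the three settings that decide whether both directions show up in Wireshark
$ext  = Get-VMSwitchExtensionPortFeature -ExternalPort -SwitchName $SwitchName `
    -FeatureName "Ethernet Switch Port Security Settings"
$vlan = Get-VMNetworkAdapterVlan -VMName $VMName -VMNetworkAdapterName $AdapterName
$nic  = Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName

[pscustomobject]@{
    ExternalPortMonitorMode = $ext.SettingData.MonitorMode   # expect 2 (Source)
    GuestPortMirroring      = $nic.PortMirroringMode         # expect Destination
    GuestVlanMode           = $vlan.OperationMode            # expect Trunk
    GuestNativeVlanId       = $vlan.NativeVlanId             # expect 0 (untagged)
    GuestAllowedVlanIds     = $vlan.AllowedVlanIdList        # expect 42
}
```

Run it on the Hyper-V host as an administrator with the Hyper-V PowerShell module loaded. If the final object shows GuestNativeVlanId as anything other than 0, the PBX's untagged frames will be filtered before they reach the guest, and Wireshark on the VM will again show only the phone-bound direction.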