Forcing a Virtual Adapter to Use Promiscuous Mode

VMware ESX Server 2.0

Features | Documentation | Knowledge Base | Discussion Forums

For security reasons, guest operating systems are not normally allowed to set their virtual Ethernet adapters to use promiscuous mode.

In some circumstances, you may need to use the virtual Ethernet adapters in promiscuous mode. To enable this use, you must set the PromiscuousAllowed configuration variable to yes. To do so, follow these steps.

Check the Edit Configuration page of the VMware Management Interface to determine what network the virtual Ethernet adapter is using. For this example, assume that the Networking section of the page shows the adapter is using vmnic0.
Log in to the server's service console and enter the following command:
echo "PromiscuousAllowed yes" > /proc/vmware/net/vmnic0/config
This allows the guest operating systems in all virtual machines using vmnic0 to enable promiscuous mode.
If the adapter is using a different network, such as vmnet_0, make the appropriate substitution in the command.
Take the appropriate steps in the guest operating system to enable promiscuous mode on the virtual network adapter.

You may want to allow only some adapters on a particular network to use promiscuous mode. In that case, you can selectively disable promiscuous mode based on the MAC address of the virtual machine's Ethernet adapter. To do so, follow these steps.

Connect to the virtual machine with the remote console and use the appropriate guest operating system tools to determine the MAC address of the virtual Ethernet adapter.
Log in to the service console and enter the following command:
echo "PromiscuousAllowed no" > /proc/vmware/net/vmnic0/<MACAddress>
In place of <MACAddress>, substitute the virtual Ethernet adapter's MAC address in the standard format 00:05:69:XX:YY:ZZ. If the adapter is using a different network, such as vmnet_0, make the appropriate substitution in the command.

Sharing Network Adapters and Virtual Networks

In many ESX Server configurations, there is a clear distinction between networking resources used by the virtual machines and those used by the service console. This may be important for security reasons, for example — isolating the management network from the network used by applications in the virtual machines.

However, there may be times when you want to share resources, including physical network adapters and virtual networks.

This technical note provides instructions on sharing in both directions — making the virtual machines' resources available to the service console and allowing virtual machines to share the network adapter used by the service console.

This sharing is made possible by the vmxnet_console driver, which is installed with the service console.

Caution: We recommend that only advanced users make these configuration changes. The steps below are easier for someone who is familiar with administering a Linux system.

Note: If you accidentally bring down the local loopback interface while you are reconfiguring network devices, the VMware Management Interface does not function properly. To bring it back up, use the command ifconfig lo up.

Allowing the Service Console to Use the Virtual Machines' Devices

All network adapters used by virtual machines (that is, assigned to the VMkernel) and virtual networks can be made accessible to the service console. Virtual networks — identified as vmnet_<n> on the Edit Configuration page of the VMware Management Interface — provide high-speed connections among virtual machines on the same physical server.

To give the service console access to VMkernel network adapters and virtual networks, you must install the vmxnet_console module. When you install it, you provide a list of VMkernel network adapters and virtual networks that the vmxnet_console module should attach to. For example, if the VMkernel had an adapter named vmnic1 and a virtual network named vmnet_0 and you wanted to provide access to them from the service console, you would use the following command to install the vmxnet_console module.

insmod vmxnet_console devName=vmnic1;vmnet_0

The devName parameter is a comma-separated list of names of VMkernel network adapters and virtual networks.

When you install the module, it adds the appropriate number of eth<n> devices on the service console in the order that you list the VMkernel network adapter and virtual network names after the devName parameter. In the example above, if the service console already had a network adapter named eth0, when you load vmxnet_console with vmnic1 and vmnet_0; vmnic1 is seen as eth1 on the service console and vmnet_0 is seen as eth2.

Once the eth<n> devices are created on the service console, you can bring the interfaces up in the normal manner. For example, if you want the service console to use IP address 10.2.0.4 for the network accessed via the vmnic1 adapter, use the following command:

ifconfig eth1 up 10.2.0.4

If you want an easy way to see which eth<n> devices are added by the insmod command, you can add the tagName parameter to the insmod command, as shown in this example:

insmod vmxnet_console devName=vmnic1;vmnet0 tagName=<tag>

In this case the vmxnet_console module adds the names of each of the eth<n> devices that it created to /var/log/messages. Each message begins with the string <tag>.

To figure out the names of the devices that were added, use this command:

grep <tag> /var/log/messages

Starting Shared VMkernel Network Adapters and Virtual Networks when the Service Console Boots

There are two ways you can configure the service console to start VMkernel network adapters when the service console boots. The simpler case involves sharing a network adapter other than eth0. Sharing eth0 is more complicated and is described later.

Continuing with the example from the previous section, you can append the following lines to /etc/rc.d/rc.local:

insmod vmxnet_console devName=vmnic1,vmnet0 ifconfig eth1 up 10.2.0.4 ifconfig eth2 up 63.93.12.47

Another method is to set up the files /etc/sysconfig/network-scripts/ifcfg-eth1 and /etc/sysconfig/network-scripts/ifcfg-eth2 with the appropriate network information. And be sure the ONBOOT= line is ONBOOT=yes. The ifcfg-eth1 file for this example would be

DEVICE=eth1 BOOTPROTO=static BROADCAST=10.255.255.255 IPADDR=10.2.0.4 NETMASK=255.0.0.0 NETWORK=10.0.0.0 ONBOOT=yes

In this case, the lines you add to /etc/rc.d/rc.local would be:

insmod vmxnet_console devName=vmnic1;vmnet0 ifup eth1 ifup eth2

Sharing the Service Console's Network Adapter with Virtual Machines

Caution: If you intend to share the adapter that is eth0 on the service console, be careful as you implement the following steps. In order to configure ESX Server initially, you need to have a network connection. Once the initial configuration is set, you make several changes. At one point in the process, there is no network connection to the service console, and you must work directly at the server.

When you first install and configure ESX Server, the VMkernel is not loaded, so the service console needs to control the network adapter that is eth0. When you configure ESX Server, assign the adapter that is eth0 to the service console.

Once you have completely configured ESX Server properly and rebooted the machine, the VMkernel is loaded. At that point, you need to take the following steps:

Edit /etc/modules.conf and comment out the line that refers to alias eth0.
If the original line is
alias eth0 e100edit it to be
# alias eth0 e100
This disables eth0 on the service console when it boots.
Use the VMware Management Interface to reconfigure the server. Log in as root and go to http://<hostname>/pcidivy, then click the Edit link for the configuration you want to change. Find the table row that lists the Ethernet controller assigned to the console and click the radio button in the Virtual Machine column to reassign it.
Click Save Configuration, then reboot the machine when prompted.
When the machine reboots, no network adapter is assigned to the service console, so you must do this step at the server.
Add the appropriate lines to /etc/rc.d/rc.local. For example, if eth0 is the only network adapter that you intend to share between the VMkernel and the service console, and if it is named vmnic0 in the VMkernel, you add the lines
insmod vmxnet_console devName=vmnic0 ifup eth0
If you are unsure what name the VMkernel has assigned to the network adapter that formerly was eth0 in the service console, you can determine its name using the findnic program (see The VMkernel Network Card Locator).
The next time you reboot the system, the network adapter is shared by the service console and the virtual machines.
To begin sharing the network adapter without rebooting the system, you can manually issue the same commands you added to /etc/rc.d/rc.local. insmod vmxnet_console devName=vmnic0 ifup eth0

NIC Teaming

NIC teaming enables you to group logically together physical network interface cards (NICs) to form one single virtual teaming device, called a bond. By binding all these NICs together, you can ensure network connectivity to the server and improve network performance. This feature also provides traffic load balancing and redundant NIC operation if a network connection fails.

To use NIC teaming, you must have multiple physical NICs assigned to NIC teaming. You can then combine your virtual NICs into a team, called a bond. Each bond comprises at least one, up to ten virtual NICs. You may create up to ten bonds, from bond0 through bond9, for each ESX Server.

Creating a Bond

You create a bond by adding virtual NICs to the bond. There are several constraints regarding virtual NICs and bonds:

You can add a virtual NIC to a bond only if the virtual NIC is not in use.
You can remove a virtual NIC from a bond only if the bond is not in use.
Log into the VMware Management Interface and click the Options tab.
Click Network Connections.
For each virtual NIC, choose the appropriate bond. In the preceding figure, both virtual NICs comprise bond4.
The drop-down list only lists the available bonds. (In 2.0, the available bonds are either unused, or belong to a powered-off or suspended virtual machine.) If a bond is not listed, then it is currently in use, in a powered-on virtual machine.
Note: If you edit a bond that is assigned to a suspended virtual machine, your changes will not take effect until that virtual machine is powered off, then powered on again.
Click OK.

Once a virtual NIC is assigned to a bond, this virtual NIC becomes unavailable. You will no longer see this virtual NIC in the drop-down list of Ethernet adapters in the virtual machine configuration page.

Removing a Virtual NIC From a Bond

You can remove a virtual NIC from a bond only when the bond is not in use.

Log into the VMware Management Interface and click the Options tab.
Click Network Connections.
For each virtual NIC, choose None.
The drop-down list only lists the available bonds. (In 2.0, the available bonds are either unused, or belong to a powered-off or suspended virtual machine.) If a bond is not listed, then it is currently in use, in a powered-on virtual machine.
Click OK.

Troubleshooting

If, while booting your virtual machine, you see an error message stating that the Ethernet device cannot be detected, then check the following:

Network Connections page — Be sure that the correct virtual NICs are assigned to a bond
VM Configuration page — Be sure the correct bond is selected for the specified Ethernet device and that the selected vmnic is not already assigned to a bond device or already in use.

Make the appropriate change(s), then reboot your virtual machine to see if the error message persists.

Prev Contents Last Next

VMware ESX Server 2.0

Support Resources