Configuring a SPAN or mirror port on Open vSwitch

This howto describes how to configure a mirror (SPAN) port on Open vSwitch. The goal is to install a new guest that acts as an IDS/IPS sensor. The guest is configured with two virtual network interfaces. The first interface has an IP address and is used to manage the guest. The second interface is connected to the mirror port on Open vSwitch, which means it receives a copy of all traffic on the bridge. Because a mirror port only delivers copies of frames, a guest attached this way can act as a passive IDS; an inline IPS that blocks traffic would have to sit in the forwarding path instead.

My setup

Host OS : Ubuntu Quantal Quetzal 12.04 with libvirtd
Networking : The virtual machines are all connected to an Open vSwitch bridge (ovsbr0) and use RFC 1918 IP addresses. Since I only have a single external IP, my host runs a firewall that NATs certain ports towards the virtual machines.

XML configuration of guest

These are the two interface declarations from the guest's libvirt domain XML. Both attach to the ovsbr0 bridge as Open vSwitch virtual ports; the second one is the interface that will become the mirror output port.

<interface type='bridge'>
  <mac address='52:54:bb:bb:11:11'/>
  <source bridge='ovsbr0'/>
  <virtualport type='openvswitch'>
  </virtualport>
  <model type='virtio'/>
</interface>
<interface type='bridge'>
  <mac address='52:54:bb:bb:11:12'/>
  <source bridge='ovsbr0'/>
  <virtualport type='openvswitch'>
  </virtualport>
  <model type='virtio'/>
</interface>

Since each MAC address has to be unique, the hook script below uses the MAC of the second interface (52:54:bb:bb:11:12) as the identifier to find the Open vSwitch port that should become the mirror output port.

Configuring the mirror port on Open vSwitch

This script should be named ‘qemu’ and placed in ‘/etc/libvirt/hooks’, the directory libvirtd searches for hook scripts.

#!/bin/bash
# Written by Thomas Elsen
# You can use this at your own risk.
#
# libvirt runs this hook as: qemu <guest name> <operation> <sub-operation>
# The following two variables should be set before using the script.
# MAC contains the MAC address of the guest interface that will receive
# all mirrored traffic.
MAC="52:54:bb:bb:11:12"
# GUEST should point to the name of the guest
GUEST="ids"
BRIDGE="ovsbr0"

if [ "$1" = "$GUEST" ] && [ "$2" = 'started' ]; then
        # The host-side tap does not carry the guest's MAC (libvirt gives
        # the tap its own MAC with the first byte set to fe), so grepping
        # ifconfig output for $MAC is unreliable. libvirt does record the
        # guest MAC on the Open vSwitch Interface it creates, so look the
        # port up there instead.
        IFACE=$(ovs-vsctl --bare --columns=name find Interface external_ids:attached-mac="$MAC")
        if [ -z "$IFACE" ]; then
                echo "No Open vSwitch interface carries $MAC" | logger -t qemu-hook
                exit 0
        fi
        # Drop every existing mirror on the bridge (not only ours), then
        # create one that copies all traffic to the sensor's port.
        ovs-vsctl clear Bridge "$BRIDGE" mirrors
        ovs-vsctl -- --id=@capt get Port "$IFACE" \
                  -- --id=@m create Mirror name=mirror0 select_all=true output_port=@capt \
                  -- set Bridge "$BRIDGE" mirrors=@m
        echo "mirror0 on $BRIDGE now copies all traffic to $IFACE" | logger -t qemu-hook
        exit 0
fi

echo "Nothing to do : $1 $2" | logger -t qemu-hook
exit 0

After installing the script, set the two variables (MAC and GUEST) to the right values and make it executable:

# chmod 755 /etc/libvirt/hooks/qemu

With this hook in place the mirror is (re)created every time the guest is started. Two properties of the result are worth knowing. First, ‘clear bridge ovsbr0 mirrors’ removes every mirror on the bridge, not only the one this script makes, so do not combine it with mirrors managed elsewhere. Second, Open vSwitch reserves a mirror's output port exclusively for mirroring: the sensor's capture interface receives only the mirrored frames, and anything it transmits is discarded. That is why the guest needs the separate management interface, and why it can only act as a passive sensor on this port. libvirtd only looks for hook scripts when it starts, so restart it once after adding the script:

# /etc/init.d/libvirt-bin restart
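As an added example that is not part of the original howto, the following script checks, once the guest is up, that the mirror actually ended up where it was intended: exactly one mirror on the bridge, select_all set, and the output port being the Port record behind the sensor's capture MAC. The text-parsing helpers are kept apart from the ovs-vsctl calls so they can be exercised against a constructed sample of ‘ovs-vsctl list Mirror’ output; run the script with the argument ‘live’ on the host to query the real switch. The bridge name, guest MAC and mirror name are the ones used above; the UUIDs in the sample are made up.

```shell
#!/bin/bash
# Added example, not part of the original howto: verify the mirror that the
# qemu hook creates. Parsing helpers are separate from the ovs-vsctl calls
# so they can be tested offline on constructed output.
set -u

# Extract one column from "ovs-vsctl list <table> <record>" output, which
# prints one "column<spaces>: value" line per column. Surrounding quotes
# on string values are stripped.
ovs_col() {  # $1 = list output, $2 = column name
    printf '%s\n' "$1" | awk -v col="$2" '
        $1 == col && $2 == ":" { sub(/^[^:]*: /, ""); gsub(/"/, ""); print; exit }'
}

# Count the elements of a set value as printed by "ovs-vsctl get":
# "[]" -> 0, a bare uuid -> 1, "[uuid1, uuid2]" -> 2.
set_size() {  # $1 = set value
    local body
    body=$(printf '%s' "$1" | sed 's/[][ ]//g')
    if [ -z "$body" ]; then
        echo 0
    else
        printf '%s\n' "$body" | awk -F, '{ print NF }'
    fi
}

# Validate one Mirror record: it must copy all traffic (select_all) and its
# output_port must be the expected Port uuid. Returns 0 on success, 1 otherwise.
check_mirror() {  # $1 = "ovs-vsctl list Mirror <name>" output, $2 = expected Port uuid
    local name out all
    name=$(ovs_col "$1" name)
    out=$(ovs_col "$1" output_port)
    all=$(ovs_col "$1" select_all)
    if [ "$out" != "$2" ]; then
        echo "mirror $name: output_port is '$out', expected $2" >&2
        return 1
    fi
    if [ "$all" != "true" ]; then
        echo "mirror $name: select_all is '$all', expected true" >&2
        return 1
    fi
    return 0
}

# Constructed sample of "ovs-vsctl list Mirror mirror0" output (uuids made up).
SAMPLE_MIRROR='_uuid               : 5c3c2b7e-0d8e-4a4b-9d6a-1f2e3a4b5c6d
external_ids        : {}
name                : "mirror0"
output_port         : 9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d
output_vlan         : []
select_all          : true
select_dst_port     : []
select_src_port     : []
select_vlan         : []
statistics          : {tx_bytes=0, tx_packets=0}'
SAMPLE_PORT_UUID='9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d'

# Live check against the running switch: ./verify_mirror.sh live
if [ "${1:-}" = "live" ]; then
    BRIDGE="ovsbr0"
    MAC="52:54:bb:bb:11:12"      # capture interface of the "ids" guest
    MIRROR="mirror0"
    # libvirt records the guest MAC on the Interface record it creates.
    IFACE=$(ovs-vsctl --bare --columns=name find Interface external_ids:attached-mac="$MAC")
    [ -n "$IFACE" ] || { echo "no Open vSwitch interface carries $MAC (guest not running?)" >&2; exit 1; }
    PORT_UUID=$(ovs-vsctl get Port "$IFACE" _uuid)
    N=$(set_size "$(ovs-vsctl get Bridge "$BRIDGE" mirrors)")
    [ "$N" -eq 1 ] || { echo "expected exactly 1 mirror on $BRIDGE, found $N" >&2; exit 1; }
    check_mirror "$(ovs-vsctl list Mirror "$MIRROR")" "$PORT_UUID" || exit 1
    echo "OK: $MIRROR on $BRIDGE copies all traffic to $IFACE ($MAC)"
fi
```

Inside the guest, the matching check is that the capture interface has no IP address configured and runs in promiscuous mode, so that the sensor only ever listens on it and management stays on the first interface.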

Next step

In the next article I’ll use this new guest to run Snort, an open source IDS sensor.
