
Open vSwitch not passing all traffic from PIF to VIF


Jacob Chapman

Question

I'm using Citrix Hypervisor and running a network security monitoring tool (Nozomi Networks Guardian) within it.  Guardian has a monitoring interface (we'll call pif1) which is bridged to a physical interface (we'll call vif1).  The issue is that vif1 is not receiving all traffic (it picks up some but not all).

 

I'm having an identical issue to this person.

I've successfully implemented promiscuous mode on the pif and vif and saw no improvements.

I've also tried changing network backend from Open vSwitch to the old Bridge backend with no effect.

 

I am 90% sure the issue is with the Open vSwitch / Bridge technical functionality.  I've deployed Guardian in 6 other hypervisors (VMWare Fusion, VMWare Workstation, VMWare ESXi, KVM in Linux Ubuntu, and Proxmox) so I'm well versed in the typical setup.  

 

I ran into a very similar issue in KVM in Linux Ubuntu (which uses Macvtap) and the fix in that situation was to change the virtual networking from bridge mode to passthrough mode, which essentially connects the virtual interface directly to the physical interface without any manipulation or analysis of the traffic.  But I can't find a similar setting in Citrix Hypervisor - anybody know of one?

 

Even in promiscuous mode, there must be something very technical that prevents certain traffic from being forwarded to the vif but I can't figure out what.  Would appreciate any and all ideas!

 

Screenshots of my existing configuration attached.  I've also posted a comparison of what Guardian picks up in Workstation vs. Citrix Hypervisor, using the same traffic and identical setup, to demonstrate the issue.

Bridge Configuration.png

Guardian in Citrix (Left) vs Guardian in Workstation (Right).png

Network Backend Configuration.png

PIF Configuration.png

VIF Configuration.png

PIF1 and VIF1 Mapping.png


2 answers to this question


I finally got this working.  PCI passthrough was indeed necessary for the software I'm using to pick up all network traffic properly (not bridging through the virtual switch).  Doing so requires enabling IOMMU and using the legacy linux bridge backend networking (instead of the default Open vSwitch backend networking).  Here's a quick write-up of the steps I made:

 

1. Switch network backend to linux bridge
    command in Citrix Hypervisor shell is: xe-switch-network-backend bridge

 

2. Reboot Citrix Hypervisor
    confirm it worked by running command: xe host-list params=software-version
    The result should include "network_backend: bridge;"

 

3. Ensure VT-d and IOMMU are enabled in the hypervisor
    command in Citrix Hypervisor shell is: /opt/xensource/libexec/xen-cmdline --set-xen iommu=1

 

4. Look up PCI details for NIC controller
    command in Citrix Hypervisor shell is: lspci
    Write down the address of the NIC (e.g. 02:02.0)
    Your VM must have the drivers to support the ethernet controller you're passing through to it.  If it doesn't, it will see the ethernet controller but won't process any of the traffic.

    In my case, the VM did have a driver for Intel e1000 ethernet controller, which is what I was passing through to it. 

 

5. Hide the NIC controller from the Citrix Hypervisor management VM (Dom0) itself
    command in Citrix Hypervisor shell is: /opt/xensource/libexec/xen-cmdline --set-dom0 "xen-pciback.hide=(**PCI ADDRESS HERE**)"
    command example: /opt/xensource/libexec/xen-cmdline --set-dom0 "xen-pciback.hide=(02:02.0)"

 

6. Reboot Citrix Hypervisor
    confirm it worked by running command: dmesg | grep pciback
    result should include "xen-pciback.hide=**PCI ADDRESS**"

 

7. Get the UUID of the Guardian VM
    command in Citrix Hypervisor shell is: xe vm-list
    Write down the uuid of the Guardian VM

 

8. Pass through the NIC Ethernet controller directly to the Guardian VM
    command in Citrix Hypervisor shell is: xe vm-param-set other-config:pci=0/0000:**PCI ADDRESS HERE** uuid=**VM UUID HERE**
    command example: xe vm-param-set other-config:pci=0/0000:02:02.0 uuid=77daaa0d-393a-12aa-5875-07ab9f55c715
    confirm it worked by running command: xe vm-param-list uuid=**VM UUID HERE**
    The other-config: section should show a value of pci=0/0000:**PCI ADDRESS HERE**

 

Boot up the VM.  If everything worked, the VM will directly see the ethernet NIC which the hypervisor had access to, instead of a virtual interface which the hypervisor was forwarding the traffic to through a virtual switch.
    

  • Like 1
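As an added example (not part of the answer above and not a Citrix or Nozomi tool), the following POSIX shell script wraps the eight steps of the procedure into small functions so that each value can be checked before it is applied: the PCI address is validated against the `bb:dd.f` form `lspci` prints before it is baked into the dom0 kernel command line, the `network_backend: bridge` and `dmesg` confirmations from steps 2 and 6 are turned into parsers, and every state-changing command goes through a `run` wrapper that only prints the command unless `DRY_RUN=0`. The `lspci`, `software-version` and `dmesg` sample outputs, the NIC pattern `'Ethernet controller'`, the VM name-label `'Guardian'` and the file name `passthrough.sh` are constructed assumptions; the `--minimal` flag on `xe vm-list` is standard `xe` behaviour and the remaining commands are the ones the answer lists.

```shell
#!/bin/sh
# Added example, not from the original post or from Citrix: helper functions
# around the PCI passthrough steps in the answer above. Commands that change
# host state go through run(), which only prints them unless DRY_RUN=0, so the
# sequence can be reviewed before anything is applied. All sample outputs
# below are constructed for illustration, not captured from a real host.

# Accept only a bb:dd.f address exactly as lspci prints it; anything else is
# rejected before it can be written into the dom0 kernel command line.
pci_addr_valid() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f].[0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 4: address of the first lspci line ($1 = lspci output) matching $2.
pci_addr_for_nic() {
    printf '%s\n' "$1" | grep -i -- "$2" | head -n 1 | cut -d' ' -f1
}

# Step 2 check: does `xe host-list params=software-version` ($1) show bridge?
backend_is_bridge() {
    printf '%s\n' "$1" | grep -q 'network_backend: bridge'
}

# Step 5: dom0 kernel argument that hides the NIC from the management domain.
pciback_hide_arg() {
    printf 'xen-pciback.hide=(%s)\n' "$1"
}

# Step 6 check: does dmesg output ($1) carry the hide argument for address $2?
dmesg_shows_hidden() {
    printf '%s\n' "$1" | grep -qF -- "$(pciback_hide_arg "$2")"
}

# Step 8: value assigned to other-config:pci on the VM.
vm_pci_value() {
    printf 'pci=0/0000:%s\n' "$1"
}

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Whole procedure: $1 = lspci pattern for the NIC, $2 = VM name-label.
# Only meaningful on a Citrix Hypervisor host where lspci and xe exist.
passthrough_nic() {
    addr=$(pci_addr_for_nic "$(lspci)" "$1")
    pci_addr_valid "$addr" || { echo "no NIC matched '$1'" >&2; return 1; }
    if ! backend_is_bridge "$(xe host-list params=software-version)"; then
        run xe-switch-network-backend bridge
        echo "backend switched to bridge; reboot the host, then rerun" >&2
        return 2
    fi
    run /opt/xensource/libexec/xen-cmdline --set-xen iommu=1
    run /opt/xensource/libexec/xen-cmdline --set-dom0 "$(pciback_hide_arg "$addr")"
    uuid=$(xe vm-list name-label="$2" --minimal)
    [ -n "$uuid" ] || { echo "VM '$2' not found" >&2; return 1; }
    run xe vm-param-set "other-config:$(vm_pci_value "$addr")" "uuid=$uuid"
    echo "reboot the host so dom0 releases $addr, then start '$2'" >&2
}

# Constructed sample outputs used by self_check (not from a real host).
SAMPLE_LSPCI='00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 01)
02:02.0 Ethernet controller: Intel Corporation 82540EM Gigabit Ethernet Controller (rev 02)'
SAMPLE_SWVER='software-version (MRO)    : ...; network_backend: bridge; platform_name: XCP'
SAMPLE_DMESG='[    0.000000] Command line: ... xen-pciback.hide=(02:02.0) console=hvc0'

# Offline self-check of the parsers and builders against the samples.
self_check() {
    addr=$(pci_addr_for_nic "$SAMPLE_LSPCI" 'Ethernet controller')
    [ "$addr" = 02:02.0 ] || return 1
    pci_addr_valid "$addr" || return 1
    pci_addr_valid 2:2.0 && return 1
    backend_is_bridge "$SAMPLE_SWVER" || return 1
    dmesg_shows_hidden "$SAMPLE_DMESG" "$addr" || return 1
    [ "$(vm_pci_value "$addr")" = pci=0/0000:02:02.0 ] || return 1
    echo "self-check passed for $addr"
}

# Usage on a real host (hypothetical file name; review the printed commands
# with the default DRY_RUN=1 first, then repeat with DRY_RUN=0):
#   . ./passthrough.sh && self_check && passthrough_nic 'Ethernet controller' 'Guardian'
```

Two checks worth keeping in mind before running it with `DRY_RUN=0`: confirm that the matched address is not the PIF carrying the host's management interface, since hiding that device from dom0 cuts off host management until the kernel command line is reverted; and remember that a passed-through NIC bypasses the virtual switch entirely, so none of the hypervisor's VIF-level controls apply to that traffic any more and it is governed only by what the guest does with it.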