I've figured it out:

ovs-vsctl -- --id=@p get port vif104.1 -- --id=@m create mirror name=m0 select-all=true output-port=@p -- set bridge xenbr1 mirrors=@m

I'll need to switch from using port vif104.1 to using vifname, but other than that this works perfectly. The best part is that it uses the xenbr1 network that xen manages, so I shouldn't have to adjust src-port or dst-port as other VMs reboot.

On 4/18/16, 7:28 PM, "Ben Pfaff" <b...@ovn.org> wrote:

>On Mon, Apr 18, 2016 at 10:42:21PM +0000, Tarren, Jacob A.
>(LARC-B703)[LITES II] wrote:
>> Hello!
>>
>> I've just started experimenting with OpenVSwitch on Xen, and so far I
>>like it, but I'm running into an issue setting up port mirroring and
>>promiscuous mode.
>>
>> I'm trying to get all traffic on a network within my Xen server to be
>>mirrored to a specific VM so I can practice with an IDS. I've
>>determined that the VM I want my IDS on is connected via vif104.1, and I
>>think I should run this command to create a mirror over the whole
>>network:
>>
>> ovs-vsctl --set Bridge xenbr1 mirrors=@m -- -- id=@vif93.0 get Port
>>vif93.0 -- --id=@vif78.3 get Port vif78.3 -- --id=@vif72.0 get Port
>>vif72.0 -- --id=@79.1 get Port vif79.1 -- --id=@tap93.0 get Port tap93.0
>>-- --id=@xenbr1 get Port xenbr1 -- --id=@vif62.3 get Port vif62.3 --
>>--id=@tap62.3 get Port tap62.3 -- --id=@eth1 get Port eth1 --
>>--id=@vif104.1 get Port vif104.1 -- -- --id=@m create Mirror
>>name=xenbr1-everything-mirror
>>select-dst-port=@vif93.0,@vif78.3,@vif72.0,@vif79.1,@tap93.0,@xenbr1,@vif
>>62.3,@vif103.1,@tap62.3,@eth1
>>select-src-port=@vif93.0,@vif78.3,@vif72.0,@vif79.1,@tap93.0,@xenbr1,@vif
>>62.3,@vif103.1,@tap62.3,@eth1 output-port=@vif104.1
>>
>> After running that, I should set the vif of that network on my IDS
>>(vif104.1) into promiscuous mode with:
>> xe vif-param-set uuid=<uuid_of_vif> other-config:promiscuous="true"
>>
>> Unfortunately, when I try running the ovs-vsctl command I get:
>> ovs-vsctl: unrecognized option `--set'
>> I think this is because I'm specifying multiple dst-ports and src-ports
>>but I'm not sure.
>
>"set" is a command, not an option, so there's no --.
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
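
Added example, not part of the original thread and not Open vSwitch code: an offline check for an ovs-vsctl mirror invocation that catches a command written as an option (the `--set` error reported above) and an @name used without a matching --id=@name. The function name lint_vsctl and its list of command names (a subset of the ovs-vsctl database commands) are assumptions of this example; it never calls ovs-vsctl.

```shell
#!/bin/sh
# Added example (not from the thread): offline lint for ovs-vsctl arguments.
# lint_vsctl is a hypothetical helper; it never runs ovs-vsctl itself.
# Prints one line per problem; exit status 0 means nothing was flagged.
lint_vsctl() {
    defined=" "
    problems=0
    # Pass 1: record every name declared with --id=@name.
    for arg in "$@"; do
        case $arg in
            --id=@*) defined="$defined${arg#--id=@} " ;;
        esac
    done
    # Pass 2: flag commands written as options and undeclared @references.
    for arg in "$@"; do
        case $arg in
            --id=@*) ;;
            --set|--get|--add|--remove|--clear|--create|--destroy|--list|--find)
                echo "${arg#--} is a command, not an option: drop the leading --"
                problems=$((problems + 1)) ;;
            *=*@*)
                # Column values such as select-src-port=@a,@b: split on commas.
                old_ifs=$IFS
                IFS=,
                for ref in ${arg#*=}; do
                    case $ref in @*) ;; *) continue ;; esac
                    case $defined in
                        *" ${ref#@} "*) ;;
                        *) echo "$ref is used but never declared with --id=$ref"
                           problems=$((problems + 1)) ;;
                    esac
                done
                IFS=$old_ifs ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# The working invocation from the post, checked without touching the switch.
lint_vsctl -- --id=@p get port vif104.1 -- --id=@m create mirror name=m0 \
    select-all=true output-port=@p -- set bridge xenbr1 mirrors=@m \
    && echo "no problems flagged"
```

Pass the arguments exactly as they would follow `ovs-vsctl` on the command line; a non-zero exit status means at least one problem line was printed.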