AlienVault® USM Anywhere™

Configure Windows Server 2012 R2 or Windows Server 2016 Hyper-V Virtual Machines for Port Mirroring

Complete the two following tasks to set up port mirroring on a Windows Server 2012 R2 or Windows Server 2016 Hyper-V host.

Important: Before you configure port mirroring on a Windows Server 2012 R2 VM, make sure that the Microsoft packet sniffing tool hotfix is applied.

Configure the Virtual Machine to Capture Mirrored Traffic

To configure the virtual machine you want to use to capture mirrored traffic

  1. Open the Microsoft Hyper-V Manager and right-click the machine that you want to use to capture mirrored traffic.
  2. Select Settings.
  3. Expand the associated network adapter and select Advanced Features.
  4. Scroll to the Port mirroring section and set the Mirroring mode to Destination.

    Configuring the virtual machine to capture mirrored traffic

  5. Click Apply and OK.

Configure the Mirror Port

To configure the mirror port

  1. Open the Windows PowerShell console.
  2. Enter the following:
  3. $a = Get-VMSystemSwitchExtensionPortFeature -FeatureId 776e0ba7-94a1-41c8-8f28-951f524251b5

     

    $a.SettingData.MonitorMode = 2

     

    add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName <virtual_switch_name> -VMSwitchExtensionFeature $a

Important: Be aware that, if you enable promiscuous mode for a physical port, it directs all the traffic received on that port towards the virtual machine destination.

Additional Configurations for Port Mirroring Setup from VLAN Traffic

If your environment uses a Virtual LAN to route traffic, you will also need to configure Hyper-V to accept packets from the designated VLAN ID range.

To set up VLAN port mirroring

  1. In Hyper-V Guest, create a Network Interface Controller (NIC) designated "management" with the following PowerShell command

    Add-VMNetworkAdapter -VMName <VirtualMachineName> -Name "Management"

  2. Add the port you will use as a mirror

    Add-VMNetworkAdapter -Vmname <VirtualMachineName> -name "Mirror"

    If you have multiple NICs you are mirroring, repeate this step for each NIC.

  3. Add the VLAN ID ranges that will be mirrored

    Set-VMNetworkAdapterVlan -VMName VIRTUALMACHINENAME -VMNetworkAdapterName "mirror" -trunk -allowedvlanidlist <VLAN-ID-Range> -nativevlanid <VLAN-ID-Range>

Important: The NIC needs to be created, named, and tagged with VLAN ID ranges as a guest in Hyper-V. If the NIC is not named and tagged properly, it can create errors in the guest system.

Related Video Content

To view other related training videos, click here.