January 15th 2020

Today I was involved in a deployment of a new MSSP service. The provider is running a virtual sensor (an Ubuntu machine) in a VM. The box collects SNMP trap data as well as SPAN (Switched Port Analyzer) traffic from the corporate user network. The service uses a backend SIEM service, AlienVault. The most important lesson came from the interaction with VMware.

For the first time, I did some network implementation with vSphere. Since this system acts as a Network Intrusion Detection System (IDS), the vSwitch needs to pass promiscuous traffic to it. The vSwitch security policy has to be set to accept promiscuous mode (the same setting also exists per port group, and a port group policy overrides the vSwitch default, so check both). Promiscuous mode removes the reception filtering that the virtual machine adapter normally performs: every guest attached to that vSwitch or port group then receives all the traffic the switch sees, not just frames addressed to its own MAC, broadcast or multicast. The sensor VM was only seeing broadcast/UDP traffic before the feature was permitted on the vSwitch. Because the setting exposes the mirrored user traffic to any VM on that switch, I ensured the vSwitch was isolated to the VMs that needed to share the traffic. I understand this is not exciting information to learn, but the experience today was real work on the platform, and I am excited to gain more exposure.
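A guest-side check for the symptom described above, added here as an example (it is not code from the post, the MSSP, or VMware): it classifies the frames arriving on the sensor's monitor interface by destination MAC. Without promiscuous mode on the vSwitch or port group the guest only receives broadcast, multicast and frames addressed to its own vNIC; once the policy allows it, unicast frames between other hosts ("foreign unicast") show up. The MAC addresses and frames are constructed samples, and the pcap reader assumes a classic (non-pcapng) libpcap file such as `tcpdump -i eth1 -w span.pcap` writes.

```python
"""Is the sensor really receiving SPAN traffic?  Added example, not from the post."""
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Minimal Ethernet II frame (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def classify(frame, own_mac):
    """Bucket one frame by its destination MAC."""
    if len(frame) < 14:
        raise ValueError("runt frame, shorter than an Ethernet header")
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:            # I/G bit set: group (multicast) address
        return "multicast"
    if dst == own_mac:
        return "own-unicast"
    return "foreign-unicast"     # only delivered when promiscuous mode is allowed


def summarize(frames, own_mac):
    """Count frames per bucket."""
    return Counter(classify(f, own_mac) for f in frames)


def promiscuous_ok(counts):
    """True when the interface receives traffic that is not addressed to it."""
    return counts["foreign-unicast"] > 0


def parse_pcap(data):
    """Return the frames in a classic libpcap blob (pcapng is not handled)."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    frames, off = [], 24                       # 24-byte global header
    while off + 16 <= len(data):               # 16-byte record header per frame
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def to_pcap(frames, link_type=1):
    """Serialise frames as a little-endian pcap blob (link type 1 = Ethernet)."""
    out = [b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, link_type)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def read_pcap(path):
    with open(path, "rb") as fh:
        return parse_pcap(fh.read())


# Constructed sample traffic; all MACs are made up. SENSOR_MAC is the sensor vNIC.
SENSOR_MAC = mac("00:50:56:aa:bb:cc")
HOST_A, HOST_B, GATEWAY = mac("00:11:22:33:44:01"), mac("00:11:22:33:44:02"), mac("00:11:22:33:44:fe")

BEFORE = [                                          # what the sensor saw before the fix
    build_frame(BROADCAST, HOST_A, 0x0806),         # ARP request
    build_frame(mac("01:00:5e:00:00:fb"), HOST_B),  # mDNS multicast
    build_frame(SENSOR_MAC, GATEWAY),               # traffic to the sensor itself
]
AFTER = BEFORE + [                                  # after allowing promiscuous mode
    build_frame(GATEWAY, HOST_A),
    build_frame(HOST_B, GATEWAY),
]

if __name__ == "__main__":
    import sys
    frames = read_pcap(sys.argv[1]) if len(sys.argv) > 1 else AFTER
    counts = summarize(frames, SENSOR_MAC)
    print(dict(counts), "promiscuous:", "OK" if promiscuous_ok(counts) else "NOT RECEIVING")
```

Run it against a short capture from the monitor interface; a result with zero foreign unicast while the SPAN source is busy means the hypervisor is still filtering. On the ESXi side the setting is `esxcli network vswitch standard policy security set -v <vSwitch> --allow-promiscuous=true` (and `... get -v <vSwitch>` to verify), with the per-port-group variant under `esxcli network vswitch standard portgroup policy security`. Inside the guest, `ip -d link show eth1` showing `promiscuity 1` only proves the sniffer asked for promiscuous mode, not that the vSwitch honours it, which is why the frame-level check is worth keeping.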

I did spend some time this evening listening to and watching some of the VCP65-DCV (vSphere 6.7) material on ittvpro. The introductory video covered concepts which I generally understood: shared resources (disk, CPU, network) and some of the file types and their significance.

Lastly, this morning I was reviewing some CCIE material covering EIGRP, revisiting the classic implementation and the named version with address families. I did learn that wide metrics come after Cisco IOS 15.4, so the upgrade matters if the environment has 10/40 Gbps or faster links, since wide metrics should be used there: the classic metric is not able to distinguish links faster than 10 Gbps. The material also discussed that, to manipulate route cost effectively, you offset the delay, since this is generally an easier change to make than bandwidth. The reason is that the bandwidth term only counts where a link is the minimum along the path (changing any other link does nothing) and the `bandwidth` value is also consumed by QoS and other features, whereas delay is additive per hop and used only by EIGRP.
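A small metric calculator, added here as an example that is not from the post or from Cisco, makes both points concrete: with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) the classic metric is 256 × (10^7 ÷ minimum bandwidth in kbps, integer, + sum of delays in tens of microseconds), and the wide metric replaces the 256 scale with 65536 and carries delay in picoseconds, with the result divided by the RIB scale (128 by default) when it is installed in the routing table. The interface speeds and delays below are constructed inputs using the usual 10 µs default delay.

```python
"""EIGRP classic vs wide metric calculator. Added example, not from the post.

  classic: 256 * (10^7 // min_bw_kbps + sum(delay_us // 10))
  wide:    (10^7 * 65536) // min_bw_kbps + sum(delay_ps * 65536 // 10^6)
  rib:     wide // 128  ("metric rib-scale" default)
Bandwidths are in kbps and delays in microseconds per hop, as `show interface` reports them.
"""

SCALE_CLASSIC = 256
SCALE_WIDE = 65536
RIB_SCALE = 128


def classic_metric(bw_kbps, delays_us):
    """Classic 32-bit composite metric for a path given per-hop values."""
    bw_term = 10**7 // min(bw_kbps)                  # integer: everything above 10G floors to 0
    delay_term = sum(d // 10 for d in delays_us)     # delay counted in tens of microseconds
    return SCALE_CLASSIC * (bw_term + delay_term)


def wide_metric(bw_kbps, delays_us):
    """64-bit wide metric: same shape, finer scale, delay carried in picoseconds."""
    throughput = (10**7 * SCALE_WIDE) // min(bw_kbps)
    latency = sum((d * 10**6) * SCALE_WIDE // 10**6 for d in delays_us)
    return throughput + latency


def rib_metric(wide):
    """Value shown in `show ip route` after the default rib-scale of 128."""
    return wide // RIB_SCALE


def compare_links(speeds_gbps, delay_us=10):
    """Single-hop (classic, wide) metric per interface speed."""
    return {g: (classic_metric([g * 10**6], [delay_us]),
                wide_metric([g * 10**6], [delay_us])) for g in speeds_gbps}


def after_change(bw_kbps, delays_us, hop, new_bw=None, extra_delay_us=0):
    """Classic path metric after lowering one hop's bandwidth or adding delay to it."""
    bw, dl = list(bw_kbps), list(delays_us)
    if new_bw is not None:
        bw[hop] = new_bw
    dl[hop] += extra_delay_us
    return classic_metric(bw, dl)


if __name__ == "__main__":
    for g, (c, w) in compare_links([1, 10, 40, 100]).items():
        print(f"{g:>4} Gbps  classic={c:<6} wide={w:<8} rib={rib_metric(w)}")
    # Two-hop path: 1G then 100M. Bandwidth edits off the bottleneck do nothing;
    # delay edits always move the metric.
    path_bw, path_dl = [1_000_000, 100_000], [10, 10]
    print("base          ", classic_metric(path_bw, path_dl))
    print("hop0 -> 500M  ", after_change(path_bw, path_dl, 0, new_bw=500_000))
    print("hop0 +100us   ", after_change(path_bw, path_dl, 0, extra_delay_us=100))
```

For a single Gigabit hop the numbers are the familiar 2816 (classic) and 1310720 (wide, 10240 in the RIB). At 40 and 100 Gbps the classic bandwidth term floors to the same integer, so both links get an identical metric, while the wide throughput term still separates them. On the two-hop path, dropping the 1G hop to 500M leaves the metric untouched because the 100M hop remains the minimum, whereas adding 100 µs of delay to any hop changes it, which is the practical reason the material favours delay for traffic engineering.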
