Chapter 44. Configuring network devices to accept traffic from all MAC addresses
Network devices usually intercept and read packets that their controller is programmed to receive. You can configure the network devices to accept traffic from all MAC addresses in a virtual switch or at the port group level.
You can use this network mode to:
- Diagnose network connectivity issues
- Monitor network activity for security reasons
- Intercept private data-in-transit or intrusion in the network
You can enable this mode for any kind of network device, except InfiniBand.
44.1. Temporarily configuring a device to accept all traffic
You can use the ip utility to temporarily configure a network device to accept all traffic regardless of the MAC addresses.
Procedure
1. Optional: Display the network interfaces to identify the one for which you want to receive all traffic:

       # ip address show
       1: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
           link/ether 98:fa:9b:a4:34:09 brd ff:ff:ff:ff:ff:ff
       ...

2. Modify the device to enable or disable this property:

   - To enable the accept-all-mac-addresses mode for enp1s0:

         # ip link set enp1s0 promisc on

   - To disable the accept-all-mac-addresses mode for enp1s0:

         # ip link set enp1s0 promisc off
Verification
- Verify that the accept-all-mac-addresses mode is enabled:

      # ip link show enp1s0
      1: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
          link/ether 98:fa:9b:a4:34:09 brd ff:ff:ff:ff:ff:ff

  The PROMISC flag in the device description indicates that the mode is enabled.
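Checking one interface by eye does not scale to a host audit. The following script is an added example, not part of the original documentation: it lists every interface that carries the PROMISC flag in "ip -o link show"-style lines and tests the IFF_PROMISC bit (0x100) of a value read from /sys/class/net/<dev>/flags. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list interfaces that are in promiscuous mode.

# Read "ip -o link show"-style lines on stdin and print the name of every
# interface whose flag list (<...>) contains PROMISC.
promisc_from_ip_link() {
    awk -F': ' '{
        name = $2
        sub(/@.*/, "", name)            # "enp1s0.10@enp1s0" -> "enp1s0.10"
        if (match($0, /<[^>]*>/)) {
            flags = "," substr($0, RSTART + 1, RLENGTH - 2) ","
            if (index(flags, ",PROMISC,")) print name
        }
    }'
}

# Succeed if a hex flags value, as read from /sys/class/net/<dev>/flags,
# has the IFF_PROMISC bit (0x100) set.
flags_has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Constructed sample input (not captured from a real host).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc fq_codel state DOWN
3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
4: enp1s0.10@enp1s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

audit_sample() {
    printf '%s\n' "$SAMPLE_IP_LINK" | promisc_from_ip_link
}

# Live check through sysfs. The kernel also sets this bit while a packet
# capture tool holds the device in promiscuous mode.
audit_live() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        dev=${f%/flags}
        dev=${dev##*/}
        if flags_has_promisc "$(cat "$f")"; then
            printf '%s\n' "$dev"
        fi
    done
}

audit_sample
```

On a real host, pipe the output of ip -o link show into promisc_from_ip_link, or call audit_live, and compare the result with the interfaces you intentionally configured this way.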
44.2. Permanently configuring a network device to accept all traffic using nmcli
You can use the nmcli utility to permanently configure a network device to accept all traffic regardless of the MAC addresses.
Procedure
1. Optional: Display the network interfaces to identify the one for which you want to receive all traffic:

       # ip address show
       1: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
           link/ether 98:fa:9b:a4:34:09 brd ff:ff:ff:ff:ff:ff
       ...

   If you do not have a connection, you can create a new one.

2. Modify the network device to enable or disable this property.

   - To enable the ethernet.accept-all-mac-addresses mode for enp1s0:

         # nmcli connection modify enp1s0 ethernet.accept-all-mac-addresses yes

   - To disable the accept-all-mac-addresses mode for enp1s0:

         # nmcli connection modify enp1s0 ethernet.accept-all-mac-addresses no

3. Apply the changes by reactivating the connection:

       # nmcli connection up enp1s0
Verification
- Verify that the ethernet.accept-all-mac-addresses mode is enabled:

      # nmcli connection show enp1s0
      ...
      802-3-ethernet.accept-all-mac-addresses:1 (true)

  The 802-3-ethernet.accept-all-mac-addresses: true indicates that the mode is enabled.
44.3. Permanently configuring a network device to accept all traffic using nmstatectl
Use the nmstatectl utility to configure a device to accept all traffic regardless of the MAC addresses through the Nmstate API. The Nmstate API ensures that, after setting the configuration, the result matches the configuration file. If anything fails, nmstatectl automatically rolls back the changes to avoid leaving the system in an incorrect state.
Prerequisites
- The nmstate package is installed.
- The enp1s0.yml file that you used to configure the device is available.
Procedure
1. Edit the existing enp1s0.yml file for the enp1s0 connection and add the following content to it:

   These settings configure the enp1s0 device to accept all traffic.

2. Apply the network settings:

       # nmstatectl apply ~/enp1s0.yml
Verification
- Verify that the 802-3-ethernet.accept-all-mac-addresses mode is enabled:

  The 802-3-ethernet.accept-all-mac-addresses: true indicates that the mode is enabled.