FusionHub / InControl2 - Traffic Reporting

This is relating to ticket #20090515 which contains some more information and further testing we carried out but I was directed here to make a feature request.

Feature Request:
Adjust the way that the FusionHub dashboard and IC2 report traffic so by default it refelcts only packets actually processed by the FH directly; if necessary provide an additional view that would reflect the traffic arriving at the FH interface due to promiscuous mode.

Information & Observations:
This issue occurs when you have promiscuous mode enabled in a vmWare environment for the port group you connect the FusionHub WAN to.

In our vmWare environment we host multiple FusionHubs for different customers, the WAN interfaces for these hubs are all connected to the same port group which provides them with public IP addresses.

We also have other VMs / appliances connected to this port group which require us to enable promiscuous mode for them to function.

We have observed is that in this scenario when monitoring traffic for the FusionHubs either directly via the dashboard, or IC2 they are reporting traffic volume and throughput as an aggregate, e.g. if there is 20Mbps of traffic in/out of FH1, FH2 would show 40Mbps of downstream traffic.

This also applies if there is traffic to/from another VM on the same port group where we see that traffic being reported by the FusionHub and IC2.

SNMP counters for the FusionHubs do not appear to be affected and report only traffic actually processed by the hub.

I have screenshots and graphs demonstrating this behaviour but seems as a new user I can only attach them one at at time.

Current workaround:
Disabling promiscuous mode on the vmWare side resolves this issue, however that is not really viable for us in many locations as we need it turned on - for example IDS/IPS sensors which need to see all traffic passing through the vSwitch.

Support have also told us that promiscuous mode is required for any FH where you have a L2 SF VPN in use, however in our testing we have found that only the LAN interface of the FH needs to be connected to a port group with promiscuous mode enabled to allow the L2 SF VPN to work.

2 Likes

Screenshot 1:

FH1 WAN from IC2, this is legitimate traffic from connected SF peers.

Screenshot 2:
FH2 WAN from IC2, as you can see it is showing an identical traffic pattern to FH1 however during this time period it had no connected SF peers.

Screenshot 3:
FH1 WAN from the following day, again this is legitimate traffic from connected SF peers, at ~10:45 we disabled promisc mode on the vmWare side.

Screenshot 4:
FH2 WAN, again this has no connected SF peers during the time period and from ~10:45 when we disable promisc. mode it no longer reports traffic.

Screenshot 5:
Showing IC2 reporting traffic for an FH connected to the same port group with promisc. mode enabled as a Linux VM which is downloading a large file