Netgate Discussion Forum
    Port Spanning for multiple VLAN's on XG7100

    Official Netgate® Hardware
    5 Posts 2 Posters 875 Views
    • Mael

      I'm setting up Security Onion to monitor traffic on my network and needed some advice on the best way to get traffic from the various VLANs to my monitoring port on the Security Onion VM. Here's an overview of my setup:

      Physical Cabling

      Cable Modem --> WAN (igc0) on XG7100 / LAN (ix1) ---> Unifi Switch Port 10

      VLANs
      LAN - This is my trusted network segment. Certain hosts on this network can access the other VLANs
      GUEST - This supports my wireless guests. This VLAN can only talk to the internet.
      IOT - IoT devices live here and this VLAN can only talk to the internet.
      CAMERA - This is where my security cameras live. This VLAN cannot talk to the internet or other VLANs

      Security Onion is running on a VM hosted on ESXi. I've created a new virtual switch running in promiscuous mode and assigned an open port from the host. I created a port mirror on the switch for port 10 and cabled that into the open port on the host assigned to the virtual switch.

      With this setup I'm able to sniff all the traffic in and out of the LAN VLAN, but I can't see any traffic originating from the other VLANs.

      I'm trying to figure out the best approach to capturing the traffic from the other VLANs and was hoping to do that with a spanning bridge on the XG7100. The bridge would include the GUEST, IOT and CAMERA VLANs as members and I would assign a newly created MIRROR VLAN tied to ETH7 as the span port for the bridge. ETH7 would then be cabled into another open port on the ESXi host and that port would be assigned to the same virtual switch as the port coming from the switch used to mirror port 10 LAN traffic.

      I have a couple of questions:

      1 - Will the approach work based on what I've posted above?
      2 - Do I need to create firewall rules to permit all traffic from the GUEST, IOT and CAMERA VLAN to access the new MIRROR VLAN? I'm guessing the answer is yes, but wanted to confirm.
      3 - By creating the bridge with the three isolated VLANs, will I need to create additional firewall rules to prevent traffic from one isolated VLAN from being able to access another isolated VLAN?

      • AndyRH

        Maybe I am missing a step...
        Trunk all of the VLANs to the 1 port on the switch and create tagged interfaces for the guest to listen to everything.

        o||||o
        7100-1u

        • Mael @AndyRH

          @andyrh - Interesting approach. I'm already trunking all the VLANs through the LAN (ix1) ---> Unifi Switch Port 10 connection. Let me see what happens when I add additional tagged monitoring interfaces to the VM (one per VLAN).

          • Mael

            It turns out the solution was pretty simple. I was able to route all VLAN traffic to the single monitoring interface on the VM by switching the VLAN for the monitoring interface from none to All (4095) on the ESXi virtual switch.

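Once the ESXi port group is set to VLAN ID 4095 the monitoring VM receives frames with their 802.1Q tags intact, so the first check a defender wants is whether every expected VLAN actually shows up on the span, and not just the native LAN. The script below is an added example written for this thread, not code from the poster or from Netgate: it parses 802.1Q (and stacked 802.1ad) tags out of raw Ethernet frames and reports which VLANs never appeared. The VLAN IDs (GUEST 20, IOT 30, CAMERA 40) and the sample frames are constructed, since the thread never states the real IDs; on a live sensor you would feed it frames read from the monitoring interface or a pcap instead.

```python
import struct
from collections import Counter

# 802.1Q and 802.1ad (QinQ) tag protocol identifiers
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_QINQ = 0x88A8
ETHERTYPE_IPV4 = 0x0800

# Hypothetical VLAN IDs for the poster's segments (the thread never gives them).
EXPECTED_VLANS = {"GUEST": 20, "IOT": 30, "CAMERA": 40}


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, payload, vlans=(), ethertype=ETHERTYPE_IPV4, pcp=0):
    """Construct an Ethernet frame. `vlans` lists tags outer-to-inner; the
    outer tag of a stacked pair uses the 802.1ad TPID, as a switch would."""
    frame = mac_bytes(dst) + mac_bytes(src)
    for i, vid in enumerate(vlans):
        tpid = ETHERTYPE_QINQ if i < len(vlans) - 1 else ETHERTYPE_VLAN
        tci = (pcp << 13) | (vid & 0x0FFF)
        frame += struct.pack("!HH", tpid, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, the VLAN IDs (outer-to-inner), the EtherType of the
    encapsulated payload and the payload itself."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vlans = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VID
        offset += 4
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def vlan_coverage(frames, expected):
    """Count frames per VLAN (innermost tag; 0 = untagged/native) and report
    which expected VLANs never appeared on the monitoring port."""
    counts = Counter()
    for frame in frames:
        tags = parse_frame(frame)["vlans"]
        counts[tags[-1] if tags else 0] += 1
    missing = sorted(vid for vid in expected.values() if counts[vid] == 0)
    return counts, missing


# Constructed capture: one untagged LAN frame, one GUEST, two IOT, and a
# double-tagged frame whose inner VID is GUEST. Nothing from CAMERA (40).
_IP = b"\x45" + b"\x00" * 19
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", _IP),
    build_frame("00:11:22:33:44:ff", "00:11:22:33:44:02", _IP, vlans=(20,)),
    build_frame("00:11:22:33:44:ff", "00:11:22:33:44:03", _IP, vlans=(30,)),
    build_frame("00:11:22:33:44:ff", "00:11:22:33:44:04", _IP, vlans=(30,)),
    build_frame("00:11:22:33:44:ff", "00:11:22:33:44:05", _IP, vlans=(100, 20)),
]

if __name__ == "__main__":
    counts, missing = vlan_coverage(SAMPLE_FRAMES, EXPECTED_VLANS)
    for vid, n in sorted(counts.items()):
        print(f"VLAN {vid or 'untagged':>8}: {n} frame(s)")
    for vid in missing:
        name = next(k for k, v in EXPECTED_VLANS.items() if v == vid)
        print(f"WARNING: no frames from {name} (VLAN {vid}) reached the span port")
```

A VLAN that is configured but never produces a frame on the span is the failure mode from the original post (LAN visible, everything else silent), so the missing list is the value worth alerting on; the untagged bucket separately confirms the native VLAN is still arriving after the port group change.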
            • AndyRH

              Much better than pushing it through the FW. Glad my wrong idea helped.


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.