Enabling NetFlow on Virtual Switches ESX Server 3.5



Similar documents
Symantec Event Collector for Cisco NetFlow version 3.7 Quick Reference

Using esxtop to Troubleshoot Performance Problems

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

UltraFlow -Cisco Netflow tools-

Virtual Networking Features of the VMware vnetwork Distributed Switch and Cisco Nexus 1000V Series Switches

Performance of VMware vcenter (VC) Operations in a ROBO Environment TECHNICAL WHITE PAPER

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

VirtualCenter Database Maintenance VirtualCenter 2.0.x and Microsoft SQL Server

EMIST Network Traffic Digesting (NTD) Tool Manual (Version I)

ACE Management Server Deployment Guide VMware ACE 2.0

Configuring Multiple ACE Management Servers VMware ACE 2.0

Appendix A Remote Network Monitoring

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

VMware Virtual Desktop Manager User Authentication Guide

Configuration Maximums VMware Infrastructure 3

Using AnywhereUSB to Connect USB Devices

Running VirtualCenter in a Virtual Machine

Web Services for Management Perl Library VMware ESX Server 3.5, VMware ESX Server 3i version 3.5, and VMware VirtualCenter 2.5

Integration with Active Directory

Performance Characteristics of VMFS and RDM VMware ESX Server 3.0.1

SonicOS 5.8: NetFlow Reporting

Using VMware ESX Server With Hitachi Data Systems NSC or USP Storage ESX Server 3.0.2

Guest Operating System. Installation Guide

NetFlow v9 Export Format

Using VMware ESX Server with IBM System Storage SAN Volume Controller ESX Server 3.0.2

VirtualCenter Database Performance for Microsoft SQL Server 2005 VirtualCenter 2.5

W H I T E P A P E R. Understanding VMware Consolidated Backup

What s New in VMware vsphere 5.5 Networking

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

SAN Conceptual and Design Basics

VMware ESX Server Q VLAN Solutions W H I T E P A P E R

vsphere Networking ESXi 5.0 vcenter Server 5.0 EN

Monitoring VMware ESX Virtual Switches

vsphere Networking vsphere 5.5 ESXi 5.5 vcenter Server 5.5 EN

LogLogic Cisco NetFlow Log Configuration Guide

Virtual Machine Encryption Basics

W H I T E P A P E R. Optimized Backup and Recovery for VMware Infrastructure with EMC Avamar

vsphere Networking vsphere 6.0 ESXi 6.0 vcenter Server 6.0 EN

VMware vsphere 5.0 Evaluation Guide

StarWind iscsi SAN Software: Using StarWind with VMware ESX Server

Cisco IOS NetFlow Version 9 Flow-Record Format

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

Netflow Collection with AlienVault Alienvault 2013

VMware Consolidated Backup

Lab Characterizing Network Applications

Configuring NetFlow Switching

Multipathing Configuration for Software iscsi Using Port Binding

SolarWinds Technical Reference

CISCO IOS NETFLOW AND SECURITY

Storage Protocol Comparison White Paper TECHNICAL MARKETING DOCUMENTATION

Migrating a Windows PC to Run in VMware Fusion VMware Fusion 2.0

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

Integrated Citrix Servers

Legacy Host Licensing with vcenter Server 4.x ESX 3.x/ESXi 3.5 and vcenter Server 4.x

What s New in VMware vsphere 5.0 Networking TECHNICAL MARKETING DOCUMENTATION

Oracle Database Scalability in VMware ESX VMware ESX 3.5

W H I T E P A P E R. Best Practices for Building Virtual Appliances

Getting Started with ESXi Embedded


Cisco IOS Flexible NetFlow Technology

Performance Evaluation of VMXNET3 Virtual Network Device VMware vsphere 4 build

How to Create a Virtual Switch in VMware ESXi

Managing Remote Access

Scrutinizer. Getting Started Guide. A message from Plixer International:

Configuring NetFlow Data Export (NDE)

Configuration Maximums VMware vsphere 4.1

Configuring SNMP and using the NetFlow MIB to Monitor NetFlow Data

Ethernet-based Storage Configuration

NetFlow Analytics for Splunk

Installing and Configuring vcenter Multi-Hypervisor Manager

Introduction to Cisco IOS Flexible NetFlow

SolarWinds Technical Reference

Migrating to vcloud Automation Center 6.1

Unified network traffic monitoring for physical and VMware environments

Performance Analysis Methods ESX Server 3

Ready Time Observations

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Solution Brief Availability and Recovery Options: Microsoft Exchange Solutions on VMware

vcloud Director User's Guide

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Troubleshooting Procedures for Cisco TelePresence Video Communication Server

Using SolarWinds Orion for Cisco Assessments

How to Configure an Initial Installation of the VMware ESXi Hypervisor

Basic System Administration ESX Server and Virtual Center 2.0.1

Active Fabric Manager (AFM) Plug-in for VMware vcenter Virtual Distributed Switch (VDS) CLI Guide

Administrator Guide VMware vcenter Server Heartbeat 6.3 Update 1

VMware vcenter Update Manager Administration Guide

Apache CloudStack 4.x (incubating) Network Setup: excerpt from Installation Guide. Revised February 28, :32 pm Pacific

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

VMware vcenter Configuration Manager SQL Migration Helper Tool User's Guide vcenter Configuration Manager 5.6

Improving Scalability for Citrix Presentation Server

Virtual Managment Appliance Setup Guide

ESX 4 Patch Management Guide ESX 4.0

Installing and Configuring vcenter Support Assistant

VMware vcenter Configuration Manager and VMware vcenter Application Discovery Manager Integration Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

ESX Server 3 Configuration Guide Update 2 and later for ESX Server 3.5 and VirtualCenter 2.5

Transcription:

Technical Note Enabling NetFlow on Virtual Switches ESX Server 3.5 NetFlow is a general networking tool with multiple uses, including network monitoring and profiling, billing, intrusion detection and prevention, networking forensics, and SOX compliance. NetFlow sends aggregated networking flow data to a third party collector (an appliance or server). The collector and analyzer report on various information such as the current top flows consuming the most bandwidth in a particular virtual switch, which IP addresses are behaving irregularly, and the number of bytes a particular virtual machine has sent and received in the past 24 hours. NetFlow is a mature technology, developed by Cisco, that is widely supported by third party collectors. NetFlow enables visibility into virtual machine traffic in a virtualized server farm. ESX Sever 3.5 NetFlow Experimental Support NetFlow support in ESX Server 3.5 is experimental and supports only a limited set of the standard NetFlow features commonly found on physical switches today. Although the activation of NetFlow should not create stability issues, overall performance of the ESX Server host may be affected. ESX Server 3.5 supports only a subset of the NetFlow Version 5 specification. Details about the limitations of the ESX Server implementation are described in Limitations of NetFlow in ESX Server 3.5 on page 4. How to Activate NetFlow Support in ESX Server 3.5 Enter the commands needed to activate NetFlow using the service console on the ESX Server host. You can enter the commands over an SSH connection or directly at the ESX Server host. Take the following steps to activate NetFlow: 1 Prepare ESX Server for NetFlow configuration. Make sure the VMkernel TCP/IP stack is properly configured and that a VMkernel virtual interface (vmknic) exists on the network where your collector is located. The ESX Server implementation of NetFlow uses the ESX Server TCP/IP stack to send NetFlow packets on the network. 2 Load the NetFlow module. Enter the following command: vmkload_mod netflow You see the following response from the system: Using /usr/lib/vmware/vmkmod/netflow Module load of netflow succeeded. Copyright 2007 VMware, Inc. All rights reserved. 1

3 Confirm that the NetFlow module is loaded. Enter the following command: vmkload_mod -l grep netflow You see a response from the system similar to the following: netflow 0xc2e000 0x6000 0x2bf53a0 0x1000 16 Yes 4 Configure NetFlow Use the application called net-netflow for the remaining configuration steps. The application is located in /usr/lib/vmware/bin/ and takes multiple parameters, as shown in the following example: net-netflow -e <vswitchname> <collectorhostname:port> The minimum parameters required include: Names of the virtual switches where NetFlow will be activated Host IP address and port number of the NetFlow collector/analyzer NOTE Multiple virtual switch names can be provided at one time, separated by commas. NOTE If the port number is not provided, port 2055 is the default. Configuration Examples Use the vmkload_app wrapper to execute the net-netflow command. The vmkload_app wrapper is also in /usr/lib/vmware/bin/. The following examples show how to enter the commands for specific configurations. Example 1 To enable NetFlow on vswitch0 and send NetFlow data to 10.6.125.84 on port 4242, enter the following command on one line with no line break: /usr/lib/vmware/bin/vmkload_app -i vmktcp /usr/lib/vmware/bin/net-netflow -e vswitch0 10.6.125.84:4242 Example 2 To enable NetFlow on the virtual switches named vswitch0, prod1, and test2 and send NetFlow data to 10.6.125.84 on port 4242, enter the following command on one line with no line break: /usr/lib/vmware/bin/vmkload_app -i vmktcp /usr/lib/vmware/bin/net-netflow -e vswitch0,prod1,test2 10.6.125.84:4242 NOTE vmkload_mod and vmkload_app are unsupported commands in ESX Server. Do not try to use them for other purposes. Detailed Configuration Notes If a virtual switch name does not exist, or registration with one of the virtual switches fails, net-netflow prints an error and exits immediately. Because NetFlow Version 5 uses UDP as the transfer protocol, no point to point connection is initiated with the collector and net-netflow cannot immediately detect if it is not able to contact the collector. In such a case, net-netflow continues to run but periodically and asynchronously prints messages about the loss of its UDP packets. NOTE NetFlow analysis begins as soon as net-netflow is started. NetFlow quickly starts to send packets through the VMkernel stack. Copyright 2007 VMware, Inc. All rights reserved. 2

To deactivate NetFlow, halt net-netflow by sending it a signal. To do so, press Ctrl C if the instance is in the foreground of the current command prompt or enter a kill command for its corresponding PID. When you kill net-netflow, all the virtual switches registered for NetFlow are automatically unregistered and exporting of NetFlow export packets promptly stops. NOTE This implies that in order to change the set of virtual switches on which NetFlow is enabled, you must first kill the current net-netflow process instance, then initiate a new instance specifying a new set of virtual switches. This completely resets the exporting process and does not cause issues with any of the collectors VMware tested. You may find it impractical to monopolize the service console for net-netflow. To run net-netflow as a daemon, add the -S parameter to vmkload_app as shown in the following example, which you enter on one line with no line break: /usr/lib/vmware/bin/vmkload_app -S -i vmktcp /usr/lib/vmware/bin/net-netflow -e vswitch0 nf-collector1.mycompany.com:4242 This command launches net-netflow in the background, and you can use or terminate the command console session without affecting the net-netflow process. To halt NetFlow when net-netflow is running as a daemon, you must enter a kill command for its corresponding PID. Additional Configuration Options The net-netflow application has several option parameters. -e <vswitch1[,vswitch2[,...]]> The list of virtual switches on which NetFlow should be activated, as shown in Configuration Examples on page 2. -h Prints usage a quick way to retrieve usage information. -v Verbose. Causes net-netflow to output a brief summary of the flows sent on the network. This output may be useful for debugging purposes. This option may have slight performance impact if used on a busy network. -s <v> The net-netflow program periodically polls the VMkernel for flows to export. The default polling period is 1 second (1000ms). If you see a ʺMaximum purgatory size reachedʺ message in the VMkernel log, you have reached the maximum flow queue limit. In this situation, some flows may be dropped. Lowering the polling period may solve this problem. For example, -s 100 changes the polling period to 100ms. -p Use an alternate method of recording the port IDs in flow records. In ESX Server, it is possible to run multiple virtual switches on the same host. The NetFlow specification and current collectors do not deal well with the fact that one source IP address does not necessarily correlate to a single virtual switch. NetFlow on ESX Server embeds the virtual switch ID into the enginetype and engineid fields of the header of each NetFlow export packet. (Flows from different virtual switches are always sent in separate packets.) Most collectors ignore these fields. In this case, interfaces on different virtual switches that have the same local ID are merged or aggregated into a single interface by the collector, mixing their flows together. If your collector shows this behavior, you can use this option to change the way source port IDs and destination port IDs are encoded. Copyright 2007 VMware, Inc. All rights reserved. 3

When you use the -p option, the port IDs written in each flow record (the srcport and dstport fields of each flow record) are modified using the virtual switch s ID. The virtual switch s ID is stored in the seven most significant bytes (MSBs) of these fields, along with the original port ID located in the nine least significant bytes (LSBs). This is summarized in the following table (p = port ID; v = virtual switch ID): Bit 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 ID v v v v v v v p p p p p p p p p For example, if the source port of a flow is located on interface 13 of virtual switch 2, the srcport is filled as shown in the following table: Bit 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 ID 0 0 0 0 0 1 1 0 0 0 0 0 1 1 0 1 The interface appears as interface 1549 in your collector. This option provides a way to generate unique port IDs per ESX Server host while still offering the possibility of retrieving information identifying the specific virtual machine referred to in each ID. Limitations of NetFlow in ESX Server 3.5 NetFlow export is supported on ESX Sever 3.5 only as an experimental feature. Additionally, ESX Sever 3.5 exports flows in the NetFlow Version 5 format, with the following information missing (the corresponding fields have a value of zero): IP address of next hop router ( nexthop in the specification) Autonomous system number of the source, either origin or peer ( src_as in the specification) Autonomous system number of the destination, either origin or peer ( dst_as in the specification) Source address prefix mask bits ( src_mask in the specification) Destination address prefix mask bits ( dst_mask in the specification) The lack of any of these fields should not cause problems with any of the major collectors. The idle timeout and active timeout are respectively statically set to 15 seconds and 5 minutes. Currently these values are not changeable. There is no way to dynamically change the set of virtual switches where NetFlow is enabled. To make a change, you must kill the previous net-netflow process and launch a new one. There is no sampling mode available on this version of ESX Server. This implementation should not be used to do strict traffic accounting. Although the implementation is generally quite accurate, memory pressure conditions and network congestion may result in dropped flows, without any way to retrieve them. In order to enable and configure NetFlow, you must use the service console directly. With ESX Sever 3.5, there is no support for configuring or managing NetFlow using VirtualCenter or the remote command line interface. This means NetFlow is not supported in ESX Server 3i environments. Copyright 2007 VMware, Inc. All rights reserved. 4

Cautions on Using NetFlow in ESX Server 3.5 Do not launch more than one instance of net-netflow. Do not launch two net-netflow instances at the same time. Although in theory this should be safe, the configuration has not been tested. It may lead to unexpected behavior. Do not delete a virtual switch that has NetFlow activated. Deleting a virtual switch with NetFlow activated may cause ESX Server to become unstable. VMware, Inc. 3401 Hillview Ave., Palo Alto, CA 94304 www.vmware.com Copyright 2007 VMware, Inc. All rights reserved. Protected by one or more of U.S. Patent Nos. 6,397,242, 6,496,847, 6,704,925, 6,711,672, 6,725,289, 6,735,601, 6,785,886, 6,789,156, 6,795,966, 6,880,022, 6,944,699, 6,961,806, 6,961,941, 7,069,413, 7,082,598, 7,089,377, 7,111,086, 7,111,145, 7,117,481, 7,149, 843, 7,155,558, 7,222,221, 7,260,815, 7,260,820, 7,269,683, 7,275,136, 7,277,998, 7,277,999, 7,278,030, and 7,281,102; patents pending. VMware, the VMware boxes logo and design, Virtual SMP and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. All other marks and names mentioned herein may be trademarks of their respective companies. Revision 20071108 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information