Hey Habr! In early July, Solarwinds announced the release
Analyzing traffic in a virtual switch environment is important for understanding how load is distributed across a virtual infrastructure. Traffic analysis also lets you detect virtual machine migrations. In this article, we will talk about the IPFIX export settings on the VMware virtual switch side and about what Solarwinds can do with the exported data. At the end of the article there will be a link to the Solarwinds online demo (access without registration, and this is not a figure of speech).
For traffic from a VDS to be recognized correctly, you first need to configure a connection through the vCenter interface, and only then analyze traffic and display the traffic exchange points received from hypervisors. Optionally, the switch can be configured so that all IPFIX records arrive from a single IP address bound to the VDS, but in most cases it is more informative to see the data extracted from the traffic received from each hypervisor. The incoming traffic will represent connections from or to virtual machines located on the hypervisors.
Another available configuration option is to export only internal flows. This option excludes flows that are processed on the external physical switch and prevents duplicate traffic entries for connections to and from the VDS. But it is more useful to disable this option and watch all the flows that are visible in the VDS.
Configuring traffic from VDS
Let's start by adding a vCenter instance to Solarwinds. The NTA will then have information about the configuration of the virtualization platform.
Go to the "Manage Nodes" menu, then "Settings" and select "Add Node". After that, enter the IP address or FQDN of the vCenter instance and select "VMware, Hyper-V, or Nutanix entities" as the polling method.
Go to the add host dialog, add the vCenter instance credentials and test them to complete the setup.
The initial polling of the vCenter instance will take some time, typically 10-20 minutes. You need to wait for it to complete, and only then enable IPFIX export on the VDS.
After configuring vCenter monitoring and obtaining inventory data on the virtualization platform configuration, enable the export of IPFIX records on the switch. The fastest way to do this is through the vSphere client. Go to the "Networking" tab, select the VDS, and on the "Configure" tab find the current settings for NetFlow. VMware uses the term "NetFlow" to refer to flow export, but the actual protocol that is used is IPFIX.
To enable flow export, select "Settings" from the "Actions" menu at the top and navigate to "Edit NetFlow".
In this dialog box, enter the IP address of the collector, which is also the Orion instance. By default, port 2055 is usually used. We recommend that you leave the Switch IP Address field empty, so that flow records are received specifically from the hypervisors. This gives flexibility in further filtering the data flow from hypervisors.
Leave the "Process internal flows only" field disabled, which will allow you to see all communications, both internal and external.
Once you enable flow export for the VDS, you will also need to enable it for the distributed port groups that you want to receive data from. The easiest way to do this is to right-click the VDS in the navigation bar and select "Distributed Port Group" and then "Manage Distributed Port Groups".
A dialog box will open in which you need to check the "Monitoring" box and click "Next".
In the next step, you can select specific or all port groups.
In the next step, switch NetFlow to "Enabled".
When flow export is enabled on the VDS and the distributed port groups, you will see flow records from the hypervisors begin to arrive in the NTA instance.
Hypervisors can be seen in the list of flow data sources on the Manage Flow Sources page in NTA. Switch to "Nodes".
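To check outside NTA that what arrives on the collector port really is IPFIX (version 10) and that each hypervisor acts as its own exporter, here is an added example, not taken from the original article or from Solarwinds or VMware code, that decodes an IPFIX message per RFC 7011 with a template cache keyed by exporter address. The sample bytes, the exporter addresses used with it and the function name are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# IANA information element IDs that appear in the constructed sample below
IE = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
      8: "sourceIPv4Address", 11: "destinationTransportPort",
      12: "destinationIPv4Address"}
# Constructed IPFIX message (not captured traffic): template 256 and one record
SAMPLE = bytes.fromhex(
    "000a004c" "60000000" "00000000" "00000001"           # message header
    "00020020" "01000006" "00080004" "000c0004"           # template set
    "00070002" "000b0002" "00040001" "00010008"
    "0100001c0a0000050a000009c00001bb0600000000000005dc000000")  # data set + pad

def parse_message(exporter, data, templates):
    """Decode one IPFIX message into flow records; templates is a shared cache."""
    version, length, _time, _seq, domain = struct.unpack_from("!HHIII", data, 0)
    if version != 10:  # NetFlow v9 would carry 9 in this field
        raise ValueError(f"{exporter}: version {version} is not IPFIX")
    if length != len(data):
        raise ValueError(f"{exporter}: header length does not match datagram")
    records, pos = [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", data, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError(f"{exporter}: malformed set length")
        body, off = data[pos + 4:pos + set_len], 0
        pos += set_len
        fields = templates.get((exporter, domain, set_id), [])
        size = sum(flen for _, flen in fields)
        while set_id == 2 and off + 4 <= len(body):  # template set
            tid, count = struct.unpack_from("!HH", body, off)
            if tid < 256:  # padding at the end of the set
                break
            off, spec = off + 4, []
            for _ in range(count):
                ie, flen = struct.unpack_from("!HH", body, off)
                off += 8 if ie & 0x8000 else 4  # enterprise bit: 4-byte PEN follows
                spec.append((ie & 0x7FFF, flen))
            templates[exporter, domain, tid] = spec
        # data set: decoded only when its template is known and fixed-length
        fixed = size and all(flen != 0xFFFF for _, flen in fields)
        while fixed and off + size <= len(body):
            rec = {}
            for ie, flen in fields:
                raw, off = body[off:off + flen], off + flen
                rec[IE.get(ie, f"ie{ie}")] = (str(IPv4Address(raw)) if ie in (8, 12)
                                              else int.from_bytes(raw, "big"))
            records.append(rec)
    return records
```

Pass the UDP source address of each datagram as `exporter`: a data set from a hypervisor whose template has not been seen yet is skipped rather than decoded with another host's template.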
You can see the results of the settings
Integration with other Solarwinds modules in one interface allows you to conduct investigations in various sections: see which users logged into the virtual machine, server performance
The main goal of the article is to show the ease of setting up monitoring in Solarwinds and the completeness of the data collected. In Solarwinds there is a chance to see the full picture of what is happening. If you want a presentation of the solution or check everything for yourself, leave a request in
On Habré we also have an article about
Source: habr.com