Configuring IPFIX export on the VMware vSphere Distributed Switch (VDS) and monitoring the resulting traffic in SolarWinds
Traffic analysis in a virtual switch environment is important for understanding how load is distributed across a virtual infrastructure. By analyzing flows you can also detect virtual machine migrations. In this article we cover the IPFIX export settings on the VMware virtual switch side and what SolarWinds can do with the exported data. At the end of the article there is a link to the SolarWinds online demo (access without registration, and that is not a figure of speech).
For VDS traffic to be recognized correctly, you first need to set up the connection to vCenter, and only then analyze the traffic and display the flow sources, that is, the hypervisors the records are received from. If desired, the switch can be configured to send all IPFIX records from a single IP address bound to the VDS, but in most cases it is more informative to see the data extracted from the traffic received from each hypervisor separately. The traffic that arrives represents connections to or from the virtual machines running on those hypervisors.
Another available option is to export internal flows only. This option drops flows that are handled by an external physical switch and prevents duplicate flow records for connections to and from the VDS. It is more useful, however, to leave this option disabled and observe all the flows that are visible on the VDS.
Configuring flow export from VDS
Let's start by adding a vCenter instance to SolarWinds. After that, NTA (NetFlow Traffic Analyzer) will have the configuration information for the virtualization platform.
Go to the "Manage Nodes" menu, then "Settings", and select "Add Node". Enter the IP address or fully qualified domain name of the vCenter instance and select "VMware, Hyper-V, or Nutanix entities" as the polling method.
In the Add Host dialog box, add the credentials for the vCenter instance and test them to complete the setup.
The initial poll of the vCenter instance takes some time, usually 10-20 minutes. Wait for it to complete, and only then enable IPFIX export on the VDS.
After vCenter monitoring is set up and the inventory data about the virtualization platform has been collected, we enable IPFIX record export on the switch. The fastest way to do this is through the vSphere client. Go to the "Networking" tab, select the VDS, and on the "Configure" tab find the current NetFlow settings. VMware uses the term "NetFlow" for flow export, but the protocol actually used is IPFIX.
To enable flow export, select "Settings" in the "Actions" menu at the top and go to "Edit NetFlow".
In this dialog box, enter the IP address of the collector, which is the Orion (SolarWinds) instance. Port 2055 is normally used by default. We recommend leaving the "Switch IP Address" field blank, so that flow records are sent from each hypervisor individually. This gives you more flexibility when filtering the flow data by hypervisor later.
Leave the "Process internal flows only" option disabled, so that you can see all communications, both internal and external.
Once flow export is enabled on the VDS, you also need to enable it on the distributed port groups from which you want to receive data. The easiest way is to right-click the VDS in the navigation pane and select "Distributed Port Group", then "Manage Distributed Port Groups".
A dialog box opens in which you select the "Monitoring" checkbox and click "Next".
In the next step, select specific port groups or all of them.
In the following step, switch NetFlow to "Enabled".
When flow export is enabled on the VDS and on the distributed port groups, you will see flow records for the hypervisors start arriving at the NTA instance.
The hypervisors appear in the list of flow sources on the Manage Flow Sources page in NTA; switch the view to Nodes.
You can see these settings on the demo stand. Note the ability to filter at the node level, by protocol, and so on.
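A quick check a practitioner may want once export is enabled: confirm that what lands on the collector port (2055 by default) really is IPFIX (version 10) rather than NetFlow v5/v9, and that flow records decode as expected. The parser below is an added example, not code from the original article or from VMware or SolarWinds; the datagram it decodes is constructed inline from the IPFIX Information Elements a VDS flow record carries (addresses, ports, protocol, byte count). The hypervisor that sent a record is identified by the UDP source address of the datagram, not by a field inside the message, which is why leaving "Switch IP Address" blank lets the collector tell hypervisors apart.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# RFC 7011 / IANA Information Element ids used by the constructed sample.
IE_NAMES = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
            8: "sourceIPv4Address", 11: "destinationTransportPort", 12: "destinationIPv4Address"}
IPV4_IES = {8, 12}

def parse_ipfix(data: bytes) -> Tuple[int, int, List[Dict[str, object]]]:
    """Decode one IPFIX message: returns (version, observation domain id, flow records).
    Template sets (set id 2) define record layouts; data sets (id >= 256) are decoded
    with the template they reference. Options templates and variable-length IEs are not handled."""
    version, length, _export_time, _seq, domain = struct.unpack("!HHIII", data[:16])
    if version != 10:  # a NetFlow v5 or v9 exporter would put 5 or 9 here
        raise ValueError(f"not IPFIX: version {version}")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    records: List[Dict[str, object]] = []
    pos = 16
    while pos < length:
        set_id, set_len = struct.unpack("!HH", data[pos:pos + 4])
        body, pos = data[pos + 4:pos + set_len], pos + set_len
        if set_id == 2:  # template: template id, field count, then (ie id, ie length) pairs
            tid, count = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(count)]
        elif set_id >= 256:  # data set; trailing padding shorter than one record is ignored
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            for off in range(0, len(body) - rec_len + 1, rec_len):
                rec: Dict[str, object] = {}
                cursor = off
                for ie, flen in fields:
                    raw = body[cursor:cursor + flen]
                    cursor += flen
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = (str(ipaddress.IPv4Address(raw)) if ie in IPV4_IES
                                                        else int.from_bytes(raw, "big"))
                records.append(rec)
    return version, domain, records

def build_sample() -> bytes:
    """Constructed sample datagram: one template (id 256) and one TCP flow record."""
    tmpl_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(tmpl_fields)) + b"".join(struct.pack("!HH", *f) for f in tmpl_fields)
    tmpl_set = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    flow = bytes([10, 0, 0, 5]) + bytes([10, 0, 0, 7]) + struct.pack("!HHBQ", 51515, 443, 6, 123456)
    data_set = struct.pack("!HH", 256, 4 + len(flow)) + flow
    payload = tmpl_set + data_set
    header = struct.pack("!HHIII", 10, 16 + len(payload), 1700000000, 1, 42)  # version 10 = IPFIX
    return header + payload
```

In a live check, feed each datagram read from a UDP socket bound to the collector port into parse_ipfix and keep the datagram's source address alongside the records.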
Integration with the other SolarWinds modules in a single interface lets you investigate from several angles: which users logged in to a virtual machine, the server's performance (see the demo) and the applications running on it, the related network devices, and much more. For example, if your network infrastructure uses NBAR2, SolarWinds NTA can recognize Zoom, Teams or Webex traffic.
The main goal of this article is to show how simple monitoring setup is in SolarWinds and how complete the collected data is. SolarWinds gives you the chance to see the full picture of what is happening. If you would like a presentation of the solution or want to try everything in your own environment, leave a request via the feedback form or call us.
On Habr we also have an article about free SolarWinds solutions.