Monitoring Virtual Data Centers: It’s Business as Usual Now

 Kate Brew

Virtualization is wonderful. It is green, it saves space, and it saves money.

There is a flip side to all this goodness. While highly efficient, virtualization creates a major problem for network engineers managing the performance and service level of the network. That problem is a lack of data access for monitoring and debugging.  To date, virtualized environments have been veritable “black holes” from a network engineering perspective.

In vSphere 5.0, VMware greatly enhanced its vNetwork Distributed Switch (VDS) with NetFlow support and Port Mirroring, the ability to SPAN encrypted virtual traffic to the physical world and decrypt it. This allows monitoring in a virtual environment, both intra-host and inter-host.

What does this mean?

Network engineers can now use existing network monitoring and security tools in virtualized environments.

With this new feature, monitoring tools now have visibility into both the physical and the virtual. Monitoring can be set up for Ingress or Egress traffic on the VM's port, with direction taken from the switch's point of view: if you want to monitor traffic going out of a virtual machine towards the VDS, it's Ingress traffic.

There’s a really nice blog on the VMware site that offers how-to information on setting up the vDS: http://blogs.vmware.com/networking/2011/08/vsphere-5-new-networking-features-port-mirroring.html.

There’s also a nice video that shows Wireshark monitoring VM-VM traffic using the vDS:  http://www.ntpro.nl/blog/archives/1825-Video-How-to-setup-a-vSphere-5-Port-Mirror.html

Monitoring Optimization for Virtual Switches

While network engineers have been struggling to get visibility into virtualized data centers, the need for monitoring, compliance and security has actually increased. Anue Systems offers a network monitoring switch, the Net Tool Optimizer (NTO), which provides improved network visibility by aggregating data for network performance and security tools. VMware's new port mirroring functionality allows the Anue NTO to combine both physical and virtual data for a holistic network view.

Let’s have a look at how this might work.

Configuring the Anue control panel to aggregate input from the VDS

This is the main diagram. I set up a VDS network port (P03).


Then I configure the VDS network port.

I can set up specific filter criteria.

Just like in physical networks, filtering is important. The NTO’s sophisticated filtering capabilities make it possible to deliver just the data needed for analysis to network tools.

One problem we see with port mirroring in a virtual switch is the generation of redundant packets. The NTO offers line-rate packet de-duplication, which is the ideal solution to this problem.  The NTO also provides packet trimming, which helps enhance security by removing unnecessary payload before delivering data to security and monitoring tools.
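To make the two functions named above concrete, here is an added example that is not Anue's NTO code or any VMware code: it takes a feed of mirrored frames as a monitoring tool would receive them, drops byte-identical copies that arrive within a short time window (the kind of duplicate you get when the same frame is mirrored at both the VM's ingress and egress), and trims each kept frame down to its Ethernet/IPv4/transport headers so that payload never reaches the tool. The frames, the 50 ms window and the `process_mirror_feed` name are all constructed assumptions for the illustration.

```python
import hashlib
import struct
from collections import deque

ETH_HDR_LEN = 14
IPV4_ETHERTYPE = b"\x08\x00"


def build_frame(src_ip, dst_ip, sport, dport, payload, ttl=64):
    """Build a minimal Ethernet/IPv4/UDP frame. Constructed sample data, not a real capture."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, ttl, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + IPV4_ETHERTYPE
    return eth + ip + udp


def header_length(frame):
    """Bytes covering Ethernet + IPv4 + transport headers; the whole frame if not IPv4/TCP/UDP."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != IPV4_ETHERTYPE:
        return len(frame)
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4          # IPv4 header length from the IHL nibble
    proto = frame[ETH_HDR_LEN + 9]
    l4_start = ETH_HDR_LEN + ihl
    if proto == 6 and len(frame) >= l4_start + 13:  # TCP: data offset gives header length
        l4_len = (frame[l4_start + 12] >> 4) * 4
    elif proto == 17:                                # UDP: fixed 8-byte header
        l4_len = 8
    else:
        l4_len = 0
    return min(len(frame), l4_start + l4_len)


def trim_payload(frame):
    """Packet trimming: keep the headers a tool needs, discard application payload."""
    return frame[:header_length(frame)]


class Deduplicator:
    """Drop a frame if an identical one was seen within the last `window_seconds`."""

    def __init__(self, window_seconds=0.05):
        self.window = window_seconds
        self.seen = {}          # digest -> timestamp it was first seen
        self.order = deque()    # (timestamp, digest) in arrival order, for expiry

    @staticmethod
    def _key(frame):
        # Mask TTL and IP header checksum so a copy that crossed a router hop still matches;
        # frames mirrored at two ports of one virtual switch are byte-identical anyway.
        if len(frame) >= ETH_HDR_LEN + 20 and frame[12:14] == IPV4_ETHERTYPE:
            ip = ETH_HDR_LEN
            return frame[:ip + 8] + b"\x00" + frame[ip + 9:ip + 10] + b"\x00\x00" + frame[ip + 12:]
        return frame

    def _expire(self, now):
        while self.order and now - self.order[0][0] > self.window:
            _, digest = self.order.popleft()
            self.seen.pop(digest, None)

    def is_duplicate(self, frame, ts):
        self._expire(ts)
        digest = hashlib.sha256(self._key(frame)).digest()
        if digest in self.seen:
            return True
        self.seen[digest] = ts
        self.order.append((ts, digest))
        return False


def process_mirror_feed(frames, window_seconds=0.05, trim=True):
    """Return (kept_frames, dropped_count) for a list of (timestamp, frame) tuples."""
    dedup = Deduplicator(window_seconds)
    kept, dropped = [], 0
    for ts, frame in frames:
        if dedup.is_duplicate(frame, ts):
            dropped += 1
            continue
        kept.append(trim_payload(frame) if trim else frame)
    return kept, dropped


# Constructed feed: frame A mirrored at ingress (t=0.000) and again at egress (t=0.001),
# frame B, then a genuine resend of A a full second later that must NOT be dropped.
FRAME_A = build_frame("10.0.0.1", "10.0.0.2", 40000, 514, b"secret syslog payload")
FRAME_B = build_frame("10.0.0.2", "10.0.0.1", 514, 40000, b"ack")
SAMPLE_FEED = [(0.000, FRAME_A), (0.001, FRAME_A), (0.002, FRAME_B), (1.000, FRAME_A)]

if __name__ == "__main__":
    out, dropped = process_mirror_feed(SAMPLE_FEED)
    print(f"kept {len(out)} frames, dropped {dropped} duplicate(s)")
    for f in out:
        print(len(f), f.hex())
```

The window is the important knob: too long and a legitimate retransmission is discarded as a duplicate, too short and both mirror copies of a slow-path frame get through. Trimming to the transport header is what keeps the tool useful for flow-level analysis while removing application data it has no need to see.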

So, with virtualization now “Business as Usual”, we have a holistic view of the physical and virtual, and a way to get just the right data to the right monitoring, debugging and security tools.



© 2002-2011 Anue Systems, Inc.