Go Network flow monitoring with Open VSwitch

With network virtualization, the software switches (such as Open VSwitch) on the servers act like the edge switches. So, to gain insights into the network flow behavior, it becomes important to has some sort of flow monitoring technique t o Analyze the traffic through these switches. NetFlow and SFlow are the "most widely used flow monitoring approaches." To monitor the flows, the switches need to be configured to export and send the traffic data to an analyzer (eg SolarWinds Real-time NetFlow Analyzer and Inmon sflowtrend). The analyzer listens on a particular port for the flow statistics data sent from the switches. In this article, I'll explain how to configure a to OVS send the flow statistics to a analyzer for monitoring.

SFlow:
To begin, lets start of the Inmon Sflowtrend Analyzer (or any other SFlow analyzer) on a host (H1). By default, the Sflowtrend listens on port 6343. On the server (H2) running the open vswitch, we need to use to ovs-vsctl configure the OVS as follows:

$ COLLECTOR_IP=192.168.0.121

$ COLLECTOR_PORT=6343

$ AGENT=eth1

$ HEADER=128

$ SAMPLING=512

$ POLLING=10

COLLECTOR_IP: IP of host h1 where the analyzer is running and listening on port COLLECTOR_PORT .
AGENT: Network interface on the host h2 which connects to the network on which host H1 is running.
HEADER: Size (in bytes) of the packet header to be analyzed.
SAMPLING: Specifies the sampling rate. Every nth packet'll be a sampled (with some deviation).
POLLING: Polling time period in seconds.
Configure the OVS bridge ‘ovsbr1‘ (replace with the name of the OVS Bridge on your Setup):

$ SFLOWUUID=`sudoovs-vsctl -- --id[email protected] create sflow \

agent=${AGENT}  target=\"${COLLECTOR_IP}:${COLLECTOR_PORT}\" \

header=${HEADER} sampling=${SAMPLING} polling=${POLLING} \

-- setbridge virbr0 [email protected]`

Or

$ sudoovs-vsctl -- --id[email protected] create sflow agent=${AGENT}  \

target=\"${COLLECTOR_IP}:${COLLECTOR_PORT}\" header=${HEADER} \

sampling=${SAMPLING} polling=${POLLING} \

-- setbridge ovsbr1 [email protected]

Now, you should is able to see on the SFlow Analyzer the statistics for the traffic going through this OVS bridge.
To stop the switch from sending these statistics and remove this configuration, do:

$ sudoovs-vsctl remove bridge ovsbr1 sflow $SFLOWUUID

Or to remove all the SFlow configurations from the bridge:

$ sudoovs-vsctl -- clear Bridge ovsbr1 sflow

You can also see the list of SFlow configurations using:

$ sudoovs-vsctl list sflow

NetFlow:
Similarly, start a NetFlow collector on a host ( h1 ) and configure the OVS bridge on as h2 follows:

$ COLLECTOR_IP=192.168.0.121

$ COLLECTOR_PORT=6343

$ TIMEOUT=10

$ sudoovs-vsctl -- set Bridge ovsbr1 [email protected] --   --id[email protected]  \

create   NetFlow   targets=\"${COLLECTOR_IP}:${COLLECTOR_PORT}\" \

active-timeout=${TIMEOUT}

Verify that is getting the NetFlow statistics on the analyzer. To Deconfigure NetFlow on ovsbr1 , do:

$ sudoovs-vsctl clear Bridge ovsbr1 netflow

You can also change the timeout once the NetFlow have been configured by using:

$ sudoovs-vsctl set NetFlow ovsbr1 active_timeout=20

cheers!

Credits:
1. Ovs-vsctl Documentation
2. Open VSwitch Config-cookbook