Network Traffic Analysis in virtual networks


Over the years, network administrators have developed many workable methods for analyzing and resolving faults on physical networks, such as collecting data with SNMP and NetFlow or using a protocol analyzer to view raw network frames and packets. But now we are in the virtual network era. Do these methods still work? The good news is that existing network traffic analysis strategies can still be used in virtual networks, with a few small differences.

Virtual networks are not that distinctive

A virtual network works in basically the same way as a physical network. In many cases, only the names of the network devices have changed. For example:

◆ A network interface card (NIC) is now called a "virtual network interface card" (vNIC).

◆ A switch is now called a "virtual switch" (vSwitch). A vSwitch works much like a physical switch, but it lacks some common configuration functions (such as displaying a MAC address).

◆ Multiple vSwitches can be created on each host. Ports on a vSwitch are usually divided into multiple port groups for specific purposes, such as production or management.

◆ VLANs are fully supported in a virtual environment. A switch port can be used as an access port or a trunk port, just as on a physical switch.

◆ Physical hosts carrying vSwitches are connected to physical networks through real physical server NICs and cables, which are called "uplinks" in virtual infrastructure.

◆ Features such as promiscuous mode, NIC teaming (multi-NIC access) and load balancing are also available in virtual environments.

These functions have changed:

◆ Spanning Tree Protocol is no longer required.

◆ Network traffic cannot flow from one vSwitch to another vSwitch on the same host.

◆ Port groups exist in the virtual network but not in the physical network (they may be similar to Cisco SmartPort).

◆ You cannot see the vSwitch or a physical cable connected to the vNIC (and for most servers you cannot see flashing lights in the wiring closet).

Virtual Network Traffic Analysis using SNMP and NetFlow

As in physical network infrastructure, analyzing network traffic in the virtual world means using SNMP or NetFlow to collect data from multiple points across the infrastructure. The data is then analyzed with network performance management and monitoring tools. Common network performance monitoring tools include What's Up Gold and SolarWinds Orion. Common NetFlow collectors and analyzers include Plixer Scrutinizer and SolarWinds NetFlow Traffic Analyzer.

Of course, you can still use an element manager (such as HP OpenView) for Internet Control Message Protocol (ICMP) monitoring, but it is best to do some utilization and error checking first.

Figure 1: Enable NetFlow in vSphere

If you are using a version earlier than vSphere 5, you will not be able to use NetFlow to monitor the virtual infrastructure. However, once you deploy vSphere 5 (and assuming you are using the vSphere Distributed Switch), you can enable NetFlow v5 on a port group, on a single dvPort (distributed virtual port) or on an uplink.

After this operation, you can monitor the following content:

◆ VM traffic within a host (VM-to-VM traffic on the same host)

◆ VM traffic between hosts (VM-to-VM traffic on different hosts)

◆ Traffic from virtual machines to physical infrastructure

SNMP can only provide basic statistics on sent and received traffic and errors, while NetFlow provides IP address pairs and protocols and therefore much more detail. In other words, you can see the top talkers and who is sending the traffic. For example, through SNMP you may see that a network interface has reached its maximum throughput, but that is all. Through NetFlow, you can see that HTTP accounts for 95% of the interface utilization and that one user's computer (looked up through DNS) is loading a rock concert video. Of course, neither method shows you what is inside the packets or lets you decode any data. You will find more reliable information about VMware's vSphere 5 NetFlow deployment in "vSphere 5 Network Feature - NetFlow".
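To make the SNMP/NetFlow contrast concrete, the following added example (not from the original article or from VMware) parses a NetFlow v5 export datagram the way a collector would and derives the top talker and the HTTP share of bytes. The sample datagram, its addresses and the function names are constructed for illustration.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # Exports arrive as unauthenticated UDP: reject a record count that
    # disagrees with the bytes received rather than trusting the header.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "bytes": f[6], "sport": f[9], "dport": f[10],
                      "proto": f[13]})
    return flows

def top_talkers(flows):
    totals = Counter()
    for fl in flows:
        totals[fl["src"]] += fl["bytes"]
    return totals.most_common()  # [(source address, bytes)], largest first

def port_share(flows, proto, port):
    """Fraction of all bytes on flows using this protocol and port."""
    total = sum(fl["bytes"] for fl in flows)
    hit = sum(fl["bytes"] for fl in flows
              if fl["proto"] == proto and port in (fl["sport"], fl["dport"]))
    return hit / total if total else 0.0

def make_record(src, dst, octets, sport, dport, proto):
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                       0, 0, 1, octets, 0, 0, sport, dport, 0, 0, proto,
                       0, 0, 0, 0, 0, 0)

# Constructed sample: one export datagram carrying three flows.
SAMPLE = HEADER.pack(5, 3, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    make_record("10.0.0.5", "10.0.0.9", 950_000, 49152, 80, 6),   # TCP/80
    make_record("10.0.0.7", "10.0.0.9", 20_000, 49153, 53, 17),   # UDP/53
    make_record("10.0.0.8", "10.0.0.9", 30_000, 49154, 443, 6)])  # TCP/443
```

An SNMP interface counter would report only the 1,000,000-byte total for these flows; the flow records attribute 95% of it to TCP/80 from a single source.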

 

Figure 2: Xangati for vSphere

One of the best vSphere network performance monitoring and troubleshooting tools is Xangati for vSphere (free), along with the Xangati Management Dashboard. Both versions use NetFlow to collect virtual infrastructure data and combine it with other traditional performance metrics from vCenter to provide powerful performance monitoring and troubleshooting for vSphere infrastructure. The free version can monitor only one host, while the Management Dashboard lets you monitor multiple hosts and virtual networks simultaneously from a single interface.

Note that if you are using Hyper-V instead of vSphere, Microsoft has announced that the extensible vSwitch in Windows Server 2012 Hyper-V supports adding an open-source Hyper-V sFlow agent, which can be monitored through an sFlow collector such as the InMon sFlowTrend tool.

Virtual Network Traffic Analysis by data packet Decoding

What if you want to decode packets from the virtual network? To perform deep packet inspection (DPI) on a physical network, you connect a protocol analyzer (such as one running on a laptop) to a switch port and then configure SPAN (or RSPAN, if the traffic is on a different switch) to mirror traffic from a single switch port, multiple ports, or an entire VLAN.

Today most data center servers are virtualized, and much of the traffic never passes through the physical network. The traditional packet capture method therefore applies only in some situations, for example when analyzing the Internet connection or the connection to an iSCSI SAN.

Before vSphere, in a virtual infrastructure you would run the protocol analyzer on a virtual machine, create a new port group, configure it for promiscuous mode (which sends all packets to all ports), and then move the virtual machine you want to analyze into that port group. (For security reasons, you do not want to enable promiscuous mode on a production port group.) For more information, see my other article, "Using network packet analyzer in VMware vSphere Virtual Network" (if you are still using vSphere 4.x, or you have vSphere 5 but no distributed vSwitch, that article applies to you).

In vSphere Enterprise Plus, port mirroring lets you quickly and easily mirror any dvPort to another port. You can also select a VLAN in which to encapsulate the mirrored packets by checking the "encapsulation VLAN" box when configuring port mirroring on the distributed virtual switch.

When enabled, port mirroring provides the following visibility:

◆ VM traffic within a host (VM-to-VM traffic on the same host)

◆ VM traffic between hosts (VM-to-VM traffic on different hosts)

Figure 3: Configuring vSphere 5 port mirroring

For more information about how to configure vSphere port mirroring, see "vSphere 5 Network Feature: Port Mirroring". If you are a Hyper-V user, note that in Hyper-V 3, port mirroring is a new feature of the extensible switch.

Once your servers are virtualized, analyzing and resolving network faults is not very different from doing the same on physical servers in a physical network. Depending on the level of detail you need, you have two different methods. NetFlow is the best choice for high-level traffic analysis and bottleneck identification. If you want to perform in-depth packet analysis in the virtual infrastructure, you can use port mirroring with a protocol analyzer.
 
