In our previous post, we discussed how traditional methods of capturing east-west traffic in the datacenter have become increasingly limited by virtualization. Connecting a TAP to your network, or feeding a SPAN port into a network packet broker, is no longer possible in many cases, because traffic between VMs on the same host never touches a physical link that a TAP or SPAN can see.
With this in mind, we presented ways to capture full network traffic, including virtual machine traffic, to monitor network performance in a VMware environment. In many cases, however, full packet capture is not needed. Just knowing who talks to whom, over which ports, and how much data is sent between them may be enough for your network visibility needs. In this post, we will explore a different approach to visibility into the east-west traffic in a virtualized datacenter: gathering statistical data on network flows using NetFlow.
What is NetFlow
NetFlow is a network protocol originally developed by Cisco for analyzing network traffic. A NetFlow exporter (a router, a switch or, as we will see, a virtual switch) inspects the packets passing through it and groups them into “flows”, keyed on the IP protocol, the source and destination IP addresses and ports, the ingress interface and the IP type of service. For each flow it aggregates basic counters rather than the packets themselves: the number of packets and bytes, the time of the first and last packet and, for TCP, the union of the TCP flags seen in the flow.
The NetFlow protocol is designed to be as efficient as possible in terms of network bandwidth. A single flow record summarizes many packets, and exporters also support sampling, in which only one out of every N packets is examined and the collector scales the counters back up. The flow records are sent over the network in UDP datagrams, each carrying up to 30 records in NetFlow v5 (v9 and IPFIX are template-based, so the number of records per packet varies), to a NetFlow collector, the component that receives the export packets, decodes them and stores the flows for analysis. Two caveats follow from this design. Plain UDP export is unacknowledged and, unless you use IPFIX over SCTP or with TLS/DTLS, unauthenticated and unencrypted, so a collector should validate what it receives and sit on a network you control. And sampling trades visibility for bandwidth: a 1-in-N sample is fine for capacity planning but can miss short, low-volume flows entirely, which matters if you intend to use the flow data for security monitoring rather than only for performance.
The most common versions of NetFlow in use today are versions 5 and 9. There is also IPFIX, which is based on NetFlow version 9 but is an IETF standard (RFC 7011) rather than a proprietary Cisco protocol. NetFlow is supported by most routers and some switches, and it can also be exported by VMware.
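The flow model and export format described above, as an added example that is not code from the original post or from VMware: a small Python encoder and decoder for NetFlow v5, the simplest fixed-layout version (v9 and the IPFIX that VMware exports are template-based and would need a template cache on top of this). All addresses, ports, counters and timestamps are constructed. The decoder checks the declared record count against the datagram length before trusting it, since export packets arrive over unauthenticated UDP, and the conversation summary scales byte counts by the sampling interval so that sampled and unsampled exports are comparable.

```python
# Added example (not from the original post): NetFlow v5 encoder/decoder over constructed data.
import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass

# NetFlow v5 wire format (big-endian): a 24-byte header followed by
# up to 30 fixed-size 48-byte flow records.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS_PER_PACKET = 30  # 24 + 30 * 48 = 1464 bytes, under a 1500-byte MTU

# TCP flag bits as they appear in the record's tcp_flags byte.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    octets: int
    tcp_flags: int = 0  # OR of all TCP flags seen in the flow
    first_ms: int = 0   # exporter sysUptime (ms) of the first and last packet
    last_ms: int = 0
    input_if: int = 0   # SNMP ifIndex of the ingress/egress interface
    output_if: int = 0

    def flags(self):
        return [name for bit, name in TCP_FLAGS.items() if self.tcp_flags & bit]


def build_v5_packet(records, sys_uptime_ms, unix_secs, flow_sequence, sampling_interval=0):
    """Serialize flow records into one export packet, as an exporter would."""
    if not 1 <= len(records) <= MAX_RECORDS_PER_PACKET:
        raise ValueError("a v5 packet carries between 1 and 30 records")
    # The 16-bit sampling field holds a 2-bit mode in the top bits and the 1-in-N
    # interval in the low 14 bits; mode value 1 ("packet interval") is assumed here.
    sampling_field = ((1 << 14) | sampling_interval) if sampling_interval else 0
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, sampling_field)
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(r.src).packed, ipaddress.IPv4Address(r.dst).packed,
            b"\x00\x00\x00\x00",                                  # next hop (unused here)
            r.input_if, r.output_if, r.packets, r.octets, r.first_ms, r.last_ms,
            r.src_port, r.dst_port, 0, r.tcp_flags, r.proto, 0,  # pad, flags, proto, ToS
            0, 0, 0, 0, 0)                                        # src/dst AS, masks, pad
        for r in records)
    return header + body


def parse_v5_packet(data):
    """Decode one export packet into (header dict, [FlowRecord]), as a collector would."""
    if len(data) < V5_HEADER.size:
        raise ValueError("truncated header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, samp = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # Never trust the declared count on its own: it comes from an unauthenticated datagram.
    if count > MAX_RECORDS_PER_PACKET or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match packet length")
    header = {"sys_uptime_ms": uptime, "unix_secs": secs, "flow_sequence": seq,
              "sampling_interval": samp & 0x3FFF}  # 0 means unsampled
    records = []
    for i in range(count):
        (src, dst, _nh, inp, outp, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                                  sport, dport, proto, pkts, octs, flags, first, last, inp, outp))
    return header, records


def bytes_by_conversation(header, records):
    """Who talks to whom and how much: octets per (src, dst) pair, scaled back
    up by the sampling interval so sampled exports can be compared with unsampled ones."""
    scale = header["sampling_interval"] or 1
    totals = defaultdict(int)
    for r in records:
        totals[(r.src, r.dst)] += r.octets * scale
    return dict(totals)


# Constructed sample: two TCP flows and one ICMP flow from a 1-in-100 sampled exporter.
SAMPLE_RECORDS = [
    FlowRecord("10.0.1.10", "10.0.2.20", 51234, 443, 6, 12, 9000, tcp_flags=0x1A, first_ms=1000, last_ms=1800),
    FlowRecord("10.0.1.10", "10.0.2.20", 51235, 443, 6, 4, 600, tcp_flags=0x12, first_ms=1200, last_ms=1300),
    FlowRecord("10.0.3.30", "10.0.1.10", 0, 0, 1, 2, 196, first_ms=1500, last_ms=1500),
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_RECORDS, sys_uptime_ms=2000, unix_secs=1700000000,
                                flow_sequence=42, sampling_interval=100)
```

Calling `parse_v5_packet(SAMPLE_PACKET)` returns the header with `sampling_interval` 100 and the three records round-tripped intact; `bytes_by_conversation` then reports 960000 bytes from 10.0.1.10 to 10.0.2.20 and 19600 from 10.0.3.30 to 10.0.1.10, the sampled counts multiplied by 100. A real collector would additionally track `flow_sequence` per exporter to detect lost datagrams, which UDP will not report.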
NetFlow in VMware
VMware built NetFlow export for VM traffic into the vSphere Distributed Switch, which makes it easy to gain flow-level visibility into your VMware environment quickly. In the VMware UI and documentation it is called NetFlow, but what VMware actually sends is IPFIX (NetFlow version 10), so make sure your collector supports it. In our experience, enabling NetFlow in VMware has no measurable impact on host performance. The main thing to plan for is where the export traffic goes: the flow records describe every conversation in the environment, so send them to a collector on a management network you control rather than across a network you do not.
Note that in order to enable NetFlow in your environment, you must be using vSphere Distributed Switches (vDS). The export settings (collector IP address and port, observation domain ID, active and idle flow export timeouts, sampling rate, and whether to process only flows internal to the switch) are configured on the vDS, and NetFlow is then enabled per distributed port group or port. If you are using standard switches, you cannot generate NetFlow using VMware. You could, however, use the promiscuous mode capture we discussed in our previous post and feed it to a tool such as pmacct, whose nfprobe plugin generates NetFlow or IPFIX from captured packets.