Open vSwitch NetFlow

Open vSwitch NetFlow, IPFIX, and sFlow support is all about visibility into your virtual switch infrastructure. Enabling NetFlow on your OpenvSwitch allows you to monitor traffic that is coming in and out of the vSwitch and also traffic between VMs. Given the numerous benefits associated with IP flow technology, virtual switch NetFlow support not only significantly improves  your ability to secure virtual environments, but also provides an analysis, diagnosis and problem solving platform for your virtual network activities.

In case you are not familiar with IP flow technology; NetFlow, IPFIX and sFlow are protocols that collect information about network traffic. These protocols are presently supported on a wide range of network appliances across multiple vendors. On virtual switches, NetFlow is fairly new thinking in terms of how long IP flow has been around. However, for the past few years we’ve seen an increase in its implementation for the purpose of virtual infrastructure traffic analysis and monitoring.

A basic list of information elements that are exported in NetFlow or IPFIX includes source IP address, destination IP address, source port, destination port, protocol, bandwidth utilization, AS numbers, class of service, etc. Therefore, in a virtual environment context, NetFlow reveals who, what, when, where, and how traffic is flowing through the virtual network. Using the NetFlow and IPFIX analyzer, you should be able visualize details and analyze:

• VM to VM traffic on the same host
• VM to VM traffic on different hosts
• VM to devices outside the virtual environment

Moreover, you should be able to:

• Keep a history of the collected traffic statistics
• Generate reports and schedule them to be emailed on a regular basis
• Perform behavior analysis on the collected open virtual switch traffic
• Detect potential Cyber threats

Suppose the IP address of your NetFlow and sFlow collector is 10.10.10.10 and is listening on port 2055.  Let’s quickly show how to enable OpenvSwitch IPFIX, Open vSwitch NetFlow, and OpenvSwitch sFlow.

IPFIX: Configure bridge br0 to send one IPFIX flow record per packet sample to UDP port 2055 on host 10.10.10.10, with Observation Domain ID 123 and Observation Point ID 456

ovs−vsctl − − set Bridge br0 ipfix=@i −− −−id=@i create IPFIX targets=\”10.10.10.10:2055\” obs_domain_id=123 obs_point_id=456

NETFLOW: Configure bridge br0 to send NetFlow records to UDP port 2055 on host 10.10.10.10, with an active timeout of 60 seconds

ovs−vsctl − − set Bridge br0 netflow=@nf −− −−id=@nf create NetFlow targets=\”10.10.10.10:2055\” active−timeout=60

The active-timeout must be set to 60 seconds since your NetFlow analyzer expects flow records to sent in one minute intervals.

SFLOW: Configure bridge br0 to send sFlow records to a collector on 10.10.10.10 at port 2055, using eth1´s IP address as the source, with specific sampling parameters

ovs−vsctl – -id=@s create sFlow agent=eth1 target=\”10.10.10.10:2055\” header=128 sampling=64 polling=10 \ −− set Bridge br0 sflow=@s

Open vSwitch is supported on several virtual platforms including XenServer 6.0 and the Xen Cloud Platform. Also, it is integrated into virtual management systems such as openQRM, OpenStack, and oVirt. You should be able to find packages for Ubuntu, Debian, and Fedora.

April 2016 update: Support for IPFIX.

For more information on OpenvSwitch NetFlow configuration, please visit the Open vSwitch website or give us a call.