Are you in the process of setting up VMware IPFIX support?  Keep this post in mind as when you have an IP address assigned to a Virtual Distributed Switch (VDS) reporting to a NetFlow or IPFIX Collector, all of the VMs (ESX hosts) show up as unique instance numbers but, all from the same IP address.  Imagine having 100 VMs all showing up as the same IP address in your flow collector.  Confusion can ensue.

Note: you might want to read Part 1 of this post: VDS NetFlow Support.


You can sometimes lessen the confusion by removing the IP address assigned to the VDS.  With this change you end up with flows coming from the different IP addresses assigned to the individual ESX servers however, there is another issue.  Since the Observation Domain ID is not properly formatted, this creates another Virtual Distributed Switch problem.   Thankfully, these issues are solvable but, we need VMware to get involved.

VM SNMP is Broken

Getting back to what I said above “all of the VMs show up as unique instances numbers”.  The instance could easily be associated with the VM however, this brings us to the 2nd problem.  SNMP unfortunately doesn’t work in ESX Server version 5.1.  Hence, it very difficult to determine which of ~100 VMs is the one you want to see the traffic from.   In fact, the customer said it “wasn’t worth the trouble”.

VMware could export an Option Template

To solve the problem, VMware could export a host name to instance IPFIX option template.  This addition would allow IPFIX reporting vendors to align the flows exported with the correct VM. Without knowing their software architecture, this seems like a simple approach to solve a frustrating problem.

VMware Options Template

Good NetFlow and IPFIX Samaritans

We have reached out to the few contacts we have at VMware to try and help resolve the above issues and we hope to hear back from them soon. In the mean time, we wanted to make this information public because when our customers call with questions regarding how the VM IPFIX data looks within our IPFIX collector, we have to explain all of the above.  We don’t want our VMware customers to think the problem is all because of our lack of effort.

VMware IPFIX Support

I want to believe that since VMware switched from supporting NetFlow to IPFIX that they have plans to export some exciting new metrics.  Perhaps even details such as latency, retransmits, packet loss, HTTP Host, URLs etc. like other companies such as Cisco, Citrix, Dell, etc. are in the horizon.  Time will tell.

A Decent Work Around

One way to get around the above issues is to get away from the native VMware IPFIX support and install something like Yaf on each virtual server.  Yaf exports IPFIX will all the same metrics plus a few dozen performance metrics that most people want (e.g. round trip time).  Reach out to our team if you need help setting this up.

Thomas

Thomas

Thomas Pore is the Director of IT and Field Engineering at Plixer. He developed and leads, the Malware Incident Response and Advanced NetFlow Training programs which are being offered in cities across the USA. He is also an adjunct professor at the local community college and teaches ethical hacking. Thomas travels the globe meeting with customers and trying improve the Scrutinizer network incident response system. He helps clients optimize threat detection strategies and aids in the configuration of custom incident response solutions. He has a Bachelor of Science in Computer Science from Dickinson College.

Related