Cisco’s NetFlow technology is commonly used to monitor network traffic on a qualitative basis by analyzing traffic data collected by switches and other networking devices. With virtualization getting more and more widespread, and with VMware being the most common virtualization platform, we thought it would be a good idea to have a look at using NetFlow with VMware.
Although it makes obvious sense that Cisco networking equipment comes with the NetFlow technology built right into it, not everyone is aware that the virtual networking components within a Vmware-based virtual infrastructure also support that technology. Today, we’re going to be discussing the use of Cisco’s NetFlow technology alongside VMware to monitor virtual networks.
We’ll assume that if you’re reading this, you already know what VMware is and are familiar with its virtual networking components. On the other hand, we’ll also assume that you’re not that familiar with NetFlow so we’ll begin by exploring this technology and briefly explain how it works.
Our goal is not to make you experts but to give you enough background information to better appreciate the rest of our discussion. Next, we’ll discuss the NetFlow support that is built into VMware and have a quick look what monitoring features are available. And finally, since you need some sort of NetFlow collector and analyzer to make sense of the information gathered by your virtual networking devices, we’ll have a look at some of the best NetFlow tools that one can use with VMware.
Developed by Cisco Systems, the NetFlow technology was introduced on their routers to provide the ability to collect data about network traffic as it enters or exits an interface. This data can be analyzed by specialized applications to extract the source and destination of the traffic, its class of service, and, by extension, the probable causes of many networking issues.
A typical NetFlow monitoring setup consists of three main components:
- The flow exporter aggregates packets into flows and exports flow records towards one or more flow collectors. This is the component that is built into the networking devices.
- The flow collector is responsible for reception, storage and pre-processing of flow data received from a flow exporter. This component is typically part of a network monitoring tool.
- The flow analyzer, or flow analysis application, is used to analyze received flow data. Analysis can be used for traffic profiling, or for network troubleshooting. This component is usually combined with the collector although large NetFlow deployments can use separate collectors and analyzers.
RELATED READING: Best Real-Time Bandwidth Monitoring Utilities to Track Network Usage
How NetFlow Works
Networking devices that support NetFlow generate flow records and send them to a NetFlow collector. A flow, in this context, is a complete conversation in the IP sense. The device preparing flow records normally sends them to the collector when it determines that the flow is finished either through ageing–when there has not been any traffic within a specific timeout–or when it sees a TCP session termination.
The flow records contain various information and metrics about the flows such as the input and output interfaces, the start and finish timestamps of the flow, the number of bytes and packets it contains, the layer 3 headers, the source and destination IP address and port number, the IP protocol, and the TOS value. Flow records don’t contain the actual data that made up the flow, they only contain information about the flow. This constitutes an important security feature of this technology.
Except in large, multi-site environments, the flow collectors where the records are sent are also the flow analyzers. They use the information contained in flow records to present data about network traffic in a way that is useful to network administrators. Different NetFlow collectors and analyzers will have different ways of presenting data.
NetFlow Support in VMware
VMware vSphere 5 supports NetFlow v5 which, by the way, is one of the most common versions supported by network devices. The NetFlow capability built into the vSphere 5 platform provides visibility into various virtual infrastructure traffic flows such as:
- Intra-host virtual machine traffic (which is virtual machine–to–virtual machine traffic on the same host)
- Inter-host virtual machine traffic (which is virtual machine–to–virtual machine traffic on different hosts)
- Virtual machine to physical infrastructure traffic
The image below shows a distributed switch configured to send NetFlow records to a collector which, in turn, is connected to an external physical network switch. The blue dotted line with an arrow clearly shows that the NetFlow session is established to send flow records for the NetFlow collector for analysis.
The NetFlow capability on a distributed switch along with a NetFlow collector and analyzer such as those reviewed below helps monitor application flows and measures flow performance over time. It can also help with capacity planning and ensuring that network resources are used properly by the different applications, based on their specific needs.
Network administrators who want to monitor the performance of application flows running in their virtualized environment need to enable flow monitoring on a distributed switch. This can be done either at the port group level, at an individual port level or at the uplink level. When configuring NetFlow at the port level, administrators should select the NetFlow override tab, which will make sure that flows are monitored even if the port group–level NetFlow is disabled.
The NetFlow configuration sample screen shown below demonstrates the various parameters that can be controlled during the NetFlow setup.
The Best NetFlow Tools To Use Alongside VMware
While any NetFlow collector and analyzer can be used as a destination within your VMware environment, not all of them are created equal. We’ve compiled this list of some of the very best NetFlow collectors and analyzers that can be used with VMware but also with any networking equipment supporting that technology.
SolarWinds is one of the best-known makers of network and system administration tools. Its flagship product, called the Network Performance Monitor is viewed by many as the best network bandwidth monitoring tools. Likewise, the SolarWinds NetFlow Traffic Analyzer—which, incidentally, installs on top of the Network Performance Monitor—is one of the best NetFlow collector and analyzer available today.
- FREE TRIAL: SolarWinds NetFlow Traffic Analyzer
- Download Link: https://www.solarwinds.com/network-bandwidth-analyzer-pack/registration
Some of the SolarWinds NetFlow Traffic Analyzer’s best features include:
- Monitoring Bandwidth use by application, by protocol, and by IP address group.
- Monitoring IPFIX, Cisco NetFlow, Juniper J-Flow, sFlow, and Huawei NetStream flow data allowing it to identify which devices, applications, and protocols are the highest bandwidth consumers.
- Collecting traffic data, correlating it into a usable format, and presenting it to the user through a web-based interface for monitoring network traffic.
- Identifying which applications and categories consume the most bandwidth for better network traffic visibility (including Cisco NBAR2 support).
The SolarWinds NetFlow Traffic Analyzer is an add-on to the Network Bandwidth Monitor. You can save by acquiring both at the same time as the SolarWinds Network Bandwidth Analyzer Pack. Prices for the bundle start at $4 910 for monitoring up to 100 elements and vary according to the number of monitored devices. While this may seem a bit expensive, keep in mind that you’re getting not one but two of the best monitoring tools available.
If you’d prefer to try the product before purchasing it, a free 30-day trial can be downloaded from SolarWinds.
2. The ManageEngine NetFlow Analyzer
The ManageEngine NetFlow Analyzer gives the network administrator a detailed view of network bandwidth utilization as well as traffic patterns. The product is controlled by a web-based interface and offers an impressive number of different views on your network.
You can, for instance, view traffic by application, by conversation, by protocol, and several more options. You can also set alerts to warn you of potential issues. For example, you can set a traffic threshold on a specific interface and be alerted whenever traffic exceeds it.
But most of the strength of the ManageEngine NetFlow Analyzer comes from its reports and dashboard. The tool comes with several very useful pre-built reports that are specifically tailored for specific purposes such as troubleshooting, capacity planning or billing. But you’re not stuck with built-in reports as the tool also allows administrators to create custom reports to their liking.
As for the tool’s dashboard we mentioned, it is just as impressive as its reports. It includes several pie charts with things such as top applications, top protocols or top conversations. It can also display a heat map with the status of the monitored interfaces. And as you might have guessed, dashboards can be customized to include only the information you find useful. The dashboard is also where alerts are displayed in the form of pop-ups. And for the on-the-go network administrator, there’s a smartphone app that will let you access the dashboard and reports.
The ManageEngine NetFlow Analyzer supports most flow technologies including NetFlow (of course), IPFIX, J-flow, NetStream and a few others. As a bonus, the too has excellent integration with Cisco devices, with support for adjusting traffic shaping and/or QoS policies right from the tool.
Like many competing products, the ManageEngine NetFlow Analyzer comes in two versions. The free version will be identical to the paid one for the first 30 days but it will then revert to monitoring only two interfaces of flows. While this is not much, it could be all that you need. If you want the paid version, licenses are available in several sizes from 100 to 2500 interfaces or flows with prices varying between about $600 to over $50K plus annual maintenance fees.
3. The PRTG Network Monitor
The PRTG Network Monitor from Paessler AG is an all-in-one solution whose primary purpose is monitoring bandwidth utilization. It’s also used to monitor the availability and health of different network resources. These features make it a useful tool for network administrators. The tool can monitor devices over multiple sites and it can monitor LAN, WAN, VPN and Cloud Services. Through the use of the appropriate sensor, it can also be used as a NetFlow collector and analyzer.
Installing this product is quick and easy. After running the installer, the auto-discovery process discovers devices and sets up sensors. Paessler claims you could start monitoring within two minutes os starting the installation. While this might be a slight overstatement, we were impressed by the ease and speed of installation. Although the server runs on Windows only, the user interface is web-based and can be accessed from any browser. In addition, there’s a mobile app that you can install on your smartphone or tablet.
The PRTG Network Monitor can monitor pretty much anything, thanks to its sensor-based architecture. You can think of sensors as add-ons that are built right into the product, each having a specific purpose. There are sensors for HTTP and SMTP/POP3 (e-mail). As we revealed before, there’s aven a NetFlow Sensor. There are also hardware-specific sensors for switches, routers, and servers. In all, the tool has over 200 different predefined sensors.
The PRTG Network Monitor offers a selection of user interfaces. You have the choice of an Ajax-based web interface or a Windows enterprise console as well as mobile apps for Android and iOS. A nice feature of the mobile apps is that they can get alerts through push notification. Standard SMS or email notifications are also available.
The PRTG Network Monitor is offered in two versions. There’s a free version which is full-featured but will limit your monitoring ability to 100 sensors with each monitored parameter counting as one sensor. For example, to monitor each port of a 48-port switch, you’ll need 48 sensors. For more than 100 sensors, you need to purchase a license. They start at $1 600 for 500 sensors. You can also get a free, sensor-unlimited and full-featured 30-day trial version.
Scrutinizer from Plixer is another great NetFlow analyzer. It is actually much more than that and many view it as a full monitoring and incident response system. With its ability to monitor different flow types such as NetFlow, J-flow, NetStream, sFlow, and IPFIX, you’re not limited to monitoring only VMware equipment.
With its hierarchical design, Scrutinizer offers streamlined and efficient data collection and allows you to start small and easily scale way up to many million flows per second. The network is often first blamed whenever something goes wrong, With this tool, one can quickly find the real cause of most any network issues. The tool works in both physical and virtual environments and comes with advanced reporting features.
Scrutinizer comes in four license tiers that go from the basic free version to the full-fledged SCR level which can scale up to over 10 million flows per second. The free version is limited to 10 thousand flows per second and it will only keep raw flow data for 5 hours but it should be more than enough to troubleshoot network issues. You can also try any license tier for 30 days after which it will revert back to the free version.
5. nProbe and ntopng
nProbe and ntopng are powerful and somewhat advanced but somewhat complicated open-source tools. Ntopng is a web-based traffic analysis tool for monitoring networks based on flow data while nProbe is a NetFlow and IPFIX exporter and collector. Together, they make for a very flexible analysis package. If you’ve administered Linux networks before, you might be familiar with ntop in which case you’ll be reassured to learn that ntopng is the next-generation GUI version of that ageless tool.
There’s a free community version of ntopng and you can also purchase enterprise versions. They can be expensive but they are free to educational and non-profit organizations. As for nProbe, you can try it for free but it is limited to a total of 25 000 exported flows. To go beyond that, you’ll need to purchase a license.
Like most modern network analysis tools, ntopng features a web-based user interface which can present data by traffic-such as top talkers, flows, hosts, devices, and interfaces. It has a mix of charts, tables, and graphs. most featuring drill-down options that let you explore in greater depth. The interface is quite flexible and allows for a lot of customization.
FlowScan is sort of a visualization tool that you can use to analyze NetFlow data and report on it. It can produce visual graphs which are generated in near-real-time and that show you what’s happening on your network. The tool can be deployed on GNU/Linux- or BSD-based system. It uses several other packages in order to correctly collect and process flows. For instance, Cflowd is used as the flow collector. FlowScan is actually a Perl script that makes up the bulk of the software package. This component is responsible for loading and executing reports. One last major component is RRDtool, a popular tool for storing data in round-robin databases and plotting that data on graphs, which is used to store flow information and produce useful graphs.
Network administrators often find that they have either collected too little or too much data. Flow profiling as provided by FlowScan offers a pragmatic compromise between such extremes in data collection. Because flows aggregate data collected as packets travel across a given port or interface, they can be used as sort of an abbreviation for series of packets travelling between endpoints of interest. But this feature alone is insufficient for reliable continuous use: additional software tools are needed to define, parse, and analyze these flows. Those additional tools are included with FlowScan.