New 5.1 Distributed Switch Features Part 3 – Port Mirror and NetFlow Enhancements
In Part 3 of this series, we’ll look at some more “Network Guru” wish list items being fulfilled in the form of Port Mirroring and NetFlow Enhancements. All of the technology presented here has been verified and “tinkered with” in the Wahl Network lab on VMware ESXi 5.1.0 build 613838 (beta).
This deep dive series will go into all of the awesome goodies that are baked into the newly released vSphere Distributed Switch (vDS) in version 5.1. I’ve broken the posts up into 4 different parts so that you can sample them at your leisure without having to run through a 40 mile long post. Here are the links to the entire series:
- New 5.1 Distributed Switch Features Part 1 – Network Health Check
- New 5.1 Distributed Switch Features Part 2 – Configuration Backups and Rollbacks
- New 5.1 Distributed Switch Features Part 3 – Port Mirror and NetFlow Enhancements
- New 5.1 Distributed Switch Features Part 4 – LACP, SR-IOV, Elastic Ports, and More
Without further ado, let’s get started.
Although Port Mirroring is not new to 5.1, some of the features that are now available are. For those new to port mirroring, it gives you the opportunity to mirror traffic from one port to another. It’s often used in a few specific applications, such as call recording VoIP traffic or sniffing / monitoring normal network traffic. One limitation prior to 5.1 was that port mirroring was somewhat limited in what could be captured. You basically had the option of doing a few different configurations:
- Mirroring to an analyzer on a VM in the same host
- Mirroring to an external physical analyzer connected directly to the uplink port of the host
- Mirroring to an external physical analyzer connected to a physical switch where the host is also connected
In vDS 5.1, you now have some more cool tricks available in the form of RSPAN and ERSPAN (mirroring via GRE tunnel). For those new to this concept:
The Cisco ERSPAN feature allows you to monitor traffic on one or more ports or more VLANs, and send the monitored traffic to one or more destination ports. ERSPAN sends traffic to a network analyzer such as a Switch Probe device or other Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different routers, which provides remote monitoring of multiple routers across a network.
Here is a diagram from a vSphere perspective.
Most interesting to me is the ability to do a dvport to an IP Address with encapsulated remote mirroring. The full chart of options is below.
Another neat upgrade in vDS 5.1 is the introduction to IPFIX (IP Flow Information Export). For those that follow this space, you may also know it as NetFlow version 10 or an “IETF Standardized NetFlow 9″. This reminds me of the introduction of LLDP advertisements to the vDS in an earlier revision, and is a good step forward towards supporting more environments that aren’t running Cisco specific protocols.
With this change, you can now use templates to define the NetFlow reocrds that can be collected by the vDS and sent across to the collector tool. I would imagine that this will open up a lot of innovation from 3rd party vendors that want to tweak things to their liking. I’ve seen some really great applications taking advantage of the NetFlow feature in the vDS, such as the Xangati VI dashboard, which uses the flows to monitor the flows in your environment without having to resort to host level service VMs to proxy traffic.
These particular improvements bring about some much needed flexibility to the network team’s side of things, as often I’ve seen the lack of RSPAN require a Nexus 1000v implementation to tie into more NX_OS like features. It will be interesting to see how enabling customers to use a newer rev of NetFlow comes into play in the market – hopefully more vendors take advantage of this feature!