Configure NetFlow - VMware on an ESX Server

This area will help fast track you in planning, setting up and managing NetFlow in your environment. NetFlow is an embedded instrumentation within Cisco IOS Software to characterize network operation.

Network specialists of various levels within an organization need to be able to report on traffic traversing sites, key links and data centers without deploying probes. They use CySight powered by unique NetFlow Auditor methods of scalable collection, retention and Predictive AI Baselining to capture and analyze every NetFlow record with aggregation options and small footprint real-time and long-term storage. From Telco to SME you will recognize the superior reliability and performance of the CySight NetFlow Auditing solutions, as well as the management benefits offered.

Enabling NetFlow on Virtual Switches

How to Activate NetFlow Support in ESX Server 3.5

Enter the commands needed to activate NetFlow using the service console on the ESX Server host. You can enter the commands over an SSH connection or directly at the ESX Server host.

Take the following steps to activate NetFlow:

1 Prepare ESX Server for NetFlow configuration.

Make sure the VMkernel TCP/IP stack is properly configured and that a VMkernel virtual interface (vmknic) exists on the network where your collector is located.

The ESX Server implementation of NetFlow uses the ESX Server TCP/IP stack to send NetFlow packets on the network.

2 Load the NetFlow module.
Enter the following command:
vmkload_mod netflow
You see the following response from the system:
Using /usr/lib/vmware/vmkmod/netflow
Module load of netflow succeeded.

3 Confirm that the NetFlow module is loaded.
Enter the following command:
vmkload_mod -l | grep netflow
You see a response from the system similar to the following:
netflow 0xc2e000 0x6000 0x2bf53a0 0x1000 16 Yes

4 Configure NetFlow.
Use the application called net-netflow for the remaining configuration steps. The application is located in /usr/lib/vmware/bin/ and takes multiple parameters, as shown in the following example:
net-netflow -e <vswitchname> <collectorhostname:port>
The minimum parameters required include:
  1. Names of the virtual switches where NetFlow will be activated
  2. Host IP address and port number of the NetFlow collector/analyzer

Limitations of NetFlow in ESX Server 3.5

NetFlow export is supported on ESX Server 3.5 only as an experimental feature. Additionally, ESX Server 3.5 exports flows in the NetFlow Version 5 format, with the following information missing (the corresponding fields have a value of zero):
  1. IP address of next hop router (“nexthop” in the specification)
  2. Autonomous system number of the source, either origin or peer (“src_as” in the specification)
  3. Autonomous system number of the destination, either origin or peer (“dst_as” in the specification)
  4. Source address prefix mask bits (“src_mask” in the specification)
  5. Destination address prefix mask bits (“dst_mask” in the specification)
The lack of any of these fields should not cause problems with any of the major collectors.
The idle timeout and active timeout are statically set to 15 seconds and 5 minutes respectively. Currently these values are not changeable.
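The five zeroed fields listed above are what a collector actually sees on the wire. As an added example (not part of this article or of VMware's code), the following Python parses a NetFlow v5 datagram, checks that its length matches the record count, and reports which of those routing/AS fields are zero in each record, which is a quick way to confirm an ESX 3.5 export looks as documented before trusting it for reporting. The sample datagram is constructed inline.

```python
"""Parse a NetFlow v5 export datagram and flag the fields an ESX Server 3.5 exporter leaves zeroed."""
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record
# Fields the ESX Server 3.5 exporter always sends as zero (per the limitations above).
ESX_ZEROED_FIELDS = ("nexthop", "src_as", "dst_as", "src_mask", "dst_mask")


def parse_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % version)
    # A v5 datagram carries at most 30 records; reject anything whose count and length disagree.
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count %d does not match datagram length %d" % (count, len(datagram)))
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling_interval": sampling}
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "srcaddr": socket.inet_ntoa(f[0]), "dstaddr": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "dPkts": f[5], "dOctets": f[6], "first": f[7], "last": f[8],
            "srcport": f[9], "dstport": f[10], "tcp_flags": f[12], "prot": f[13], "tos": f[14],
            "src_as": f[15], "dst_as": f[16], "src_mask": f[17], "dst_mask": f[18],
        })
    return header, records


def zeroed_fields(record):
    """Names of the routing/AS fields that are zero in this record (all five on an ESX 3.5 export)."""
    return [n for n in ESX_ZEROED_FIELDS if record[n] in (0, "0.0.0.0")]


def build_v5(records, seq=0):
    """Build a v5 datagram from raw field tuples (constructed test data standing in for an exporter)."""
    return HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0) + b"".join(RECORD.pack(*r) for r in records)


# Constructed sample: one TCP flow as an ESX 3.5 vSwitch would export it, nexthop/AS/mask all zero.
SAMPLE = build_v5([(socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"), b"\0\0\0\0",
                    1, 2, 10, 1500, 1000, 2000, 44321, 443, 0, 0x18, 6, 0, 0, 0, 0, 0, 0)])
```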

There is no way to dynamically change the set of virtual switches where NetFlow is enabled. To make a change, you must kill the previous net-netflow process and launch a new one.

There is no sampling mode available on this version of ESX Server.

This implementation should not be used to do strict traffic accounting. Although the implementation is generally quite accurate, memory pressure conditions and network congestion may result in dropped flows, without any way to retrieve them.

In order to enable and configure NetFlow, you must use the service console directly. With ESX Server 3.5, there is no support for configuring or managing NetFlow using VirtualCenter or the remote command line interface. This means NetFlow is not supported in ESX Server 3i environments.

Cautions on Using NetFlow in ESX Server 3.5
  1. Do not launch more than one instance of net-netflow.
  2. Do not launch two net-netflow instances at the same time. Although in theory this should be safe, the configuration has not been tested. It may lead to unexpected behavior.
  3. Do not delete a virtual switch that has NetFlow activated.
  4. Deleting a virtual switch with NetFlow activated may cause ESX Server to become unstable.