Point and Click Network Troubleshooting for VMware Virtual Machines
OVERCOMING THE COMPLEXITIES OF CONFIGURING SPAN
AND ERSPAN PORTS WITHIN VSPHERE
Virtual Machines are mission critical to enterprise data centers, and Virtual Infrastructure (VI) admins
need fast access to troubleshooting data. A great way to get that data is to access the packets being
generated by VMs in the vSphere hypervisor and forward them to an analyzer (whether that is a security,
compliance, or troubleshooting tool). However, access to VM packet data requires configuration within
both the hypervisor and the network. VI admins do not have the ownership or cross-domain expertise
needed to steer traffic across the network to their tool of choice, so they need support from their
networking team. This adds to the time it takes to solve problems, resulting in slow responses to what
are often critical issues.
Technically, steering “packet copies” requires the configuration of SPAN, ERSPAN, vNICs, subnets,
port groups, VXLANs, vDS, DVS, and IPFIX from within vSphere. The SPAN/ERSPAN traffic then needs to
be redirected across the network, which requires similar programming of VLANs, QoS, uplinks, etc.
While vCenter can help with hypervisor configuration, it does not have the full end-to-end view
required to efficiently steer traffic across the network.
While some vendors have developed configuration scripts that can steer traffic to their tool on a
per-VM basis (using API calls through vCenter), these tools are mostly network-unaware and do not
offer the ability to filter, pre-process, or program the network. Furthermore, these scripts are often
proprietary and do not solve the multi-tool, multi-department requirement. None are designed with
any consideration for the impact they have on the network, or for the disruption packet steering can
have on production traffic.
What at first appears to be a simple task is actually pretty involved.
VMware vSphere is the leading data-center hypervisor. By abstracting workload from hardware it enables the Software Defined Data Center, giving business agility with private, public, and hybrid cloud.
“This plug-in greatly reduces the complexity of configuring SPAN/ERSPAN. This simplifies troubleshooting, analyzing, and capturing Virtual Machine network behaviors for security monitoring and application performance. And with the Big Mon Fabric, there is no disruption to the production network.”
Prashant Ghandi, Chief Product Officer, Big Switch Networks
SOLUTIONS OVERVIEW
Big Mon Fabric is an out-of-band network monitoring network, where traffic from vSphere hosts can be copied and forwarded non-disruptively to any tool of choice. Big Switch offers this solution on industry-standard, Broadcom-based switches. The Big Mon controller includes a vCenter plug-in for configuring SPAN/ERSPAN with a simple-to-use interface.
THE BIG MON VMWARE TRAFFIC MONITORING SOLUTION
The Big Monitoring Fabric, offered via the Big Mon controller, provides an integrated, point-and-click
graphical interface that VI admins can use to steer packet copies from the VM to a broad range of
analytic tools. Traffic is safely redirected across the Big Mon Fabric switches, out-of-band, to avoid
any disruption to the production network.
Convenient search capabilities within the Big Mon controller GUI let the user quickly find the VMs
they need to enable (or disable) packet copies from. Then, using user-friendly names such as WireShark,
ExtraHop, etc., they can pick the tool they want to send that traffic to. The Big Mon controller
configures the SPAN/ERSPAN copies end to end. The Big Mon Fabric controller, via the VMware
plug-in, pulls the necessary vSphere host data for configuring both the hypervisor and the fabric redirect
settings. Further, the controller has the intelligence to know whether to SPAN the packet copies from a
dedicated server NIC or to ERSPAN them over a NIC shared with the production network. In all cases the
packet copies are then redirected through the Big Mon Fabric, at which point the copied traffic is fully
out-of-band from the production network.
The value of this approach, especially within VMware ESX environments, is how easy it is to “point”
traffic from a port group, ESX host, or even an individual Virtual Machine to a monitoring tool. The
complexities of the virtual and physical switch networks are hidden from the user, while still ‘known’
by the Big Mon Fabric Controller. The user accesses the controller via an RBAC interface and is presented
with a list of vCenter attributes from which they can forward traffic.
Selected traffic is copied from within the VMware server using either SPAN (Switch Port Analyzer)
if there is a dedicated NIC to the Big Mon Fabric switch, or ERSPAN (Extended Remote Switch Port
Analyzer) if there is a NIC interface shared with the production network. The controller has topology
awareness inclusive of the server connections and knows which mode of SPAN to configure.
[Figure: SPAN topology. Components shown: Top of Rack Switches, Virtual Switch, Big Mon Controllers, vCenter with VMware plug-in, App Perf Mgmt Tool, Sec Ops Mgmt Tool, Compliance Mgmt Tool, Centralized Tools, and Big Mon Service Nodes (header stripping, de-duplication, packet slicing/masking, NetFlow generation).]
Caption: SPAN copies traffic out through a dedicated vSphere NIC, directly to the Big Mon Fabric.
[Figure: Big Mon Fabric controller interface view.]
Caption: The above shows several virtual machines where SPAN has been configured and is active. This is a Big Mon Fabric controller interface view.
Copyright 2018 Big Switch Networks, Inc. All rights reserved. Big Switch Networks, Big Cloud Fabric, Big Tap, Switch Light OS, and Switch Light vSwitch are trademarks or registered trademarks of Big Switch Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Big Switch Networks assumes no responsibility for any inaccuracies in this document. Big Switch Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Headquarters
3965 Freedom Circle, Suite
300, Santa Clara, CA 95054
+1.650.322.6510 TEL
+1.800.653.0565 TOLL FREE
www.bigswitch.com
THE BIG MON VMWARE MONITORING WORKFLOW
Behind the scenes, the Big Switch solution takes care of the following:
1. Discovery of ESX servers, port groups, vNICs, and Virtual Machines via vCenter APIs
2. Discovery of the Big Mon physical fabric, including the ports connected to the ESX server
nodes, via LLDP
3. Automatically determining, from the server-to-switch cabling, whether SPAN or ERSPAN can be
used
4. Policy definitions within the Big Mon Controller, and the type of monitoring posture to apply
when packet capture is selected
5. A point-and-click interface for directing packet copies from a VM, or a group of VMs, anywhere
within the vCenter cluster to any analytics tool that has also been discovered
6. Error messaging when SPAN or ERSPAN requests do not match the policy definitions,
specifically when selecting SPAN or ERSPAN
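The workflow above boils down to a topology-driven decision followed by a policy check: a host with a NIC cabled into the fabric and carrying no production port groups can SPAN from that NIC; otherwise the copies must be ERSPAN-encapsulated over a NIC shared with production, and the request is rejected if policy does not allow the resulting mode. The following is an added, illustrative model of that logic, not Big Switch or VMware code. The host, NIC and LLDP inventory is constructed inline (a real controller would pull it from the vCenter API and from LLDP on the fabric switches), and the names `FABRIC_SYSTEM_NAMES`, `Policy.allowed_modes` and `Policy.erspan_collector` are assumptions made for this example.

```python
"""Illustrative SPAN-vs-ERSPAN decision and policy check (added example).

Not Big Switch or VMware code. Inventory below is constructed; in practice
steps 1 and 2 of the workflow (vCenter API and LLDP discovery) supply it.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed assumption: LLDP system names that identify Big Mon fabric switches.
FABRIC_SYSTEM_NAMES = {"bigmon-tor-1", "bigmon-tor-2"}


@dataclass
class Uplink:
    name: str                      # physical NIC on the ESX host, e.g. vmnic2
    lldp_neighbor: Optional[str]   # system name learned via LLDP, None if unknown
    port_groups: List[str]         # production port groups carried on this NIC


@dataclass
class Host:
    name: str
    uplinks: List[Uplink]
    vm_port_groups: Dict[str, str]  # VM name -> port group it is attached to


@dataclass
class Policy:
    """Assumed policy shape: which modes an operator may use, and where
    ERSPAN copies terminate on the fabric."""
    allowed_modes: set = field(default_factory=lambda: {"SPAN", "ERSPAN"})
    erspan_collector: Optional[str] = None


def _is_fabric_port(uplink: Uplink) -> bool:
    return uplink.lldp_neighbor in FABRIC_SYSTEM_NAMES


def _is_dedicated(uplink: Uplink) -> bool:
    # Dedicated means cabled to the fabric and carrying no production traffic.
    return _is_fabric_port(uplink) and not uplink.port_groups


def choose_mode(host: Host) -> Optional[str]:
    """SPAN needs a dedicated NIC into the fabric; without one the copies
    have to be ERSPAN-encapsulated over a shared production NIC."""
    if any(_is_dedicated(u) for u in host.uplinks):
        return "SPAN"
    if host.uplinks:
        return "ERSPAN"
    return None  # nothing discovered that could carry the copies


def request_copy(host: Host, vm: str, tool: str, policy: Policy) -> dict:
    """Validate one point-and-click request against topology and policy.
    Returns a session description, or {"error": ...} mirroring step 6."""
    port_group = host.vm_port_groups.get(vm)
    if port_group is None:
        return {"error": f"VM {vm} not found on host {host.name}"}
    mode = choose_mode(host)
    if mode is None:
        return {"error": f"host {host.name} has no discovered uplinks"}
    if mode not in policy.allowed_modes:
        return {"error": f"topology on {host.name} requires {mode}, "
                         f"but policy allows only {sorted(policy.allowed_modes)}"}
    if mode == "ERSPAN" and policy.erspan_collector is None:
        return {"error": "ERSPAN required but policy defines no collector address"}
    if mode == "SPAN":
        source = next(u.name for u in host.uplinks if _is_dedicated(u))
    else:
        # Copies leave over whichever shared NIC carries the VM's port group.
        source = next((u.name for u in host.uplinks if port_group in u.port_groups),
                      host.uplinks[0].name)
    return {"host": host.name, "vm": vm, "port_group": port_group, "mode": mode,
            "source_nic": source, "tool": tool,
            "collector": policy.erspan_collector if mode == "ERSPAN" else None}


# Constructed sample inventory: esx-01 has a spare NIC cabled to the fabric,
# esx-02 only has a production NIC.
HOST_DEDICATED = Host(
    name="esx-01",
    uplinks=[Uplink("vmnic0", "prod-tor-1", ["PG-Web", "PG-DB"]),
             Uplink("vmnic2", "bigmon-tor-1", [])],
    vm_port_groups={"web-01": "PG-Web", "db-01": "PG-DB"},
)
HOST_SHARED = Host(
    name="esx-02",
    uplinks=[Uplink("vmnic0", "prod-tor-2", ["PG-Web"])],
    vm_port_groups={"web-02": "PG-Web"},
)

if __name__ == "__main__":
    print(request_copy(HOST_DEDICATED, "web-01", "WireShark", Policy()))
    print(request_copy(HOST_SHARED, "web-02", "ExtraHop",
                       Policy(erspan_collector="10.99.0.1")))
    print(request_copy(HOST_SHARED, "web-02", "ExtraHop",
                       Policy(allowed_modes={"SPAN"}, erspan_collector="10.99.0.1")))
```

The third call in the usage block is the error case from step 6: the cabling on esx-02 forces ERSPAN, but the policy permits only SPAN, so the request is refused with a message rather than silently pushing copies over the production NIC.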
SOLUTION BENEFITS
• Point-and-click configuration of SPAN and ERSPAN for rapid Virtual Machine
troubleshooting and remediation
• Out-of-band, scale-out monitoring fabric for non-disruptive traffic analytics
• Intelligent processing and filtering of traffic data to prevent oversubscription
of the analytic tools
• Applicable across all analytics tools, with data reductions that minimize the need
for large tool appliances
• SDN driven, with x86 appliances and industry-standard 1RU multi-terabit data center
switches
CONCLUSION
Virtual Infrastructure operations teams need a point-and-click interface to copy network packet
data from their vSphere/ESX hypervisor servers over to a myriad of different troubleshooting tools—
and all at a moment’s notice. Moreover, they need to ensure that there is no impact to the
network, that packet data is copied securely, and that by replicating network data they have not
created a security risk.
Big Monitoring Fabric, via the controller integration with vCenter, offers an interface in which any
authenticated operations technician can program these copy sessions across multiple servers,
tools, and user communities without disruption. This is commonly referred to as the VMware plug-in
for the Big Mon controller, and it leverages the rich API integration between vCenter and the
Big Mon Controller.