[转]Network flow monitoring with Open vSwitch

With network virtualization, the software switches (such as Open vSwitch) on the servers act like the edge switches. So, to gain insights into the network flow behavior, it becomes important to have some sort of flow monitoring technique to analyze the traffic through these switches. NetFlow and sFlow are the two most widely used flow monitoring approaches. To monitor the flows, the switches need to be configured to export and send the traffic data to an analyzer (eg SolarWinds Real-Time NetFlow Analyzer and InMon sFlowTrend). The analyzer listens on a a particular port for the flow statistics data sent from the switches. In this article, I will explain how to configure an OVS to send the flow statistics to an analyzer for monitoring.

sFlow:
To begin, lets start the InMon sFlowTrend analyzer (or any other sFlow analyzer) on a host (h1). By default, sFlowTrend listens on port 6343. On the server (h2) running the open vswitch, we need to use ovs-vsctl to configure the OVS as follows:

$ COLLECTOR_IP=192.168.0.121

$ COLLECTOR_PORT=6343

$ AGENT=eth1

$ HEADER=128

$ SAMPLING=512

$ POLLING=10

COLLECTOR_IP : IP of host h1 where the analyzer is running and listening on port COLLECTOR_PORT.
AGENT : network interface on the host h2 which connects to the network on which host h1 is running.
HEADER : size (in bytes) of the packet header to be analyzed.
SAMPLING : specifies the sampling rate. Every nth packet will be sampled (with some deviation).
POLLING : polling time period in seconds.
Configure the OVS bridge 'ovsbr1' (replace with the name of the OVS bridge on your setup):

$ SFLOWUUID=`sudo ovs-vsctl -- --id=@sflow create sflow \

agent=${AGENT}  target=\"${COLLECTOR_IP}:${COLLECTOR_PORT}\" \

header=${HEADER} sampling=${SAMPLING} polling=${POLLING} \

-- set bridge virbr0 sflow=@sflow`

or

$ sudo ovs-vsctl -- --id=@sflow create sflow agent=${AGENT}  \

target=\"${COLLECTOR_IP}:${COLLECTOR_PORT}\" header=${HEADER} \

sampling=${SAMPLING} polling=${POLLING} \

-- set bridge ovsbr1 sflow=@sflow

Now, you should be able to see on the sFlow analyzer the statistics for the traffic going through this OVS bridge.
To stop the switch from sending these statistics and remove this configuration, do:

$ sudo ovs-vsctl remove bridge ovsbr1 sflow $SFLOWUUID

or to remove all the sFlow configurations from the bridge:

$ sudo ovs-vsctl -- clear Bridge ovsbr1 sflow

You can also see the list of sFlow configurations using:

$ sudo ovs-vsctl list sflow

NetFlow:
Similarly, start a NetFlow collector on a host (h1) and configure the OVS bridge on h2 as follows:

$ COLLECTOR_IP=192.168.0.121

$ COLLECTOR_PORT=6343

$ TIMEOUT=10

$ sudo ovs-vsctl -- set Bridge ovsbr1 netflow=@nf --   --id=@nf  \

create   NetFlow   targets=\"${COLLECTOR_IP}:${COLLECTOR_PORT}\" \

active-timeout=${TIMEOUT}

Verify that you are getting the NetFlow statistics on the analyzer. To deconfigure NetFlow on ovsbr1, do:

$ sudo ovs-vsctl clear Bridge ovsbr1 netflow

You can also change the timeout once the NetFlow has been configured by using:

$ sudo ovs-vsctl set NetFlow ovsbr1 active_timeout=20

Cheers!

Credits:
1. ovs-vsctl documentation
2. Open vSwitch config-cookbook