H3C Technologies H3C Intelligent Management Center User Manual


14 Analyzing traffic between virtual machines

Virtual machines running on the same physical server can provide different types of services to network users concurrently. Each virtual machine has a unique IP/MAC address, so all traffic passing through the devices can be captured by a device that supports NetStream v5/v9, NetFlow v5/v9, or sFlow v5, and sent to NTA for processing and analysis. However, because traffic between virtual machines is forwarded internally by the vSwitches of the physical server without passing through the devices, that traffic cannot be captured and forwarded to NTA for processing and analysis.

To collect and analyze traffic between virtual machines, you create a virtual machine on the physical server and deploy a probe server on the virtual machine. This chapter describes how to deploy the probe server on a VMware virtual machine to collect and analyze traffic between virtual machines. By default, the probe server deployed on a VMware virtual machine does not receive traffic between virtual machines. To enable the probe server to capture traffic between virtual machines, you must modify the settings of the virtual machine's network adapter.

To use NTA to analyze traffic between VMware virtual machines:

1. Deploy a probe on the virtual machines.
   In NTA, a probe is a probe server, which is an application that runs on a dedicated server. A probe server acts as a network flow generator that transmits network flow data to the NTA server, which acts as a flow collector. Probe servers receive information forwarded to them from network devices. NTA retrieves data from a probe server once the probe server has been added to the NTA server as a probe. Operators use probe servers when the devices in their network cannot generate NetStream, NetFlow, or sFlow data. For instructions on deploying a probe on virtual machines, see "Deploying a probe on a virtual machine."

2. Configure the virtual machine's network adapters.
   A virtual machine with a probe deployed needs two network adapters, one for collecting data and the other for sending data to the NTA server. The two network adapters are added to different port groups. To enable the probe to collect and analyze traffic between virtual machines, you must add the network adapters to the correct port groups. By default, the probe deployed on a virtual machine cannot receive packets transmitted between virtual machines. You must configure the port group that contains the network adapter for collecting traffic to operate in promiscuous mode; all virtual machine network adapters in that port group then operate in promiscuous mode. A probe can capture data packets between virtual machines only when the network adapters operate in promiscuous mode. For instructions on how to modify the network configuration of a port group, see "Setting the network configuration for a virtual machine network adapter."

   In promiscuous mode, a virtual machine network adapter listens to all packets. In non-promiscuous mode, it can listen only to traffic on its own MAC address. By default, virtual machine network adapters are in non-promiscuous mode.

3. Add the probe to NTA.
   After you deploy a probe and modify port group configurations, you must configure the NTA server to receive and process the network flow records from the probe. Use the Probe Management feature in the Settings area to add probes to NTA. For more information on using Probe Management to configure NTA to receive network flow data records from probe servers, see "Probe management."
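
Because step 2 puts every adapter in the collecting port group into promiscuous mode, it is worth confirming after deployment that only the probe's collecting adapter sits in such a port group. The following audit is an added example, not part of the H3C manual: it assumes VMware PowerCLI is installed (the manual does not mention it), and the vCenter address and probe VM name are placeholders.

```powershell
# Added example: audit standard vSwitch port groups that allow promiscuous mode.
# Assumptions (not from the manual): PowerCLI is available; the two values
# below are placeholders to replace with your own.
$vCenter = 'vcenter.example.local'   # placeholder vCenter Server address
$probeVM = 'nta-probe-01'            # hypothetical name of the probe VM

Connect-VIServer -Server $vCenter | Out-Null

# Build an index of every VM network adapter: host, port group, VM, adapter.
$adapters = foreach ($vm in Get-VM) {
    foreach ($nic in Get-NetworkAdapter -VM $vm) {
        [pscustomobject]@{
            VMHost    = $vm.VMHost.Name
            PortGroup = $nic.NetworkName
            VM        = $vm.Name
            Adapter   = $nic.Name
        }
    }
}

# Report each promiscuous port group and any adapter in it that is not the probe's.
$report = foreach ($pg in Get-VirtualPortGroup -Standard) {
    $policy = Get-SecurityPolicy -VirtualPortGroup $pg
    if (-not $policy.AllowPromiscuous) { continue }

    $hostName = (Get-VMHost -Id $pg.VMHostId).Name
    $members  = @($adapters | Where-Object {
        $_.VMHost -eq $hostName -and $_.PortGroup -eq $pg.Name
    })
    $unexpected = @($members | Where-Object { $_.VM -ne $probeVM })

    [pscustomobject]@{
        VMHost     = $hostName
        VSwitch    = $pg.VirtualSwitchName
        PortGroup  = $pg.Name
        ProbeInPG  = [bool]($members | Where-Object { $_.VM -eq $probeVM })
        Unexpected = ($unexpected | ForEach-Object { "$($_.VM)/$($_.Adapter)" }) -join ', '
    }
}

$report | Format-Table -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

A row with a non-empty `Unexpected` column means a virtual machine other than the probe can also see traffic on that port group; a row with `ProbeInPG` false means promiscuous mode is enabled where no probe uses it.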
