How to plan and build network traffic mirroring in a virtualized environment?
Currently, the company is building related systems based on network traffic mirroring, such as NPM, BPC, and database SQL statement auditing, and has initially set up a type switch network. However, in the virtualized platform, some virtual machines may interact within the physical machine's virtual switch, making it impossible to obtain traffic mirroring from the physical switch.

We have learned about the following three methods for network traffic mirroring in virtualized environments:

1. Using the port mirroring feature of the VMware VDS distributed switch
2. Installing third-party virtual machines on each host to collect the network traffic of the virtual machines within that host
3. Installing a third-party agent on the virtual machines that need traffic mirroring to collect their own network traffic

All three methods will transmit the mirrored traffic to the type network through separate network cards, distinct from the business network cards.

I currently lean towards the first option, but I have concerns about whether VMware's port mirroring feature will affect the overall performance of the host machine.

I would like to consult with seniors in the financial industry about the pros and cons of the three options. Which method are you using? Have you encountered any pitfalls during implementation?
(@linjh, System Engineer at a Securities Company)
@Zhao Hai, Technical Manager:
First of all, if it is a physical switch, it is generally recommended to use dedicated port mirroring devices to mirror the traffic on the switch, and then use specialized software to analyze the mirrored traffic. This is a relatively common and mature practice, and there are many specific products available.
In a virtualized environment, the first option is fundamentally consistent with the approach in a physical environment. From this perspective, its maturity and stability should not be a concern. As for performance, as long as the network card configuration and traffic analysis are done well, there should not be significant performance issues. This is because it does not involve real-time scanning of business data packets but rather processes the mirrored traffic packets. The only difference is that hardware resources are not completely independent. The mirroring itself relies on the mechanism of the virtual switch, and if the physical switch can handle this well, the virtual switch should not have major issues either.
@Li Rongjie, Network Engineer at China Merchants Bank:
I personally think the three options need to consider the following points:
1. It relies on the interfaces and functions provided by VDS itself, which I have not used in practice, so it may not be comprehensive.
2. Installing on the host will add some overhead to the host itself, and it also needs to be compatible with the virtualization technology used to obtain the virtual machine traffic. On the other hand, if the host crashes, whether the virtual machines on it can still collect data needs to be considered in advance.
3. Installing on the virtual machine itself will impose a significant workload on the virtual machine. It is recommended to integrate it into the image to reduce the workload of system colleagues. The resource consumption of the agent itself needs to be evaluated.
@Huang Jiang, Technical Support at a Bank:
Our bank adopts the second option.
The virtualized traffic collection solution consists of three parts: FM centralized management platform, VM virtualization collection probe, and traffic processing engine.
There are two components in the link communication deployment, including management-level link communication and tunneling link communication.
Management-level link communication: used for FM to install and configure VMs.
Tunneling link communication: used for VM to collect virtual machine traffic and forward it to HC through tunneling encapsulation.
Installation is simple, control is convenient, and it requires the use of IP addresses.
Currently, it has a minimal impact on server performance.
@Zhang Peng, Technical Director at China Financial Electronic Company:
I have not practiced this specifically, so I can only share my thoughts.
Based on the description of the problem, if all three methods can meet user needs, I prefer the third option. The reason is that it only collects traffic from the virtual machines that need to be monitored, which is more targeted, reduces interference from irrelevant information, and lessens the overall pressure caused by collecting unrelated traffic.
I think the first option should be used cautiously. Although VDS simulates most of the functions of a switch, it still differs from traditional switches. Traffic mirroring should ideally use dedicated devices, such as TAP devices. There are also similar vTAP solutions in SDN solutions.
@yjy031, Data Center Network Engineer:
This issue is also a concern for us. Let me share some of my views. First, VMware is not the only choice for virtualization; relying solely on it may have certain limitations in the future. Secondly, both the second and third options have vendor solutions, and they have feedback mechanisms that theoretically should not impact business operations. If resources are not too tight, the overhead should be manageable.
Currently, we have not resolved this issue, so we try to let access traffic cross switches and mirror traffic through switches. For traffic within a single host, the network switch indeed cannot mirror it; this can only be addressed with third-party dedicated solutions. Personally, I prefer the last two options and recommend purchasing mature products from the market that have been validated by other organizations.
@chinesezzqiang, Information Technology Manager:
I recommend adopting the first option for the following reasons:
1. The consumption of virtualized traffic mirroring on physical host performance is very low;
2. It is recommended that the virtualized environment have an independent mirroring network;
3. Actual testing is needed, as this option is not widely used;
4. You can refer to third-party traffic performance monitoring devices.
@Pan Yansheng, System Engineer:
I have not encountered a situation where I need to mirror all virtual machine network traffic for monitoring in my work. However, I have experienced a case where a virtual machine was infected and sent packets, causing the entire physical machine’s port to become congested and unmanageable, leading to the failure of all virtual machines on that physical machine. Considering this need and some previous technical exchanges with VMware, I would like to share some of my thoughts.
Installing third-party virtual machines on each host to collect the internal virtual machine network traffic is somewhat wasteful in terms of resources. Each host needs to install and debug a set of collection systems, which not only requires allocating certain resources to run the third-party virtual machine but also complicates management if there are many hosts.

Installing a third-party agent on each virtual machine should be better than the second option. Since I have not used it, I can only refer to other similar deployment methods. Generally, third-party agents consume relatively little system resources and are stable. Once deployed, they can uniformly collect information, making them a good choice in terms of cost and management. However, third-party agents sometimes encounter issues due to problems with individual virtual machine systems, such as services failing to start or agents becoming unresponsive, or being restricted by certain security software.

As for the first option, I remember VMware has a network virtualization feature called NSX. It is a paid feature that can achieve detailed management and security protection of virtual machine networks, avoiding situations where a single virtual machine's network packets cause congestion in the physical port, leading to all virtual machines becoming non-operational. This would require restarting the entire physical machine to resolve. It should also be able to implement more detailed port mirroring functions. I believe the advantages are that it is a native VMware product, which should be better in terms of compatibility and maturity, while the downsides are that it is complex to deploy and relatively expensive. However, I still prefer to adopt this method. If funds and technical resources are tight, then I think using the third-party agent method is also a good option.
You can mirror based on the importance of different virtual machines, installing agents for critical business operations, while auxiliary and testing operations can simply mirror a physical interface through the physical switch to capture data.
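A collector-side check for the tunnelled mirror traffic described in the question and in Huang Jiang's reply, plus the flooding-VM failure mode Pan Yansheng describes, added here as an example and not code from the original thread or from any vendor product. It assumes the probe or VDS session encapsulates mirrored frames as ERSPAN Type II over GRE (one of the encapsulations VDS encapsulated remote mirroring offers); the packets, MAC addresses, IP addresses and session id are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter

GRE_PROTO_ERSPAN2 = 0x88BE   # GRE protocol type carrying ERSPAN Type II
ETH_LEN, IP_PROTO_GRE = 14, 47

def decap_erspan2(pkt: bytes) -> dict:
    """Strip outer Ethernet/IPv4/GRE/ERSPAN-II headers; return session metadata and inner frame."""
    if struct.unpack_from("!H", pkt, 12)[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    off = ETH_LEN
    ihl = (pkt[off] & 0x0F) * 4
    if pkt[off + 9] != IP_PROTO_GRE:
        raise ValueError("outer IP payload is not GRE")
    off += ihl
    gre_flags, gre_proto = struct.unpack_from("!HH", pkt, off)
    if gre_proto != GRE_PROTO_ERSPAN2:
        raise ValueError(f"unexpected GRE protocol 0x{gre_proto:04x}")
    off += 4 + (4 if gre_flags & 0x1000 else 0)   # S bit set => 4-byte sequence number follows
    ver_vlan, cos_en_t_sid = struct.unpack_from("!HH", pkt, off)
    if ver_vlan >> 12 != 1:                         # ERSPAN version 1 is Type II
        raise ValueError("not an ERSPAN Type II header")
    inner = pkt[off + 8:]                           # Type II header is 8 bytes, then the mirrored frame
    return {"session_id": cos_en_t_sid & 0x03FF, "vlan": ver_vlan & 0x0FFF,
            "src_mac": inner[6:12].hex(":"), "inner": inner}

def top_talkers(pkts, share=0.5):
    """Count mirrored frames per (session, inner source MAC); return sources above the given share."""
    counts = Counter()
    for p in pkts:
        m = decap_erspan2(p)
        counts[(m["session_id"], m["src_mac"])] += 1
    total = sum(counts.values())
    return [(k, n) for k, n in counts.most_common() if n / total >= share]

def build_sample(src_mac: bytes, session_id: int, seq: int) -> bytes:
    """Constructed ERSPAN Type II packet: outer Ethernet/IPv4/GRE(S bit)/ERSPAN/inner Ethernet."""
    inner = b"\x00\x11\x22\x33\x44\x55" + src_mac + b"\x08\x00" + b"\x45" + b"\x00" * 19
    erspan = struct.pack("!HHI", (1 << 12) | 100, session_id, 0)   # version 1, VLAN 100, index 0
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN2, seq)        # S bit + sequence number
    payload = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     IP_PROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 200]))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + payload

def sample_capture() -> list:
    """Constructed capture: one VM (de:ad:be:ef:00:01) emits 8 of the 10 mirrored frames."""
    flood = [build_sample(b"\xde\xad\xbe\xef\x00\x01", 7, i) for i in range(8)]
    normal = [build_sample(b"\xde\xad\xbe\xef\x00\x02", 7, i) for i in range(2)]
    return flood + normal
```

Run on the collector's dedicated mirror interface rather than the business NIC, the session id separates mirror sessions from different hosts and the per-MAC share flags a single guest saturating its host uplink before every VM on that host is affected.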