Principles
- Capture and trace uplink, vmknic, and physical NIC packets
- Audit NSX infrastructure changes
- Output packet data for use by a protocol analyzer
- Capture and analyze traffic flows
- Mirror network traffic for analysis
- Perform a network health check
- Configure vSphere Distributed Switch alarms
References
- NSX Administration Guide
http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf
- vSphere Networking Guide
- vSphere Command-Line Interface Concepts and Examples
Capture and trace uplink, vmknic, and physical NIC packets
NSX Edge
Use the "debug packet ... interface" commands to capture packets on an Edge.
Display packets on screen: debug packet display interface <intName> [expression]
- intName: vNic_0 – vNic_9
- expression: A tcpdump expression, substituting "_" for spaces
- This command runs in the foreground; press Ctrl+C to end it
e.g. the following displays packets to/from vNic_0 from host 10.10.11.11 on port 80:
debug packet display interface vNic_0 host_10.10.11.11_and_port_80
Capture to pcap file: [no] debug packet capture interface <intName> [expression]
- intName: vNic_0 – vNic_9
- expression: A tcpdump expression, substituting "_" for spaces
- This command runs in the background. Repeat the command with "no" at the start to end it
- Use debug show files to list captured files e.g.
debug show files
-rw------- 1 0 Aug 7 09:33 tcpdump_vNic_0.0
- Use debug copy [ftp|scp] to transfer files from edge e.g.
debug copy scp admin@192.168.10.10:/ tcpdump_vNic_0.0
- Use debug remove <filename> to remove file from Edge e.g.
debug remove tcpdump_vNic_0.0
removed '/var/dumpfiles/data/tcpdump_vNic_0.0'
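The underscore-for-space convention above is easy to get wrong by hand, so here is a small helper (added here as an example; it is not part of the original notes or of VMware's tooling) that turns an ordinary tcpdump filter into the Edge CLI form, builds the display/capture command, rejects interface names outside vNic_0 – vNic_9, and derives the tcpdump_<intName>.<n> file name the capture writes. The function names and the check on the interface name are this example's own assumptions.

```python
import re

# NSX Edge interface names take the form vNic_0 .. vNic_9 (per the notes above).
_VNIC_RE = re.compile(r"^vNic_[0-9]$")


def encode_expression(expression: str) -> str:
    """Convert a tcpdump filter into the Edge CLI form: every run of
    whitespace becomes a single "_" and surrounding whitespace is dropped."""
    return "_".join(expression.split())


def debug_packet_command(interface: str, expression: str = "",
                         capture: bool = False, stop: bool = False) -> str:
    """Build a 'debug packet display|capture interface ...' command line.

    capture=False -> foreground 'display' (ended with Ctrl+C).
    capture=True  -> background 'capture' to a pcap file.
    stop=True     -> prefix the capture command with 'no' to end it.
    """
    if not _VNIC_RE.match(interface):
        raise ValueError(f"interface must be vNic_0 .. vNic_9, got {interface!r}")
    if stop and not capture:
        raise ValueError("'no' only ends a background capture; display is ended with Ctrl+C")
    parts = ["debug", "packet", "capture" if capture else "display", "interface", interface]
    encoded = encode_expression(expression)
    if encoded:
        parts.append(encoded)
    command = " ".join(parts)
    return "no " + command if stop else command


def capture_filename(interface: str, index: int = 0) -> str:
    """Name of the pcap a background capture writes, following the
    tcpdump_<intName>.<n> pattern that 'debug show files' lists."""
    if not _VNIC_RE.match(interface):
        raise ValueError(f"interface must be vNic_0 .. vNic_9, got {interface!r}")
    return f"tcpdump_{interface}.{index}"


if __name__ == "__main__":
    # Reproduces the example from the notes, then the matching capture/stop pair.
    print(debug_packet_command("vNic_0", "host 10.10.11.11 and port 80"))
    print(debug_packet_command("vNic_0", "host 10.10.11.11 and port 80", capture=True))
    print(debug_packet_command("vNic_0", "host 10.10.11.11 and port 80", capture=True, stop=True))
    print(capture_filename("vNic_0"))
```

Because the "no" form must repeat the original expression, keeping the expression string in one place and generating both the start and stop commands from it avoids leaving a background capture running on the Edge after a troubleshooting session.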
ESXi
Use the pktcap-uw command to capture packets on vmk and uplink interfaces
To capture packets on vmk interfaces: pktcap-uw --vmk <vmk> -o <output_file> e.g.
pktcap-uw --vmk vmk0 -o /var/tmp/vmk0.pcap
The name of the vmk is vmk0
The output file is /var/tmp/vmk0.pcap
No server port specifed, select 62067 as the port
Local CID 2
Listen on port 62067
Accept...Vsock connection from port 1029 cid 2
Dump: 27, broken : 0, drop: 0, file err: 0
Join with dump thread failed.
Destroying session 2
Dumped 27 packet to file /var/tmp/vmk0.pcap, dropped 0 packets.
Done.
To capture packets on uplink interfaces: pktcap-uw --uplink <vmnic> [-o <out_file>] e.g. (without -o the packet info goes to the console)
pktcap-uw --uplink vmnic0
The name of the uplink is vmnic0
No server port specifed, select 62402 as the port
Output the packet info to console.
Local CID 2
Listen on port 62402
Accept...Vsock connection from port 1039 cid 2
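When a pktcap-uw capture is kept as evidence, the counters in its closing lines (broken, drop, file err) say whether the pcap is a complete record. The following parser is an added example, not part of the original notes or of the pktcap-uw tool; the sample output is constructed to match the session shown above, and the summary field names are this example's own.

```python
import re

# Constructed sample output, laid out like the pktcap-uw session shown in the notes.
SAMPLE_OUTPUT = """\
The name of the vmk is vmk0
The output file is /var/tmp/vmk0.pcap
No server port specifed, select 62067 as the port
Local CID 2
Listen on port 62067
Accept...Vsock connection from port 1029 cid 2
Dump: 27, broken : 0, drop: 0, file err: 0
Join with dump thread failed.
Destroying session 2
Dumped 27 packet to file /var/tmp/vmk0.pcap, dropped 0 packets.
Done.
"""

_IFACE_RE = re.compile(r"^The name of the (vmk|uplink) is (\S+)")
_FILE_RE = re.compile(r"^The output file is (\S+)")
_COUNTERS_RE = re.compile(
    r"^Dump:\s*(\d+),\s*broken\s*:\s*(\d+),\s*drop:\s*(\d+),\s*file err:\s*(\d+)")
_DUMPED_RE = re.compile(r"^Dumped (\d+) packets? to file ([^,]+), dropped (\d+) packets")


def parse_pktcap_summary(output: str) -> dict:
    """Extract interface, output file and packet counters from pktcap-uw output."""
    summary = {"kind": None, "interface": None, "file": None, "console": False,
               "dumped": None, "broken": None, "dropped": None, "file_err": None}
    for raw in output.splitlines():
        line = raw.strip()
        if m := _IFACE_RE.match(line):
            summary["kind"], summary["interface"] = m.group(1), m.group(2)
        elif m := _FILE_RE.match(line):
            summary["file"] = m.group(1)
        elif line.startswith("Output the packet info to console"):
            summary["console"] = True
        elif m := _COUNTERS_RE.match(line):
            (summary["dumped"], summary["broken"],
             summary["dropped"], summary["file_err"]) = map(int, m.groups())
        elif m := _DUMPED_RE.match(line):
            # The final line restates the dumped/dropped totals and the file name.
            summary["dumped"] = int(m.group(1))
            summary["file"] = m.group(2)
            summary["dropped"] = int(m.group(3))
    return summary


def capture_is_complete(summary: dict) -> bool:
    """True only when a pcap was written and no packet was broken or dropped
    and no file error occurred, i.e. the capture can be relied on as a record."""
    return (summary["file"] is not None and summary["dumped"] is not None
            and summary["broken"] == 0 and summary["dropped"] == 0
            and summary["file_err"] == 0)


if __name__ == "__main__":
    s = parse_pktcap_summary(SAMPLE_OUTPUT)
    print(s)
    print("complete capture:", capture_is_complete(s))
```

A console-only run (no -o) never yields a file, so capture_is_complete() returns False for it; that is intentional, since nothing was preserved that a protocol analyzer could open later.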
Audit NSX infrastructure changes
See 9.4 – Audit infrastructure changes
NSX Ticket Logger
Output packet data for use by a protocol analyzer
See above
Capture and analyze traffic flows
See Objective 9.3 – Configure and collect data from network: Flow Monitoring
Mirror network traffic for analysis
- Mirror distributed port traffic to other distributed or physical switch ports
- Sends a copy of packets on one switch port (or an entire VLAN) to another switch port
Select vDS -> Configure -> Port mirroring
Port Mirroring options
Option | Description | Mirror path |
Distributed Port Mirroring | Mirror packets from several distributed ports to other distributed ports on the same host | Port -> Port |
Remote Mirroring Source | Mirror packets from several distributed ports to specific uplink ports on a host | VLAN -> Uplink |
Remote Mirroring Destination | Mirror packets from several VLANs to distributed ports | VLAN -> Port |
Encapsulated Remote Mirroring (L3) Source | Mirror packets from several distributed ports to remote agents' IP addresses; VM traffic is mirrored through an IP tunnel | Port -> IP |
Distributed Port Mirroring (legacy) | Mirror packets from several distributed ports to several distributed ports and/or uplink ports on the corresponding host | Port -> Uplink, Port -> Port |
Perform a network health check
- Helps to identify and troubleshoot configuration errors in a vSphere Distributed Switch.
- Runs regular health checks (default interval 1 minute) to:
  - Examine certain settings on the distributed and physical switches
  - Identify common configuration errors
- At least 2 active physical NICs are required
Configuration Error | Health Check |
The VLAN trunk ranges configured on the distributed switch do not match the trunk ranges on the physical switch | Checks whether the VLAN settings on the distributed switch match the trunk port configuration on the connected physical switch ports |
The MTU settings on the physical network adapters, distributed switch, and physical switch ports do not match | Checks whether the physical access switch port MTU jumbo frame setting based on per VLAN matches the vSphere distributed switch MTU setting |
The teaming policy configured on the port groups does not match the policy on the physical switch port-channel | Checks whether the connected access ports of the physical switch that participate in an EtherChannel are paired with distributed ports whose teaming policy is IP hash |
Select vDS -> Action -> Settings -> Edit Health Check
Select required checks
View Health from vDS -> Monitor -> Health
Configure vSphere Distributed Switch alarms
Add Alarm definitions from vDS -> Monitor -> Alarm Definitions
Add Triggers
Add Actions