Prerequisites for OVS Mirroring

This section is only applicable if you are using OVS Mirroring as your traffic acquisition method. The following items are required to deploy a UCT-V OVS agent:

  • An existing OpenStack cloud environment should be available with admin project and login credentials to create a monitoring domain.
  • A user with OVS access is required to enable OVS-Mirror. The user can be an admin or can be a user with a custom role that has the permissions and the ability to list projects.

OpenStack Cloud Environment Requirements

  • ML2 mechanism driver: Open vSwitch.
  • To enable OVS mirroring, you must have the following role privileges in the respective files, as shown in the table:

    File: /etc/nova/policy.json
    Command:

    "os_compute_api:os-hypervisors": "role:gigamon",
    "os_compute_api:servers:detail:get_all_tenants": "role:gigamon",
    "os_compute_api:servers:index:get_all_tenants": "role:gigamon",
    "os_compute_api:servers:allow_all_filters": "role:gigamon",
    "os_compute_api:os-extended-server-attributes": "role:gigamon"

    File: /etc/keystone/policy.json
    Command:

    "identity:list_projects": "role:admin or role:gigamon",
    "identity:list_user_projects": "role:admin or role:gigamon or rule:owner",
    "identity:list_users": "role:admin or role:gigamon"

    File: /etc/neutron/policy.json
    Command:

    "context_is_advsvc": "role:advsvc or role:gigamon",
    "get_subnet": "rule:admin_or_owner or rule:shared or role:gigamon",
    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
    "update_floatingip": "rule:admin_or_owner or role:gigamon",
    "get_floatingip": "rule:admin_or_owner or role:gigamon",
    "get_security_groups": "rule:admin_or_owner or role:gigamon",
    "get_security_group": "rule:admin_or_owner or role:gigamon",
    "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
    "get_port:binding:vif_details": "rule:admin_only or rule:context_is_gigamon"
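
The policy entries above give role:gigamon cross-tenant read access, so it is worth checking an edited policy file before restarting services. The following is an added example, not part of the original documentation or any Gigamon or OpenStack tool: it audits a policy.json body for curly quotes pasted from documentation, doubled operators such as "or or", missing required rules, and role:gigamon granted on rules outside the documented set. Only the nova rule names are embedded; the function name audit_policy, the sample file content and the simplified expression check are assumptions made for the example.

```python
import json
import re

# Rule names from the /etc/nova/policy.json rows above.
REQUIRED_NOVA = {
    "os_compute_api:os-hypervisors",
    "os_compute_api:servers:detail:get_all_tenants",
    "os_compute_api:servers:index:get_all_tenants",
    "os_compute_api:servers:allow_all_filters",
    "os_compute_api:os-extended-server-attributes",
}
CURLY = "\u201c\u201d\u2018\u2019"   # typographic quotes copied from rendered docs
OPERATORS = {"or", "and"}

# Constructed sample: one doubled operator, one missing rule, one extra grant.
SAMPLE = """{
  "os_compute_api:os-hypervisors": "role:gigamon",
  "os_compute_api:servers:detail:get_all_tenants": "role:gigamon",
  "os_compute_api:servers:index:get_all_tenants": "rule:admin_api or or role:gigamon",
  "os_compute_api:servers:allow_all_filters": "role:gigamon",
  "os_compute_api:servers:delete": "rule:admin_or_owner or role:gigamon"
}"""

def audit_policy(text, required, role="gigamon"):
    """Return a list of findings for one policy.json body (empty list = clean)."""
    if any(c in text for c in CURLY):
        return ["curly quotes present: file is not valid JSON"]
    try:
        rules = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(rules, dict):
        return ["top level is not a JSON object"]
    findings = [f"missing rule: {k}" for k in sorted(required - set(rules))]
    for key, expr in sorted(rules.items()):
        tokens = re.sub(r"[()]", " ", str(expr)).split()
        # Two operators in a row ("or or"), or an operator at either end.
        bad = any(a in OPERATORS and b in OPERATORS for a, b in zip(tokens, tokens[1:]))
        if tokens and (bad or tokens[0] in OPERATORS or tokens[-1] in OPERATORS):
            findings.append(f"malformed expression in {key}: {expr!r}")
        if f"role:{role}" in tokens and key not in required:
            findings.append(f"role:{role} granted outside the documented set: {key}")
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE, REQUIRED_NOVA):
        print(finding)
```

The same function can be run against the keystone and neutron files by passing the rule names from their rows as the required set.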

If the OpenStack CLI command openstack hypervisor list does not return a reachable IP for the hypervisors that are being monitored, you must manually enter a reachable IP for each hypervisor in the OpenStack CLI using project properties. For each hypervisor, add a key-value pair property in the following format:
  • key: value
  • key: must be in the form gigamon-hv-<hypervisorID>
  • value: reachable IP for hypervisor
  • For example: openstack project set --property gigamon-hv-1=1.2.3.4 project-name