Prerequisites for OVS Mirroring

This section is only applicable if you wish to use OVS Mirroring as your traffic acquisition method. The following items are required to deploy a UCT-V OVS agent:

  • An existing OpenStack cloud environment should be available with admin project and login credentials to create a monitoring domain.
  • A user with OVS access is required to enable OVS-Mirror. The user can be an admin or can be a user with a custom role that has the permissions and the ability to list projects.
  • A working GigaVUE-FM with the latest build.

OVS-Mirror Requirements

| Operating System | OVS Versions | OpenStack Version | Operating System Version |
|---|---|---|---|
| Ubuntu | 2.9.8, 2.13.8 | 4.0.2, 5.5.1 | 20.04 |
| Red Hat OpenStack platform | 2.15.5 | 16.2, 17.1 | Red Hat Enterprise Linux 8.4, Red Hat Enterprise Linux 9.2 (Plow) |

OpenStack Cloud Environment Requirements

  • ML2 mechanism driver: Open vSwitch.
  • To enable OVS mirroring, the following policy entries must be present in the respective files so that the custom role (gigamon in these entries) has the required privileges:

    File: /etc/nova/policy.json

    "os_compute_api:os-hypervisors": "role:gigamon",
    "os_compute_api:servers:detail:get_all_tenants": "role:gigamon",
    "os_compute_api:servers:index:get_all_tenants": "role:gigamon",
    "os_compute_api:servers:allow_all_filters": "role:gigamon",
    "os_compute_api:os-extended-server-attributes": "role:gigamon"

    File: /etc/keystone/policy.json

    "identity:list_projects": "role:admin or role:gigamon",
    "identity:list_user_projects": "role:admin or role:gigamon or rule:owner",
    "identity:list_users": "role:admin or role:gigamon"

    File: /etc/neutron/policy.json

    "context_is_advsvc": "role:advsvc or role:gigamon",
    "get_subnet": "rule:admin_or_owner or rule:shared or role:gigamon",
    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
    "update_floatingip": "rule:admin_or_owner or role:gigamon",
    "get_floatingip": "rule:admin_or_owner or role:gigamon",
    "get_security_groups": "rule:admin_or_owner or role:gigamon",
    "get_security_group": "rule:admin_or_owner or role:gigamon",
    "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
    "get_port:binding:vif_details": "rule:admin_only or rule:context_is_gigamon"
  • The following APIs and commands are required for OVS mirroring:

    | OpenStack CLI command | Supported API/Action | Description |
    |---|---|---|
    | openstack hypervisor list | GET /os-hypervisors | Should list all hypervisors in the domain. |
    | openstack server list --all --host <hostname> | GET /servers | Should list all the servers on a specified host. |
    | openstack server list --all | GET /servers | Should list servers of all projects in the domain. |
    | openstack project list | GET /v3/projects | Should list all projects in the domain. |
    | openstack project list --user <user with custom role> | GET /v3/projects | Should list all projects that a specified user (user specified in GigaVUE‑FM config) is associated with. |
    | openstack user show <userName> | GET /v3/users | Should list all users by username. |
    | openstack subnet list | GET /subnets | Should list all subnets for all projects in the domain. |
    | openstack network list | GET /networks | Should list all networks for all projects in the domain. |
    | openstack floating ip list | GET /floatingips | Should list all floating IPs for all projects in the domain. |
    | openstack floating ip set --port <portid> <floating ip> | PUT /floatingips/{floatingip_ID} | Used to attach a floating IP to fabric nodes. |
    | openstack security group list | GET /security-groups | Should list security groups for all projects in the domain. |
    | openstack security group show <security group id> | GET /security-groups/{security_group_id} | Should list details of the specified security group. |
    | openstack port list | GET /ports | Should list ports for all projects in the domain. |
    | openstack port show <portID> | GET /ports/{portID} | Should list port details including bridge name. |
    | openstack server create | POST /servers | Launch fabric nodes. |
    | openstack server <action> <serverName> | POST /servers/{server_id}/action | Stop/start/reboot fabric nodes. |
    | openstack server delete <serverName> | DELETE /servers/{serverID} | Delete fabric nodes. |
    | openstack server set | PUT /servers/{serverID}/metadata | Update visibility node metadata. |
    | openstack flavor list | GET /flavors | Get list of flavors. |
    | openstack availability zone list | GET /os-availability-zone | Get list of availability zones. |
    | openstack keypair list | GET /os-keypairs | Get list of keypairs. |
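
One way to audit a deployed /etc/keystone/policy.json against the keystone entries listed under OpenStack Cloud Environment Requirements, and to spot the gigamon role granted in rules this page does not list. This is an added example, not Gigamon or OpenStack code; the function names, status labels and sample policy are constructed for illustration, and it assumes every rule is a flat string check expression.

```python
import json

# Required entries for /etc/keystone/policy.json, transcribed from the list above.
REQUIRED_KEYSTONE = {
    "identity:list_projects": "role:admin or role:gigamon",
    "identity:list_user_projects": "role:admin or role:gigamon or rule:owner",
    "identity:list_users": "role:admin or role:gigamon",
}

def alternatives(expr):
    """Split a flat 'a or b or c' check string into its set of alternatives.
    Returns None when it uses and/not/parentheses and needs manual review."""
    tokens = expr.split()
    if any(t in ("and", "not") or "(" in t or ")" in t for t in tokens):
        return None
    return {t for t in tokens if t != "or"}

def audit_policy(policy_text, required, role="role:gigamon"):
    """Return sorted (status, rule) findings for one policy.json document."""
    policy = json.loads(policy_text)
    findings = []
    for rule, want in required.items():
        have = policy.get(rule)
        if have is None:
            findings.append(("missing", rule))
            continue
        have_alts = alternatives(have)
        if have_alts is None:
            findings.append(("review", rule))
        elif not alternatives(want) <= have_alts:
            findings.append(("insufficient", rule))
    # Least-privilege check: the custom role granted in a rule the page does not list.
    for rule, have in policy.items():
        words = have.replace("(", " ").replace(")", " ").split()
        if rule not in required and role in words:
            findings.append(("extra_grant", rule))
    return sorted(findings)

# Constructed sample input (not from a real deployment).
SAMPLE = """{
  "identity:list_projects": "role:admin or role:gigamon",
  "identity:list_user_projects": "role:admin or rule:owner",
  "identity:delete_user": "role:admin or role:gigamon"
}"""

if __name__ == "__main__":
    for status, rule in audit_policy(SAMPLE, REQUIRED_KEYSTONE):
        print(f"{status:13} {rule}")
```

The same function can be pointed at the nova and neutron files by passing a dictionary built from their entries above.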

If the OpenStack CLI command openstack hypervisor list does not return a reachable IP for the hypervisors that are being monitored, you must manually enter a reachable IP for each hypervisor in OpenStack CLI using project properties. For each hypervisor you will need to add a key value pair property in the following format:
  • key: value
  • key: must be in the form gigamon-hv-<hypervisorID>
  • value: reachable IP for hypervisor
  • For example: openstack project set --property gigamon-hv-1=1.2.3.4 project-name