One of the more difficult places to monitor network traffic is between virtual machines on the same hypervisor. Organizations that have invested in hardware monitoring equipment have had no visibility. Gigamon recently announced the GigaVUE-VM virtual network tap, which ties in with its Traffic Visibility Fabric--an overarching term for the company's taps and management. However, GigaVUE-VM won't be available until the fourth quarter.
There are only a few ways to monitor network traffic to and from hosts on a hypervisor. IT can add probes to the hypervisor running as VMs and monitor traffic, but that requires buying lots of probes and having a way to de-duplicate the traffic and centralize the analysis and reporting. Alternatively, IT can just not bother and examine only what is occurring in and out of the hypervisor.
Gigamon isn't the first hardware tap vendor to provide virtual network tapping: Net Optics announced in February 2011 its Phantom Virtual Tap, which offers functions similar to those of GigaVUE-VM.
Gigamon's goal with GigaVUE-VM is to provide the basic functions necessary to select and forward frames to a physical GigaVUE appliance and to slice frames to a smaller size before forwarding to a physical tap for further processing. Gigamon wants to ensure that the GigaVUE-VM doesn't negatively affect the hypervisor's performance, with more complex functions better-suited to hardware.
One notable missing feature is Gigamon's time-stamping capabilities. In Gigamon's physical appliances, the taps can append a time stamp to the end of the frame before they're forwarded to the analysis engine. Some analysis tools can use the time stamp rather than their own or what is contained in the packet for timing analysis. Provided all of the tap clocks are synchronized, the additional time stamps should be more accurate and aid in troubleshooting. There are several issues with time stamping in hypervisors--namely, ensuring that the clock running in the VM is accurate and stable enough for sub-millisecond stamping.
Also missing is the ability to forward frames directly to a VM without first going to a physical appliance. Gigamon's initial offering is aimed at companies that have physical monitoring in place using its taps and want to augment the visibility within the hypervisor. One of the functions of the physical appliances is to de-duplicate and merge flows into a single output.
For example, if a GigaVUE tap sees traffic on a hypervisor, and that same traffic is also viewed by a physical tap, the duplicated flows should be detected and only one flow should be sent to the monitor. Otherwise, the resulting analysis will be inaccurate. However, there may be cases, particularly when applications are fully virtualized, where IT would want to forward from a virtual tap to a virtualized analysis engine and won't have access to a physical appliance, such as in a public cloud infrastructure-as-a-service deployment. Net Optics Phantom Virtual Tap can forward to virtual analysis appliances.
Initially, the GigaVUE-VM will be available only on VMware, but Gigamon plans to offer versions for Xen and Hyper-V. Gigamon is still adding features and putting the virtual tap through testing before the product launches in the fourth quarter. Pricing and final feature lists will be available closer to the release date.