What is IPFIX?
IPFIX is an IETF protocol for exporting flow information. A flow is defined as a set of packets transmitted in a specific time slot that share the same 5-tuple values: source IP address, source port, destination IP address, destination port, and protocol. The flow information may include properties such as timestamps, packet and byte counts, input and output interfaces, TCP flags, VXLAN ID, and encapsulated flow information.
What flow information does the VDS export?
A VDS in a vSphere environment can be configured to export flow information using IPFIX. Enable flow monitoring on all the port groups attached to the VDS. If packets arrive on port X of a VDS and exit from port Y, a corresponding flow record is emitted if flow monitoring is enabled on port Y (the exit port). The direction of every flow record is set to Egress.
How does vRealize Network Insight use IPFIX?
vRealize Network Insight uses VMware VDS IPFIX to collect network traffic data. Every session has two paths, one per direction.
For example: Session A↔C has A→C packets and C→A packets.
To analyze the complete information of any session, IPFIX data about packets in both directions is required.
In the preceding diagram, VM-A is connected to DVPG-A and is talking to VM-C. Here, DVPG-A only provides data about the C→A packets, and DVPG-Uplink provides data about the A→C packets. To get the complete information of A's traffic, IPFIX must be enabled on both DVPG-A and DVPG-Uplink.
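The following is an added example (not code from the page or from VMware) that shows why both port groups must export. It takes egress-only flow records keyed by 5-tuple, folds the two directions of a session into one direction-independent key, and reports sessions for which only one direction was seen. The exporter names, IP addresses, ports and counters are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One egress flow record as a VDS port group would export it (constructed shape)."""
    exporter: str      # port group whose egress side produced the record
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int      # IP protocol number, 6 = TCP
    packets: int
    octets: int


def session_key(rec: FlowRecord) -> tuple:
    """Direction-independent key: the two endpoints in sorted order, plus the protocol.

    A→C and C→A records therefore land on the same key.
    """
    ends = sorted([(rec.src_ip, rec.src_port), (rec.dst_ip, rec.dst_port)])
    return (ends[0], ends[1], rec.protocol)


def build_sessions(records) -> dict:
    """Group flow records into sessions and keep per-direction counters."""
    sessions = {}
    for rec in records:
        s = sessions.setdefault(session_key(rec), {"directions": {}, "exporters": set()})
        direction = (rec.src_ip, rec.src_port, rec.dst_ip, rec.dst_port)
        d = s["directions"].setdefault(direction, {"packets": 0, "octets": 0})
        d["packets"] += rec.packets
        d["octets"] += rec.octets
        s["exporters"].add(rec.exporter)
    return sessions


def incomplete_sessions(sessions: dict) -> list:
    """Sessions for which only one direction was exported: analysis of these is partial."""
    return [key for key, s in sessions.items() if len(s["directions"]) < 2]


# Constructed sample: VM-A (10.0.0.1) talks TCP/443 to VM-C (10.0.0.3).
# DVPG-Uplink egresses the A→C packets, DVPG-A egresses the C→A packets (as on the page).
A_TO_C = FlowRecord("DVPG-Uplink", "10.0.0.1", 51000, "10.0.0.3", 443, 6, 12, 1800)
C_TO_A = FlowRecord("DVPG-A", "10.0.0.3", 443, "10.0.0.1", 51000, 6, 10, 9000)


def dvpg_a_only() -> dict:
    """What the collector sees when IPFIX is enabled on DVPG-A alone."""
    return build_sessions([C_TO_A])


def both_port_groups() -> dict:
    """What the collector sees when IPFIX is enabled on DVPG-A and DVPG-Uplink."""
    return build_sessions([A_TO_C, C_TO_A])


if __name__ == "__main__":
    print("DVPG-A only, incomplete sessions:", incomplete_sessions(dvpg_a_only()))
    print("Both port groups, incomplete sessions:", incomplete_sessions(both_port_groups()))
```

With only DVPG-A exporting, the A↔C session is reported as incomplete; once DVPG-Uplink exports too, both directions fold into the same key and the session is whole.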
Can we change the Netflow/IPFIX sampling rate?
vRNI does not support changing the sampling rate. For micro-segment discovery and planning, keep the sampling rate at its default value.
How to troubleshoot issues with IPFIX during flow collection?
To troubleshoot issues with IPFIX during flow collection:
- Ensure that Netflow monitoring is enabled in the VDS and in its DVPG and uplink properties, and that the collector IP address is the IP address of the vRealize Network Insight Proxy.
- Verify whether the IPFIX Netflow packets are being dropped in between by a firewall (NSX, virtual, or physical).
  Ensure that Netflow packets destined for port 2055 on the vRealize Network Insight Proxy IP address are allowed by any firewall present in the route between the ESXi host and the vRealize Network Insight Proxy.
- Verify whether the ESXi host has stopped sending IPFIX Netflow packets.
  The ESXi host stops sending Netflow packets after some time if port 2055 is not reachable. This can happen when a firewall drops the packets.
- Verify that the vRealize Network Insight Proxy is reachable from the ESXi host.
  The proxy can be unreachable because of a network routing problem. Verify and ensure that a proper route exists between the vRealize Network Insight Proxy and the ESXi host.
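As an added example (not code from the page or from VMware), the script below is one way to confirm the first two checks from the collector's side: it receives datagrams on UDP port 2055 and parses the IPFIX message header and set headers as RFC 7011 lays them out, so a reader can tell whether what arrives is really IPFIX (version 10), a NetFlow v5/v9 export, or nothing at all. The bind address, the sample message contents (template ID 256 with sourceIPv4Address and destinationIPv4Address, addresses 10.0.0.1 and 10.0.0.3) and the export time are constructed; the `--listen` switch is this example's own.

```python
import socket
import struct
import sys

IPFIX_VERSION = 10
COLLECTOR_PORT = 2055              # collector port named on the page
HEADER = struct.Struct("!HHIII")   # version, length, export time, sequence number, observation domain ID
SET_HEADER = struct.Struct("!HH")  # set ID, set length


def set_kind(set_id: int) -> str:
    """Classify a set by its ID as RFC 7011 defines it."""
    if set_id == 2:
        return "template"
    if set_id == 3:
        return "options-template"
    if set_id >= 256:
        return "data"
    return "reserved"


def parse_ipfix_message(data: bytes) -> dict:
    """Parse the 16-byte message header and walk the set headers of one IPFIX datagram.

    Raises ValueError for anything that is not a well-formed IPFIX message, which is
    the signal that what reached the port is not what the VDS exports.
    """
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than the 16-byte IPFIX message header")
    version, length, export_time, sequence, domain_id = HEADER.unpack_from(data, 0)
    if version != IPFIX_VERSION:
        raise ValueError(f"version {version} is not IPFIX (10); NetFlow v5/v9 use 5/9")
    if length < HEADER.size or length > len(data):
        raise ValueError("message length field does not fit the datagram (truncated export?)")
    sets = []
    offset = HEADER.size
    while offset + SET_HEADER.size <= length:
        set_id, set_len = SET_HEADER.unpack_from(data, offset)
        if set_len < SET_HEADER.size or offset + set_len > length:
            raise ValueError(f"malformed set length {set_len} at offset {offset}")
        sets.append({"id": set_id, "kind": set_kind(set_id), "length": set_len})
        offset += set_len
    return {"version": version, "length": length, "export_time": export_time,
            "sequence": sequence, "observation_domain_id": domain_id, "sets": sets}


def build_sample_message() -> bytes:
    """Constructed sample: one template set (ID 256, two IPv4 address fields) and one data record."""
    template_set = (SET_HEADER.pack(2, 16)
                    + struct.pack("!HH", 256, 2)   # template ID, field count
                    + struct.pack("!HH", 8, 4)     # IE 8  sourceIPv4Address, 4 bytes
                    + struct.pack("!HH", 12, 4))   # IE 12 destinationIPv4Address, 4 bytes
    data_set = (SET_HEADER.pack(256, 12)
                + socket.inet_aton("10.0.0.1")     # constructed addresses
                + socket.inet_aton("10.0.0.3"))
    body = template_set + data_set
    header = HEADER.pack(IPFIX_VERSION, HEADER.size + len(body), 1700000000, 1, 1)
    return header + body


def listen(bind_ip: str = "0.0.0.0", port: int = COLLECTOR_PORT, count: int = 5) -> None:
    """Receive `count` datagrams on the collector port and report what each one is."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        for _ in range(count):
            data, (src, _) = sock.recvfrom(65535)
            try:
                msg = parse_ipfix_message(data)
            except ValueError as exc:
                print(f"{src}: not IPFIX: {exc}")
                continue
            print(f"{src}: domain {msg['observation_domain_id']} seq {msg['sequence']} "
                  f"sets {[s['id'] for s in msg['sets']]}")


if __name__ == "__main__":
    print(parse_ipfix_message(build_sample_message()))  # offline self-check on the sample
    if "--listen" in sys.argv:
        listen()
```

Run it with `--listen` on a host that is allowed to bind port 2055 (the real collector must not be holding the port at the same time). If ESXi hosts are exporting and nothing arrives, the firewall and routing checks above are the next step; if datagrams arrive but are rejected as version 5 or 9, the exporter is sending classic NetFlow rather than IPFIX. Sequence numbers that jump between consecutive messages from one observation domain indicate export datagrams lost along the path.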