Netflow does not show ingress on interface on DVS lower than 7.0

search cancel

book

calendar_today

VMware vSphere ESXi

Symptoms:
Netflow does not show ingress on interface on DVS lower than 7.0.

VMware vSphere ESXi 6.5
VMware vSphere ESXi 7.0.0
VMware vSphere ESXi 6.7

This is expected behavior for DVS lower than 7.0, the default behavior is single-direction sampling on egress only.

ESXi 6.5 U3 and ESXi 6.7 U2 and later, a DVS property was introduced to convert the sampling behavior to bi-directional, sampling packets on both ingress and egress.
DVS 7.0 (on ESX7.0) Netflow sampling behavior is changed from original single-direction sampling to bi-direction sampling by default. This cannot be changed to single-direction.

Workaround:
ESXi 6.5 U3 and ESXi 6.7 U2 and later, enable bi-directional sampling packets on both ingress and egress with these commands:

esxcfg-vswitch -l

DVS Name Num Ports Used Ports Configured Ports MTU Uplinks
65-DSwitch 5376 18 512 9000 vmnic5,vmnic4,vmnic9,vmnic8,vmnic7,vmnic6

net-dvs -l |grep ipfixbehavior

net-dvs -s "com.vmware.etherswitch.ipfixbehavior"=1 -p globalPropList 65-DSwitch

net-dvs -l |grep ipfixbehavior
com.vmware.etherswitch.ipfixbehavior = 0x 1. 0. 0. 0

net-dvs --persist

After saving it to local file, this property can keep persistent after rebooting.

Notes:

The DVS property configured on host directly is not known by vCenter. It may be overriden by VCenter in some case.This workaround is suggested for testing only.
Bi-direction sampling behavior may introduce more cost and affect the highest throughput on the hosts.
The downgrade is related to product traffic throughput and netflow sampling rate. As sampling rate value is bigger, the impact becomes lower. When the sampling rate is larger than 1000(almost 1/1000 packets sampled), no downgrade seen with the highest throughput.

thumb_up Yes

thumb_down No