We're trialling vRNI, have it setup and have told NSX to sling flow data at it. However, if we analyze the last seven days of data since it was put in place we're seeing:
Which seems a bit.......excessive! Looking at that Internet / North-South traffic we're seeing it all appears to be classed as UDP on destination port 0(!) and from source and dest ip's that aren't in our range:
All we can think is it's a failure to classify traffic properly. We've got NSX shipping the IPFIX data to another flow analysis system for ingestion and that's not showing the same, it seems quite happy so I think the issue is with vRNI personally.
Has anyone else hit anything similar?