VMware Networking Community
gilgamed
Contributor

Quantifying the Impact of NSX DFW IPFix Enabling

The system managers for the vSphere environment at this gig are concerned that if we enable IPFix (vCenter/Networking and Security/Flow Monitoring/Config) it could cause a problem. Is there anything I could point to to allay their concerns? I really want the logging from the DFW.

3 Replies
Sreec
VMware Employee

There are two major issues with a 24/7 logging approach:

1. The amount of logs we are going to receive can be very high; eventually this impacts storage space and needs a proper retention policy.

2. If the underlying network design is not proper, chances are high it can choke the network.

My approach is:

a) Logging should be enabled only for rules that are very much required, or enabled when the situation demands it.

b) Ensure that you calculate the storage consumption during the peak usage of the application for a given period of time and size it accordingly.

c) Filter/drop/rate-limit the logs. You can do this at the source (IPFIX) or at any solution in the path until the flow reaches the destination, with the same or different retention policies.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
Please KUDO helpful posts and mark the thread as solved if answered
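The sizing exercise in points b) and c) above, worked through as an added example (this is not code from the thread, from VMware, or from any collector product). It takes constructed per-minute IPFIX record counts from a DFW, finds the peak interval, and projects collector storage for a retention period and the export bandwidth each host adds towards the collector, once with every rule exported and once after keeping only the rule IDs you actually need. The bytes-per-record figures (`WIRE_BYTES_PER_RECORD`, `STORED_BYTES_PER_RECORD`), the rule IDs and the flow samples are all assumptions; measure your own collector before trusting the numbers.

```python
"""
IPFIX sizing calculator for NSX DFW flow export (added example).

Projects collector storage and export bandwidth from a peak flow-record
rate, and shows how much a "log only the rules you need" filter saves.
All record sizes and sample data below are assumptions, not measurements.
"""
from dataclasses import dataclass

# Assumption: a DFW flow record on the wire (IPFIX data record with the
# usual 5-tuple, counters and rule ID) is ~64 bytes; once a collector has
# indexed and stored it, count ~200 bytes per record. Both are guesses.
WIRE_BYTES_PER_RECORD = 64
STORED_BYTES_PER_RECORD = 200


@dataclass
class Sizing:
    peak_records_per_sec: float   # peak export rate after filtering
    export_kbps_at_peak: float    # host -> collector bandwidth at peak
    gb_per_day_at_peak: float     # storage if peak rate were sustained all day
    gb_for_retention: float       # storage for the whole retention window


def peak_rate(records_per_interval, interval_seconds):
    """Highest per-second record rate seen in any sample interval."""
    if not records_per_interval:
        raise ValueError("no samples")
    return max(records_per_interval) / interval_seconds


def keep_fraction(flows, wanted_rule_ids):
    """Fraction of flow records that survive a 'only these DFW rules' filter.

    `flows` is a list of dicts with at least a 'rule_id' key (constructed
    sample records, not a real IPFIX decode).
    """
    if not flows:
        return 0.0
    kept = sum(1 for f in flows if f["rule_id"] in wanted_rule_ids)
    return kept / len(flows)


def size(records_per_interval, interval_seconds, retention_days, fraction=1.0):
    """Size storage and export bandwidth for the peak rate, sized to peak on
    purpose: point b) says size for peak usage, not the daily average."""
    peak = peak_rate(records_per_interval, interval_seconds) * fraction
    export_kbps = peak * WIRE_BYTES_PER_RECORD * 8 / 1000
    gb_per_day = peak * STORED_BYTES_PER_RECORD * 86400 / 1e9
    return Sizing(
        peak_records_per_sec=peak,
        export_kbps_at_peak=export_kbps,
        gb_per_day_at_peak=gb_per_day,
        gb_for_retention=gb_per_day * retention_days,
    )


# Constructed sample: IPFIX records exported per minute by one host over a
# ten-minute window that contains the application's peak.
SAMPLE_RECORDS_PER_MINUTE = [
    12000, 15000, 30000, 45000, 60000, 42000, 30000, 20000, 15000, 12000,
]

# Constructed flow samples tagged with the (hypothetical) DFW rule that
# matched them. Rules 1001 and 1003 are the ones we want to keep logging.
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "10.2.2.20", "dport": 443, "rule_id": 1001},
    {"src": "10.1.1.11", "dst": "10.2.2.21", "dport": 53, "rule_id": 1002},
    {"src": "10.1.1.12", "dst": "10.2.2.22", "dport": 3389, "rule_id": 1003},
    {"src": "10.1.1.13", "dst": "10.2.2.23", "dport": 123, "rule_id": 1004},
    {"src": "10.1.1.14", "dst": "10.2.2.24", "dport": 443, "rule_id": 1001},
    {"src": "10.1.1.15", "dst": "10.2.2.25", "dport": 53, "rule_id": 1002},
    {"src": "10.1.1.16", "dst": "10.2.2.26", "dport": 514, "rule_id": 1005},
    {"src": "10.1.1.17", "dst": "10.2.2.27", "dport": 22, "rule_id": 1003},
    {"src": "10.1.1.18", "dst": "10.2.2.28", "dport": 123, "rule_id": 1004},
    {"src": "10.1.1.19", "dst": "10.2.2.29", "dport": 514, "rule_id": 1005},
]
WANTED_RULES = {1001, 1003}


def main():
    full = size(SAMPLE_RECORDS_PER_MINUTE, 60, retention_days=30)
    frac = keep_fraction(SAMPLE_FLOWS, WANTED_RULES)
    filtered = size(SAMPLE_RECORDS_PER_MINUTE, 60, retention_days=30, fraction=frac)
    for label, s in (("all rules", full), ("wanted rules only", filtered)):
        print(f"{label}: {s.peak_records_per_sec:.0f} rec/s peak, "
              f"{s.export_kbps_at_peak:.1f} kbps/host, "
              f"{s.gb_per_day_at_peak:.2f} GB/day, "
              f"{s.gb_for_retention:.2f} GB for 30 days")


if __name__ == "__main__":
    main()
```

The per-host export figure is the number to hand to the network team for mauricio's point about collector traffic (multiply by host count for the collector's ingress); the retention figure is the one for the storage team. Keep in mind that the rule filter only shrinks what you store and ship, not the cost the host pays to observe the flow in the first place.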
mauricioamorim
VMware Employee

There is no correct answer here, as environments differ a lot. I have set up NSX DFW IPFIX for quite a few customers and never got any perceivable impact, but this does not mean it cannot impact some environments. It is IPFIX, so some traffic will be added between each host and the IPFIX collector, but since IPFIX is not the actual traffic, this is usually not that relevant.

And this is different than logging that was mentioned. IPFIX is for knowing about flows going through the DFW and not for logging rules.

Nick_Andreev
Expert

Hi gilgamed,

What are you using to collect IPFIX telemetry? For example, when using vRNI VMware observed up to ~5% overhead. From KB57894:

Q. What is the impact on ESX/Networking of enabling IPFIX on UPLINK ports?

A. We have been running IPFix at multiple customers without any issues. We have observed that until very high packet rates the performance impact on ESX is ~5%. The impact can depend on a lot of variables like number of sessions, rate of new session, length of sessions.

So I wouldn't be stressing too much about it.

---
If you found my answers helpful please consider marking them as helpful or correct.
VCIX-DCV, VCIX-NV, VCAP-CMA | vExpert '16, '17, '18
Blog: http://niktips.wordpress.com | Twitter: @nick_andreev_au