VMware Cloud Community
rajeevsrikant
Expert

Network Insight - IPFIX/Netflow

To use Network Insight, my understanding is as below.

Need to enable IPFIX/NetFlow in the below components:

1 - For each VDS, enable NetFlow & specify the collector IP address as the Network Insight VM IP.

2 - Enable NetFlow for all the distributed port groups, including the port groups of the logical switch.

3 - Enable IPFIX under NSX Flow Monitoring.

Let me know if my above understanding is right, or if I need to consider any other points to use Network Insight.


Accepted Solutions
chuckbell
VMware Employee

No. No need to enable Flow Monitoring IPFIX for Network Insight.

10 Replies
bayupw
Leadership

You don't need to manually enable IPFIX on the VDS; the vRNI UI will do it for you as long as the user has the privilege to modify the Distributed Switch & dvPortGroup.

See the blog post here: vRealize Network Insight ( vRNI ) 3.0- How to Install & Configure - VMware Cloud Management

and the documentation here: https://www.vmware.com/support/pubs/vrealize-network-insight-pubs.html

NSX Flow Monitoring IPFIX is for the DFW, which provides DFW details such as the firewall Rule ID, etc.

VDS IPFIX provides flow details including VXLAN headers.

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
rajeevsrikant
Expert

Thanks.

So by adding vCenter as a data source to the Network Insight Proxy VM with the required privileges, NetFlow will be enabled on all the VDS & port groups which that vCenter is managing.

And by adding NSX Manager as a data source, all the NSX components will be enabled for NetFlow so that data collection is enabled.

Let me know if my understanding is right.

chuckbell
VMware Employee

Your first statement is correct. Adding vCenter as a data source will enable NetFlow on the selected VDSs.

Adding NSX Manager as an endpoint collects data from the REST API of NSX but does not collect NSX flow information (most of that flow data is seen from the VDS, as NSX-v uses the VDS). Adding the manager adds additional information, including control-plane-to-data-plane and management-plane-to-data-plane message channel health, as well as many other visibility contracts of NSX components.

rajeevsrikant
Expert

Thanks.

I understood the point regarding adding the vCenter.

Regarding NSX Manager, I understood from your explanation that I need to add it to Network Insight. But apart from that, my understanding is that I do need to enable IPFIX under Flow Monitoring.

Let me know if my understanding is right.

chuckbell
VMware Employee

No. No need to enable Flow Monitoring IPFIX for Network Insight.

rajeevsrikant
Expert

Thanks.

But how is Network Insight different from Log Insight from VMware?

What is the difference between these 2 products & which product fits where?

tmichaeli
VMware Employee

Log Insight (log management)

  • real-time log/syslog management
  • high-performance search across all logs
  • root cause analysis on unstructured log data
  • log view sharing tool, alert generator, machine learning-based intelligent grouping
  • troubleshooting across physical, virtual and cloud infrastructure

Network Insight (operations and security tool for the SDDC)

  • 360-degree visibility and control for virtual and physical networks
  • network assessment for east-west/north-south traffic
  • micro-segmentation planner with CSV/XML policy export capability
  • best practice configuration and compliance checker
  • network analytics based on SNMP/NetFlow/SSH & CLI

Two different tools. Based on the data sources, you can get a view of the value they put on the table. LI is more log-oriented operations. NI is more real data-flow-oriented analytics. Both have a retention policy of around 45 days for live data. LI is now included in the NSX license. NI requires an extra per-socket license.

Find out more details on YouTube.

rajeevsrikant
Expert

Thanks

Richard__R
Enthusiast

Just to doubly clarify: if I'm using some 3rd-party NetFlow collector, then why would I NOT want to enable IPFIX export from NSX Manager on top of VDS NetFlow? I understand I won't get the additional non-flow-related data that vRNI is capturing via the NSX Manager API, but it seems to me that both the VDS NetFlow and IPFIX data would be useful... Also, if I was using vRNI, then we're saying that most of the flow data will come from the VDS (presumably this is also the case when not using it), but what is the delta there in terms of what would NOT be included? Thanks

tmichaeli
VMware Employee

Sorry for the late reply, I'm so often here.

IPFIX export from NSX Manager makes sense. Your flow collector should support the VMware NetFlow extension, which contains VM-ID, vNIC-ID and Rule-ID. The names behind these IDs can be acquired from the VC and NSXM DB. To avoid duplicates, you would choose one (VDS) or the other (NSX IPFIX). With option one, you won't be able to see dropped flows. With option two, you will miss vmkX flows such as mgmt, vMotion, VTEP-VTEP etc...

From vRNI 3.5 there is support for NSX IPFIX. This means deduplication of flow information between VDS and NSX IPFIX. Flows denied by the DFW are depicted as "Dropped Flows" in the micro-segments dashboard. You may also filter Protected and Unprotected flows. Protected flows are flows matching a rule which is not any-any-allow. Unprotected flows are those which have no rule ID and match the any-any-allow rule.

In the example below you can see a flow (MySQL/3306) from the overlay matching an NSX rule, plus a flow from the underlay (VXLAN/4789) not matched by a DFW firewall rule.
[screenshots: Screen Shot 2017-11-28 at 11.08.00.png, Screen Shot 2017-11-28 at 11.08.11.png]

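As an added illustration of the deduplication and Dropped/Protected/Unprotected classification described in the reply above (example code written for this thread, not vRNI's or NSX's own logic), the following works over constructed VDS and NSX IPFIX flow records; the `source` tag, the field names and the id assumed for the any-any-allow rule are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
ANY_ANY_ALLOW_RULE = 1001  # assumed id of the DFW default any-any-allow rule (constructed)

@dataclass(frozen=True)
class Flow:
    """One flow record; rule_id/action come only from NSX IPFIX (VMware extension)."""
    src: str
    dst: str
    proto: str
    dport: int
    source: str                    # "vds" or "nsx" (hypothetical exporter tag)
    rule_id: Optional[int] = None  # DFW rule id, NSX IPFIX only
    action: str = "allow"          # "allow" or "drop", NSX IPFIX only

# Constructed sample: one MySQL flow seen by both exporters, a VTEP-to-VTEP flow
# only the VDS sees, a DFW-dropped SSH flow only NSX reports, an HTTP flow on the default rule.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 3306, "vds"),
    Flow("10.0.1.10", "10.0.2.20", "tcp", 3306, "nsx", rule_id=2042),
    Flow("192.168.50.1", "192.168.50.2", "udp", 4789, "vds"),
    Flow("10.0.1.10", "10.0.3.30", "tcp", 22, "nsx", rule_id=2050, action="drop"),
    Flow("10.0.1.10", "10.0.2.21", "tcp", 80, "vds"),
    Flow("10.0.1.10", "10.0.2.21", "tcp", 80, "nsx", rule_id=ANY_ANY_ALLOW_RULE),
]

def merge_flows(flows: List[Flow]) -> List[Flow]:
    """Deduplicate the VDS and NSX views of one 5-tuple, preferring the NSX record
    (it carries the rule id) while keeping VDS-only vmk flows and NSX-only dropped flows."""
    merged: Dict[tuple, Flow] = {}
    for f in flows:
        k = (f.src, f.dst, f.proto, f.dport)
        if k not in merged or (f.source == "nsx" and merged[k].source == "vds"):
            merged[k] = f
    return list(merged.values())

def classify(f: Flow) -> str:
    """dropped: denied by DFW; protected: matched a non any-any-allow rule;
    unprotected: no rule id (VDS only) or matched the any-any-allow rule."""
    if f.action == "drop":
        return "dropped"
    if f.rule_id is not None and f.rule_id != ANY_ANY_ALLOW_RULE:
        return "protected"
    return "unprotected"

def summarize(flows: List[Flow]) -> Dict[str, int]:
    # Count merged flows per class, as the micro-segments dashboard filters would.
    counts = {"dropped": 0, "protected": 0, "unprotected": 0}
    for f in merge_flows(flows):
        counts[classify(f)] += 1
    return counts
```

The VXLAN/4789 underlay flow ends up "unprotected" because only the VDS reports it and it carries no rule id, matching the two-screenshot example in the reply.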