You don't need to manually enable VDS IPFIX in VDS; the vRNI UI will do it for you as long as the user has privilege to modify Distributed Switch & dvPortGroup.
See the blog post here: vRealize Network Insight (vRNI) 3.0 - How to Install & Configure - VMware Cloud Management
and documentation here: https://www.vmware.com/support/pubs/vrealize-network-insight-pubs.html
NSX Flow Monitoring IPFIX is for DFW, which provides DFW details such as firewall Rule ID, etc.
VDS IPFIX provides flow details including VXLAN headers.
Bayu Wibowo | vExpert NSX, VCIX6-DCV/NV, Cisco Champion, AWS-SAA
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://nz.linkedin.com/in/bayupw | twitter @bayupw
So by adding vCenter as a data source to the Network Insight Proxy VM with the required privileges, NetFlow will be enabled on all the VDSs & port groups which the vCenter is managing.
And by adding NSX Manager as a data source, all the components for NSX will be enabled for NetFlow so that the data collection will be enabled.
Let me know if my understanding is right.
Your first statement is correct. Adding vCenter as a data source will enable NetFlow on the selected VDSs.
Adding NSX manager as an endpoint collects data from the REST API of NSX but does not collect NSX flow information (most of that flow data is seen from the VDS as NSX-v uses the VDS). Adding the manager adds additional information including control plane2data plane and mgmt plane2data plane message channel health as well as many other visibility contracts of NSX components.
I understood the point regarding adding the vCenter.
Regarding NSX Manager, I understood from your explanation that I need to add it to Network Insight. But apart from that, my understanding is that I do need to enable IPFIX under flow monitoring.
Let me know if my understanding is right.
No. No need to enable flow monitoring IPFIX for Network Insight.
But how is Network Insight different from Log Insight from VMware?
What is the difference between these 2 products, and which product fits where?
Log Insight (log management)
- real-time log/syslog management
- high-performance search across all logs
- root cause analysis on unstructured log data
- log view sharing tool, alert generator, machine learning-based intelligent grouping
- troubleshooting across physical, virtual and cloud infrastructure
Network Insight (operation and security tool for SDDC)
- 360 degree visibility and control for virtual and physical network
- network assessment for east-west/north-south traffic
- micro-segmentation planner with CSV/XML policy export capability
- best practice configuration and compliance checker
- network analytics based on SNMP/NetFlow/SSH & CLI
Two different tools. Based on the data sources, you can get a view of the value they bring to the table. LI is more log-oriented operations. NI is more real data flow-oriented analytics. Both have a retention policy of around 45 days for live data. LI is now included in the NSX license. NI requires an extra per-socket license.
Find more details on YouTube.
Just to doubly clarify - if I'm using some 3rd party NetFlow collector then why would I NOT want to enable IPFIX export from NSX Manager on top of VDS NetFlow? I won't get the additional non-flow related data that vRNI is capturing via the NSX Manager API, I understand, but it seems to me that both the VDS NetFlow and IPFIX data would be useful... Also, if I was using vRNI then we're saying that most of the flow data will come from the VDS (presumably this is also the case when not using it), but what is the delta there in terms of what would NOT be included? Thanks
Sorry for late reply, I'm so often here.
IPFIX export from NSX Manager makes sense. Your flow collector should support the VMware NetFlow extension, which contains VM-ID, vNIC-ID and Rule-ID. The names for these IDs can be acquired from the VC and NSXM DB. To avoid duplication, you would choose one (VDS) or the other (NSX IPFIX). With option one, you won't be able to see dropped flows. With option two you will miss vmkX flows such as mgmt, vMotion, VTEP-VTEP, etc.
From vRNI 3.5 there is support for NSX IPFIX. This means deduplication of flow information between VDS and NSX IPFIX. The flows denied by DFW are depicted by "Dropped Flows" in the micro-segments dashboard. You may also filter Protected and Unprotected flows. Protected flows are flows matching a rule which is not any-any-allow. Unprotected flows are those which have no ruleID and match the any-any-allow rule.
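
The trade-off in the reply above, as an added example that is not part of the original thread and is not vRNI's own logic: it merges a VDS flow feed with an NSX IPFIX feed, deduplicates on a simplified flow key, labels each flow dropped, protected or unprotected, and reports what a collector would miss if it took only one feed. The record layout, the rule IDs and all sample flows are constructed, and treating a flow with no rule ID as unprotected is one reading of the definition given.

```python
from collections import namedtuple

# Simplified flow record (constructed for this example, not an IPFIX template).
# rule_id and action are only populated by the NSX (DFW) exporter.
Flow = namedtuple("Flow", "src dst proto dport rule_id action", defaults=(None, None))

ANY_ANY_ALLOW = {1001}  # hypothetical rule ID of the default any-any-allow rule

# Constructed sample data.
VDS_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 443),          # VM to VM, also seen by DFW
    Flow("10.0.1.11", "10.0.2.21", "tcp", 8080),         # VM to VM, hits default rule
    Flow("192.168.50.1", "192.168.50.2", "udp", 4789),   # VTEP to VTEP (vmk traffic)
]
NSX_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 443, 2005, "allow"),
    Flow("10.0.1.11", "10.0.2.21", "tcp", 8080, 1001, "allow"),
    Flow("10.0.1.12", "10.0.2.22", "tcp", 23, 2010, "deny"),  # dropped by DFW
]

def key(flow):
    """Deduplication key; source port is ignored in this simplified model."""
    return (flow.src, flow.dst, flow.proto, flow.dport)

def classify(nsx_flow):
    """Label a flow from its DFW record (None if only the VDS saw it)."""
    if nsx_flow is None or nsx_flow.rule_id is None:
        return "unprotected"
    if nsx_flow.action == "deny":
        return "dropped"
    return "unprotected" if nsx_flow.rule_id in ANY_ANY_ALLOW else "protected"

def merge(vds_flows, nsx_flows):
    """Combine both feeds into one entry per flow key, remembering the sources."""
    merged = {}
    for source, flows in (("vds", vds_flows), ("nsx", nsx_flows)):
        for f in flows:
            entry = merged.setdefault(key(f), {"sources": set(), "nsx": None})
            entry["sources"].add(source)
            if source == "nsx":
                entry["nsx"] = f
    return {k: {"sources": e["sources"], "class": classify(e["nsx"])}
            for k, e in merged.items()}

def missed_by(source, merged):
    """Flow keys a collector would never see if it consumed only `source`."""
    return sorted(k for k, e in merged.items() if source not in e["sources"])
```
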