10 Replies Latest reply on Nov 28, 2017 2:14 AM by tmichaeli

    Network Insight - IPFIX/Netflow

    rajeevsrikant Expert
    vExpertCommunity Warriors

      To use Network Insight my understanding is as below

      Need to enable IPFIX/Netflow in below components.

      1 - For each VDS enable the Neflow & specify the collector IP Address as the Network Insight VM IP

      2 - Enable Netflow for all the Distributed port group including port groups of the logical switch.

      3 - Enable IPFIX under NSX flow monitoring


      Let me know if my above understanding is right or should i need to consider any other points to use Network Insight.

        • 1. Re: Network Insight - IPFIX/Netflow
          Bayu Wibowo Master
          Community WarriorsUser Moderators

          You don't need to manually enable VDS IPFIX in VDS, the vRNI UI will do it for you as long as the user has privilege to modify Distributed Switch & dvPortGroup

          See the blog post here: vRealize Network Insight ( vRNI ) 3.0- How to Install & Configure - VMware Cloud Management

          and doumentation here: https://www.vmware.com/support/pubs/vrealize-network-insight-pubs.html

          NSX Flow Monitoring IPFIX is for DFW which provide DFW details such as firewall Rule ID, etc

          VDS IPFIX provide flow details including VXLAN headers

          Bayu Wibowo | vExpert NSX, VCIX6-DCV/NV, Cisco Champion, AWS-SAA
          Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
          https://nz.linkedin.com/in/bayupw | twitter @bayupw
          • 2. Re: Network Insight - IPFIX/Netflow
            rajeevsrikant Expert
            vExpertCommunity Warriors


            So by adding vCenter as Data source to the network insight Proxy VM with the required privileges the netflow will be enabled to all the VDS & port groups which the vCenter is managing.

            And by adding NSX Manager as the Data source all the components for NSX will be enabled for netflow so that the data collection will be enabled.


            Let me know if my understanding is right.

            • 3. Re: Network Insight - IPFIX/Netflow
              chuckbell Enthusiast
              VMware Employees

              Your first statement is correct. adding vCenter as a data source will enable netflow on the selected vds's.

              Adding NSX manager as an endpoint collects data from the REST API of NSX but does not collect NSX flow information (most of that flow data is seen from the VDS as NSX-v uses the VDS). Adding the manager adds additional information including control plane2data plane and mgmt plane2data plane message channel health as well as many other visibility contracts of NSX components.

              • 4. Re: Network Insight - IPFIX/Netflow
                rajeevsrikant Expert
                Community WarriorsvExpert


                I understood the point regarding adding the vCenter.

                Regarding NSX Manager, I understood from your explanation that i need to add it to the Network Insight. But apart from that my understanding is that I do need to enable IPFIX under flow monitoring .

                Let me know if my understanding is right.

                • 5. Re: Network Insight - IPFIX/Netflow
                  chuckbell Enthusiast
                  VMware Employees

                  No. No need to enable flow monitoring ipfix for Network Insight

                  • 6. Re: Network Insight - IPFIX/Netflow
                    rajeevsrikant Expert
                    vExpertCommunity Warriors


                    But how Network Insight is different from the Log Insight from Vmware.

                    What is the different between these 2 products & which product fits where.

                    • 7. Re: Network Insight - IPFIX/Netflow
                      tmichaeli Novice
                      VMware Employees

                      Log Insight (log management)

                      • real time log/syslog management
                      • hi-performance search across all logs
                      • root cause analysis on unstructured log data
                      • log view sharing tool, alert generator, machine learning-based intelligent grouping
                      • troubleshooting across physical, virtual and cloud infrastructure


                      Network Insight (operation and security tool for SDDC)

                      • 360 degree visibility and control for virtual and physical network
                      • network assessment for east-west/north-south traffic
                      • micro-segmentation planner with CVS/XML policy export capability
                      • best practice configuration and compliance checker
                      • network analytics based on snmp/netflow/ssh&cli


                      Two different tools. Based on the data sources, you can get view on the value they put on the table. LI is more log oriented operation. NI is more real data flow oriented analytics. Both have retention policy around 45 days for live data. LI is now included in NSX license. NI requires extra per socket license.


                      Find out on youtube more details.

                      1 person found this helpful
                      • 9. Re: Network Insight - IPFIX/Netflow
                        Richard__R Enthusiast

                        Just to doubly clarify - if I'm using some 3rd party Netflow collector then why would I NOT want to enable IPFIX export from NSX Manager on top of VDS netflow? I won't get the additional non-flow related data that vRNI is capturing via the NSX Manager API I understand but it seems to me that both the VDS netflow and IPFIX data would be useful...Also if I was using vRNI then we're saying that most of the flow data will come from the VDS (presumably this is also the case when not using it) but what is the delta there in terms of what would NOT be included? Thanks

                        • 10. Re: Network Insight - IPFIX/Netflow
                          tmichaeli Novice
                          VMware Employees

                          Sorry for late reply, I'm so often here.


                          IPFIX export from NSX Manager make sense. You flow collector should support VMware netflow extension which contain VM-ID, vNIC-ID and Rule-ID. These IDs names can be acquired from VC and NSXM DB. Avoiding duplicity, you would choose one (VDS) or the other (NSX IPFIX). With option one, you won't be able to see dropped flows. With option two you will miss vmkX flows such mgmt, vmotion, vtep-vtep etc...


                          From vRNI 3.5 there is support for NSX IPFIX. This mean deduplication of flow information between VDS and NSX IPFIX. The deny flows by DFW are depicted by "Dropped Flows" in the micro-segments dashboard. You may also filter Protected and Unprotected flows. Protected flows are flows matching rule which is not any-any-allow. Unprotected flows are those which has no ruleID and matching any-any-allow rule.


                          On the example bellow you can see flow (MySQL/3306) from overlay and matching NSX rule plus flow from underlay (VXLAN/4789) not matched by DFW firewall rule.
                          Screen Shot 2017-11-28 at 11.08.00.png

                          Screen Shot 2017-11-28 at 11.08.11.png