3 Replies Latest reply on Apr 4, 2018 8:24 PM by canero

    vRNI Query

    vmmed1 Novice

      In vRNI - I am just trying to find traffic from a particular IP address in the last 24 hours.

      For example:

       

      flow where Source IP Address = 12.68.2.77

       

      Even though I know from firewall logging that this traffic came into NSX - my vRNI query fails to see anything. Is my query malformed?

       

      Thank you.

        • 1. Re: vRNI Query
          smitmartijn Hot Shot
          vExpertVMware Employees

          Hi,

           

          Your query is valid and should produce results. Does your vRNI have flow data? If you only type in 'flows' - does that get results? The search bar should also auto-complete the available IP addresses. If that autocomplete doesn't show the IP, it's not in the vRNI database.

           

          If you do have flow information, maybe the IP address is translated somewhere out of reach of the flow info?

          • 2. Re: vRNI Query
            vmmed1 Novice

            I typed in simply "flow" and it returned 67000 flows. I think you may be right that flows are not enabled on some edges but are on others. How can I determine if flows are enabled? I am particularly interested in flows to the vServers of a particular edge/load balancer. Thank you.

            • 3. Re: vRNI Query
              canero Hot Shot

              In the vRNI data sources part, vDS switches are selected, as well as physical switches, individually per vCenter. During the installation and initial configuration, the vDS switches are selected, so is it possible that some Edges are connected to another dVS as the Edge vDS, and these are not selected/enabled for the NetFlow connection?

              • Enable Automatic NSX Edge Population (Use NSX central CLI instead of SSH): this option could provide additional details about Edges.

               

              Also, based on Pools, the NSX Edge Load Balancer Transparent mode selection could be important. By default, the NSX Edge creates another flow to the Pool Members using its own internal IP, so in vRNI, filtering on the source IP of the load balancer may show additional flows for these non-transparent Pools.

               

              https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/com.vmware.nsx.admin.doc/GUID-140D726F-4E9C-49E1-AA74-416DA13ABC87.html

              Transparent indicates whether client IP addresses are visible to the backend servers. If Transparent is not selected (default value), backend servers see the traffic source IP as a Load balancer internal IP. If Transparent is selected, source IP is the real client IP and NSX Edge must be on the path of the server response. A typical design is to have the server default gateway be the NSX Edge.


              These links could be helpful:

              https://thewificable.com/2017/09/20/installing-vrealize-network-insight/


               

              On the Accounts and Data Sources page click Add source again in the upper right-hand portion of the web page. Next you want to enter the NSX Manager as a data source. Follow the prompts to add the NSX Manager(s) to vRNI. Select the additional options:

              • Enabled NSX Controller (prompted for NSX Controller password)
              • Enable Automatic NSX Edge Population (Use NSX central CLI instead of SSH)
              • Enable IPFIX
              • Provide a nickname for the NSX Manager and click SUBMIT.