To use Network Insight, my understanding is as below.
We need to enable IPFIX/Netflow in the components below:
1 - For each VDS, enable Netflow & specify the collector IP address as the Network Insight VM IP.
2 - Enable Netflow for all the Distributed port groups, including the port groups of the logical switch.
3 - Enable IPFIX under NSX Flow Monitoring.
Let me know if my above understanding is right or whether I need to consider any other points to use Network Insight.
You don't need to manually enable IPFIX on the VDS; the vRNI UI will do it for you as long as the user has privileges to modify the Distributed Switch & dvPortGroup.
See the blog post here: vRealize Network Insight (vRNI) 3.0 - How to Install & Configure - VMware Cloud Management
and documentation here: https://www.vmware.com/support/pubs/vrealize-network-insight-pubs.html
NSX Flow Monitoring IPFIX is for the DFW, which provides DFW details such as the firewall Rule ID, etc.
VDS IPFIX provides flow details including VXLAN headers.
So by adding vCenter as a Data source to the Network Insight Proxy VM with the required privileges, Netflow will be enabled on all the VDS & port groups that the vCenter is managing.
And by adding NSX Manager as a Data source, all the NSX components will be enabled for Netflow so that data collection is enabled.
Let me know if my understanding is right.
Your first statement is correct. Adding vCenter as a data source will enable Netflow on the selected VDSs.
Adding NSX Manager as an endpoint collects data from the REST API of NSX but does not collect NSX flow information (most of that flow data is seen from the VDS, as NSX-v uses the VDS). Adding the manager adds additional information including control plane-to-data plane and management plane-to-data plane message channel health, as well as many other visibility contracts of NSX components.
I understood the point regarding adding the vCenter.
Regarding NSX Manager, I understood from your explanation that I need to add it to Network Insight. But apart from that, my understanding is that I do need to enable IPFIX under Flow Monitoring.
Let me know if my understanding is right.
No. No need to enable Flow Monitoring IPFIX for Network Insight.
But how is Network Insight different from Log Insight from VMware?
What is the difference between these 2 products, & which product fits where?
Log Insight (log management)
Network Insight (operation and security tool for SDDC)
Two different tools. Based on the data sources, you can get a view on the value they put on the table. LI is more log-oriented operation. NI is more real data-flow-oriented analytics. Both have a retention policy of around 45 days for live data. LI is now included in the NSX license. NI requires an extra per-socket license.
Find out more details on YouTube.
Just to doubly clarify - if I'm using some 3rd-party Netflow collector, then why would I NOT want to enable IPFIX export from NSX Manager on top of VDS Netflow? I won't get the additional non-flow-related data that vRNI is capturing via the NSX Manager API, I understand, but it seems to me that both the VDS Netflow and IPFIX data would be useful... Also, if I was using vRNI, then we're saying that most of the flow data will come from the VDS (presumably this is also the case when not using it), but what is the delta there in terms of what would NOT be included? Thanks
Sorry for the late reply, I'm so often here.
IPFIX export from NSX Manager makes sense. Your flow collector should support the VMware Netflow extension, which contains VM-ID, vNIC-ID and Rule-ID. The names for these IDs can be acquired from the VC and NSXM DB. To avoid duplicates, you would choose one (VDS) or the other (NSX IPFIX). With option one, you won't be able to see dropped flows. With option two, you will miss vmkX flows such as mgmt, vMotion, VTEP-to-VTEP etc.
From vRNI 3.5 there is support for NSX IPFIX. This means deduplication of flow information between VDS and NSX IPFIX. The flows denied by the DFW are depicted as "Dropped Flows" in the micro-segments dashboard. You may also filter Protected and Unprotected flows. Protected flows are flows matching a rule which is not any-any-allow. Unprotected flows are those which have no rule ID and match the any-any-allow rule.
In the example below you can see a flow (MySQL/3306) from the overlay matching an NSX rule, plus a flow from the underlay (VXLAN/4789) not matched by a DFW firewall rule.
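As an added illustration (not code from the thread or from vRNI itself) of the deduplication and Protected/Unprotected/Dropped labelling described above, the Python below merges constructed VDS and NSX IPFIX flow records on their flow key and labels each merged flow by rule ID and action. The record fields, the source tags and the `any-any-allow` label are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_ANY_ALLOW = "any-any-allow"  # assumed label for the default permissive DFW rule

FlowKey = Tuple[str, str, str, int]  # (src, dst, proto, dport)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    source: str                    # "vds" or "nsx_ipfix": which exporter saw it
    rule_id: Optional[str] = None  # only NSX IPFIX records carry a DFW rule ID
    action: str = "allow"          # "allow" or "drop"; VDS records never report drops


def dedup_and_classify(records: List[Flow]) -> Dict[FlowKey, str]:
    """Merge duplicate VDS / NSX IPFIX records per flow key, then label each
    flow 'dropped', 'protected' or 'unprotected' using the thread's definitions."""
    merged: Dict[FlowKey, Flow] = {}
    for r in records:
        key: FlowKey = (r.src, r.dst, r.proto, r.dport)
        # Keep the NSX IPFIX copy when both exporters saw the flow: only it
        # carries the rule ID and the drop/allow action. vmk flows (e.g.
        # VTEP-to-VTEP) are seen by the VDS exporter alone and stay as-is.
        if key not in merged or r.source == "nsx_ipfix":
            merged[key] = r
    labels: Dict[FlowKey, str] = {}
    for key, f in merged.items():
        if f.action == "drop":
            labels[key] = "dropped"        # denied by the DFW
        elif f.rule_id is None or f.rule_id == ANY_ANY_ALLOW:
            labels[key] = "unprotected"    # no rule ID, or matched any-any-allow
        else:
            labels[key] = "protected"      # matched a specific DFW rule
    return labels


# Constructed sample: the MySQL flow is reported by both exporters, the VXLAN
# underlay flow only by the VDS, and one SMB flow is dropped by the DFW.
SAMPLE: List[Flow] = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 3306, "vds"),
    Flow("10.0.1.10", "10.0.2.20", "tcp", 3306, "nsx_ipfix", rule_id="1007"),
    Flow("10.0.1.10", "10.0.3.30", "tcp", 22, "nsx_ipfix", rule_id=ANY_ANY_ALLOW),
    Flow("10.0.1.10", "10.0.2.20", "tcp", 445, "nsx_ipfix", rule_id="1009", action="drop"),
    Flow("192.168.50.11", "192.168.50.12", "udp", 4789, "vds"),
]

if __name__ == "__main__":
    for key, label in dedup_and_classify(SAMPLE).items():
        print(f"{key[0]} -> {key[1]} {key[2]}/{key[3]}: {label}")
```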