IPFIX
What is IPFIX?
IPFIX is an IETF protocol for exporting flow
information. A flow is defined as a set of packets transmitted in a specific
timeslot, and sharing 5-tuple values - source IP address, source port, destination
IP address, destination port, and protocol. The flow information may include
properties such as timestamps, packets/bytes count, Input/output interfaces, TCP
Flags, VXLAN ID, Encapsulated flow information and so on. This is often referred to
as Netflow. However, IPFIX is the standard IETF protocol.
What flow information is exported by
the VDS?
A VDS in vSphere environment can be
configured to export flow information using IPFIX. Enable flow monitoring on all the
port groups attached to the VDS. If packets arrive on port X of a VDS and exit from
port Y, a corresponding flow record is emitted if flow monitoring is enabled on port
Y. The direction of every flow record is set as "Egress".
How does VMware Aria
Operations for Networks use IPFIX?
VMware Aria
Operations for Networks
use IPFIX?VMware Aria
Operations for Networks
uses VMware VDS IPFIX to collect network traffic data.
Every session has two paths. For example: Session A↔C has A→C packets and C→A
packets. To analyze the complete information of any session, IPFIX data about
packets in both the directions is required. Refer following diagram where VM-A is
connected to DVPG-A and is talking to VM-C. Here DVPG-A will only provide data about
the C→A packets, and DVPG-Uplink will provide data about A→C packets. To get the
complete information of A's traffic, IPFIX should be enabled on DVPG-A, DVPG-uplink. How do I troubleshoot VMware Aria
Operations for Networks Flow
Collection?
VMware Aria
Operations for Networks
Flow
Collection?- Please ensure that the specific VDS and its DVPGs and Uplink properties has Netflow monitoringEnabledand the collector IP address is that ofVMware Aria Operations for Networkscollector.
- IPFIX Netflow packets getting dropped in between by a firewall (NSX, Virtual or Physical). Please ensure that the Netflow packets destined for UDP port 2055 onVMware Aria Operations for Networkscollector IP is allowed by any firewall that may be present in the route between ESXi Host and theVMware Aria Operations for NetworksCollector.
- The ESXi host has ceased to send IPFIX Netflow packets. The ESXi host backs off sending the Netflow packets after some time if UDP port 2055 is not reachable. This may happen due to firewall dropping the packets.
- TheVMware Aria Operations for Networkscollector is not reachable by ESXi Host due to network routing problem. Please ensure that the proper route exist between ESXi Host and theVMware Aria Operations for Networkscollector.
Which VMware KB articles should I be
aware of, related to IPFIX?
VMware ESXi 6.0 Update 1: 2135956
.
When is a service considered
shared?
Protocol | Port |
|---|---|
DNS | 53 |
Bootpc | 68 |
Kerberos | 88 |
Pop3 | 110 |
sunrpc | 111 |
NTP | 123 |
map | 143 |
Imap3 | 220 |
SMTP | 25 |
LDAP | 389 |
IGMPv3Lite | 465 |
syslog | 514 |
Submission | 587 |
syslog-conn | 601 |
LDAPS | 636 |
IMAPS | 993 |
POP3S | 995 |
NFS | 2049 |
MSFT-GC | 3268 |
MSFT-GC-SSL | 3269 |