IPFIX (Internet Protocol Flow Information Export) is a standard for the format and export of network flow information. You can configure IPFIX for switches and firewalls. For switches, network flow at VIFs (virtual interfaces) and pNICs (physical NICs) is exported. For firewalls, network flow that is managed by the distributed firewall component is exported.
When you enable IPFIX, all configured host transport nodes will send IPFIX messages to the IPFIX collectors using port 4739. In the case of ESXi, NSX-T automatically opens port 4739. In the case of KVM, if firewall is not enabled, port 4739 is open, but if firewall is enabled, you must ensure that the port is open because NSX-T does not automatically open the port.
IPFIX on ESXi and KVM sample tunnel packets in different ways. On ESXi the tunnel packet is sampled as two records:
Outer packet record with some inner packet information
SrcAddr, DstAddr, SrcPort, DstPort, and Protocol refer to the outer packet.
Contains some enterprise entries to describe the inner packet.
Inner packet record
SrcAddr, DstAddr, SrcPort, DstPort, and Protocol refer to the inner packet.
Install at least one IPFIX collector.
Verify that the IPFIX collectors have network connectivity to the hypervisors.
Verify that any relevant firewalls, including ESXi firewall, allow traffic on the IPFIX collector ports.
- From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
- Select from the navigation panel.
- To configure switch IPFIX, click the Switch IPFIX Collectors tab.
- Click Configure Collectors.
- Click Add and enter the collector IP Address and Port.
You can add up to 8 collectors.
- (Optional) In the Collection Options section, click Edit to specify the observation domain ID.
The observation domain ID identifies which observation domain the network flows originated from. The default value is 0, which indicates no specific observation domain.
- Click Save.