IPFIX (Internet Protocol Flow Information Export) is a standard for the format and export of network flow information. You can configure IPFIX for switches and firewalls. For switches, network flow at VIFs (virtual interfaces) and pNICs (physical NICs) is exported. For firewalls, network flow that is managed by the distributed firewall component is exported.
This feature is compliant with the standards specified in RFC 7011 and RFC 7012.
When you enable IPFIX, all configured host transport nodes will send IPFIX messages to the IPFIX collectors using port 4739. In the case of ESXi, NSX-T Data Center automatically opens port 4739. In the case of KVM, if firewall is not enabled, port 4739 is open, but if firewall is enabled, you must ensure that the port is open because NSX-T Data Center does not automatically open the port.
IPFIX on ESXi and KVM sample tunnel packets in different ways. On ESXi the tunnel packet is sampled as two records:
- Outer packet record with some inner packet information
- SrcAddr, DstAddr, SrcPort, DstPort, and Protocol refer to the outer packet.
- Contains some enterprise entries to describe the inner packet.
- Inner packet record
- SrcAddr, DstAddr, SrcPort, DstPort, and Protocol refer to the inner packet.
On KVM the tunnel packet is sampled as one record:
- Inner packet record with some outer tunnel information
- SrcAddr, DstAddr, SrcPort, DstPort, and Protocol refer to the inner packet.
- Contains some enterprise entries to describe the outer packet.