IPFIX (Internet Protocol Flow Information Export) is a standard for the format and export of network flow information. When you enable IPFIX, all configured host transport nodes will send IPFIX messages to the IPFIX collectors using port 4739.

About this task

On ESXi, NSX-T automatically opens port 4739. On KVM, port 4739 is open if the firewall is not enabled; if the firewall is enabled, you must ensure that the port is open yourself, because NSX-T does not open it automatically.

Prerequisites

  • Install at least one IPFIX collector.

  • Verify that the IPFIX collectors have network connectivity to the hypervisors.

  • Verify that any relevant firewalls, including ESXi firewall, allow traffic on the IPFIX collector ports.

Procedure

  1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  2. Select Tools > IPFIX from the navigation panel.
  3. Click the Collectors tab if it is not already selected.
  4. Click Configure Collectors.
  5. Click Add and enter the collector IP Address and Port.

    You can add up to 8 collectors.

  6. (Optional) In the Collection Options section, click Edit to specify the observation domain ID.

    The observation domain ID identifies which observation domain the network flows originated from. The default value is 0, which indicates no specific observation domain.

  7. Click the Switch IPFIX Profiles tab.
  8. Click Add to add a profile.

    | Setting | Description |
    |---|---|
    | Active Timeout (seconds) | The length of time after which a flow will time out, even if more packets associated with the flow are received. Default is 300. |
    | Idle Timeout (seconds) | The length of time after which a flow will time out, if no more packets associated with the flow are received (ESXi only, KVM times out all flows based on active timeout). Default is 300. |
    | Max Flows | The maximum flows cached on a bridge (KVM only, not configurable on ESXi). Default is 16384. |
    | Sampling Probability (%) | The percentage of packets that will be sampled (approximately). Increasing this setting may have a performance impact on the hypervisors and collectors. If all hypervisors are sending more IPFIX packets to the collector, the collector may not be able to collect all packets. Setting the probability at the default value of 0.1% will keep the performance impact low. |

  9. Click Applied To to apply the profile to one or more objects.

    The types of object are logical ports and logical switches.

Results

IPFIX on ESXi and KVM sample tunnel packets in different ways. On ESXi the tunnel packet is sampled as two records:

  • Outer packet record with some inner packet information

    • SrcAddr, DstAddr, SrcPort, DstPort, and Protocol refer to the outer packet.

    • Contains some enterprise entries to describe the inner packet.

  • Inner packet record

    • SrcAddr, DstAddr, SrcPort, DstPort, and Protocol refer to the inner packet.

On KVM the tunnel packet is sampled as one record:

  • The inner packet record with some outer tunnel information

    • SrcAddr, DstAddr, SrcPort, DstPort, and Protocol refer to the inner packet.

    • Contains some enterprise entries to describe the outer packet.