What do the numbers in the Traffic Distribution Pin represent?

The percentage gives an overview of the traffic distribution based on flow analysis.

Table 1.

Traffic

Description

East-West (EW)

East-West traffic as the percentage of the traffic of the total group

Switched (% of EW)

Switched traffic as the percentage of East-West traffic

Routed (% of EW)

Routed traffic as the percentage (%) of East-West traffic

Within Host (% of VM-VM)

Traffic with source and destination on same host as percentage of virtual machine to virtual machine traffic

VM to VM (% of EW)

Virtual machine to virtual machine traffic as percentage of East-West traffic

Internet

Internet traffic as percentage of the traffic of the total group

How are ports aggregated in flows?

Port aggregation is built in to aggregate the ephemeral port flows - like dynamic FTP, Oracle, MS-RPC etc. This helps in reducing the number of flows in system and provide an aggregated view for large number of flows that are essentially for the same service. The mechanism to do this is as follows:

  • For first three days of noticing a destination_ip , we will aggregate dst ports on that IP in buckets of 10K and start building a port-profile for that IP.

  • Once three days are over - and we have built a profile that can be used with confidence - we will start aggregating port ranges where the port density is high (in other words - reflect ephemeral port opening pattern). The ranges themselves will be dynamic in size - 100, 1,000, 10,000 and will be created depend on how many ports are being opened and how widespread they are in the given range of aggregation.

  • This will enable high-port flows to be reported with no aggregation where there is no bulk port open activity happening; and also let dynamic aggregation to be applied where such activity is happening.

  • The profile is continually updated in a time-decayed manner to account for new ports opening up or older ones being not used any more.

What does the 240.240.240.240 IP address signify in vRealize Network Insight?

240.240.240.240 is a place holder IP address in vRealize Network Insight. This IP address is used if there are very large number of IP addresses (> 5000) hitting some particular IP. All further incoming Internet IPs (5001th onwards) with this placeholder IP 240.240.240.240 can be replaced for that service end point.

This is to limit the number of flows in the system, as publicly exposed service that log each internet client individually could result in very large number of flows - which would result in increased system load.

For all the flows that have been replaced with this placeholder IP, all the metrics are aggregated on the corresponding flow with this IP address, so there is no loss of statistics at an aggregate level.

All the destination IP for the flows reported in the flows view are shown as originating from 240.240.240.240 are actually being hit by large count of internet IP ( > 5000).