What do the numbers in the Traffic Distribution Pin represent?
| Label | Meaning |
|---|---|
| East-West (EW) | East-West traffic as a percentage of the total traffic of the group |
| Switched (% of EW) | Switched traffic as a percentage of East-West traffic |
| Routed (% of EW) | Routed traffic as a percentage of East-West traffic |
| Within Host (% of VM-VM) | Traffic with source and destination on the same host, as a percentage of virtual machine to virtual machine traffic |
| VM to VM (% of EW) | Virtual machine to virtual machine traffic as a percentage of East-West traffic |
| Internet | Internet traffic as a percentage of the total traffic of the group |
How are ports aggregated in flows?
- For the first three days after a destination_ip is first noticed, we aggregate the destination ports on that IP in buckets of 10K and start building a port profile for that IP.
- Once the three days are over, and we have built a profile that can be used with confidence, we start aggregating port ranges where the port density is high (in other words, ranges that reflect an ephemeral port opening pattern). The ranges themselves are dynamic in size (100, 1,000 or 10,000) and are created depending on how many ports are being opened and how widespread they are in the given range of aggregation.
- This enables high-port flows to be reported with no aggregation where no bulk port-open activity is happening, and lets dynamic aggregation be applied where such activity is happening.

The profile is continually updated in a time-decayed manner to account for new ports opening up or older ones no longer being used.
What does the 240.240.240.240 IP address signify in vRealize Network Insight?
240.240.240.240 is a placeholder IP address in vRealize Network Insight. This IP address is used if a very large number of IP addresses (> 5000) are hitting a particular IP. All further incoming Internet IPs (5001st onwards) can be replaced with this placeholder IP 240.240.240.240 for that service endpoint.
This is to limit the number of flows in the system, as a publicly exposed service that logs each Internet client individually could result in a very large number of flows, which would result in increased system load.
For all the flows that have been replaced with this placeholder IP, all the metrics are aggregated on the corresponding flow with this IP address, so there is no loss of statistics at an aggregate level.
Any destination IP whose flows are shown in the flows view as originating from 240.240.240.240 is actually being hit by a large number of Internet IPs (> 5000).
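
The following is an added example, not VMware's code and not part of the original page. It models the placeholder behaviour described above to show what an analyst keeps and loses: per-endpoint totals stay exact, while sources past the cap are no longer individually attributable. The `FlowTable` class, its method names, the byte counter, first-come tracking of sources and the small demo threshold are assumptions made for illustration.

```python
from collections import defaultdict

PLACEHOLDER_IP = "240.240.240.240"  # placeholder address named on this page
MAX_CLIENTS = 5000                  # per-endpoint threshold named on this page


class FlowTable:
    """Toy flow store keyed by (source IP, destination endpoint). Hypothetical model."""

    def __init__(self, max_clients=MAX_CLIENTS):
        self.max_clients = max_clients
        self.clients = defaultdict(set)  # endpoint -> sources tracked individually
        self.flows = defaultdict(int)    # (source, endpoint) -> bytes seen

    def record(self, src_ip, endpoint, nbytes):
        """Add one observation and return the source IP the flow is stored under."""
        known = self.clients[endpoint]
        if src_ip not in known:
            if len(known) < self.max_clients:
                known.add(src_ip)        # still under the cap: track individually
            else:
                src_ip = PLACEHOLDER_IP  # over the cap: fold into the placeholder flow
        self.flows[(src_ip, endpoint)] += nbytes
        return src_ip

    def total_bytes(self, endpoint):
        """Aggregate metric for an endpoint; unaffected by the substitution."""
        return sum(b for (_, ep), b in self.flows.items() if ep == endpoint)

    def flow_count(self, endpoint):
        """Number of distinct flows stored for an endpoint."""
        return sum(1 for (_, ep) in self.flows if ep == endpoint)


def demo(max_clients=3, n_clients=10):
    """Constructed sample: n_clients sources each send 100 bytes, twice, to one endpoint."""
    table = FlowTable(max_clients)
    endpoint = ("10.0.0.5", 443)  # constructed destination
    stored = []
    for _ in range(2):
        for i in range(1, n_clients + 1):
            stored.append(table.record(f"198.51.100.{i}", endpoint, 100))
    return table, endpoint, stored


if __name__ == "__main__":
    table, endpoint, _ = demo()
    print(table.flow_count(endpoint), table.total_bytes(endpoint))
```
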