What is IPFIX?

IPFIX is an IETF protocol for exporting flow information. A flow is defined as a set of packets transmitted in a specific timeslot and sharing the same 5-tuple values: source IP address, source port, destination IP address, destination port, and protocol. The flow information may include properties such as timestamps, packet and byte counts, input/output interfaces, TCP flags, VXLAN ID, encapsulated flow information, and so on. This is often referred to as NetFlow; however, IPFIX is the standard IETF protocol.

What flow information is exported by the VDS?

A VDS in a vSphere environment can be configured to export flow information using IPFIX. Enable flow monitoring on all the port groups attached to the VDS. If packets arrive on port X of a VDS and exit from port Y, a corresponding flow record is emitted if flow monitoring is enabled on port Y. The direction of every flow record is set as "Egress".

How does vRealize Network Insight use IPFIX?

vRealize Network Insight uses VMware VDS IPFIX to collect network traffic data. Every session has two paths. For example, session A↔C has A→C packets and C→A packets. To analyze the complete information of any session, IPFIX data about packets in both directions is required. Refer to the following diagram, where VM-A is connected to DVPG-A and is talking to VM-C. Here DVPG-A will only provide data about the C→A packets, and DVPG-Uplink will provide data about the A→C packets. To get the complete information of A's traffic, IPFIX should be enabled on both DVPG-A and DVPG-Uplink.
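The pairing described above, as an added example that is not vRealize Network Insight code: it merges unidirectional egress records into sessions and lists sessions seen in one direction only, which is what results when only one of the two port groups exports. The record layout, field names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class FlowRecord(NamedTuple):
    """One unidirectional flow record (hypothetical layout, not the VDS export format)."""
    port_group: str  # port group whose egress port emitted the record
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int    # IANA protocol number, 6 = TCP
    packets: int
    octets: int

def session_key(rec):
    """Order-independent key, so A->C and C->A records land in the same session."""
    a, b = (rec.src_ip, rec.src_port), (rec.dst_ip, rec.dst_port)
    return (min(a, b), max(a, b), rec.protocol)

def build_sessions(records):
    """Group records by session; keep packet/octet totals per direction."""
    sessions = defaultdict(lambda: {"directions": {}, "port_groups": set()})
    for rec in records:
        s = sessions[session_key(rec)]
        direction = ((rec.src_ip, rec.src_port), (rec.dst_ip, rec.dst_port))
        pk, oc = s["directions"].get(direction, (0, 0))
        s["directions"][direction] = (pk + rec.packets, oc + rec.octets)
        s["port_groups"].add(rec.port_group)
    return dict(sessions)

def half_visible(sessions):
    """Keys of sessions for which only one direction was exported."""
    return [k for k, s in sessions.items() if len(s["directions"]) == 1]

# Constructed sample: VM-A = 192.0.2.10, VM-C = 198.51.100.20, one TCP session.
# DVPG-A emits the C->A record (egress towards VM-A); DVPG-Uplink emits A->C.
SAMPLE = [
    FlowRecord("DVPG-A", "198.51.100.20", 443, "192.0.2.10", 49152, 6, 12, 9000),
    FlowRecord("DVPG-Uplink", "192.0.2.10", 49152, "198.51.100.20", 443, 6, 10, 1400),
]

if __name__ == "__main__":
    both = build_sessions(SAMPLE)
    only_a = build_sessions([r for r in SAMPLE if r.port_group == "DVPG-A"])
    print("both port groups exporting:", half_visible(both))
    print("only DVPG-A exporting:     ", half_visible(only_a))
```

A one-direction session is a hint rather than proof of a missing export, because some traffic is genuinely one-way.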

How do I troubleshoot vRealize Network Insight Flow Collection?

  1. Please ensure that the specific VDS, its DVPGs, and its Uplink properties have Netflow monitoring enabled and that the collector IP address is that of the vRealize Network Insight Collector.
  2. IPFIX Netflow packets are being dropped in transit by a firewall (NSX, virtual, or physical). Please ensure that Netflow packets destined for UDP port 2055 on the vRealize Network Insight Collector IP are allowed by any firewall that may be present in the route between the ESXi host and the vRealize Network Insight Collector.
  3. The ESXi host has ceased to send IPFIX Netflow packets. The ESXi host backs off sending Netflow packets after some time if UDP port 2055 is not reachable. This may happen because a firewall is dropping the packets.
  4. The vRealize Network Insight Collector is not reachable by the ESXi host due to a network routing problem. Please ensure that a proper route exists between the ESXi host and the vRealize Network Insight Collector.

Which VMware KB articles should I be aware of, related to IPFIX?

VMware ESXi 6.0 Update 1: 2135956.

When is a service considered shared?

Protocol Port
DNS 53
Bootpc 68
Kerberos 88
Pop3 110
sunrpc 111
NTP 123
Imap 143
Imap3 220
LDAP 389
IGMPv3Lite 465
syslog 514
Submission 587
syslog-conn 601
POP3S 995
NFS 2049
MSFT-GC 3268