NetFlow is a mechanism to analyze network traffic flow and volume to determine where traffic is coming from, where it is going to, and how much traffic is being generated. NetFlow-enabled routers export traffic statistics as NetFlow records which are then collected by a NetFlow collector.
Traffic flows are defined as the combination of source and destination IP addresses, source and destination TCP or UDP ports, IP, and IP Type of Service (ToS). Network devices that support NetFlow, tracks and report information on the traffic flows, and send this information to a NetFlow collector. Using the data collected, network admins gain detailed insight into the types and amount of traffic flows across the network.
Netflow was originally developed by Cisco and has become a de-facto industry standard for analysing network traffic. VMware introduced Netflow for vDS in vSphere v5.
Note: Netflow is only supported with vDS and not standard switches.
There are various versions of NetFlow ranging from from v1 to v10. VMware uses the IPFIX version of NetFlow, which is version 10, and stands for “Internet Protocol Flow Information eXport.”
Why to use Netflow?
Configuring NetFlow on your virtual switch, you gain deeper visibility on traffic flow in your infrastructure. Using Netflow you will be able to monitor:
- VM to VM traffic on the same host
- VM to VM traffic on different hosts
- VM to devices outside the virtual environment.
How to configure NetFlow
Configuring Netflow is a two step process i.e configuring Netflow collector and configuring Netflow on distributed switch. There are number of free open-source Netflow Collectors as well as commercially available ones as well. One such good tool is ManageEngine NetFlow Analyzer which is available as free download for 30 day evaluation and can be downloaded from here
In my lab I installed windows version of ManageEngine NetFlow analyzer. Now its time to configure Netflow on distributed switch level. To configure Netflow on vDS, login to vSphere Web Client and follow below steps
Select vDS and navigate to Manage > Settings > Netflow and click on Edit button to enter details of Netflow collector.
You need following details:
- IP Address: This is the IP of the NetFlow Collector where the traffic information
- Port: This is the port used by the NetFlow Collector. It is typically UDP port 2055
but can vary depending on the vendor collecting the data.
- Switch IP Address: By default each ESXi host will export NetFlow data by using their own management address, because of this you will see multiple sources of traffic in your NetFlow analyzer. By assigning an IP address here, the NetFlow Collector will treat the vDS as one single entity. It does not need to be a valid, routable IP, but is merely used as an identifier.
There are also a number of advanced settings that can be used/tweaked if desired:
Active flow export timeout in seconds: The amount of time that must pass before the switch fragments the flow and ships it off to the collector. This avoids sending a large quantity of data after a particularly long flow occurs.
Idle flow export timeout in seconds: Similar to the active flow timeout, but for flows that have entered an idle state. Think of this as the cleanup necessary to ensure that an idle flow gets shipped off to the collector in a timely fashion.
Sampling rate: This determines the Nth packet to collect. By default, the value is 0, meaning to collect all packets. If you set the value to something other than 0, it will
collect every Nth packet. For example, 3 would only collect every third packet.
Process internal flows only: By default vDS exports data about all traffic passing internally on vDS or passing to or from physical network. If you have NetFlow enabled on your physical network devices it could be unnecessary to send information about flows which are passing on physical network layer also, as those are already seen and reported by other network devices.
Selecting “Process internal flows only” setting ensures that vDS will export data only about flows which is switched directly by itself and not passed to physical network layer.
Configuring Netflow on indivdual portgroup
Once vDS is configured, you can configure Netflow on individual port group also to see more granluar details of traffic on portgroup basis.
Follow below setps to enable NetFlow on a specific distributed port group:
Select the distributed port group where you want to enable NetFlow and navigate to Manage > Settings > Properties and click on Edit button. (This can also be accomplished by right-clicking the distributed port group and selecting Edit Settings)
Select Monitoring and from dropdown menu select Enabled.
Click OK to save the changes to the distributed port group.
Inspecting NetFlow data
Once you have your NetFlow analyzer and distributed switch properly set you should eventually have some data about network traffic taking place in your virtual infrastructure as shown below.
Graphic thanks to Tomi Hakala.
Sources and Inspirations
I hope you find this post informational. Feel free to share this on social media if it is worth sharing. Be sociable 🙂