NSX and VDS both support IPFix (Netflow 10) to export IP flow information to a IPFix collector. IPFix can be enabled on vSphere Distributed Switch (VDS) and in NSX under Flow Monitoring.
Then what is the difference/benefit of using IPFix export from NSX as apposed to VDS IPFix export?
In a nutshell
- NSX IPFix (under Flow Monitoring) will provide details “only” on DFW firewall actions and rule-id in addition to five tuples for the flow
- VDS IPFix will provide more details about the flow, five tuples plus VXLAN headers
Also notice that there is some overlap in the information that is received.
The information contained in NSX/DFW IPFix flow is
- Source MAC/IP/Transport Port
- Destination MAC/IP/Transport Port
- Protocol Identifier
- ICMP and Ether Type
- Flow Start Second
- Flow End Second
- Packet Delta Count
- Firewall Event
- Flow Direction
- Rule-ID
- VM UUID
- vNIC Index
- etc.
The information contained in VDS IPFix/Netflow flow is lot more than DFW/NSX flow and generally contain IPV4/ICMP/VXLAN related flow stats
Enabling IPFix for VXLAN Traffic
It is two steps process
- Configure NetFlow Collector on the VDS (one prepared for NSX – backing the NSX Transport Zone)
- Enable NetFlow Monitoring on the VXLAN dvPortGroup
IPFix for NSX Distributed Firewall (DFW)
NSX DFW implements stateful tracking of flows. IPFix can be used to export data about the status of a flow. The tracked events include flow creation, flow denial, flow update and flow tear-down.
Enabling IPFix For NSX DFW
- Under NSX (Network and Security) select Flow Monitoring and enable flow collection
- In Observation DomainID, type a 32-bit identifier (valid range 0-65535) that identifies the firewall exporter to the flow collector
- In Active Flow Export Timeout, type the time (in minutes) after which active flows are to be exported to the flow collector
- In Collector IPs type the IP address and UDP port of the flow collector
meet NSX 