SDDC Network Monitoring

Thank you Sasha Velednitsky and Hsien-chung Woo from NetFlow Logic for contributing this post!

Monitoring Network Metadata in Real Time

Network devices are a rich source of information about the network’s traffic, exported as NetFlow, sFlow, or IPFIX records. This metadata is voluminous and most valuable for operational and security purposes.

You get the best insights when the data are captured and analyzed in real time. This is where the data processing engine in NetFlow Integrator comes in. It can process hundreds of thousands of these records per second. Users can apply a myriad of solutions to understand the health and robustness of their networks, as well as the imminence of security threats. The results of NetFlow Integrator processing and analytics are then visually displayed via vRealize Log Insight.

Most network management tools use LLDP or CDP protocols (designed for topology discovery) to reveal network device connectivity, and do not identify the actual network traffic. On the other hand, NetFlow Integrator’s analytics are based on real network traffic. A useful analogy: if you are driving within a city, a city map will be helpful. However, it is much better to have both a map and a depiction of the traffic congestion, so you can navigate more efficiently.

SDDC Monitoring

One of the biggest operational concerns for IT Operations and SDDC Administrators is the lack of visibility between the virtual and physical networking layers — how to trace and troubleshoot connectivity issues. Typically, SDDC management tools monitor virtual network devices, such as vSphere Distributed Switch (VDS), Distributed Logical Routing, Distributed Firewall, Edge Services Gateway, and others. What if a performance degradation or outage is caused by physical device failures or overloading?

How do we know where virtual network traffic is encapsulated, and how it traverses the physical network?

Legacy tools break down at the virtual-to-physical boundary. The lack of correlation between logical and physical networks leads to longer time to resolution, and to outage time frames that are unacceptable for many customers.

For complete visibility you need to collect and analyze flows from both virtual and physical devices. Luckily, most vendors support some sort of flow generation technology (Cisco: NetFlow; Juniper: jFlow; Dell, HP, Arista, Brocade: sFlow; VDS: IPFIX).

Configure all of your flow-capable exporters, such as Top of Rack switches, core and aggregation switches, routers, and virtual switches (e.g. VDS or Open vSwitch), to send NetFlow/sFlow/IPFIX to NetFlow Integrator for visibility of both virtual and physical networks.

Network Counters

NetFlow Integrator accepts network flow data, applies algorithms to the data to extract the information needed to address desired use cases, converts the processed data to syslog, then sends that useful information to other systems for visualization. The granularity of these counters is configurable.

Network bandwidth is typically consumed by a relatively small number of users or applications. With NetFlow Integrator and Log Insight, SDDC administrators can identify which applications are using the most network bandwidth. Log Insight dashboards, shown below, provide this information by source IP, destination IP, ports and protocols.

Micro-segmentation enables organizations to divide SDDC logically into segments, and to implement security groups and firewall rules down to workload levels.

East-West network traffic patterns by application ports and protocols enable administrators to plan and implement micro-segmentation using VMware NSX.
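To illustrate how east-west traffic patterns by port and protocol feed micro-segmentation planning, here is an added example (not NetFlow Integrator, Log Insight or NSX code). The segment names, subnets, flow tuples and the byte threshold are all assumptions constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: (src, dst, protocol, dst_port, bytes). Not real traffic.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", "tcp", 3306, 120_000),
    ("10.0.1.11", "10.0.2.20", "tcp", 3306, 80_000),
    ("10.0.1.10", "10.0.2.21", "tcp", 3306, 40_000),
    ("10.0.3.5", "10.0.1.10", "tcp", 443, 300_000),
    ("10.0.1.10", "203.0.113.7", "tcp", 443, 900_000),  # north-south, ignored
    ("10.0.2.20", "10.0.2.21", "tcp", 22, 2_000),
]

# Assumed segment layout (hypothetical): segment name -> subnet.
SEGMENTS = {"web": "10.0.1.0/24", "db": "10.0.2.0/24", "lb": "10.0.3.0/24"}


def segment_of(ip, segments=SEGMENTS):
    """Return the segment that contains ip, or None for external addresses."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in segments.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def east_west_matrix(flows):
    """Sum bytes per (src_segment, dst_segment, proto, port), internal flows only."""
    matrix = defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s is None or d is None:
            continue  # one end is outside the data center: not east-west
        matrix[(s, d, proto, port)] += nbytes
    return dict(matrix)


def candidate_rules(flows, min_bytes=10_000):
    """Split observed segment pairs into allow-rule candidates and low-volume
    pairs that need a human decision before any firewall rule is written."""
    rules, review = [], []
    ranked = sorted(east_west_matrix(flows).items(), key=lambda kv: -kv[1])
    for key, total in ranked:
        (rules if total >= min_bytes else review).append((key, total))
    return rules, review
```

Segment pairs that never appear in the matrix are the ones a default-deny rule would block without affecting observed traffic.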

As NetFlow Integrator receives flow information from physical network devices, it reports network bandwidth consumption by each physical network device interface. The following counters are provided:

  • Traffic In Rate (Bytes/sec)
  • Traffic Out Rate (Bytes/sec)
  • Relative load %
  • Packets In Rate (Packets/sec)
  • Packets Out Rate (Packets/sec)
  • Relative Packets Rate %

Virtual traffic is encapsulated at Virtual Tunnel End Point (VTEP). For each VTEP the following counters are provided:

  • Traffic In Rate (Bytes/sec)
  • Traffic Out Rate (Bytes/sec)
  • Packets In Rate (Packets/sec)
  • Packets Out Rate (Packets/sec)
  • Flow count

Advanced Analytics

Application performance and availability could also be impacted by a variety of factors, such as DDoS attacks. Sophisticated DDoS attacks are notoriously difficult to detect on a timely basis and to defend against. Traditional perimeter-based technologies such as firewalls and intrusion detection systems (IDSs) do not provide comprehensive DDoS protection. Solutions positioned inline must be deployed at each endpoint, and are vulnerable in case of a volumetric attack. Typically, solutions require systems to run in a “learning” mode, passively monitoring traffic patterns to understand normal behavior and establishing a baseline profile. The baseline is later used to detect anomalous network activity, which could be a DDoS attack. The building of these baselines takes days or weeks, and any change in the infrastructure makes a baseline obsolete, resulting in many false positives.

In contrast to systems relying on the baselines, NetFlow Logic’s Anomaly Detection – Traffic solution is based on flow information analysis. Thus it is not susceptible to volumetric flood attacks. Additionally, since it does not rely on baseline data collection, NetFlow Logic’s anomalous traffic detection solution can be operational 15-20 minutes after deployment.


NetFlow Logic’s solution is based on statistical and machine learning methods and consists of several components, each analyzing network metadata from a different perspective. Results of these analyses are combined and a final event reporting decision is made. The result of this “collective mind” approach is the reduction of false positives.

NetFlow Logic Integrator for vRealize Operations Insight

NetFlow Logic extends the capabilities of both vRealize Operations and vRealize Log Insight. It is an analytics engine for network flow data (NetFlow, IPFIX, sFlow, etc.). It comes with a Log Insight Content Pack and a vRealize Operations Management Pack.

The installation has a few stages.

  1. Install and configure NetFlow Integrator.
  2. Configure vSphere, NSX and the physical switches to send NetFlow, sFlow, IPFIX, etc.
  3. Install the Log Insight content pack.
  4. Install the vRealize Operations management pack.

The manual is pretty straightforward, so I will only add items that I hope complement it.

Stage 1: NetFlow Integrator

Download it from the NetFlow download page. There are actually three software packages you need to download:

  1. NetFlow Integrator 2.4.
    • I recommend you use the Windows version. I used the VM form factor, which needs manual Linux command lines.
    • The VM only takes 2 vCPU, 4 GB RAM and 1 network.
  2. NFI Updater.
    • This small component is installed on top of NFI. It provides NFI with information such as GeoIP, reputation, etc.
  3. NFI Operations Analytics.
    • This provides the vRealize Operations Insight integration. So there are multiple products to install once you unzip the files.
    • TP2 Package means this package of software is still in Tech Preview 2. The folks are working closely with the VMware team.

I installed the VM appliance. It needs some Linux command lines. Installation of the NFI Updater is also via CLI, as shown below.

Once installed, it’s time to configure it. There are a few things to do:

  • Input and Output
  • vSphere and NSX integration
  • Top of Rack
  • Additional NFI modules (optional)

To configure input and output, it’s a matter of specifying the port. Add 9995 (NetFlow), 6343 (sFlow) and 2055 (IPFIX). I have to add 6343 because Arista uses sFlow.
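Once exporters are pointed at these ports, it helps to confirm that each listener is receiving the format it was set up for. The following added example (not part of NFI or of the original post) classifies a UDP payload by its export header and flags payloads arriving on the wrong port. The port-to-format mapping follows the labels above and is an assumption, as are the sample payloads and exporter addresses.

```python
import struct

# Ports as labelled in the post; the accepted formats per port are an assumption.
EXPECTED = {9995: {"netflow-v5", "netflow-v9"}, 6343: {"sflow-v5"}, 2055: {"ipfix"}}


def classify(d: bytes) -> str:
    """Identify the export format of one UDP payload from its header fields."""
    if len(d) < 8:
        return "unknown"
    v16, f2 = struct.unpack_from("!HH", d, 0)
    if v16 == 5 and 1 <= f2 <= 30 and len(d) == 24 + 48 * f2:
        return "netflow-v5"   # 24-byte header plus count * 48-byte records
    if v16 == 9 and len(d) >= 20:
        return "netflow-v9"   # 20-byte header, template-based records
    if v16 == 10 and 16 <= f2 <= len(d):
        return "ipfix"        # second field is the total message length
    v32, addr_type = struct.unpack_from("!II", d, 0)
    if v32 == 5 and addr_type in (1, 2):
        return "sflow-v5"     # 32-bit version, then agent address type
    return "unknown"


def audit(packets):
    """Return (exporter, port, format) for payloads not expected on their port."""
    return [(src, port, fmt) for src, port, d in packets
            if (fmt := classify(d)) not in EXPECTED.get(port, set())]


# Constructed payloads (valid headers, zero-filled bodies); not captured traffic.
NF5 = struct.pack("!HH", 5, 1) + bytes(20 + 48)
NF9 = struct.pack("!HH", 9, 1) + bytes(16)
IPFIX = struct.pack("!HH", 10, 16) + bytes(12)
SFLOW = struct.pack("!II", 5, 1) + bytes(20)
SAMPLE = [
    ("192.0.2.1", 9995, NF5),
    ("192.0.2.2", 2055, IPFIX),
    ("192.0.2.3", 6343, SFLOW),
    ("192.0.2.4", 9995, SFLOW),  # sFlow exporter pointed at the NetFlow port
]
```

If an exporter that emits IPFIX is pointed at 9995, add `"ipfix"` to that port's set so the audit does not flag it.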

Next is the Output. To configure the Log Insight integration, you just need to fill the dialog box below. NetFlow already knows Log Insight, as you can see it has a drop down for it!

You need to configure the vSphere and NSX integration. The current version is limited to 1 vCenter per NFI. If you have multiple vCenters, install another NFI. Multiple NFIs can point to the same Log Insight.

To configure the Top of Rack switches, you just need to specify their IP addresses.


To get the vRealize Operations integration, change the output method from the default 0 to 2.


Stage 2: vSphere, NSX & Physical Switch

There are many articles on how to configure NetFlow in vSphere Distributed Switch and in physical switches. An example for Cisco is here, and for Arista is here.

In vCenter, the default collector port for NFI is 9995. You specify the NFI IP address (not hostname). In my example below, it is

To configure IPFIX in NSX, go to Flow Monitoring and key in the NFI IP address. I use port 2055.


On the physical switch, here is how to configure Cisco for SNMP v3

Stage 3: Log Insight

The Content Pack is not yet available in the Log Insight marketplace. Just upload it manually as per the screenshot below.

Once uploaded, here is what you get

You get additional information about the traffic.

And who is talking to whom in your network…

You can drill down to see the details

Stage 4: vRealize Operations

The Management Pack installation is similar to that of a typical Management Pack. The only thing you need to do is provide the URL.

You also need to enable the collection of IP addresses.
