Micro-segmentation Top Pairs Monitor (10264 / 20264)
This Module reports the top host pair network conversations. A network conversation is a series of data exchanges between two hosts, over the same protocol (TCP or UDP) and through the same server destination port. The numbers of exchanged bytes, packets, and flows are summed up.

Server Destination Port

The source port of client hosts is not reported and is ignored when consolidating client-server communications. Destination ports of server hosts are reported. The Module determines which host is the client and which is the server as follows: the server sends more traffic (bytes) than the client. This logic can be overridden by specifying port numbers in the “List of known server destination port numbers” parameter. A list of well-known destination ports is packaged with the Module and can be modified by customers if needed.

Deduplication

VDS: As flows are reported from each host, the Module deduplicates IPFIX flows to report an accurate byte count.
Physical network devices: optionally, the Module can report host pairs only from the authoritative router/switch. The authoritative network device is determined as follows. The Module sums up bytes, packets, and connections between two hosts over the data collection interval (parameter, default = 30 sec), as reported by each flow exporter. The exporter with the most connections for each host pair is considered authoritative, and host pair conversations reported by all other exporters are discarded.
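The following is an added sketch, not the Module's own code, of the logic described in the two sections above: orienting flows by known server port with the byte-count fallback, dropping the client source port, and keeping only the authoritative exporter for each host pair. The record layout, the tie-breaking (destination wins a byte tie, lowest exporter address wins a connection tie), and ranking over the whole kept set rather than per exporter are assumptions.

```python
from collections import Counter, defaultdict

KNOWN_SERVER_PORTS = {53, 80, 443}  # example values from the parameter description

# Constructed records: (exporter, src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    ("10.0.0.1", "192.168.1.10", 51514, "192.168.1.20", 443, 6, 1200, 10),
    ("10.0.0.1", "192.168.1.20", 443, "192.168.1.10", 51514, 6, 9000, 12),
    ("10.0.0.1", "192.168.1.10", 51515, "192.168.1.20", 443, 6, 800, 6),
    ("10.0.0.2", "192.168.1.10", 51514, "192.168.1.20", 443, 6, 1200, 10),  # same flow, second exporter
    ("10.0.0.1", "192.168.1.30", 40000, "192.168.1.40", 9999, 17, 500, 5),
    ("10.0.0.1", "192.168.1.40", 9999, "192.168.1.30", 40000, 17, 4000, 8),
]

def conversations(flows, known_ports=KNOWN_SERVER_PORTS):
    """Orient each flow as client->server or server->client and sum per exporter."""
    sent = Counter()  # bytes each host sent to its peer, per exporter and protocol
    for exp, src, _, dst, _, proto, nbytes, _ in flows:
        sent[exp, proto, src, dst] += nbytes
    convs = defaultdict(Counter)
    for exp, src, sport, dst, dport, proto, nbytes, pkts in flows:
        if dport in known_ports or sport in known_ports:
            to_server = dport in known_ports  # the known-port list overrides byte counts
        else:  # fallback: the server is the host that sends more bytes
            to_server = sent[exp, proto, dst, src] >= sent[exp, proto, src, dst]
        client, server, port = (src, dst, dport) if to_server else (dst, src, sport)
        side = "in" if to_server else "out"  # *_in counts client -> server traffic
        conv = convs[exp, proto, client, server, port]  # client source port is dropped
        conv["bytes_" + side] += nbytes
        conv["packets_" + side] += pkts
        conv["bytes"] += nbytes
        conv["flow_count"] += 1
    return convs

def authoritative_only(convs):
    """Keep, per host pair, only the exporter that reported the most flows."""
    per_exporter = defaultdict(Counter)
    for (exp, _, client, server, _), conv in convs.items():
        per_exporter[client, server][exp] += conv["flow_count"]
    best = {pair: max(sorted(c), key=c.get) for pair, c in per_exporter.items()}
    return {k: v for k, v in convs.items() if best[k[2], k[3]] == k[0]}

def top_pairs(convs, n=50):
    """Rank by total bytes; n=0 reports all pairs."""
    total = sum(c["bytes"] for c in convs.values()) or 1
    ranked = sorted(convs.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    return [dict(zip(("exp_ip", "protocol", "src_ip", "dest_ip", "dest_port"), key), **conv,
                 percent_of_total=round(100 * conv["bytes"] / total, 3))
            for key, conv in (ranked[:n] if n else ranked)]
```

Without the authoritative-exporter step, the 1200 bytes seen by the second exporter would be reported as a separate conversation for the same host pair.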

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 86400 sec, default = 300 sec |
| N – number of reported host pairs | The number of top host pairs reported per NetFlow exporter | min = 0, max = 1000000, default = 50, 0 means “to report all pairs” |
| List of known server destination port numbers | List of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one sending more traffic than receiving | e.g. 53, 80, 443. A list of well-known ports is preloaded |
| Enable (1) or disable (0) reporting by server port | If set to 1, enable traffic reporting by destination port. If set to 0, dest_port field will be omitted | default = 1 |
| Enable (1) or disable (0) reporting by authoritative exporters only | If set to 1 (deduplication enabled), the Module reports flows only from authoritative exporters | default = 0 |
| Enable (1) or disable (0) reporting VM MoRef | If set to 1, enable reporting VM MoRef. If set to 0, src_vm_id and dest_vm_id fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM UUID | If set to 1, enable reporting VM UUID. If set to 0, src_vm_uuid and dest_vm_uuid fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vCenter UUID | If set to 1, enable reporting VM vCenter UUID. If set to 0, src_vm_vc_id and dest_vm_vc_id fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vNIC key | If set to 1, enable reporting VM vNIC key. If set to 0, src_vm_vnic_key and dest_vm_vnic_key fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting Distributed Switch port group name | If set to 1, enable reporting port group names for VMs. If set to 0, src_pg_name and dest_pg_name fields will be omitted | default = 0 |
| List of vCenter VMs | List of records {VDS IPv4 address, VM IPv4 address, VM IPv6 address, VDS Port ID, vNIC key, Port Group name, VM name, VM MoRef, VM instance UUID, vCenter UUID} | This watch list is populated by External Data Feeder for NFO Agent by connecting to one or several vCenters |

Input

IPFIX, NetFlow v5/v9, sFlow (1).

(1) NetFlow and sFlow support is required, as VSS traffic can be collected only from ToRs or other network devices.

Required NetFlow Fields

| Information Element (IE) | IE id | IE size, B | Description |
| --- | --- | --- | --- |
| sourceIPv4Address or sourceIPv6Address | 8 or 27 | 4 or 16 | The IPv4 or IPv6 source address in the IP packet header |
| destinationIPv4Address or destinationIPv6Address | 12 or 28 | 4 or 16 | The IPv4 or IPv6 destination address in the IP packet header |
| ingressInterface | 10 | 2 or 4 | The index of the IP interface where packets of this Flow are being received. |
| egressInterface | 14 | 2 or 4 | The index of the IP interface where packets of this Flow are being sent. |

Syslog/JSON Message Fields

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | "nfc_id=20264" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4_address> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| dest_ip | Server IP address | <IPv4_address> |
| dest_ip6 | Server IPv6 address | <IPv6_address> |
| [dest_host] | Server host name | <string>, included when FQDN is on |
| [dest_vm_name] | Server VM name | <string>, included when server IP is a known VM |
| [dest_vm_id] | Server VM MoRef | <string>, included when server IP is a known VM and |
| [dest_vm_uuid] | Server VM UUID | <string>, included when server IP is a known VM and |
| [dest_vm_vc_id] | Server VM vCenter UUID | <string>, included when server IP is a known VM and |
| [dest_vm_vnic_key] | Server VM vNIC key | <number>, included when server IP is a known VM and |
| [dest_pg_name] | Server VM Port Group name | <string>, included when server IP is a known VM and |
| [dest_port] (2) | Server port number | <number> |
| src_ip | Client IP address | <IPv4_address> |
| src_ip6 | Client IPv6 address | <IPv6_address> |
| [src_host] | Client host name | <string>, included when FQDN is on |
| [src_vm_name] | Client VM name | <string>, included when client IP is a known VM |
| [src_vm_id] | Client VM MoRef | <string>, included when client IP is a known VM and |
| [src_vm_uuid] | Client VM UUID | <string>, included when client IP is a known VM and |
| [src_vm_vc_id] | Client VM vCenter UUID | <string>, included when client IP is a known VM and |
| [src_vm_vnic_key] | Client VM vNIC key | <number>, included when client IP is a known VM and |
| [src_pg_name] | Client VM Port Group name | <string>, included when server IP is a known VM and |
| packets_in | Packets from client to server | <number> |
| bytes_in | Layer 3 bytes from client to server | <number> |
| packets_out | Packets from server to client | <number> |
| bytes_out | Layer 3 bytes from server to client | <number> |
| bytes | Layer 3 bytes in both directions | <number> |
| flow_count | Number of flows | <number> |
| percent_of_total | Percent of Total (bytes) (Client + Server) | <decimal>, e.g. 25.444% is 25.444 |
| t_int | Observation time interval, msec | <number> |

(2) Server destination port is optional
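One way to use these fields for micro-segmentation review, as an added example that is not part of the product: compare each reported host pair against an allow-list and surface the pairs that fall outside it, handling the IPv4/IPv6 key split and the optional dest_port. The policy tuples, the one-JSON-object-per-line framing, and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import json

# Hypothetical policy: (client network, server network, protocol, server port)
ALLOWED = [("192.168.1.0/24", "192.168.2.0/24", 6, 443),
           ("fd00:1::/64", "fd00:2::/64", 6, 443)]

# Constructed messages that use the keys from the table above
MESSAGES = [
    '{"nfc_id": 20264, "protocol": 6, "src_ip": "192.168.1.10", "dest_ip": "192.168.2.20", "dest_port": 443, "bytes": 11000}',
    '{"nfc_id": 20264, "protocol": 6, "src_ip": "192.168.1.10", "dest_ip": "192.168.2.30", "dest_port": 3389, "bytes": 700}',
    '{"nfc_id": 20264, "protocol": 6, "src_ip6": "fd00:1::a", "dest_ip6": "fd00:2::b", "bytes": 4500}',
    '{"nfc_id": 99999, "protocol": 17, "src_ip": "192.168.1.10", "dest_ip": "192.168.9.9", "bytes": 1}',
]

def endpoint(msg, side):
    """Address for 'src' or 'dest', taken from the IPv4 key or the IPv6 key."""
    raw = msg.get(side + "_ip") or msg.get(side + "_ip6")
    return ipaddress.ip_address(raw) if raw else None

def verdict(msg, allowed=ALLOWED):
    src, dst = endpoint(msg, "src"), endpoint(msg, "dest")
    if src is None or dst is None:
        return "malformed"
    result = "violation"
    for cnet, snet, proto, port in allowed:
        if (src in ipaddress.ip_network(cnet) and dst in ipaddress.ip_network(snet)
                and msg.get("protocol") == proto):
            if "dest_port" not in msg:  # reporting by server port is disabled
                result = "port-unknown"
            elif msg["dest_port"] == port:
                return "allowed"
    return result

def review(lines, nfc_id=20264):
    """Return (verdict, client, server, dest_port, bytes) for pairs not allowed, largest first."""
    findings = []
    for line in lines:
        msg = json.loads(line)
        if str(msg.get("nfc_id")) != str(nfc_id):
            continue  # some other message type
        v = verdict(msg)
        if v != "allowed":
            findings.append((v, str(endpoint(msg, "src")), str(endpoint(msg, "dest")),
                             msg.get("dest_port"), msg.get("bytes", 0)))
    return sorted(findings, key=lambda f: f[4], reverse=True)
```

A "port-unknown" verdict means the pair and protocol match a rule but the message carries no dest_port, so the port part of the rule cannot be checked.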