Micro-segmentation Top Pairs Monitor (10264 / 20264)
This Module reports top Host Pairs network conversations. A network conversion is a series of data exchanges between two hosts, over the same protocol (TCP or UDP) and through the same server destination port. The number of exchanged bytes packets and flows are summed up.
Server Destination Port
Source port of client hosts is not reported, and ignored while consolidating client-server communications. Destination ports of server hosts are reported. The Module determines which host is a client and which is a server as follows: a server sends more traffic (bytes) than a client. This logic can be overridden by specifying port numbers in the “List of known server destination port numbers” parameter. A well-known list of destination ports is packaged with the Module, and could be modified by customers if needed.
Deduplication
VDS: As flows reported from each host, the Module deduplicates IPFIX flows to report accurate byte count.
Physical network devices: optionally the Module can report host pairs only from authoritative router/switch. Authoritative network device is determined as follows. The Module sums up bytes, packets, and connections between two hosts over data collection interval (parameter, default = 30 sec), reported by each flow exporter. An exporter with most connections for each host pair is considered authoritative, and host pair conversations reported by all other exporters are discarded.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 86400 sec, default = 300 sec |
| N – number of reported host pairs | The number of top host pairs reported per NetFlow exporter | min = 0, max = 1000000, default = 50, 0 means “to report all pairs” |
| List of known server destination port numbers | List of server destination ports to be used to determine which host is a client and which is a server. If the list is empty, the server is the one with a smaller port number | e.g. 53, 80, 443. A list of well-known ports is preloaded |
| Enable (1) or disable (0) reporting by server port | If set to 1, enable traffic reporting by destination port. If set to 0, dest_port field will be omitted | default = 1 |
| Enable (1) or disable (0) reporting by authoritative exporters only | If set to 1 (deduplication enabled), the Module reports flows only from authoritative exporters | default = 0 |
| Enable (1) or disable (0) reporting VM MoRef | If set to 1, enable reporting VM MoRef. If set to 0, src_vm_id and dest_vm_id fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM UUID | If set to 1, enable reporting VM UUID. If set to 0, src_vm_uuid and dest_vm_uuid fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vCenter UUID | If set to 1, enable reporting VM vCenter UUID. If set to 0, src_vm_vc_id and dest_vm_vc_id fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting VM vNIC key | If set to 1, enable reporting VM vNIC key. If set to 0, src_vm_vnic_key and dest_vm_vnic_key fields will be omitted | default = 0 |
| Enable (1) or disable (0) reporting Distributed Switch port group name | If set to 1, enable reporting port group names for VMs. If set to 0, src_pg_name and dest_pg_name fields will be omitted | default = 0 |
| List of vCenter VMs | List of records {VDS IPv4 address, VM IPv4 address, VM IPv6 address, VDS Port ID, vNIC key, Port Group name, VM name, VM MoRef, VM instance UUID, vCenter UUID} | This watch list is populated by External Data Feeder for NFO Agent by connecting to one or several vCenters |
Input
IPFIX, NetFlow v5/v9, sFlow(1) .
(1) NetFlow and sFlow support is required as VSS traffic could be collected only from ToRs or other network devices.
Required NetFlow Fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address or sourceIPv6Address | 8 or 27 | 4 or 16 | The IPv4 or Ipv6 source address in the IP packet header |
| destinationIPv4Address or destinationIPv6Address | 12 or 28 | 4 or 16 | The Ipv4 or Ipv6 destination address in the IP packet header |
| ingressInterface | 10 | 2 or 4 | The index of the IP interface where packets of this Flow are being received. |
| egressInterface | 14 | 2 or 4 | The index of the IP interface where packets of this Flow are being sent. |
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20264" |
| exp_ip | NetFlow exporter Ipv4 address | <Ipv4_address> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| dest_ip | Server IP address | <Ipv4_address> |
| dest_ip6 | Server Ipv6 address | <Ipv6_address> |
| [dest_host] | Server host name | <string>, included when FQDN is on |
| [dest_vm_name] | Server VM name | <string>, included when server IP is a known VM |
| [dest_vm_id] | Server VM MoRef | <string>, included when server IP is a known VM and |
| [dest_vm_uuid] | Server VM UUID | <string>, included when server IP is a known VM and |
| [dest_vm_vc_id] | Server VM vCenter UUID | <string>, included when server IP is a known VM and |
| [dest_vm_vnic_key] | Server VM vNIC key | <number>, included when server IP is a known VM and |
| [dest_pg_name] | Server VM Port Group name | <string>, included when server IP is a known VM and |
| [dest_port](2) | Server port number | <number> |
| src_ip | Client IP address | <Ipv4_address> |
| src_ip6 | Client IPv6 address | <Ipv6_address> |
| [src_host] | Client host name | <string>, included when FQDN is on |
| [src_vm_name] | Client VM name | <string>, included when client IP is a known VM |
| [src_vm_id] | Client VM MoRef | <string>, included when client IP is a known VM and |
| [src_vm_uuid] | Client VM UUID | <string>, included when client IP is a known VM and |
| [src_vm_vc_id] | Client VM vCenter UUID | <string>, included when client IP is a known VM and |
| [src_vm_vnic_key] | Client VM vNIC key | <number>, included when client IP is a known VM and |
| [src_pg_name] | Client VM Port Group name | <string>, included when server IP is a known VM and |
| packets_in | Packets from client to server | <number> |
| bytes_in | Layer 3 bytes from client to server | <number> |
| packets_out | Packets from server to client | <number> |
| bytes_out | Layer 3 bytes from server to client | <number> |
| bytes | Layer 3 bytes in both directions | <number> |
| flow_count | Number of flows | <number> |
| percent_of_total | Percent of Total (bytes) (Client + Server) | <decimal>, e.g. 25.444% is 25.444 |
| t_int | Observation time interval, msec | <number> |
(2) Server destination port is optional