vRNI flows show IP address 240.240.240.240
Article ID: 324472
Updated On:
Products
VMware Aria Operations for Networks
Issue/Introduction
This article provides information on the significance of the unknown IP address 240.240.240.240 in the environment when you are viewing the vRNI flows.
Environment
VMware vRealize Network Insight 6.x
VMware vRealize Network Insight 3.x
VMware vRealize Network Insight 5.x
VMware vRealize Network Insight 2.x
VMware vRealize Network Insight 3.x
VMware vRealize Network Insight 5.x
VMware vRealize Network Insight 2.x
Cause
240.240.240.240 is a place holder IP address in vRealize Network Insight (vRNI) if certain global limits are reached for traffic between the local network and the upstream or external network. This is to limit the number of flows in the system, since publicly exposed services could result in a very large number of flows and would result in increased system load.
For all the flows that have been replaced with this placeholder IP, all the metrics are aggregated on the corresponding flow with this IP address, so there is no loss of statistics at an aggregate level.
For all the flows that have been replaced with this placeholder IP, all the metrics are aggregated on the corresponding flow with this IP address, so there is no loss of statistics at an aggregate level.
Resolution
There are several global limits in vRealize Network Insight that can cause traffic to be aggregated into the 240.240.240.240 place holder IP address.
Limit on the number of allowed incoming internet flows:
Value: 5000 client IPs per server IP address
Duration: Total calculated over a rolling 15 day period
The placeholder IP is used if there is a very large number of IP addresses (> 5000) hitting a particular IP on the internal network. All further incoming IP addresses (i.e., the 5001th and onwards) accessing the service endpoint will be replaced with 240.240.240.240.
Limit on the number of blocked incoming internet flows:
Value: 50 blocked client IPs per server IP address
Duration: Total calculated over a rolling 15 day period
Similar to the limit above, the placeholder IP is used if more than 50 client IP addresses attempt to access a server on the internal network, but the traffic is blocked.
Limit on the total number of allowed incoming flows:
Value: 500,000 flows
Duration: Total calculated over a rolling 15 day period
If there are more than 500K unique allowed flows that originate from outside of the network, flows in excess of 500K would have the client IP aggregated. A unique flow is determined by source IP, destination IP, and destination port. Multiple traffic events with this combination are considered part of this flow signature.
Limit on the total number of denied incoming flows:
Value: 100,000 flows
Duration: Total calculated over a rolling 15 day period
As in the limit above, if there more than 100K unique incoming flows that are denied, the client IP is aggregated using the placeholder IP address.
Limit on the number of allowed incoming internet flows:
Value: 5000 client IPs per server IP address
Duration: Total calculated over a rolling 15 day period
The placeholder IP is used if there is a very large number of IP addresses (> 5000) hitting a particular IP on the internal network. All further incoming IP addresses (i.e., the 5001th and onwards) accessing the service endpoint will be replaced with 240.240.240.240.
Limit on the number of blocked incoming internet flows:
Value: 50 blocked client IPs per server IP address
Duration: Total calculated over a rolling 15 day period
Similar to the limit above, the placeholder IP is used if more than 50 client IP addresses attempt to access a server on the internal network, but the traffic is blocked.
Limit on the total number of allowed incoming flows:
Value: 500,000 flows
Duration: Total calculated over a rolling 15 day period
If there are more than 500K unique allowed flows that originate from outside of the network, flows in excess of 500K would have the client IP aggregated. A unique flow is determined by source IP, destination IP, and destination port. Multiple traffic events with this combination are considered part of this flow signature.
Limit on the total number of denied incoming flows:
Value: 100,000 flows
Duration: Total calculated over a rolling 15 day period
As in the limit above, if there more than 100K unique incoming flows that are denied, the client IP is aggregated using the placeholder IP address.
Feedback
Yes
No
Powered by
