# Nutanix traffic capture options

## Nutanix Links, Terminology, and Facts

* [Flow Virtual Networking Guide](https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Flow-Virtual-Networking-Guide-vpc_2024_2:Nutanix-Flow-Virtual-Networking-Guide-vpc_2024_2) (pc.2024.2)
* [Flow Network Security Next-Gen Version 5.2.x Guide](https://portal.nutanix.com/page/documents/details?targetId=Nutanix-Flow-Network-Security-Guide-v5_2_0:Nutanix-Flow-Network-Security-Guide-v5_2_0)
* [Nutanix Bible - Network Controller](https://www.nutanixbible.com/5a-book-of-ahv-architecture.html?utm_source=chatgpt.com#network-controller)

Flow Virtual Networking, powered by Network Controller, is a software-defined networking solution for AHV clusters. It provides multi-tenant isolation, self-service provisioning, and IP address preservation using VPCs, subnets, and other virtual components that are separate from the physical network.

The Network Controller is the networking component of Prism Central that manages and controls configuration, monitoring and optimization of network resources for Flow Virtual Networking VPCs and VLAN subnets. It provides programmability, automation, and centralized control for configuring and managing network flows.

Network Controller is necessary to use centralized VLAN management, Flow Virtual Networking and Flow Network Security Next Generation.

Subnet types, and the **Single Stack** and **Dual Stack** Nutanix networking categories:

* **VLAN Subnets**
  * Network Controller managed VLANs (NCVLANs). These can only be managed in Prism Central.
* **VLAN Basic Subnets**
  * Managed by the Acropolis leader of their Prism Element cluster. These are traditional AHV VLANs.
* **Single Stack** – uses only NCVLAN subnets.
* **Dual Stack** – allows both NCVLAN subnets and VLAN Basic subnets.
  * Flow Network Security 4.2.0 and 4.2.1 are the last versions that support Dual Stack networking.
    * If your version is newer, Service Chaining 1.0 cannot be used to steer traffic.
  * To see your version, navigate in Prism Central to *Admin Center → LCM → Prism Central Cluster*.

## Nutanix Traffic Steering Options

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/v2scKz3tDHCbaCzgBoZa/Nutanix_vSensor_Deployment_Guide-2025_Nov_6-28.png)

Nutanix has two primary steering options currently documented by Vectra that can be used to direct traffic to the capture port of a vSensor.

{% hint style="info" %}
**Please Note:**

As of v7.5 of Nutanix, **Service Insertion** is a new method that can be used for traffic steering.

Vectra and Nutanix are both working towards validation of this new method. This article will be updated in the future with Service Insertion specifics.

Service Insertion can be configured entirely in the Nutanix UI without requiring API calls. It is expected that this new method will become the default recommended traffic steering option in the future for customers who use NCVLAN subnets. Service Insertion is **NOT** supported by Nutanix for VLAN Basic subnets.
{% endhint %}

### Service Chaining 1.0

* Also known as 'Service Chain Insertion'.
* Uses a **Network Function Chain** to TAP (copy out of band) subnet traffic seen on a cluster to Vectra vSensors deployed on each node in the cluster.

**Advantages**

* Captures VM to VM traffic on the same node and any traffic that is seen on the cluster for the subnets that are mapped to it. In other words, you get E/W between VMs on the node and N/S in and out of the node for any mapped subnet.

**Disadvantages**

* Requires **Dual Stack** Nutanix networking.
* Does **NOT** support NCVLAN subnets and only supports VLAN Basic subnets.
* Configuration is more complicated.

{% hint style="info" %}
**Please Note:**

* A single network function chain (NFC) is required per Nutanix cluster in your environment.
* A Vectra vSensor should be deployed on each node of the cluster.
* Subnets will be mapped to each network function chain.
  * Any subnet that will be seen on a node in a cluster should be mapped to the NFC.
  * This means that a subnet should be mapped to multiple NFCs when you have more than one cluster in your environment that will see traffic from the same subnet.
* Traffic seen on any node that is in a mapped subnet will then be copied via the NFC to the Vectra vSensor capture port that was set up as a network function NIC.
  {% endhint %}
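
The mapping rules in the note above can be checked against an inventory before any NFC is built. The following is an added planning example, not Vectra or Nutanix code; the subnet, cluster, and node names are constructed, and the inventory layout is an assumption.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names): the nodes on which each subnet is seen.
# kind is "basic" (VLAN Basic subnet) or "ncvlan" (Network Controller managed VLAN).
SUBNETS = {
    "vlan10-app": {"kind": "basic", "nodes": {("cluster-a", "node-1"), ("cluster-b", "node-4")}},
    "vlan20-db": {"kind": "basic", "nodes": {("cluster-a", "node-2")}},
    "vlan30-vdi": {"kind": "ncvlan", "nodes": {("cluster-b", "node-5")}},
}
CLUSTER_NODES = {"cluster-a": ["node-1", "node-2", "node-3"],
                 "cluster-b": ["node-4", "node-5"]}
VSENSOR_NODES = {("cluster-a", "node-1"), ("cluster-a", "node-2"), ("cluster-b", "node-4")}

def plan_service_chaining(subnets, cluster_nodes, vsensor_nodes):
    """Return (nfc_map, unsupported, missing_vsensors) for Service Chaining 1.0."""
    nfc_map = defaultdict(set)   # cluster -> subnets to map to that cluster's single NFC
    unsupported = set()          # subnets Service Chaining 1.0 cannot tap
    for name, info in subnets.items():
        if info["kind"] != "basic":
            unsupported.add(name)        # NCVLAN subnets are not supported
            continue
        for cluster, _node in info["nodes"]:
            nfc_map[cluster].add(name)   # map to every cluster that sees the subnet
    # A vSensor should be deployed on each node of a cluster that has an NFC.
    missing = sorted((c, n) for c in nfc_map for n in cluster_nodes[c]
                     if (c, n) not in vsensor_nodes)
    return {c: sorted(s) for c, s in nfc_map.items()}, sorted(unsupported), missing

if __name__ == "__main__":
    nfc_map, unsupported, missing = plan_service_chaining(SUBNETS, CLUSTER_NODES, VSENSOR_NODES)
    print("NFC mappings per cluster:", nfc_map)
    print("Needs another steering option:", unsupported)
    print("Nodes without a vSensor:", missing)
```

Subnets reported as unsupported are visibility gaps under Service Chaining 1.0 and need a different steering option.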

### Traffic Mirroring

* Uses **Traffic Mirroring Sessions** to map host (node) ports, bonded host ports, or VM interfaces to **Mirror Destination NICs** (Vectra vSensor capture ports). You get E/W between any VMs in the mirroring session, and N/S in and out of the node if you mirror a host port or bonded host port.

**Advantages**

* Can capture physical network traffic that is seen on a host port or bonded host port.
* Works in both **Dual Stack** and **Single Stack** Nutanix networking environments.
* Supports both NCVLAN subnets and VLAN Basic subnets.
* Configuration is simpler and fully done in the Prism Central UI.

**Disadvantages**

* By default, only supports 4 sources in a traffic mirroring session.
  * Nutanix support or professional services (PS) can raise the 4-source limit to as high as 50 if there is sufficient headroom in the environment.
  * **Please engage Nutanix support or PS to request increases to the 4-source limit.**
* Managing traffic mirroring sessions can become burdensome.
  * You must specify every source individually and cannot simply map a subnet to a vSensor capture port. For large numbers of VMs, it can become complicated to properly map all VMs.

{% hint style="info" %}
**Please Note:**

* A traffic mirror destination NIC can only be used as a destination in one traffic mirroring session.
* A host port or bonded host port does not support mirroring to a remote host. This means that the vSensor must be on the same node (AHV host) as the source host/bonded port.
  * See Traffic Mirroring Sessions 1 and 2 in the diagram above.
* VM interfaces can be mirrored to a remote host. This means that the vSensor can be on a different node (AHV host) than the source VM.
  * See Traffic Mirroring Session 3 in the diagram above.
* For more details, see [Traffic Mirroring](https://portal.nutanix.com/page/documents/details?targetId=Prism-Central-Guide-vpc_7_3:mul-traffic-mirror-pc-c.html).
  {% endhint %}
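
A planned set of mirroring sessions can be checked against the constraints above (source limit, one session per destination NIC, host and bonded ports local only) before configuring them in Prism Central. This is an added example, not Vectra or Nutanix code; the session layout and all names are constructed.

```python
DEFAULT_SOURCE_LIMIT = 4   # default limit; Nutanix support or PS can raise it, up to 50
MAX_SOURCE_LIMIT = 50

# Constructed plan (hypothetical names). Source kinds: "host_port", "bond", "vm_nic".
SESSIONS = [
    {"name": "tms-1", "dest_nic": "vsensor-1:capture", "dest_node": "node-1",
     "sources": [{"kind": "bond", "id": "br0-up", "node": "node-1"}]},
    {"name": "tms-2", "dest_nic": "vsensor-2:capture", "dest_node": "node-2",
     "sources": [{"kind": "host_port", "id": "eth3", "node": "node-3"}]},
    {"name": "tms-3", "dest_nic": "vsensor-1:capture", "dest_node": "node-1",
     "sources": [{"kind": "vm_nic", "id": f"vm-{i}:nic0", "node": "node-2"}
                 for i in range(5)]},
]

def validate_sessions(sessions, source_limit=DEFAULT_SOURCE_LIMIT):
    """Return a sorted list of (session_name, problem) tuples; empty means the plan is valid."""
    if not 1 <= source_limit <= MAX_SOURCE_LIMIT:
        raise ValueError("source limit must be between 1 and 50")
    problems, dest_owner = [], {}
    for s in sessions:
        count = len(s["sources"])
        if count > source_limit:
            problems.append((s["name"], f"{count} sources exceeds limit {source_limit}"))
        # A destination NIC can be the destination of only one session.
        first = dest_owner.setdefault(s["dest_nic"], s["name"])
        if first != s["name"]:
            problems.append((s["name"], f"destination NIC already used by {first}"))
        for src in s["sources"]:
            # Host and bonded ports need the vSensor on the same node; VM NICs may be remote.
            if src["kind"] in ("host_port", "bond") and src["node"] != s["dest_node"]:
                problems.append((s["name"],
                                 f"{src['id']} on {src['node']} cannot mirror to remote {s['dest_node']}"))
    return sorted(problems)

if __name__ == "__main__":
    for session, problem in validate_sessions(SESSIONS):
        print(f"{session}: {problem}")
```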
