NSX Traceflow


NSX Trace flow:

  • Troubleshooting virtual environment is challenging & also quite interesting.
  • Trace flow is one of the tools which was introduced from NSX for vSphere 6.2 used for troubleshooting & planning.
  • It allows to inject packet into the network & monitor its flow across the network.
  • The traffic can be injected at the vNIC level for the VM without the need to touch the operating system or logging to the VM.
  • One of key benefits using Trace flow is that it can be used even when the VM is down.
  • The output of trace flow indicates the hops that was traversed for the traffic from source to destination.
  • It also indicates whether the packet is delivered to the destination or not (Whether DFW is blocking the traffic or not)


Trace Flow Use cases:

  • Trouble shooting network failures to see the exact path that traffic takes
  • Performance monitoring to see link utilization
  • Network planning to see how a network will behave when it is in production

Following traffic are supported by Trace flow

  1. Layer 2 unicast
  2. Layer 3 unicast
  3. Layer 2 broadcast
  4. Layer 2 multicast

Note: The source for any trace flow should be always the vNIC of the VM. The destination could be any device in NSX overlay or underlay.


Using Trace flow:

  • Login to vCenter & navigate through Networking & Security -> Tools -> Tracefllow
  • Its required to select the source VM vNIC & the destination VM vNIC (refer below screenshot)
  • Under advanced options choose the protocol of the choice from the drop down. (Supported protocols are TCP, UDP & ICMP)
  • In this example we have selected Protocol “TCP”
  • Destination Port TCP 22 is selected in this example

Click on “Trace” to initiate the trace between the source & the destination.

  • The simulated traffic is initiated between the source & destination VMs vNIC.
  • The complete traffic flow including the vNIC, firewall , ESXi host is visible.
  • It is easily identified whether the packet is delivered or not.

  • To identify which firewall policy is hit or followed, just click on the firewall & it shows the Rule ID which allowed or blocked the traffic.

 Trace flow is a very simple & easy tool for troubleshooting virtual network infrastructure.

Posted in NSX

Leave a Reply