We are deploying a QRadar VFlow collector for a customer who has a VMware ESXi cluster with around 29 ESXi hosts, each having its 2 vSwitches, but they are all managed from a central console.
We have a single VFlow license and it appears that it is clearly insufficient, since a VFlow can connect to only 4 vswitches (of which only 3 can be used for data). However, since each host may have 2-3 vswitches (which means at least a total of around 60 vswitches), do we then need 20 VFlow servers to collect VFlow data?
Appreciate if someone can comment on how deployments have been done for large virtualization environments? It does not seem reasonable to require 20 VFlow devices (both in terms of resources and licenses) to capture flow data from the virtual infrastructure. In my case the customer is not using Distributed switch.
Also, can VFlows be captured by a VFlow collector on a separate ESXi host than the one where the vswitch resides?