Juniper first started with Jflow support, similar to and compatible with the Cisco NetFlow standard, and later added support for the vendor-neutral IPFIX. In Juniper terminology, flow export refers to inline active flow monitoring. The feature is implemented directly on the data plane, which avoids the need for the dedicated flow-processing hardware that older hardware and software versions required. Version 9 and IPFIX templates are currently supported on newer platforms.
Since Junos is a hierarchy-oriented operating system, flow monitoring configuration can be divided into several mandatory parts:
- In the [edit services flow-monitoring] hierarchy, templates for inline flow monitoring are configured.
- In the [edit forwarding-options sampling] hierarchy, a sampling instance is configured with the sampling rate, and the template defined under [edit services flow-monitoring] is referenced. The flow export destination address and port number are also specified here.
- In the [edit chassis] hierarchy, the sampling instance is referenced and bound to the specific FPC module installed in the chassis. On particular models (MX80 and MX104) the instance is bound to the FEB module instead of an FPC, since there is only one Packet Forwarding Engine.
Template configuration in the [edit services flow-monitoring] hierarchy is shown in the following snippet:
[edit services]
flow-monitoring {
    version-ipfix {
        template IPv4-example {
            flow-active-timeout 300;
            flow-inactive-timeout 15;
            template-refresh-rate {
                seconds 30;
            }
            option-refresh-rate {
                seconds 30;
            }
            ipv4-template;
        }
        template IPv6-example {
            flow-active-timeout 300;
            flow-inactive-timeout 15;
            template-refresh-rate {
                seconds 30;
            }
            option-refresh-rate {
                seconds 30;
            }
            ipv6-template;
        }
    }
}
Under both the IPv4 and IPv6 templates, separate flow timeout and template refresh parameters may be specified. It is important to highlight that version9 could have been configured instead of version-ipfix to export flows in the NetFlow version 9 format.
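Why the template-refresh-rate above matters on the collector side, as an added example that is not from the original post or from Juniper: a minimal IPFIX (RFC 7011) encoder and decoder in Python over a constructed IPv4 template. The element ids are IANA's; one template record per template set and no enterprise-specific elements are assumptions made to keep the decoder short.

```python
import struct
from ipaddress import IPv4Address

IE = {8: "srcIP", 12: "dstIP", 7: "srcPort", 11: "dstPort", 4: "proto", 1: "octets", 2: "packets"}
IPV4_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8), (2, 8)]  # constructed (id, length) template
def message(domain, *sets):
    """IPFIX header (RFC 7011): version 10, length, export time, sequence, observation domain id."""
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, domain) + body
def template_set(tid, fields):  # set id 2 carries template records
    rec = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    return struct.pack("!HH", 2, 4 + len(rec)) + rec
def data_set(tid, records):  # set id >= 256 names the template the records follow
    body = b"".join(records)
    return struct.pack("!HH", tid, 4 + len(body)) + body

class Collector:
    """Decodes data sets only for templates already learned; counts the rest as dropped."""
    def __init__(self):
        self.templates, self.dropped = {}, 0

    def feed(self, msg):
        _, length, _, _, domain = struct.unpack("!HHIII", msg[:16])
        flows, off = [], 16
        while off < length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            payload, off = msg[off + 4:off + set_len], off + set_len
            if set_id == 2:  # assumption: a single template record per template set
                tid, count = struct.unpack("!HH", payload[:4])
                self.templates[(domain, tid)] = [struct.unpack("!HH", payload[4 + 4*i:8 + 4*i]) for i in range(count)]
            elif (domain, set_id) in self.templates:
                fields = self.templates[(domain, set_id)]
                rec_len = sum(ln for _, ln in fields)
                for start in range(0, len(payload) - rec_len + 1, rec_len):
                    flow, pos = {}, start
                    for ie, ln in fields:
                        raw, pos = payload[pos:pos + ln], pos + ln
                        flow[IE[ie]] = str(IPv4Address(raw)) if ie in (8, 12) else int.from_bytes(raw, "big")
                    flows.append(flow)
            else:
                self.dropped += 1  # data set arrived before its template: undecodable until the next refresh
        return flows

def demo():
    """Constructed exchange: records exported before the template are lost, later ones decode."""
    rec = IPv4Address("10.0.0.5").packed + IPv4Address("192.0.2.10").packed + struct.pack("!HHBQQ", 51234, 443, 6, 1500, 3)
    c = Collector()
    lost = c.feed(message(1, data_set(256, [rec])))    # collector has no template 256 yet
    c.feed(message(1, template_set(256, IPV4_FIELDS)))  # periodic template refresh delivers it
    good = c.feed(message(1, data_set(256, [rec, rec])))
    return lost, good, c.dropped
```

A collector restarted between two refreshes sees exactly the first case, which is why the refresh interval bounds how long flows are lost.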
The sampling instance configuration in the [edit forwarding-options] hierarchy is provided below:
[edit forwarding-options]
sampling {
    instance {
        IPFIX-INSTANCE {
            input {
                rate 1;
            }
            family inet {
                output {
                    flow-server 192.168.1.1 {
                        port 4444;
                        version-ipfix {
                            template {
                                IPv4-example;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 172.17.1.1;
                    }
                }
            }
            family inet6 {
                output {
                    flow-server 192.168.1.1 {
                        port 4444;
                        version-ipfix {
                            template {
                                IPv6-example;
                            }
                        }
                    }
                    inline-jflow {
                        source-address 172.17.1.1;
                    }
                }
            }
        }
    }
}
Instance IPFIX-INSTANCE holds the packet sampling rate. The flow export destination and port are included for both IPv4 and IPv6 flows, and the templates defined under [edit services flow-monitoring] are referenced.
Further configuration is needed to associate the sampling instance IPFIX-INSTANCE with particular hardware, as shown in the following snippet:
[edit chassis]
fpc 0 {
    sampling-instance IPFIX-INSTANCE;
}
For MX80 and MX104, the configuration is, respectively:
[edit chassis]
tfeb {
    slot 0 {
        sampling-instance IPFIX-INSTANCE;
    }
}
[edit chassis]
afeb {
    slot 0 {
        sampling-instance IPFIX-INSTANCE;
    }
}
Once the sampling and flow export parameters are defined, sampling can be activated on specific interfaces in one of two ways – interface sampling input/output or a firewall filter.
Sampling input/output refers to sampling export from the designated interface for a specific address family, according to the configuration example below:
[edit interfaces ge-1/0/0]
unit 0 {
    family inet {
        sampling {
            input;
            output;
        }
    }
    family inet6 {
        sampling {
            input;
            output;
        }
    }
}
The previous configuration states that interface ge-1/0/0 samples input and output IPv4 and IPv6 traffic. This is the appropriate configuration when all incoming or outgoing traffic should be exported without any granularity.
The other approach assumes the definition of a firewall filter whose action on matching traffic is "sample". A configuration example is provided:
[edit firewall]
filter FLOW-FILTER {
    term allow-any {
        then {
            sample;
            accept;
        }
    }
}
[edit interfaces ge-1/0/0]
unit 0 {
    family inet {
        filter {
            input FLOW-FILTER;
            output FLOW-FILTER;
        }
    }
}
The interface sampling approach is adequate for use cases in which all inbound or outbound flows on an interface should be exported. The firewall filter, on the other hand, allows more granular matching, so only a subset of the flows on the specific interface is exported.
As always, don't forget to commit…