[j-nsp] Netflow + OriginAS in logical systems

Sat Sep 26 08:11:43 EDT 2009

Hi Andree,

Normally I would say you might be missing the "routing-options route-record"
feature, give it a try. But the following page seems quite negative about it:

http://www.juniper.net/techpubs/software/junos/junos94/swconfig-routing/overview_1.html

Having the "route-record" feature under the [logical-systems routing-options]
stanza would help select the right rpd from which data should be copied from
in case of a logical system.  

Also, if my interpretation of the following page is correct, it makes a pretty
bold statement speaking about restrictions of logical systems "Generalized MPLS
(GMPLS), IP Security (IPSec), point-to-multipoint label-switched paths (LSPs),
port mirroring, and sampling are not supported": 

http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/feature-guide/logical-systems-overview-solutions.html

If there is not a better answer, i can point you to a workaround in case
you are in the need of an IP accounting solution: the pmacct project (free,
open-source) recently integrated into a single daemon both a NetFlow collector
and a Quagga-based BGP daemon: the idea would be you can let your logical
system(s) send NetFLow data and iBGP peer with it; then stitching the two
information together (NetFlow+BGP) is done at the collector (OK, with the
secondary advantage of having readily available AS-PATH, Local Preference,
MED, Communities, etc.). 

This was presented earlier in September 09 (by myself) at an UKNOF meeting;
in case anybody reading is interested this is the link:

http://www.pmacct.net/lucente_pmacct_uknof14.pdf

Cheers,
Paolo

On Fri, Sep 25, 2009 at 06:52:49PM +0200, Andree Toonk wrote:
> Hi all,
> 
> I'm trying to use cflow on our MX480s within a logical system but ran into an issue with AS resolution.
> I wonder if others have used cflow in a logical system and were able to get this working.
> 
> The logical system has full BGP routing from 3 separate upstreams ISP's Exporting netflow works fine, however the AS resolution doesn't seem to work correct. 
> All flows are reporting AS 0, except for those ASN's that are directly connected to the Master instance.
> So it seems that while the flows are coming from the logical-system TX,  it tries to determine the ASns for the flows using the routing table in the master instance. Resulting in many flows with AS 0.
> 
> Is any of you aware of a way I can use cflow in this logical-system, with proper AS resolution? Or is this just a limitation of sampling & logical-systems?
> This is the configuration we used:
> 
> In master:
> forwarding-options {
>     sampling {
>         input {
>             family inet {
>                 rate 100;
>             }
>         }
>         output {
>             cflowd x.x.x.x
>                 port 23456;
>                 version 5;
>                 autonomous-system-type origin;
>             }
>         }
>     }
> }
> 
> firewall {
>     filter all {
>         term all {
>             then {
>                 sample;
>                 accept;
>             }
>         }
>     }
> }
> 
> 
> Then on the interface towards one of our upstreams, in logical system:
> 
> interfaces {
>     ge-0/1/0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     input all;
>                     output all;
>                 }
>                 address x.x.x.x/30;
>             }
>         }
>     }
> }
> 
> Thanks,
>  Andree
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp