[j-nsp] Netflow / JFlow questions

Chris Evans chrisccnpspam2 at gmail.com
Wed Sep 1 09:00:28 EDT 2010


Stefan,

I tried to implement egress jflow but didn't get any exports and Brian
states it's not supported. I honestly believe it's going to come down to an
architecture limitation with the Juniper devices. As frames have to be
sampled/marked so that the PFE will copy them to a services interface, I
doubt that egress can be sampled due to the frame flow in the device.

I believe with the TRIO chipset Juniper finally got a clue and started to
put these services inline within the ASIC, which other vendors have done for
years now. The ASIC can now handle these services and provide the full
feature set that I would expect from a device of this class. Hopefully if
what I read is true, then it means we don't need these PICS for services,
tunnel interfaces, etc. anymore.

As for the filter or sample command, I personally REALLY dislike how Juniper
implements filters to be used for services. IMHO filters should be for
filtering traffic only, not to integrate services. My main concern is human
error. If I have a firewall filter in place to deny traffic and someone goes
in and modifies the filter to insert port-monitoring, sampling, etc., there
are chances that they will screw the change up, which could cause a partial
or even full outage. This is why I prefer the 'sample' command as it's a
separate configuration point to introduce services.

I'm working with the SE in the background on this, unfortunately it takes
forever to get an answer sometimes..

Thanks guys!

Chris


On Wed, Sep 1, 2010 at 5:02 AM, Brian Spade <bitkraft at gmail.com> wrote:

> Hi,
>
> On Tue, Aug 31, 2010 at 6:01 PM, Chris Evans <chrisccnpspam2 at gmail.com> wrote:
>
>> Have a few questions for some folks who have implemented JFlow..
>>
>> I have a working jflow setup with basic ipv4 and ingress collection on a m7i
>> with a services pic and also on a MX platform with the MS-DPC blade.
>>
>> #1 - Is egress netflow supported? It appears that only ingress is supported.
>>
>
> No, but I know Juniper has this as an enhancement request.
>
>
>> #2 - Why do all examples that I can find say to use a firewall filter to
>> sample traffic, I have successfully used the 'set interface xx-x/x/x unit xx
>> family inet sample' command. This appears to be the new way of doing it.
>>
>
> Either way will work fine.
>
>
>> #3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces
>> within the VRF. As it appears the device can only do ingress netflow I also
>> need to sample the mpls interface. Does anyone have an example of how to
>> gather netflow stats from both the vrf and mpls pe <> p interfaces?
>>
>
> Not sure, maybe someone else can answer.
>
> /bs
>

