[j-nsp] Netflow Export - MX running 10.x
Chris Evans
chrisccnpspam2 at gmail.com
Fri Sep 17 14:16:07 EDT 2010
Hit me up with questions, glad to help.. I've run through a few challenges
with jFlow on the platforms and have come up with some knowledge about
caveats and such.
Simplistic configuration using v9 netflow; you can use filters if you want
to. I don't like filters as there is a chance to break real firewall filters
by combining services. This does not include using 'sampling instances'. You
can do that, but you need to define the instance under the FPC. This is set
under 'chassis fpc #' and then define the corresponding instance under the
'forwarding-options' configuration.
To do v9 netflow/jflow it requires that you have a MS-DPC module. If you
want to do v5, remove the services config and version9 and code version 5.
Please also make sure that your timers are set properly. I do not know what
export timers you are looking for. You can do sampled netflow on Juniper
devices if doing version 5 or lower and a higher rate of sampling. There is
a max packets/sec limit however.
*Interfaces to sample:*
ntfuser at MX480-LAB-RE1# show interfaces
xe-4/0/0 {
    unit 0 {
        family inet {
            sampling {
                input;     <-- Ingress netflow
                output;    <-- Egress netflow (caveat, this doesn't work using multicast traffic)
            }
        }
    }
}
*Services interface that will do the sampling:*
ntfuser at MX480-LAB-RE1# show interfaces
sp-3/0/0 {
    unit 0 {
        family inet;
    }
}
*Forwarding options to configure sampling rate and export destination.*
ntfuser at MX480-LAB-RE1# show forwarding-options
sampling {
    input {
        rate 1;    <-- 1 equals 1:1 sampling, adjust higher if doing sampled netflow/jflow.
        run-length 0;
    }
    family inet {
        output {
            flow-server 204.151.176.36 {
                port 9995;
                version9 {
                    template {
                        FLOWv9;
                    }
                }
            }
            interface sp-3/0/0 {
                source-address <Source IP of jflow traffic to collector>;
            }
        }
    }
}
*jFlow v9 template*
ntfuser at MX480-LAB-RE1# show services    <-- This is needed to do v9 jFlow
flow-monitoring {
    version9 {
        template FLOWv9 {
            ipv4-template;
        }
    }
}
On Fri, Sep 17, 2010 at 1:03 PM, Chris Evans <chrisccnpspam2 at gmail.com>wrote:
> No problem. I live a primary Cisco world too. Once I get back to the
> office I will post the config.
> > Thanks - do you have sample config or docs on this? Sorry, still a bit lost
> > - converting from Cisco world which appears to be a lot different ;)
> >
> > From: Chris Evans [mailto:chrisccnpspam2 at gmail.com]
> > Sent: September-17-10 12:31 PM
> > To: Paul Stewart
> > Cc: juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] Netflow Export - MX running 10.x
> >
> > My opinion. Don't waste time on firewall filters. Use the sampling command
> > under family inet instead.
> >
> >> Hi there..
> >>
> >> I'm working with an MX480 running 10.0R3.10 trying to get Netflow 5
> >> exporting up and running.... been reading some of the docs from Juniper and
> >> must be reading the wrong info because what they talk about I don't see ;)
> >>
> >> First, firewall filter:
> >>
> >> filter cflowd {
> >>     term sampled_packets {
> >>         from {
> >>             source-address {
> >>                 0.0.0.0/0;
> >>             }
> >>         }
> >>         then accept;
> >>     }
> >>     term other {
> >>         then accept;
> >>     }
> >> }
> >>
> >> Then forwarding options:
> >>
> >> sampling {
> >>     input {
> >>         rate 1;
> >>         run-length 0;
> >>         max-packets-per-second 7000;
> >>     }
> >>     family inet {
> >>         output {
> >>             flow-server xx.xxx.xx.2 {
> >>                 port 5000;
> >>                 source-address xx.xx.xxx.59;
> >>                 version 5;
> >>             }
> >>         }
> >>     }
> >> }
> >>
> >> When I apply this as input on an interface I see nothing hitting the netflow
> >> system.... the docs talk about "sampling output" instead of "sampling family
> >> inet" but I have no option for "sampling output"
> >>
> >> Confused I am ;) Doesn't take much ... (oh, and yes I want 1:1 sampling at
> >> this point simply because the traffic levels will allow it in the short
> >> term)
> >>
> >> Paul
> >>
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
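The thread turns on two things the collector side sees directly: a v5 export carries its sampling interval in the packet header, while a v9 export is only decodable once the exporter's template (the "services flow-monitoring ... template" stanza Chris shows) has been received. The decoder below is an added example written for this post; it is not code from the thread, from Juniper, or from any collector product. The datagrams it parses are constructed inline with struct (the addresses, ports, counters, source id 42 and template id 256 are made-up sample values), the field type numbers come from RFC 3954, and decoding a v9 data flowset before its template has arrived is reported rather than guessed at, which is the usual reason a collector shows "nothing" for a few minutes after a v9 exporter restarts.

```python
"""Collector-side NetFlow v5 / v9 decoder (added example, not from the thread).
Sample datagrams are constructed inline with struct so it runs offline."""
import socket
import struct

# NetFlow v9 field type numbers (RFC 3954) for the fields in the sample template.
V9_FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
                  8: "src_addr", 11: "dst_port", 12: "dst_addr"}
ADDR_FIELDS = {8, 12}

V5_HEADER = "!HHIIIIBBH"                 # 24 bytes
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"   # 48 bytes


def decode_v5(data):
    """Parse a NetFlow v5 datagram: fixed 24-byte header then 48-byte records."""
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, samp = struct.unpack(V5_HEADER, data[:24])
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    records = []
    for i in range(count):
        off = 24 + 48 * i
        r = struct.unpack(V5_RECORD, data[off:off + 48])
        records.append({"src_addr": socket.inet_ntoa(r[0]), "dst_addr": socket.inet_ntoa(r[1]),
                        "in_pkts": r[5], "in_bytes": r[6], "src_port": r[9],
                        "dst_port": r[10], "protocol": r[13]})
    # Sampling field: top 2 bits are the mode, low 14 bits the interval (rate N -> 1:N).
    return {"version": 5, "sequence": seq, "sampling_interval": samp & 0x3FFF, "records": records}


def decode_v9(data, templates):
    """Parse a NetFlow v9 datagram. `templates` maps (source_id, template_id) to
    [(field_type, length), ...]; it is updated in place from template flowsets,
    because a data flowset can only be decoded once its template has arrived."""
    version, _count, _up, _secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    records, undecodable, off = [], 0, 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length %d" % fs_len)
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                       # template flowset (may carry several templates)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                   # data flowset; id 1 (options template) is skipped
            fields = templates.get((source_id, fs_id))
            if fields is None:
                undecodable += 1             # template not seen yet: wait for the exporter's refresh
            else:
                rec_len = sum(flen for _, flen in fields)
                p = 0
                while p + rec_len <= len(body):   # trailing pad (<4 bytes) is shorter than a record
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[p:p + flen]
                        name = V9_FIELD_NAMES.get(ftype, "field_%d" % ftype)
                        rec[name] = socket.inet_ntoa(raw) if ftype in ADDR_FIELDS else int.from_bytes(raw, "big")
                        p += flen
                    records.append(rec)
        off += fs_len
    return {"version": 9, "sequence": seq, "source_id": source_id,
            "records": records, "undecodable_flowsets": undecodable}


def build_sample_v5(rate=1):
    """Constructed v5 datagram: one flow, sampling interval set in the header."""
    hdr = struct.pack(V5_HEADER, 5, 1, 1000, 1284745000, 0, 7, 0, 0, rate & 0x3FFF)
    rec = struct.pack(V5_RECORD, socket.inet_aton("10.0.0.1"), socket.inet_aton("192.0.2.10"),
                      socket.inet_aton("0.0.0.0"), 1, 2, 12, 9000, 900, 1000, 443, 51000,
                      0, 0x18, 6, 0, 65000, 65001, 24, 24, 0)
    return hdr + rec


def build_sample_v9():
    """Constructed v9 exporter output: one template datagram, one data datagram (template id 256)."""
    fields = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_pkt = struct.pack("!HHIIII", 9, 1, 1000, 1284745000, 1, 42) + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (socket.inet_aton("10.0.0.1") + socket.inet_aton("192.0.2.10") + bytes([6])
           + struct.pack("!HH", 443, 51000) + struct.pack("!II", 12, 9000))
    body = rec + b"\x00" * ((-len(rec)) % 4)      # data flowsets are padded to 4 bytes
    data_pkt = struct.pack("!HHIIII", 9, 1, 1010, 1284745001, 2, 42) + struct.pack("!HH", 256, 4 + len(body)) + body
    return tmpl_pkt, data_pkt


def run_v9_demo():
    """Feed the data datagram before and after its template, as a restarted collector would see it."""
    tmpl_pkt, data_pkt = build_sample_v9()
    templates = {}
    early = decode_v9(data_pkt, templates)    # no template yet: 0 records, 1 undecodable flowset
    decode_v9(tmpl_pkt, templates)
    late = decode_v9(data_pkt, templates)     # template known: record decoded
    return early, late


if __name__ == "__main__":
    print(decode_v5(build_sample_v5(rate=100)))
    print(run_v9_demo())
```

To use it against a live exporter, bind a UDP socket to the flow-server port from the configuration (9995 in Chris's example, 5000 in Paul's) and pass each `recvfrom` payload to `decode_v5` or, keeping one `templates` dict across datagrams, to `decode_v9`; a steady stream of datagrams whose only result is `undecodable_flowsets` means the exporter is running but its template has not been received yet, which is a different problem from no datagrams at all.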