[j-nsp] Using the FXP for flow sources

Tyler Christiansen tyler at adap.tv
Thu Aug 21 14:03:35 EDT 2014


Yeah.  Maybe the SRX3600 (and all high-end SRX) is a bit different, but I'm
pretty sure when we tested the SRX550 (branch) it was handled by the RE.

I just checked an SRX1400 ("high end"/data center), and the RE is
definitely handling the flow traffic.  This may be due to the way I have it
configured (source address is loopback address).  Or the SRX1400 and
SRX3600 may just handle things differently.  The SRX platform is
(unfortunately) a bit of a crapshoot as far as features and architecture go.

--tc


On Thu, Aug 21, 2014 at 10:55 AM, Scott Granados <scott at granados-llc.net>
wrote:

> So the interesting thing is I had opened a ticket to ask this same
> question and I got a totally opposite answer. :)
>
> I guess the best thing to do here is after hours today test out the config
> and see how it goes.  Else spin up another 3600 in the lab and give it a
> run through.  Your answer makes a lot more sense to me but that’s me.  I
> also appreciate the impact of sampling on the RE.  That makes sense since
> the work isn’t punted to the PFE like in the case of the MX hardware.
>
>
> On Aug 21, 2014, at 1:53 PM, Tyler Christiansen <tyler at adap.tv> wrote:
>
> No problem.
>
> Just keep in mind that with the RE processing flow data, you can quickly
> kill your RE if your sampling rate is too low.  1:1 sampling with the MX
> isn't as problematic since it's processed by the PFE.
>
> --tc
>
>
> On Thu, Aug 21, 2014 at 10:47 AM, Scott Granados <scott at granados-llc.net>
> wrote:
>
>> This makes sense to me.  Thanks for such a good response; I really feel
>> like I have a better bead on this now.
>>
>> Thanks
>> Scott
>>
>> On Aug 21, 2014, at 1:43 PM, Tyler Christiansen <tyler at adap.tv> wrote:
>>
>> This is platform-dependent.  Some platforms (definitely EX, probably SRX)
>> use the RE for processing flow data--so you can use fxp0.  Other platforms
>> (MX) use the PFE, which is why fxp0 is not a valid interface.
>>
>> I did some testing on this a few months ago to confirm that EX switches
>> (at least 3200, 3300, 4200, 4500, and 4550) use RE and MX uses PFE.  I
>> think I tested our SRX550, too, and saw that it used RE.  I honestly don't
>> recall the results of the SRX test, though.
>>
>> You can find out pretty easily--if you enable it and you can see flow
>> traffic using tcpdump on the SRX (or monitor traffic), it's handled by the
>> RE.  If you _don't_ see flow data (but you know it's actually being sent),
>> it's handled by the PFE.
>>
>> --tc
>>
>>
>> On Thu, Aug 21, 2014 at 10:09 AM, Scott Granados <scott at granados-llc.net>
>> wrote:
>>
>>> Hi,
>>>         So I’m still a bit confused on what can or can’t be used in the
>>> flow monitoring processes.  In this case I have an SRX 3600 with a routing
>>> instance.  I found a config example that illustrates how to enable flow
>>> sampling in this type of environment.  It specifically mentions that you
>>> use a source IP within the global routing table and not the instance.  In
>>> my case the only interface I have in the global instance is fxp0.0
>>> (management).  I have read in the case of the MX you can’t use the
>>> management interface as a flow source.  I haven’t been able to find anything
>>> regarding the SRX.  Is FXP0 a valid source for flow monitoring or do I need
>>> to create another interface, maybe a loopback, within the global
>>> instance?  Also, is there a good document that details better the
>>> limitations of flow monitoring on the SRX?  I’ve found some bits and pieces
>>> but nothing centralized.  Any pointers would be most appreciated.
>>>
>>> Thanks
>>> Scott
>>>
>>>
>>
>>
>>
>> --
>>
>> *Tyler Christiansen | Technical Operations*
>> tyler at adap.tv | www.adap.tv
>> *m :* 864.346.4095
>>
>>
>>
>
>

