[j-nsp] IPFIX on ACX7100
Eduardo Lopes de Haro
eharo at juniper.net
Sun Feb 11 09:44:33 EST 2024
Hi Simon,
IPFIX is supported since 23.1R1 code so it’s better to use 23.2R1-Sx Junos image.
Here are some step-by-step:
Forwarding-options configuration
The input statement under forwarding-options sampling hierarchy defines the sampling rate and other device specific parameters
[edit forwarding-options sampling instance <inst-name>]
input {
rate <number>;
}
Sampling Instance configuration
The sampling instances configured under “forwarding-options sampling” hierarchy are associated to one or many FPCs under chassis hierarchy. Each FPC can be associated ONLY with one sampling instance.
[edit chassis] {
fpc <fpc-slot-number> {
sampling-instance <sampling-instance-name>;
}
}
The families to be sampled are also configured under “forwarding-options” hierarchy
[edit forwarding-options sampling instance <inst-name>] {
family <inet/inet6> {
output {
flow-server <collector-ip-address> {
port <port-no>;
version-ipfix/V9 {
template <template-name>;
}
DSCP <dscp-value>
}
inline-jflow {
source-address <source-ip-address>;
}
}
}
}
Firewall configuration
A firewall filter is created to apply to the logical interfaces being sampled. The filter will have “sample” and “accept” actions configured.
[edit firewall family <family-name>]
filter <filter-name> {
term <term-name> {
then {
sample;
accept;
}
}
}
Enable sampling on interface
The filter created above is applied to Logical interface we want to sample traffic
[edit interfaces]
Interface-name {
unit logical-unit-number {
family <family-name> {
filter {
input <filter-name>; (Ingress sampling)
output <filter-name>; (Egress sampling)
}
}
}
}
Template Configuration
The templates and template attributes are configured under “services” hierarchy
[edit services flow-monitoring] {
version-ipfix/V9 template <template-name> {
<family>-template; (where family can be ipv4 or ipv6)
template-refresh-rate {
packets;
seconds;
}
options-refresh-rate {
packets;
seconds;
}
}
}
To monitor the service you could use “show services accounting” commands…
--
Eduardo Haro
Juniper Business Use Only
From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of Simon Lockhart via juniper-nsp <juniper-nsp at puck.nether.net>
Date: Sunday, 11 February 2024 at 07:33
To: juniper-nsp at puck.nether.net <juniper-nsp at puck.nether.net>
Subject: [j-nsp] IPFIX on ACX7100
[External Email. Be cautious of content]
All,
Has anyone had any success configuring IPFIX flow sampling/export on ACX7100?
I've got it working successfully on MX204, but we've got a use case in the
network where we've used an ACX7100 as Internet edge, and looking to extend
flow monitoring to it.
It's currently running 22.4R2-S1.8-EVO, but I've also tried on 23.2R1.15-EVO
in the lab, with the same results.
I've tried both firewall filter 'sample' action, and also interface based
'sample', but it says both are unsupported on ACX7100.
The Juniper documentation implies it should just work, but there doesn't
appear to be any ACX specific configuration advice.
Many thanks in advance,
Simon
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://urldefense.com/v3/__https://puck.nether.net/mailman/listinfo/juniper-nsp__;!!NEt6yMaO-gk!HogZDOja2Fcu6h5cwyAelfPskKJXbr7UIYDOIpPMwQ6C5KVT8-mnMybKqw2UXl8lsvi6Vq0gA_q9UHjNqMrImWU$<https://urldefense.com/v3/__https:/puck.nether.net/mailman/listinfo/juniper-nsp__;!!NEt6yMaO-gk!HogZDOja2Fcu6h5cwyAelfPskKJXbr7UIYDOIpPMwQ6C5KVT8-mnMybKqw2UXl8lsvi6Vq0gA_q9UHjNqMrImWU$>
More information about the juniper-nsp
mailing list