Junos OS (Netflow)

Configuring Flow Sampling on Juniper Routers

In this article we will look at how to configure Juniper MX, M, vMX and T Series Routers and NFX250 to export flow records using Netflow v9. The use of the version 9 flow template enables you to define a flow record template suitable for IPv4 traffic, IPv6 traffic, MPLS traffic, a combination of IPv4 and MPLS traffic, or peer AS billing traffic.

important

At the time of this writing, we recommend using Netflow v9, rather than IPFIX, for flow export from Juniper devices. IPFIX records from Juniper include only total (cumulative) counters for bytes and packets, rather than the de facto standard delta counters. Most flow collection solutions work better with delta values, which Juniper devices provide when using Netflow v9.

Let’s start by creating the sampling instance. Additional attributes will be associated with this instance.

user@router# set chassis fpc 0 sampling-instance ELASTIFLOW

Starting with Junos OS Release 15.1F2, the software allocates a single 1K IPv4 flow table by default. Up to 15 256K IPv4 flow tables (the former default) can be allocated using the following command:

user@router# set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 15

The maximum supported flow table size for a combination of both IPv4 and IPv6 is 15. For example, you can set the flow table size for IPv4 to 10 and set the size for IPv6 to 5.

user@router# set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 10
user@router# set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 5

note

The flow table size recommended by Juniper is 4 (i.e. 4 x 256K flows), which is roughly 1 million flows. You can configure a larger size; however, the system will issue a warning message.

To simplify the sizing of flow tables, the MX series supports a flex-flow-sizing option that doesn't require manually splitting capacity between IPv4 and IPv6 tables. Rather than using the flow-table-size command, use the following configuration.

user@router# set chassis fpc 0 inline-services flex-flow-sizing

Run the following command a few times. If the failure counters keep increasing between runs, flows are being dropped and the flow table sizes may need adjusting.

user@router# show services accounting errors inline-jflow fpc-slot 0 | match "Flow Creation Failures"
Flow Creation Failures: 1146233714
IPv4 Flow Creation Failures: 1111175982
IPv6 Flow Creation Failures: 35057732
user@router# show services accounting errors inline-jflow fpc-slot 0 | match "Flow Creation Failures"
Flow Creation Failures: 1146234132
IPv4 Flow Creation Failures: 1111176365
IPv6 Flow Creation Failures: 35057767

Configure inline services to use extended flow memory. This provides more flow scale for inline services sampling.

user@router# set chassis fpc 0 inline-services use-extended-flow-memory

Next, define a version 9 template for IPv4 (named ipv4, of type ipv4-template) and one for IPv6 (named ipv6, of type ipv6-template).

user@router# set services flow-monitoring version9 template ipv4 ipv4-template
user@router# set services flow-monitoring version9 template ipv6 ipv6-template

The flow-active-timeout and flow-inactive-timeout values (in seconds) determine how frequently flow records are exported for long-lived flows and how soon an idle flow is expired and exported.

user@router# set services flow-monitoring version9 template ipv4 flow-active-timeout 60
user@router# set services flow-monitoring version9 template ipv4 flow-inactive-timeout 60
user@router# set services flow-monitoring version9 template ipv6 flow-active-timeout 60
user@router# set services flow-monitoring version9 template ipv6 flow-inactive-timeout 60

The ElastiFlow Unified Flow Collector uses the flow direction, whether the flow was sampled ingress or egress, for various features. The flow direction field contains the invalid value (0xFF) if you do not add flow-direction to the flow-key.

user@router# set services flow-monitoring version9 template ipv4 flow-key flow-direction
user@router# set services flow-monitoring version9 template ipv6 flow-key flow-direction

Adding vlan-id to the flow-key will include VLAN IDs in both the ingress and egress directions.

user@router# set services flow-monitoring version9 template ipv4 flow-key vlan-id
user@router# set services flow-monitoring version9 template ipv6 flow-key vlan-id

Next, set the sampling rate. A rate of 128 means that one packet in every 128 is sampled.

user@router# set forwarding-options sampling instance ELASTIFLOW input rate 128

At this point you need to specify where the flow records should be sent. This must be done for both of the templates configured above.

You must specify both the IP address and port number on which the ElastiFlow Unified Flow Collector is listening, as well as the flow record version.

user@router# set forwarding-options sampling instance ELASTIFLOW family inet output flow-server 192.0.2.11 port 9995
user@router# set forwarding-options sampling instance ELASTIFLOW family inet output flow-server 192.0.2.11 version9 template ipv4
user@router# set forwarding-options sampling instance ELASTIFLOW family inet6 output flow-server 192.0.2.11 port 9995
user@router# set forwarding-options sampling instance ELASTIFLOW family inet6 output flow-server 192.0.2.11 version9 template ipv6

Additionally you should specify the IP address from which the device will send the packets containing the flow records.

user@router# set forwarding-options sampling instance ELASTIFLOW family inet output inline-jflow source-address 192.0.2.222
user@router# set forwarding-options sampling instance ELASTIFLOW family inet6 output inline-jflow source-address 192.0.2.222

Finally, sampling must be enabled on each interface for which traffic should be observed. Both input and output (ingress and egress) directions can be enabled.

user@router# set interfaces xe-0/1/1 unit 110 family inet sampling input
user@router# set interfaces xe-0/1/1 unit 110 family inet sampling output

The configuration can now be committed.

user@router# commit
commit complete

The ElastiFlow Unified Flow Collector must first receive the template records from the Juniper device, after which it will be able to decode and process the version 9 records. After a few minutes you should begin to see data in the data platform to which the collector is configured to send it.
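As an added example (not part of this page and not ElastiFlow's or Juniper's code), the following Python script implements a minimal NetFlow v9 decoder that illustrates two points made above: a collector cannot decode a data FlowSet until it has received the matching template record, so records exported before the template arrive undecodable, and a flow-direction field holding 0xFF marks a record exported without flow-direction in the flow-key. The template layout, packet header values and flow records are constructed for the demonstration; the field type numbers are the standard RFC 3954 ones.

```python
import struct
import ipaddress

# NetFlow v9 field type IDs from RFC 3954 used by the constructed template below
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT = 1, 2, 4, 7
IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR, SRC_VLAN, DIRECTION = 8, 11, 12, 58, 61
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port", 8: "src_addr",
               11: "dst_port", 12: "dst_addr", 58: "src_vlan", 61: "direction"}
INVALID_DIRECTION = 0xFF  # value exported when flow-direction is not part of the flow-key

# Constructed template (ID 256) and sample records; not captured from a real router
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
            (PROTOCOL, 1), (DIRECTION, 1), (SRC_VLAN, 2), (IN_PKTS, 4), (IN_BYTES, 4)]
SAMPLE_RECORDS = [
    {IPV4_SRC_ADDR: "192.0.2.10", IPV4_DST_ADDR: "198.51.100.7", L4_SRC_PORT: 51515,
     L4_DST_PORT: 443, PROTOCOL: 6, DIRECTION: 0, SRC_VLAN: 110, IN_PKTS: 12, IN_BYTES: 9400},
    {IPV4_SRC_ADDR: "198.51.100.7", IPV4_DST_ADDR: "192.0.2.10", L4_SRC_PORT: 443,
     L4_DST_PORT: 51515, PROTOCOL: 6, DIRECTION: INVALID_DIRECTION, SRC_VLAN: 0,
     IN_PKTS: 9, IN_BYTES: 2100},
]


def _header(count, source_id=0, seq=0):
    # version, record count, sysUptime, unix secs, sequence number, source ID (constructed values)
    return struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, source_id)


def build_template_packet(template_id, fields, source_id=0):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen in fields)
    # FlowSet ID 0 identifies a template FlowSet
    return _header(1, source_id) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(template_id, fields, records, source_id=0):
    body = b""
    for rec in records:
        for ftype, flen in fields:
            if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
                body += ipaddress.IPv4Address(rec[ftype]).packed
            else:
                body += rec[ftype].to_bytes(flen, "big")
    pad = (-len(body)) % 4  # data FlowSets are padded to a 32-bit boundary
    flowset = struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad
    return _header(len(records), source_id) + flowset


class NetflowV9Decoder:
    """Caches templates per (source_id, template_id) and decodes data FlowSets against them."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0  # data FlowSets that arrived before their template

    def feed(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[offset + 4:offset + fs_len]
            if fs_id == 0:
                self._parse_templates(source_id, body)
            elif fs_id >= 256:  # IDs 1-255 are reserved (1 = options template)
                records.extend(self._parse_data(source_id, fs_id, body))
            offset += fs_len
        return records

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:  # template not seen yet: these records cannot be decoded
            self.undecodable += 1
            return []
        rec_len, pos, out = sum(flen for _, flen in fields), 0, []
        while pos + rec_len <= len(body):
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
                    rec[name] = str(ipaddress.IPv4Address(raw))
                else:
                    rec[name] = int.from_bytes(raw, "big")
                pos += flen
            # False when the record lacks the field or carries the 0xFF invalid marker
            rec["direction_valid"] = rec.get("direction", INVALID_DIRECTION) != INVALID_DIRECTION
            out.append(rec)
        return out


def demo():
    """Replays a data packet before and after its template; returns (before, after, undecodable)."""
    decoder = NetflowV9Decoder()
    data = build_data_packet(256, TEMPLATE, SAMPLE_RECORDS)
    before = decoder.feed(data)  # arrives before the template: nothing can be decoded
    decoder.feed(build_template_packet(256, TEMPLATE))
    after = decoder.feed(data)
    return before, after, decoder.undecodable


if __name__ == "__main__":
    before, after, dropped = demo()
    print(f"decoded before template: {len(before)}, after: {len(after)}, undecodable FlowSets: {dropped}")
    for rec in after:
        print(rec)
```

The decoder keys its template cache by source ID as well as template ID because different exporters (or different FPCs) may reuse the same template number with different field layouts. The second sample record is built with direction 0xFF to show what a collector sees when flow-direction is left out of the flow-key: the byte is present, but it cannot be used to tell ingress from egress.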