In this article we will look at how to configure Juniper MX, M, vMX and T Series Routers and NFX250 to export flow records using Netflow v9. The use of the version 9 flow template enables you to define a flow record template suitable for IPv4 traffic, IPv6 traffic, MPLS traffic, a combination of IPv4 and MPLS traffic, or peer AS billing traffic.
At the time of this writing we recommend using Netflow v9, rather than IPFIX, for flow export from Juniper devices. IPFIX records from Juniper include only total counters for bytes and packets, rather than the de facto standard delta counters. Most flow collection solutions will work better with delta values, which are provided by Juniper devices when using Netflow v9.
Let’s start by creating the sampling instance. Additional attributes will be associated with this instance.
Starting with Junos OS Release 15.1F2, by default, the software allocates one 1K IPv4 flow table. Up to 15 256K IPv4 flow tables, the former default, can be allocated using the following command:
The maximum supported flow table size for a combination of both IPv4 and IPv6 is 15. For example, you can set the flow table size for IPv4 to 10 and set the size for IPv6 to 5.
The flow table size recommended by Juniper is 4 (i.e. 4 x 256K flows), which is 1 million flows. You can configure a larger size; however, the system will issue a warning message.
To simplify the sizing of flow tables, the MX series supports a `flex-flow-sizing` option that doesn't require a manual sizing between IPv4 tables and IPv6 tables. Rather than using the `flow-table-size` command, the following configuration should be used.
The following command can be run a few times to determine if flows are being dropped, and to determine if any adjustments to the flow table sizes would be beneficial.
Configure the service to extended flow memory. This service provides more scale in flows for inline services sampling.
Next the template configuration for both IPv4 (`ipv4-template`) and IPv6 (`ipv6-template`) templates can be added.
`flow-inactive-timeout` determine how frequently flow records will be sent for metered flows.
The ElastiFlow Unified Flow Collector uses the flow direction, whether the flow was sampled ingress or egress, for various features. The flow direction field contains the invalid value (`0xFF`) if you do not add `flow-direction` to the `flow-key`.
Adding `vlan-id` to the `flow-key` will include VLAN IDs in both the ingress and egress directions.
Next you need to set the rate at which packets will be sampled.
At this point you need to specify where the flow records should be sent. This must be done for both of the templates configured above.
You must specify both the IP address and port number on which the ElastiFlow Unified Flow Collector is listening, as well as the flow record version.
Additionally you should specify the IP address from which the device will send the packets containing the flow records.
Finally, sampling must be enabled on each interface for which traffic should be observed. Both `input` and `output` (ingress and egress) directions can be enabled.
The configuration can now be committed.
The ElastiFlow Unified Flow Collector must first receive the template records from the Juniper device, after which it will be able to decode and process the version 9 records. After a few minutes you should begin to see data in the data platform to which the collector is configured to send it.
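The steps above collected into one set-format configuration, as an added example that is not the original article's own command listing. The instance name `SAMPLE-1`, the template names `V9-IPV4` and `V9-IPV6`, FPC slot 0, interface `ge-0/0/0`, the collector address 192.0.2.10 with port 2055, the source address 192.0.2.1, and the sampling rate, timeout and refresh values are all assumptions to be replaced with your own.

```junos
# Added example: every name, address, port and numeric value is a placeholder.
# Sampling instance bound to the FPC that will do the inline sampling
set chassis fpc 0 sampling-instance SAMPLE-1

# Flow table sizing in units of 256K flows (IPv4 + IPv6 must not exceed 15)
set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 4
set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 4
# Alternative on MX, used instead of flow-table-size:
# set chassis fpc 0 inline-services flex-flow-sizing

# Version 9 template for IPv4 traffic
set services flow-monitoring version9 template V9-IPV4 flow-active-timeout 60
set services flow-monitoring version9 template V9-IPV4 flow-inactive-timeout 60
set services flow-monitoring version9 template V9-IPV4 template-refresh-rate seconds 60
set services flow-monitoring version9 template V9-IPV4 ipv4-template
set services flow-monitoring version9 template V9-IPV4 flow-key flow-direction
set services flow-monitoring version9 template V9-IPV4 flow-key vlan-id

# Version 9 template for IPv6 traffic
set services flow-monitoring version9 template V9-IPV6 flow-active-timeout 60
set services flow-monitoring version9 template V9-IPV6 flow-inactive-timeout 60
set services flow-monitoring version9 template V9-IPV6 template-refresh-rate seconds 60
set services flow-monitoring version9 template V9-IPV6 ipv6-template
set services flow-monitoring version9 template V9-IPV6 flow-key flow-direction
set services flow-monitoring version9 template V9-IPV6 flow-key vlan-id

# Sample 1 in 100 packets
set forwarding-options sampling instance SAMPLE-1 input rate 100

# Collector, record version/template and source address, per address family
set forwarding-options sampling instance SAMPLE-1 family inet output flow-server 192.0.2.10 port 2055
set forwarding-options sampling instance SAMPLE-1 family inet output flow-server 192.0.2.10 version9 template V9-IPV4
set forwarding-options sampling instance SAMPLE-1 family inet output inline-jflow source-address 192.0.2.1
set forwarding-options sampling instance SAMPLE-1 family inet6 output flow-server 192.0.2.10 port 2055
set forwarding-options sampling instance SAMPLE-1 family inet6 output flow-server 192.0.2.10 version9 template V9-IPV6
set forwarding-options sampling instance SAMPLE-1 family inet6 output inline-jflow source-address 192.0.2.1

# Enable sampling in both directions on each observed interface
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
set interfaces ge-0/0/0 unit 0 family inet6 sampling input
set interfaces ge-0/0/0 unit 0 family inet6 sampling output

commit
# Operational mode, repeated a few times to watch for flow creation failures:
# show services accounting errors inline-jflow fpc-slot 0
```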