netflow:junipermx
Differences
netflow:junipermx [2023/05/31 16:32] – created veera | netflow:junipermx [2023/06/21 16:50] (current) – [Default Flow table size] veera | ||
---|---|---|---|
Line 2: | Line 2: | ||
+ | Here is a minimal configuration for Juniper MX Netflow/ | ||
- | Configure | + | |
+ | The setup | ||
+ | |||
+ | * Trisul Network Analytics is installed on IP '' | ||
+ | * The router IP is '' | ||
+ | * We want to enable IPFIX , alternately you can use Netflow-v9 | ||
+ | * Sample rate is 1024 | ||
+ | * Enable ingress/ | ||
+ | |||
+ | |||
+ | |||
+ | |||
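Review bot: the two IP bullets at the top of the new revision come through as empty quotes (`''`), so a reader cannot check them against the commands that follow; Step 2 sends flows to `flow-server 10.10.100.100 port 2055` and sets `inline-jflow source-address 20.20.200.200`, so the bullets should state exactly those two addresses (collector and router) so the prose and the config agree.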
+ | ===== Step 1: Attach sampler trisul_sampling to FPC ===== | ||
+ | |||
+ | FPC(Flexible PIC Concentrator) is a part of the packet forwarding engine. Previously you needed a dedicated MS-MIC or MS-PIC cards. | ||
+ | |||
+ | |||
+ | < | ||
+ | set chassis fpc 0 sampling-instance trisul_sampling | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Step 2: Configure | ||
+ | |||
+ | Create a sampler named trisul_sampling and set it to 1024, add the flow server IP | ||
< | < | ||
set forwarding-options sampling instance trisul_sampling input rate 1024 | set forwarding-options sampling instance trisul_sampling input rate 1024 | ||
set forwarding-options sampling instance trisul_sampling family inet output flow-server 10.10.100.100 port 2055 | set forwarding-options sampling instance trisul_sampling family inet output flow-server 10.10.100.100 port 2055 | ||
- | set forwarding-options sampling instance trisul_sampling family inet output flow-server 10.10.100.100 | + | set forwarding-options sampling instance trisul_sampling family inet output flow-server 10.10.100.100 |
+ | set forwarding-options sampling instance trisul_sampling family inet output inline-jflow source-address 20.20.200.200 | ||
</ | </ | ||
- | Configure the Template | + | ===== Step 3: Configure the Template |
+ | |||
+ | |||
+ | Name of template is '' | ||
- | Name of template is trisul_template | ||
< | < | ||
- | set services flow-monitoring | + | set services flow-monitoring |
- | set services flow-monitoring | + | set services flow-monitoring |
- | set services flow-monitoring | + | set services flow-monitoring |
- | set services flow-monitoring | + | set services flow-monitoring |
- | set services flow-monitoring | + | set services flow-monitoring |
- | set services flow-monitoring version9 template trisul_template flow-key flow-direction | + | |
</ | </ | ||
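Review bot: the new revision removes `set services flow-monitoring version9 template trisul_template flow-key flow-direction` with no visible replacement, while the setup notes say ingress/egress sampling is enabled and Step 4 configures both `sampling input` and `sampling output` on the interface; confirm whether a flow-direction key is still wanted under the new template, and since the other template lines and the second `flow-server` line are truncated in this view, the template-to-collector binding cannot be verified here and the section should show the complete lines.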
- | Attach sampler trisul_sampling to FPC | ||
+ | ===== Step 4: Enable each interface ===== | ||
+ | |||
+ | This samples directly on interface | ||
+ | |||
+ | |||
< | < | ||
- | set chassis fpc 0 sampling-instance trisul_sampling | + | set interfaces ge-0/0/0 unit 0 family inet sampling |
+ | set interfaces ge-0/0/0 unit 0 family inet sampling output | ||
</ | </ | ||
+ | ===== Default Flow table size ===== | ||
- | Create | + | By default MX has a very small flow table size of 1K, this can be observed by Trisul as a very slow netflow records / second rate. Go to " |
+ | |||
+ | Use the following command | ||
+ | |||
+ | <code bash> | ||
+ | set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 4 | ||
+ | set chassis fpc 0 inline-services flow-table-size ipv6-flow-table-size 1 | ||
- | < | ||
- | set firewall family inet filter sample term sample then count sampled | ||
- | set firewall family inet filter sample term sample then sample | ||
- | set firewall family inet filter sample term sample then accept | ||
- | set interfaces ge-0/0/0 unit 0 family inet filter input sample | ||
- | set interfaces ge-0/0/0 unit 0 family inet filter output sample | ||
</ | </ | ||
+ | |||
+ | |||
+ | The flow table is used by the FPC to do JFlow (Netflow), due to the low default limit of 1K, the table fills up quickly and most of the new flows are not able to be counted. This results in very low JFlow/ | ||
+ | |||
+ | You can also try to use flex-flow-sizing , this is supposed to automatically scale the flow table. But there are some reports online it does not work as expected on MX204 ((https:// | ||
+ | |||
+ | |||
+ | Perhaps at some point Juniper MX will release with sensible default for '' | ||
+ | |||
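Review bot: the `flow-table-size ipv4-flow-table-size 4` / `ipv6-flow-table-size 1` lines need their units stated next to the "1K default" sentence, because on Junos the value is a count of 256K-entry units rather than a size in K; the section should also say that changing this value can restart the FPC on many Junos releases, so the reader plans a maintenance window before committing it.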
+ | ====== Useful debugging ====== | ||
+ | |||
+ | |||
+ | Use the flow errors status commands | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | run show services accounting flow inline-jflow fpc-slot 0 | ||
+ | run show services accounting errors inline-jflow fpc-slot 0 | ||
+ | run show services accounting status inline-jflow fpc-slot 0 | ||
+ | </ | ||
+ | |||
+ | |||
+ | ====== References ====== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | |||
netflow/junipermx.1685530960.txt.gz · Last modified: 2023/05/31 16:32 by veera