Junos OS

  • 1.  Tuning jflow/netflow performance (my custom collector)

    Posted 05-22-2011 06:08

    Hello,


    As a part of my MSc thesis I have to implement my own jflow/netflow collector. I couldn't use any existing one, because it's all about some very specific processing of incoming data in real time. So far, my collector has been tested only against available software packet generators. Of course, finally the application will work with real hardware - about 3-4 Juniper routers. I have very serious concerns about the performance of my collector when it gathers packets in the real, production environment. I'd like to configure the routers in order to reduce the amount of UDP packets sent to the collector, but I still need to have complete information about network traffic on each logical router interface. (Currently, I am interested only in how many bytes have been uploaded/downloaded over a particular interface.) Every _one minute_, the application invokes a process that analyzes the gathered packets - this entails that every minute the collector must have complete statistics about the traffic observed in the last minute. Is there any smart trick I can use in the routers' configuration to force them to store as much information (flows) as possible on their side, while the collector still has complete information about traffic every minute?


    What do you think, how often do packets come to the collector when we consider a typical small LAN with approximately 3 routers? I think that my collector is able to handle the load when UDP packets come at a 5ms interval, but if this interval is smaller (4, 3, 2, 1, ...) it may drop some of them 😞


    Below is my current, basic configuration - could you please give me some hints on how to tune it to achieve what I was writing about?

     

    Any help is appreciated!

    Thank you in advance,

    Piotr

     

     

    lab@187# run show configuration interfaces ge-0/0/0   
    vlan-tagging;
    unit 0 {
        vlan-id 5;
        family inet {
            filter {
                input sample-in;
            }
            address 10.1.0.1/8;
        }
    }
    
    [edit]
    lab@187# run show configuration firewall 
    family inet {
        filter sample-in {
            term default {
                then {
                    sample;
                    accept;
                }
            }
        }
    }
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
    
    [edit]
    lab@187# run show configuration forwarding-options 
    sampling {
        input {
            rate 1;
        }
        family inet {
            output {
                flow-server 10.1.0.5 {
                    port 9995;
                    version 5;
                }
            }
        }
    }

     



  • 2.  RE: Tuning jflow/netflow performance (my custom collector)

    Posted 05-27-2011 04:26

    Hi Piotr,

     

    In short, not really.  Netflow is not stored on the router at all, so you can't really buffer flow packets.

     

    Is your thesis specific to Netflow, or are you just interested in bytes passed through the router(s) on a specific interface?  If it is the latter, simple SNMP querying of interface counters would probably be more appropriate and would be much better suited to your 1 minute sampling model.

     

    It is hard to give definitive measurements of how often flow records will be generated as it will vary from LAN to LAN, but remember you will only see 1 packet for every session that occurs, so if you use your 5ms example, that would be 200 sessions/second, which is a fairly large amount of traffic/users - obviously, divide that by the number of routers; even 65 sessions/second is a lot.

     

    Your configuration looks fine, but the firewall filter "all" isn't being used.

     

    Hope this helps



  • 3.  RE: Tuning jflow/netflow performance (my custom collector)

    Posted 05-28-2011 03:58

    Hi dfex, 

     

    Thank you very much for help. I really appreciate it.

     

    You said that I don't need the 'all' firewall filter. I thought (I am a Junos newbie) that I have to configure the 'all' filter as the last one on the filter list. Otherwise, packets which don't match the first (and only) filter will be dropped. Isn't that so?

     

    I tried to tune netflow configuration (Junos 10.4) using flow-inactive-timeout and flow-active-timeout in the following way:

     

    lab@j183# run show configuration forwarding-options 
    sampling {
        input {
            rate 1;
        }
        family inet {
            output {
                flow-inactive-timeout 15;
                flow-active-timeout 60;
                flow-server 10.1.0.5 {
                    port 2055;
                    version 5;
                }
            }
        }
    }

     (I set these parameters to the lowest possible values).

    Unfortunately, it doesn't help at all. I experimented with sending a ~54MB file between interfaces, and the flow packet arrived at my collector 30-40 seconds after the transfer had finished. So it doesn't fit my 1-minute sampling model at all (as you suggested). 

     

    I experimented with SNMP as you advised. There is the IF-MIB::ifInOctets (.1.3.6.1.2.1.2.2.1.10) MIB object available, and it gives me the value of bytes transferred. However, there is a serious issue for which I cannot find a workaround. 

     

    What I need, is amount of traffic transferred every one minute, for example:

    1st minute - 2922MB

    2nd minute - 192MB and so on...

     

    Most probably (as I googled), there is no other way to reset this counter than resetting the whole router.

    So every minute I would have to subtract the last counter value from the new counter value - and that would be the statistics for the last minute.

    It's fine; the worst thing is that this counter (possibly often) will reach the maximum value which can be stored in 32 bytes (probably it's version/router-dependent), and then I will be unable to compute the amount of transferred data within this minute. If I knew that the counter would be reset every time it reaches 2^31-1, it would be possible to compute the new value every time, but I suspect that it is router-dependent. 

     

    Could you please suggest a solution?

    Thank you very much

    Piotr



  • 4.  RE: Tuning jflow/netflow performance (my custom collector)
    Best Answer

    Posted 05-28-2011 22:33

    Piotr,

     

    I think you are getting confused between terms and filters - the "all" filter you have configured isn't applied anywhere, so it won't ever be used.  In your "sample-in" filter, you only have a single term with no conditions and it includes "then accept", so no traffic will be dropped. 

     

    When you are creating a firewall filter, often you need to have the last term as accept, but not a separate filter.  I hope that makes sense.

     

    With regards to your application, you're going about it in slightly the wrong way ; )

     

    The Netflow packet includes two timestamp fields, one from the start of the flow and one at the end.  You should use these fields to calculate what traffic passed in your 1 minute window, not the local collector's time.  This will not account for flows that start inside the first minute and end in the second minute (or later) though.

     

    With regards to the SNMP counters, you are correct, you don't reset the counter on the router; you use simple maths on the values you retrieve.

     

    Eg: Take a reading at 0 seconds and assign that as startValue; take another reading at 60 seconds and assign that as endValue; now for that minute, throughputValue = endValue - startValue.  Now make startValue = endValue and run another capture at 120 seconds - endValue will keep increasing, but startValue will be the value from the previous minute, so the difference will always be the throughput.

     

    The IF-MIB::ifInOctets is standard across routers and should always roll over at the same point.  The number is quite large though, so again simple logic in your application should check: if endValue < startValue, then the counter must have rolled, so subtract startValue from 2^31-1 and then add endValue.  The only condition this won't allow for is if the router restarts; you'll have one reading that is way out of bounds, but the next reading will be correct.

     

    If you want more information on this sort of thing, have a look at the source of an application like MRTG - it works using this exact method.
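    The timestamp approach dfex describes above (attribute bytes by the flow's own First/Last fields rather than by the collector's clock), worked through as an added Python example that is not part of this thread or of any Juniper software. It parses a NetFlow v5 export datagram using the standard 24-byte header and 48-byte record layout, converts the router-uptime timestamps to absolute time with the header's unix_secs/sys_uptime pair, and goes one step beyond dfex's note: a flow that straddles a minute boundary is split across the windows in proportion to the time it spent in each, which is my own generalization. The datagram is constructed inline for the demonstration (not captured from a router), and function names such as `parse_v5`, `bucket_octets` and `minute_report` are this example's own.

```python
"""Parse NetFlow v5 export datagrams and attribute each flow's octets to
one-minute windows using the flow's own First/Last timestamps (router
sysUptime in ms), not the time the collector received the datagram.
Added example; the sample datagram below is constructed, not captured."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 header (24 bytes) and flow record (48 bytes), network byte order.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def parse_v5(datagram):
    """Return (header_info, records) for one NetFlow v5 datagram."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, _engine_type, _engine_id, _sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: header announces %d records" % count)
    # Router boot time in Unix seconds = export timestamp - router uptime.
    boot = unix_secs + unix_nsecs / 1e9 - sys_uptime / 1000.0
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "octets": f[6],
            # First/Last are sysUptime values (ms) at the flow's first/last packet.
            "start": boot + f[7] / 1000.0,
            "end": boot + f[8] / 1000.0,
        })
    return {"unix_secs": unix_secs, "sys_uptime": sys_uptime,
            "sequence": flow_sequence}, records


def bucket_octets(records, bucket_secs=60):
    """Map (input ifIndex, window start) -> octets. A flow spanning several
    windows is split in proportion to the time it spent in each window."""
    buckets = defaultdict(int)
    for r in records:
        start, end, octets = r["start"], r["end"], r["octets"]
        if end <= start:
            # Single-packet (zero-length) flow: all bytes land in one window.
            buckets[(r["input_if"], int(start // bucket_secs) * bucket_secs)] += octets
            continue
        duration = end - start
        remaining = octets
        window = int(start // bucket_secs) * bucket_secs
        while window < end:
            if window + bucket_secs >= end:
                share = remaining          # last window takes the rounding remainder
            else:
                overlap = (window + bucket_secs) - max(start, window)
                share = int(octets * overlap / duration)
            buckets[(r["input_if"], window)] += share
            remaining -= share
            window += bucket_secs
    return dict(buckets)


def build_sample_datagram():
    """Constructed datagram: exported at Unix time 1306540800 with the router
    up for 3,600,000 ms, carrying two flows on input ifIndex 5."""
    unix_secs, uptime = 1306540800, 3600000
    header = struct.pack(HEADER_FMT, 5, 2, uptime, unix_secs, 0, 100, 0, 0, 0)

    def record(src, dst, in_if, octets, first, last):
        return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), in_if, 0, 10, octets, first, last,
                           40000, 80, 0, 0x18, 6, 0, 0, 0, 8, 8, 0)
    # Flow 1: 6000 octets from 90 s to 30 s before export (crosses a minute boundary).
    # Flow 2: 500 octets in a single packet 10 s before export.
    return (header + record("10.1.0.7", "10.2.0.9", 5, 6000, uptime - 90000, uptime - 30000)
            + record("10.1.0.8", "10.2.0.9", 5, 500, uptime - 10000, uptime - 10000))


def minute_report(datagram):
    """Parse one datagram and return the per-interface, per-minute octet table."""
    _header, records = parse_v5(datagram)
    return bucket_octets(records, 60)


if __name__ == "__main__":
    for (ifindex, window), octets in sorted(minute_report(build_sample_datagram()).items()):
        print("ifIndex %d  window starting %d  %d octets" % (ifindex, window, octets))
```

    On the constructed datagram, flow 1 contributes 3000 octets to each of the two minute windows it overlaps and flow 2 adds 500 to the later one. Records from a real collector socket would be fed to `parse_v5` one datagram at a time and merged into the same table; a window is only complete once the router's flow-active-timeout has elapsed past its end, which is the delay Piotr observed.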

     



  • 5.  RE: Tuning jflow/netflow performance (my custom collector)

    Posted 06-07-2011 00:01

    dfex,

     

    Thank you very much. I've implemented gathering statistics as you suggested and it seems that everything works fine.

     

    And yes, you were right, I was confused between terms and filters 🙂

     

    Thanks again,

    Piotr
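    The counter arithmetic dfex laid out in post 4 (sliding startValue/endValue, wrap detection, and the one out-of-bounds reading after a router restart), which Piotr says he implemented, as an added Python example that is neither Piotr's collector nor any vendor code. It assumes the standard IF-MIB types: ifInOctets is a Counter32 that wraps modulo 2^32 (RFC 2863), and ifHCInOctets the Counter64 variant, so the modulus is a parameter. Restarts are detected two ways, both my own additions to the thread's method: an optional plausibility bound on the per-interval delta (derived from the link speed), and an optional sysUpTime value that goes backwards. The readings below are constructed; `OctetCounterTracker` and `throughput_series` are this example's names.

```python
"""Per-interval throughput from a monotonically increasing SNMP octet counter
(IF-MIB::ifInOctets, .1.3.6.1.2.1.2.2.1.10) using the start/end subtraction
described in the thread, with counter wrap and router-restart handling.
Added example; the readings in __main__ are constructed, not polled."""

# ifInOctets is a Counter32 (RFC 2863): it wraps to 0 after 2^32 - 1.
COUNTER32_MODULUS = 2 ** 32
# ifHCInOctets (.1.3.6.1.2.1.31.1.1.1.6) is the Counter64 variant: same logic, larger modulus.
COUNTER64_MODULUS = 2 ** 64


class OctetCounterTracker:
    def __init__(self, modulus=COUNTER32_MODULUS, max_octets_per_interval=None):
        self.modulus = modulus
        # Plausibility bound, e.g. ifSpeed (bit/s) * poll interval (s) / 8. A delta
        # above it cannot be real traffic, so it is treated as a counter reset.
        self.max_octets = max_octets_per_interval
        self.start_value = None      # dfex's startValue, slid forward on every poll
        self.last_uptime = None      # sysUpTime (.1.3.6.1.2.1.1.3.0) from the previous poll

    def update(self, end_value, sys_uptime=None):
        """Feed one poll; return octets since the previous poll, or None when the
        interval cannot be trusted (first poll, or a detected restart)."""
        restarted = (sys_uptime is not None and self.last_uptime is not None
                     and sys_uptime < self.last_uptime)   # uptime went backwards
        self.last_uptime = sys_uptime
        previous, self.start_value = self.start_value, end_value   # slide the window
        if previous is None or restarted:
            return None
        # Modular subtraction covers end_value < previous (the counter wrapped):
        # (end - start) mod 2^32 == (2^32 - start) + end, dfex's roll-over case.
        delta = (end_value - previous) % self.modulus
        if self.max_octets is not None and delta > self.max_octets:
            return None              # implausibly large: a reset, not a wrap
        return delta


def throughput_series(readings, modulus=COUNTER32_MODULUS, max_octets_per_interval=None):
    """Apply the tracker to successive counter readings; None marks unusable intervals."""
    tracker = OctetCounterTracker(modulus, max_octets_per_interval)
    return [tracker.update(value) for value in readings]


if __name__ == "__main__":
    # Constructed readings for a 100 Mbit/s link polled every 60 s.
    bound = 100 * 10 ** 6 * 60 // 8          # 750,000,000 octets per interval at most
    print("wrap:   ", throughput_series([2 ** 32 - 6, 10, 2010], max_octets_per_interval=bound))
    print("restart:", throughput_series([500000000, 1000, 2000], max_octets_per_interval=bound))
```

    The wrap case yields 16 octets for the interval in which the counter passed zero, and the restart case drops exactly one interval before reporting normally again, which is the behaviour dfex described. On links faster than a few hundred Mbit/s a Counter32 can wrap more than once per minute, at which point no arithmetic can recover the delta; polling ifHCInOctets with `COUNTER64_MODULUS` is the standard fix.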