Routing

last person joined: 4 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

  • 1.  J-Flow on MX104

    Posted 03-23-2015 04:12

    Hi guys,

     

    I am trying to get a basic J-Flow configuration working on an MX104.

     

    set firewall family inet filter sample-in term default then sample
    set firewall family inet filter sample-in term default then accept

    set interfaces ae0 unit 10 family inet filter input sample-in

    set forwarding-options sampling input family inet rate 1
    set forwarding-options sampling output flow-server 192.168.0.11 port 2055
    set forwarding-options sampling output flow-server 192.168.0.11 version 5

    commit

     

    [edit firewall family inet filter sample-in term default then]
    'sample'
    Requires forwarding-options sampling or packet-capture config
    error: configuration check-out failed: (statements constraint check failed)

     

    Can anyone see what is causing the problem?

     

    Thanks



  • 2.  RE: J-Flow on MX104

     
    Posted 03-23-2015 04:40

    I would suggest you use inline-jflow, especially with the MX104:

     

    http://www.juniper.net/documentation/en_US/junos14.2/topics/task/configuration/inline-flow-monitoring.html

     

    Inline services are hardware-based and do not rely on the RE for processing, which is a good thing, as it can do "line-rate" sampling.

     



  • 3.  RE: J-Flow on MX104

    Posted 03-23-2015 05:05

    Am I right in thinking the collector must support IPFIX for inline-jflow?

     

    My collector only supports the older J-Flow 5.

     

    Can I use "legacy" J-Flow on the MX?

     

    Thanks



  • 4.  RE: J-Flow on MX104

     
    Posted 03-23-2015 05:24

    To be quite honest, I'm not sure if the inline-jflow supports version 5 flow records, but I tend to agree with you.  If someone could 100% confirm, that would be great.

     

    As for your question about how to enable the RE-based sampling, it looks to me like you have the minimum config in there, as this is what's in some of our MXes:

     

    set forwarding-options sampling sample-once
    set forwarding-options sampling input rate 1
    set forwarding-options sampling input max-packets-per-second 7000
    set forwarding-options sampling family inet output flow-inactive-timeout 60
    set forwarding-options sampling family inet output flow-active-timeout 60
    set forwarding-options sampling family inet output flow-server x.x.x.x port 2055
    set forwarding-options sampling family inet output flow-server x.x.x.x source-address y.y.y.y
    set forwarding-options sampling family inet output flow-server x.x.x.x version 5

     

    And we're doing firewall filter sampling on the devices with this configuration, as opposed to interface-based sampling.  Unfortunately, I don't have access to an MX104 to test out your config.  



  • 5.  RE: J-Flow on MX104

    Posted 03-23-2015 09:46

    Thanks for that. The RE-based config you provided is working fine.

     

    I did try an inline-jflow example but got a strange error…

     

    set chassis fpc 0 sampling-instance SAMPLING
    set chassis fpc 0 inline-services flow-table-size ipv4-flow-table-size 8

    set services flow-monitoring version-ipfix template TEMPLATEv4 flow-active-timeout 150
    set services flow-monitoring version-ipfix template TEMPLATEv4 flow-inactive-timeout 100
    set services flow-monitoring version-ipfix template TEMPLATEv4 template-refresh-rate seconds 10
    set services flow-monitoring version-ipfix template TEMPLATEv4 option-refresh-rate seconds 10
    set services flow-monitoring version-ipfix template TEMPLATEv4 ipv4-template

    set forwarding-options sampling instance SAMPLING input rate 1
    set forwarding-options sampling instance SAMPLING family inet output flow-server x.x.x.x port 2055
    set forwarding-options sampling instance SAMPLING family inet output flow-server x.x.x.x version-ipfix template TEMPLATEv4
    set forwarding-options sampling instance SAMPLING family inet output inline-jflow source-address y.y.y.y

     

    commit

     

    [edit chassis fpc 0]
    'sampling-instance SAMPLING'
    Associate sampling instance with afeb
    error: configuration check-out failed

     

    Any suggestions? Thanks



  • 6.  RE: J-Flow on MX104

     
    Posted 03-23-2015 09:49

    For MX80 and MX104, you have to associate the instance with the TFEB, not an FPC:

     

    set chassis tfeb slot 0 sampling-instance <instance-name>

     

    Keep in mind that setting the flow-table-size will cause the TFEB (or FPC in MX240 and above) to reboot.



  • 7.  RE: J-Flow on MX104

    Posted 03-23-2015 10:15

    It seems tfeb is not an option on the MX104.

     

    I did try:

     

    set chassis afeb slot 0 sampling-instance SAMPLING
    set chassis afeb slot 0 inline-services flow-table-size ipv4-flow-table-size 7

     

    It has now saved the configuration but no packets arriving at collector 😞



  • 8.  RE: J-Flow on MX104

     
    Posted 03-23-2015 10:38

    Shows you how much I know about the MX104...

     

    You might want to try using the interface-based sampling rather than filter-based to see if that helps:

     

    set interfaces <interface> unit 0 family inet sampling input

     

     



  • 9.  RE: J-Flow on MX104

    Posted 03-28-2015 16:08

    I found the answer here:

     

    http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/inline-flow-monitoring.html

     

    “Flow records and templates cannot be exported if the flow collector is reachable through any management interface.”

     

    My flow collector was reachable via fxp0 which is fine for RE-based sampling but is not supported with inline-jflow.