IPFIX configuration QFX10K

‎06-19-2019 04:27 AM

Hi,

I've tried using a few variants of the IPFIX template found here:
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/services-ipfix-flow-temp...

Guide is quite bad imho; the flow collector (Elasticsearch) doesn't receive any packets, verified with tcpdump.

This is the configuration I have right now, any tips on how to get it working?


Template:
set chassis fpc 0 sampling-instance IPFIX-INSTANCE
set services flow-monitoring version-ipfix template IPFIX-TEMPLATE template-refresh-rate seconds 15
set services flow-monitoring version-ipfix template IPFIX-TEMPLATE option-refresh-rate seconds 25
set services flow-monitoring version-ipfix template IPFIX-TEMPLATE ipv4-template

Instance:
set forwarding-options sampling instance IPFIX-INSTANCE input rate 10
set forwarding-options sampling instance IPFIX-INSTANCE input run-length 0
set forwarding-options sampling instance IPFIX-INSTANCE family inet output flow-server 192.168.16.78 port 4739
set forwarding-options sampling instance IPFIX-INSTANCE family inet output flow-server 192.168.16.78 source-address 192.168.16.75
set forwarding-options sampling instance IPFIX-INSTANCE family inet output flow-server 192.168.16.78 version-ipfix template IPFIX-TEMPLATE
set forwarding-options sampling instance IPFIX-INSTANCE family inet output inline-jflow source-address 192.168.16.75


This is the IRB that is supposed to source the FLOW export to the collector:
set routing-instances FLOW type virtual-router
set routing-instances FLOW interface irb.1022
set interfaces irb unit 1022 description FLOW
set interfaces irb unit 1022 family inet address 192.168.16.75/29 arp 192.168.16.74 l2-interface ae0.0
set interfaces irb unit 1022 family inet address 192.168.16.75/29 arp 192.168.16.74 mac 44:ec:ce:a9:27:08
set interfaces irb unit 1022 family inet address 192.168.16.75/29 vrrp-group 1 virtual-address 192.168.16.73
set interfaces irb unit 1022 family inet address 192.168.16.75/29 vrrp-group 1 priority 120
set interfaces irb unit 1022 family inet address 192.168.16.75/29 vrrp-group 1 accept-data
set interfaces irb unit 1022 family inet address 192.168.16.75/29 vrrp-group 1 authentication-type md5
set interfaces irb unit 1022 family inet address 192.168.16.75/29 vrrp-group 1 authentication-key "**SECRET**"

 

I tried adding "sampling commands" to a few busy IRBs (don't know if this is needed when chassis fpc 0 is set in instance):
set routing-instances Transit type virtual-router
set routing-instances Transit interface irb.3000
set interfaces irb unit 3000 family inet sampling input
set interfaces irb unit 3000 family inet sampling output
set interfaces irb unit 3000 family inet address 10.0.0.5/29 vrrp-group 1 virtual-address 10.0.0.6
set interfaces irb unit 3000 family inet address 10.0.0.5/29 vrrp-group 1 priority 120
set interfaces irb unit 3000 family inet address 10.0.0.5/29 vrrp-group 1 accept-data
set interfaces irb unit 3000 family inet address 10.0.0.5/29 vrrp-group 1 authentication-type md5
set interfaces irb unit 3000 family inet address 10.0.0.5/29 vrrp-group 1 authentication-key "**SECRET**"

set routing-instances Infra type virtual-router
set routing-instances Infra interface irb.3010
set interfaces irb unit 3010 description Infra-LINKNET
set interfaces irb unit 3010 family inet sampling input
set interfaces irb unit 3010 family inet sampling output
set interfaces irb unit 3010 family inet address 10.0.0.85/29 vrrp-group 1 virtual-address 10.0.0.86
set interfaces irb unit 3010 family inet address 10.0.0.85/29 vrrp-group 1 priority 120
set interfaces irb unit 3010 family inet address 10.0.0.85/29 vrrp-group 1 accept-data
set interfaces irb unit 3010 family inet address 10.0.0.85/29 vrrp-group 1 authentication-type md5
set interfaces irb unit 3010 family inet address 10.0.0.85/29 vrrp-group 1 authentication-key "**SECRET**"


In addition, there are working VLANs and AE interfaces connecting the IRB configurations to the interface configuration (omitted).


Re: IPFIX configuration QFX10K

‎06-19-2019 04:41 AM

show services accounting flow inline-jflow fpc-slot 0
Flow information
FPC Slot: 0
Flow Packets: 0, Flow Bytes: 0
Active Flows: 0, Total Flows: 0
Flows Exported: 0, Flow Packets Exported: 1772
Flows Inactive Timed Out: 0, Flows Active Timed Out: 0

IPv4 Flows:
IPv4 Flow Packets: 0, IPv4 Flow Bytes: 0
IPv4 Active Flows: 0, IPv4 Total Flows: 0
IPv4 Flows Exported: 0
IPv4 Flows Inactive Timed Out: 0, IPv4 Flows Active Timed Out: 0

IPv6 Flows:
IPv6 Flow Packets: 0, IPv6 Flow Bytes: 0
IPv6 Active Flows: 0, IPv6 Total Flows: 0
IPv6 Flows Exported: 0
IPv6 Flows Inactive Timed Out: 0, IPv6 Flows Active Timed Out: 0
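
An added example, not part of the posts above: a collector-side check that parses the IPFIX message and set headers defined in RFC 7011, so that a datagram captured on the flow-server port can be classified as carrying template sets only or data sets as well. The function names and the sample datagrams are constructed for illustration.

```python
import struct

IPFIX_VERSION = 10                  # RFC 7011 message header version
HEADER = struct.Struct("!HHIII")    # version, length, export time, sequence, domain
SET_HEADER = struct.Struct("!HH")   # set ID, set length (header included)

def classify_ipfix(datagram: bytes) -> dict:
    """Count template, options-template and data sets in one IPFIX message."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 16-byte IPFIX message header")
    version, length, _export_time, _sequence, domain = HEADER.unpack_from(datagram)
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX: version field is {version}")
    if length < HEADER.size or length > len(datagram):
        raise ValueError("message length field disagrees with datagram size")
    counts = {"template": 0, "options_template": 0, "data": 0, "domain": domain}
    offset = HEADER.size
    while offset < length:
        if offset + SET_HEADER.size > length:
            raise ValueError("trailing bytes too short for a set header")
        set_id, set_len = SET_HEADER.unpack_from(datagram, offset)
        if set_len < SET_HEADER.size or offset + set_len > length:
            raise ValueError(f"bad set length {set_len} at offset {offset}")
        if set_id == 2:
            counts["template"] += 1
        elif set_id == 3:
            counts["options_template"] += 1
        elif set_id >= 256:
            counts["data"] += 1       # data set: its ID is the template ID it uses
        else:
            raise ValueError(f"reserved set ID {set_id}")
        offset += set_len
    return counts

def build_message(*sets: bytes) -> bytes:
    """Wrap constructed sets in an IPFIX header (observation domain 1)."""
    body = b"".join(sets)
    return HEADER.pack(IPFIX_VERSION, HEADER.size + len(body), 0, 0, 1) + body

# Constructed samples: template 256 with sourceIPv4Address (IE 8) and
# destinationIPv4Address (IE 12), then one data record that uses it.
TEMPLATE_SET = struct.pack("!HHHHHHHH", 2, 16, 256, 2, 8, 4, 12, 4)
DATA_SET = struct.pack("!HH4s4s", 256, 12, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 6]))

if __name__ == "__main__":
    print(classify_ipfix(build_message(TEMPLATE_SET)))
    print(classify_ipfix(build_message(TEMPLATE_SET, DATA_SET)))
```

On a collector, pass each UDP payload received on the configured flow-server port (4739 in the configuration above) to `classify_ipfix`; a stream with templates and no data sets means the exporter is reachable but is not producing flow records.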


Re: IPFIX configuration QFX10K

‎06-19-2019 05:07 AM

Hello,

What is the JUNOS version? 

Jflow IPFIX is supported from 17.4R1 (QFX10002)/R2 (8/16) on Ethernet interfaces

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-not...

BUT - Jflow IPFIX support on IRB is a JUNOS roadmap item. Please contact Your nearest friendly Juniper Systems Engineer for dates.

HTH

Thx

Alex

 

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: IPFIX configuration QFX10K

‎06-19-2019 05:11 AM

Thanks aarseniev!

What are my best options on 17.3R3-S3.3 (other than JFlow IPFIX)?

I either need to sample from the IRBs or from physical interfaces + AEs with family ethernet-switching.


Re: IPFIX configuration QFX10K

‎06-19-2019 05:56 AM

Hello,

Sflow is supported on QFX10K since 15.1X53

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/qfx-series/...

Page 64

HTH

Thx
Alex