
IPFIX Sampling via Firewall Filter vs. IPFIX Sampling via Interface - Is there any difference?

‎01-17-2017 07:29 AM

Hello,

 

I have configured IPFIX on my MX960 via this guide:

https://www.juniper.net/techpubs/en_US/junos15.1/topics/task/configuration/services-ipfix-flow-templ...

 

And I have a question:

What is the difference between "applying" sampling to an interface and sampling via a firewall filter and then applying that filter to an interface?

Example:

 

set interfaces ae0 unit 0 family inet sampling input
set interfaces ae0 unit 0 family inet sampling output

vs.

 

set firewall family inet filter SAMPLE-ALL term 1 then sample
set firewall family inet filter SAMPLE-ALL term 1 then accept
set interfaces ae0 unit 0 family inet filter input SAMPLE-ALL
set interfaces ae0 unit 0 family inet filter output SAMPLE-ALL

Is there any difference between those two configurations?

 

The official docs state the following:

https://www.juniper.net/techpubs/en_US/junos14.2/topics/usage-guidelines/services-configuring-traffi...

 

  • On the Routing Engine, using the sampled process. To select this method, use a filter (input or output) with a matching term that contains the then sample statement.
  • On the Monitoring Services, Adaptive Services, or Multiservices PIC.
  • On an inline data path without the need for a services Dense Port Concentrator (DPC). To do this inline active sampling, you define a sampling instance with specific properties. One Flexible PIC Concentrator (FPC) can support only one instance; for each instance, either services PIC-based sampling or inline sampling is supported per family. Inline sampling supports version 9 and IPFIX flow collection templates.

 

However, this explanation does not make any sense to me since in both cases ("firewall filter" and "family inet sampling") the sampled process on my routing engine seems to be very active.

Solution
Accepted by topic author ka_ge
‎01-18-2017 05:36 AM

Re: IPFIX Sampling via Firewall Filter vs. IPFIX Sampling via Interface - Is there any difference?

‎01-17-2017 06:27 PM

Hi,

 

There is no difference between the two configurations that you have shown below. The usage of the two configurations differs:

 

1. For example, if you want to sample every family inet packet on the interface, you can just use "family inet sampling input/output" on the interface. It will mark every packet for sampling irrespective of the flow.

 

2. If you want to sample only a specific type of IP traffic, for example, traffic coming from a specific source IP or from a specific destination IP, you can create a customized firewall filter and match that specific traffic type for sampling.

 

Hope this helps.

 

If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!

 

Thanks

--------------------------------------------------------------------------------------------------------
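The selective case from point 2 of the reply, as an added example that is not part of the original thread: a filter that samples only traffic from one source prefix and forwards everything else unsampled. The filter name SAMPLE-SRC, the term and counter names, and the prefix 192.0.2.0/24 are constructed placeholders, and the sampling instance from the guide linked in the question is assumed to be configured already.

```junos
# Term 1: mark only packets from the chosen source prefix for sampling.
# "count" adds a counter so the match can be verified independently
# of the flow collector.
set firewall family inet filter SAMPLE-SRC term sample-src from source-address 192.0.2.0/24
set firewall family inet filter SAMPLE-SRC term sample-src then count sampled-src
set firewall family inet filter SAMPLE-SRC term sample-src then sample
set firewall family inet filter SAMPLE-SRC term sample-src then accept

# Term 2: forward all remaining traffic without sampling it.
# Without this term the filter's implicit final discard would drop
# every packet that did not match term 1.
set firewall family inet filter SAMPLE-SRC term everything-else then accept

# Apply the filter on ingress instead of "family inet sampling input".
set interfaces ae0 unit 0 family inet filter input SAMPLE-SRC
```

After committing, `show firewall filter SAMPLE-SRC` displays the sampled-src counter, which should increase only for packets from the matched prefix.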