Routing
Highlighted
Routing

JFlow, SFlow, Cflow Confusion on J-series Router

‎09-11-2009 09:40 AM

Hi,

 

we have some J series routers with JFlow licenses installed.  We configured :

 

show forwarding-options
sampling {
    input {
        family inet {
            rate 100;
        }
    }
    output {
        cflowd 172.20.20.17 {
            port 6343;
            source-address 10.162.5.1;
            version 5;
        }
        aggregate-export-interval 90;
    }
}

 

 

However, this seems to provide SFlow sampling and the router shows the JFlow license as unused.  What is the configuration to get JFlow running vs SFlow sampling or are they one in the same now?

 

Steven Naslund

Chicago IL

15 REPLIES 15
Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-11-2009 10:46 AM

Hi,

 

which sotware version is running on this device? From 9.5 you do not need a license or NetFlow (which is the same as J-Flow).  That is probably the reason why license is shown as inactive. NetFlow should work without any problems in this case. However you should either conigure "sampling" under interface hierarchie or write firewall filter with "then sample" and bind it to the interface.

 

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it. 

 

Kind Regards

Michael Pergament

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-11-2009 11:50 AM

We do have the filter on the interface to sample the traffic.  The question is that the configuration we provided seems to only deliver sampled (SFlow) traffic.  This is not the same as NetFlow which provides a more complete picture of the traffic flow.  The question is how is JFlow configured on the J series router.

 

Steven Naslund

Chicago IL

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-11-2009 12:00 PM
Hi,

J-series supports NetFlow only. No sFlow. Which collector are you using and why do you think that j-series sends sFlow?

Thanks!

Kind Regards
Michael Pergament
Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-11-2009 01:14 PM

It was our understanding that SFlow is sampled flow data as evidenced by the fact that the sampling is set to 100 meaning that 1 packet per hundred is forwarded to the flow collector.  JFlow or Netflow we thought was full flow analysis not just a traffic sample. 

 

We know that what we are getting is only a 1/100th sample of the actual data since our Scrutinizer server is showing 1/100th of the interface traffic which is what we would expect.  Our experience with Netflow is that is provides ALL of the flow data in an aggregated format and in that case the Scrutinizer server agrees with SNMP bandwidth data and shows 100 percent of all flows.

 

I would have to put a network analyzer inline to sample the data packet from the router to the netflow server but from the data collected, it sure looks a lot more like sflow than netflow.

 

Steven Naslund

Chicago IL

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-12-2009 01:41 AM

Hi,

 

sampling rate is independent (and configurable) from NetFlow or sFLow. sFlow is normally implemented on switches as it also reports on non-IP traffic which is not the case for NetFlow. Once again on J-series we implement NetFlow v5 or v8 which can be easily prooved with any NetFlow collector. Check also this articles:

 

http://www.networkworld.com/community/node/23739

http://goliath.ecnext.com/coms2/gi_0198-398729/Network-monitoring-NetFlow-vs-sFlow.html

 

Kind Regards

Michael Pergament 

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-14-2009 08:32 AM

You are correct.  The first article you provide talks about the fact that Netflow aggregates the packet data where SFlow sends samples.  In the configuration above, the router is sending a sample of one packet per hundred to the monitoring server.  Hence, this is an Sflow operation.  The question is how is aggregation of NetFlow configured on a J-series router.  All of the online examples we are seeing involve other router series with dedicated monitoring PICs. 

 

Our netflow collector can do Sflow or Netflow and shows the traffic to be 1 / 100th of the actual traffic which is what we would expect with the sampling configuration we have.   

 

 

Can someone provide an example of a J-series router providing complete Netflow data for an interface?

 

Steven Naslund

Chicago IL

 

 

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-14-2009 09:04 AM

I think we are confused here.  What we are trying to do is get the netflow data on ALL the flows through our interfaces.  All of the configuration we can find seem to be tied to sampling 1/100th or so of the interface traffic.  Does anyone have a J-series configuration that does this?  Everything we look at seems to be for other platforms with dedicated PICs for monitoring.

 

Steven Naslund

Chicago IL

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-14-2009 09:29 AM

Hi,

 

J-series does not have dedicated hardware (as M, MX or T-series) for NetFlow. Everything is done by the same CPU which does control plane and forwarding plane. Due to this fact it is not possible to get every packet for NetFlow processing without having large forwarding performance (>>50%) degradation.. Your configuration is just fine. You could also configure sampling rate < than 100 but in this case you would experience higher forwarding performance degradation than if you sample one out of 100 packets.

 

If you need to sample every interface then you just apply "sampling" statement under each interface.

 

Kind Regards

Michael Pergament

 

 

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-14-2009 09:54 AM

Understood, that is the issue we came up with as well.  The problem is that not a lot of Netflow monitoring tools know how to interpret the data if they are only seeing a sampling on the flows instead of complete data.  This makes them super inaccurate especially if you have lots of short lived flows.  An issue we are troubleshooting right now is suspected by the JTAC of being lots of short lived, small packet flows which is exactly the sort of thing that sampled netflow will not pick up.  We are running a higher rate of sampling for now to try to collect the data they want but can't run this all the time.  Unfortunately there is no kind of external probe that can pick data of a multilink PPP interface or anything like it.

 

Steven Naslund

Chicago IL

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎09-20-2009 02:40 AM

HI,

 

Which Free program do you recomend to use for NetFlow view?

 

I try SolarWinds and work  Ok, so any other free tool that should I try?

 

Any suggestions.

 

Cheers,

Miha

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎10-11-2009 04:20 PM

You are missing the below command

 

forwarding-options {
    sampling {     
        input {    
            family inet {
                rate 1000;
                run-length 0;
                max-packets-per-second 1000;
            }      

 

 

Make sure you enable sampling both output and input on the interface you are applying this too.You can define the "rate" and "max-packets-per-second" you want to run but pay close attention to run-length 0.Best bed leave it at "0"

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎03-08-2010 06:33 PM

Did you ever get an answer to this?  I want to get a very actuate tally of the network traffic that is moving through the interface on the J series, by ip, ASN etc. 

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎03-23-2010 08:02 AM

Miha, you might want to give Scrutinizer a try.  It is an excellent tool for NetFlow.

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎02-08-2011 11:54 AM

Steven,

 

Where you able to figure this out ? If so, what turned out to be the resolution. I am experiencing the same issue with sFLOW on a J2350 router. I have the sampling rate set fro 1, but it doesn't seem to be getting every packet sampled at on the collector side. If I check utilization on the interface in question using SNMP, there is a large disparity between SNMP and the J-flow gather utilization. The jFLOW statistics seems to be half of what we see using SNMP. The configuration I am using is almost identical to what was posted in previous posts.

 

I am waiting on JTAC to provide me with an answer, but that doesn't seem to be happening anytime soon. I was hoping you could share the resolution to your post.

 

Thanks,

Jaime

Highlighted
Routing

Re: JFlow, SFlow, Cflow Confusion on J-series Router

‎03-03-2017 01:23 PM

Any Response to this chain ??  

I am having a similar issue with the J series router  useing Junos 9.3 ... i am unable to collect the data on Solarwinds NTA... 

thanks, 

Feedback