Re: [j-nsp] Netflow / JFlow questions
It's not possible on an M... It's one or the other, IPv4 or MPLS...

http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/configuring-active-flow-monitoring-using-version-9.html

You can define a version 9 flow record template suitable for IPv4 traffic, MPLS traffic, or a combination of the two. However, you can sample packets from only one type of family (inet or mpls) at the same time.

> From: Chris Evans chrisccnpsp...@gmail.com
> To: juniper-nsp@puck.nether.net
> Sent: Tue, August 31, 2010 8:01:44 PM
> Subject: [j-nsp] Netflow / JFlow questions
>
> Have a few questions for some folks who have implemented JFlow.. I have a working jflow setup with basic ipv4 and ingress collection on a m7i with a services pic and also on a MX platform with the MS-DPC blade.
>
> #1 - Is egress netflow supported? It appears that only ingress is supported.
>
> #2 - Why do all examples that I can find say to use a firewall filter to sample traffic, I have successfully used the 'set interface xx-x/x/x unit xx family inet sample' command. This appears to be the new way of doing it.
>
> #3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces within the VRF. As it appears the device can only do ingress netflow I also need to sample the mpls interface. Does anyone have an example of how to gather netflow stats from both the vrf and mpls pe p interfaces?
>
> Thanks
> Chris

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Netflow / JFlow questions
Stefan,

I tried to implement egress jflow but didn't get any exports and Brian states it's not supported. I honestly believe it's going to come down to an architecture limitation with the Juniper devices. As frames have to be sampled/marked so that the PFE will copy them to a services interface, I doubt that egress can be sampled due to the frame flow in the device. I believe with the TRIO chipset Juniper finally got a clue and started to put these services inline within the ASIC, which other vendors have done for years now. The ASIC can now handle these services and provide the full feature set that I would expect from a device of this class. Hopefully if what I read is true, then it means we don't need these PICS for services, tunnel interfaces, etc.. anymore.

As for the filter or sample command, I personally REALLY dislike how Juniper implements filters to be used for services. IMHO filters should be for filtering traffic only, not to integrate services. My main concern is human error. If I have a firewall filter in place to deny traffic and someone goes in and modifies the filter to insert port-monitoring, sampling, etc.. there are chances that they will screw the change up, which could cause a partial or even full outage. This is why I prefer the 'sample' command as it's a separate configuration point to introduce services.

I'm working with the SE in the background on this, unfortunately it takes forever to get an answer sometimes..

Thanks guys!
Chris

On Wed, Sep 1, 2010 at 5:02 AM, Brian Spade bitkr...@gmail.com wrote:

> Hi,
>
> On Tue, Aug 31, 2010 at 6:01 PM, Chris Evans chrisccnpsp...@gmail.com wrote:
>
> > Have a few questions for some folks who have implemented JFlow.. I have a working jflow setup with basic ipv4 and ingress collection on a m7i with a services pic and also on a MX platform with the MS-DPC blade.
> >
> > #1 - Is egress netflow supported? It appears that only ingress is supported.
>
> No, but I know Juniper has this as an enhancement request.
>
> > #2 - Why do all examples that I can find say to use a firewall filter to sample traffic, I have successfully used the 'set interface xx-x/x/x unit xx family inet sample' command. This appears to be the new way of doing it.
>
> Either way will work fine.
>
> > #3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces within the VRF. As it appears the device can only do ingress netflow I also need to sample the mpls interface. Does anyone have an example of how to gather netflow stats from both the vrf and mpls pe p interfaces?
>
> Not sure, maybe someone else can answer.
>
> /bs
Re: [j-nsp] Netflow / JFlow questions
Hi,

On Tue, Aug 31, 2010 at 6:01 PM, Chris Evans chrisccnpsp...@gmail.com wrote:

> Have a few questions for some folks who have implemented JFlow.. I have a working jflow setup with basic ipv4 and ingress collection on a m7i with a services pic and also on a MX platform with the MS-DPC blade.
>
> #1 - Is egress netflow supported? It appears that only ingress is supported.

No, but I know Juniper has this as an enhancement request.

> #2 - Why do all examples that I can find say to use a firewall filter to sample traffic, I have successfully used the 'set interface xx-x/x/x unit xx family inet sample' command. This appears to be the new way of doing it.

Either way will work fine.

> #3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces within the VRF. As it appears the device can only do ingress netflow I also need to sample the mpls interface. Does anyone have an example of how to gather netflow stats from both the vrf and mpls pe p interfaces?

Not sure, maybe someone else can answer.

/bs
Re: [j-nsp] Netflow / JFlow questions
Hrm.. That documentation is very wishy/washy, like usual. ARGH so frustrating to always deal with Juniper vague documentation..

If I can configure both templates, then what does it exactly mean that I cannot sample at the same time? Is it documented anywhere that the M cannot do what I'm asking?? I'm guessing the answer is no?

On Tue, Aug 31, 2010 at 10:33 PM, Derick Winkworth dwinkwo...@att.net wrote:

> It's not possible on an M... It's one or the other, IPv4 or MPLS...
>
> http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/configuring-active-flow-monitoring-using-version-9.html
>
> You can define a version 9 flow record template suitable for IPv4 traffic, MPLS traffic, or a combination of the two. However, you can sample packets from only one type of family (inet or mpls) at the same time.
>
> > From: Chris Evans chrisccnpsp...@gmail.com
> > To: juniper-nsp@puck.nether.net
> > Sent: Tue, August 31, 2010 8:01:44 PM
> > Subject: [j-nsp] Netflow / JFlow questions
> >
> > Have a few questions for some folks who have implemented JFlow.. I have a working jflow setup with basic ipv4 and ingress collection on a m7i with a services pic and also on a MX platform with the MS-DPC blade.
> >
> > #1 - Is egress netflow supported? It appears that only ingress is supported.
> >
> > #2 - Why do all examples that I can find say to use a firewall filter to sample traffic, I have successfully used the 'set interface xx-x/x/x unit xx family inet sample' command. This appears to be the new way of doing it.
> >
> > #3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces within the VRF. As it appears the device can only do ingress netflow I also need to sample the mpls interface. Does anyone have an example of how to gather netflow stats from both the vrf and mpls pe p interfaces?
> >
> > Thanks
> > Chris
Re: [j-nsp] Netflow / JFlow questions
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Chris Evans
> Sent: Tuesday, August 31, 2010 9:02 PM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] Netflow / JFlow questions
>
> Have a few questions for some folks who have implemented JFlow.. I have a working jflow setup with basic ipv4 and ingress collection on a m7i with a services pic and also on a MX platform with the MS-DPC blade.
>
> #1 - Is egress netflow supported? It appears that only ingress is supported.

Yes, egress netflow is supported - it's either a factor of turning on an output firewall filter with an action of 'then sample' or enabling sampling on output on the interface.

> #2 - Why do all examples that I can find say to use a firewall filter to sample traffic, I have successfully used the 'set interface xx-x/x/x unit xx family inet sample' command. This appears to be the new way of doing it.

Enabling sampling on the interface is not the new way of doing it. It's been supported either way for quite some time; which one to choose really depends on your needs. For many environments that only need to monitor certain applications, I typically suggest enabling sampling within a firewall filter because this really enables the sampling to scale. On the other hand, for those customer environments that want to look at everything I would generally suggest enabling sampling on the interface.

> #3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces within the VRF. As it appears the device can only do ingress netflow I also need to sample the mpls interface. Does anyone have an example of how to gather netflow stats from both the vrf and mpls pe p interfaces?

Again, you can do egress netflow so you shouldn't need to do the above. But if you did want to monitor an MPLS enabled interface, you are going to probably need Netflow v9 coupled with a customized template for sampling.

HTHs.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
Re: [j-nsp] Netflow / JFlow questions
You can configure a single template to export either IPv4 or MPLS flow data with. However, when you actually configure sampling to send packets to the service-pic (or ms-dpc), you can not simultaneously sample and send both mpls and ipv4 packets to the pic/dpc.

So it's either or. Either you are sampling on the CE/VRF side (IPv4) or the core side (MPLS).

> From: Chris Evans chrisccnpsp...@gmail.com
> To: Derick Winkworth dwinkwo...@att.net
> Cc: juniper-nsp@puck.nether.net
> Sent: Wed, September 1, 2010 8:48:53 AM
> Subject: Re: [j-nsp] Netflow / JFlow questions
>
> Hrm.. That documentation is very wishy/washy, like usual. ARGH so frustrating to always deal with Juniper vague documentation..
>
> If I can configure both templates, then what does it exactly mean that I cannot sample at the same time? Is it documented anywhere that the M cannot do what I'm asking?? I'm guessing the answer is no?
>
> On Tue, Aug 31, 2010 at 10:33 PM, Derick Winkworth dwinkwo...@att.net wrote:
>
> > It's not possible on an M... It's one or the other, IPv4 or MPLS...
> >
> > http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/configuring-active-flow-monitoring-using-version-9.html
> >
> > You can define a version 9 flow record template suitable for IPv4 traffic, MPLS traffic, or a combination of the two. However, you can sample packets from only one type of family (inet or mpls) at the same time.
> >
> > > From: Chris Evans chrisccnpsp...@gmail.com
> > > To: juniper-nsp@puck.nether.net
> > > Sent: Tue, August 31, 2010 8:01:44 PM
> > > Subject: [j-nsp] Netflow / JFlow questions
> > >
> > > Have a few questions for some folks who have implemented JFlow.. I have a working jflow setup with basic ipv4 and ingress collection on a m7i with a services pic and also on a MX platform with the MS-DPC blade.
> > >
> > > #1 - Is egress netflow supported? It appears that only ingress is supported.
> > >
> > > #2 - Why do all examples that I can find say to use a firewall filter to sample traffic, I have successfully used the 'set interface xx-x/x/x unit xx family inet sample' command. This appears to be the new way of doing it.
> > >
> > > #3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces within the VRF. As it appears the device can only do ingress netflow I also need to sample the mpls interface. Does anyone have an example of how to gather netflow stats from both the vrf and mpls pe p interfaces?
> > >
> > > Thanks
> > > Chris
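
The message above separates what a version 9 template can describe (IPv4, MPLS, or both) from what the router samples (one family at a time). As an added example, not code from any post in this thread, the following collector-side check parses NetFlow v9 template flowsets and reports which family each template describes. Field type numbers are from RFC 3954; the packet built by `build_sample` is constructed for illustration and its field lengths are placeholders.

```python
import struct

# Field type numbers from RFC 3954 (NetFlow v9).
IPV4_FIELDS = {8, 12}               # IPV4_SRC_ADDR, IPV4_DST_ADDR
MPLS_FIELDS = set(range(70, 80))    # MPLS_LABEL_1 .. MPLS_LABEL_10

def parse_templates(packet):
    """Return {template_id: [field_type, ...]} from one NetFlow v9 export packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, off = {}, 20                      # skip the 20-byte packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        pos, end = off + 4, off + fs_len
        while fs_id == 0 and pos + 4 <= end:     # flowset id 0 carries templates
            tid, count = struct.unpack_from("!HH", packet, pos)
            if tid < 256:                        # trailing padding, not a template
                break
            pos += 4
            if pos + 4 * count > end:
                raise ValueError("truncated template record")
            templates[tid] = [struct.unpack_from("!H", packet, pos + 4 * i)[0]
                              for i in range(count)]
            pos += 4 * count
        off += fs_len
    return templates

def classify(fields):
    """Label a template by the address and label fields it declares."""
    v4, mpls = bool(IPV4_FIELDS & set(fields)), bool(MPLS_FIELDS & set(fields))
    return {(True, True): "ipv4+mpls", (True, False): "ipv4",
            (False, True): "mpls", (False, False): "other"}[(v4, mpls)]

def build_sample():
    """Constructed packet: template 256 (IPv4 fields) and 257 (MPLS labels)."""
    def tmpl(tid, types):
        body = b"".join(struct.pack("!HH", t, 4) for t in types)  # placeholder lengths
        return struct.pack("!HH", tid, len(types)) + body
    records = tmpl(256, [8, 12, 7, 11, 4, 1, 2]) + tmpl(257, [70, 71, 1, 2])
    pad = b"\x00" * 4                            # zero padding, as exporters may add
    flowset = struct.pack("!HH", 0, 4 + len(records) + len(pad)) + records + pad
    return struct.pack("!HHIIII", 9, 2, 1000, 1283299304, 1, 0) + flowset

if __name__ == "__main__":
    for tid, fields in parse_templates(build_sample()).items():
        print(tid, classify(fields))
```

A template only declares what the exporter may send; comparing these labels with the data flowsets that actually arrive shows which family is being sampled.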
[j-nsp] Netflow / JFlow questions
Have a few questions for some folks who have implemented JFlow.. I have a working jflow setup with basic ipv4 and ingress collection on a m7i with a services pic and also on a MX platform with the MS-DPC blade.

#1 - Is egress netflow supported? It appears that only ingress is supported.

#2 - Why do all examples that I can find say to use a firewall filter to sample traffic, I have successfully used the 'set interface xx-x/x/x unit xx family inet sample' command. This appears to be the new way of doing it.

#3 - In my lab I have a MPLS VPN setup and am trying to netflow interfaces within the VRF. As it appears the device can only do ingress netflow I also need to sample the mpls interface. Does anyone have an example of how to gather netflow stats from both the vrf and mpls pe p interfaces?

Thanks
Chris