Configuring J-Flow Export on Juniper SRX-Series Routers

By Dr. John Murphy | July 10, 2014



Configuring J-Flow Export on Juniper SRX Devices

Using Junos 12.1X46

This document focuses on configuring Juniper J Series and SRX Series devices for J-Flow v9, which is based on the RFC3954 (IPFIX) flow export standard (via UDP) and as such is consumable by any IPFIX-capable flow collector, including FlowTraq. J-Flow v9 exporting requires Junos OS 10.4 or later; this document is based on Junos 12.1. The following procedure provides an example of the J-Flow configuration for version 9:

The following commands correspond to nested templates, so that

# set services flow-monitoring version9 template IPV4-JFLOW-TEMPLATE ipv4-template

is equivalent to defining the structure,

services {
    flow-monitoring {
        version9 {
            template IPV4-JFLOW-TEMPLATE {
                ipv4-template;
            }
        }
    }
}

The first step in configuring the J-Flow v9 export is to set the template:

# set services flow-monitoring version9 template IPV4-JFLOW-TEMPLATE ipv4-template

The next step is to configure sampling. Sampling rate is the number of packets (X:1) to sample. Junos allows the user to specifically select additional samples to follow a sampled packet, the run-length. So, if rate is 10 and run-length is 3, then the flow output would be based on 4-packet sequences such that the overall sampling rate is 10:4 — out of every 10 packets, 4 would be selected, and those 4 would be sequential. For full-fidelity recording, then, rate is set to 1, and run-length to 0.

# set forwarding-options sampling input rate 1
# set forwarding-options sampling input run-length 0

NOTE: J-Flow v9 is based on a sampled-packet system. Flows are built using only a portion of the observed network traffic, according to sampling rules. When sampling is enabled, J-Flow should not be treated as a full-fidelity flow stream — individual flows may be missing from the record, or have incorrect packet and byte counts and session lengths. This enables a Juniper device to monitor more traffic without impacting performance, but once information is lost due to sampling selection it cannot be recovered. Nevertheless, this analysis comes at a computational cost which must be considered when

Next, configure the external flow collector (here, 10.0.0.100) and its UDP port (the default NetFlow port is used here, as a convenience), and attach the previously defined flow template.

# set forwarding-options sampling family inet output flow-server 10.0.0.100 port 2055
# set forwarding-options sampling family inet output flow-server 10.0.0.100 version9 template IPV4-JFLOW-TEMPLATE

Note that this is equivalent to defining, in two commands, the structure:

forwarding-options {
    sampling {
        input {
            rate 1;
            run-length 0;
        }
        family inet {
            output {
                flow-server 10.0.0.100 {
                    port 2055;
                    version9 {
                        template {
                            IPV4-JFLOW-TEMPLATE;
                        }
                    }
                }
            }
        }
    }
}

(For a full description of the flow-server command, see Juniper’s documentation.)

Configure the inline-jflow, so that the sampling and the J-Flow service thread are implemented in the forwarding engine. The source address determines the address to use for generating monitored packets, and will appear as the Exporter IP address.

# set forwarding-options sampling family inet output inline-jflow source-address 10.0.0.10

Configure the sampling filter on an interface (or interfaces) in the direction to be monitored. “input” corresponds to Ingress traffic on other devices, and “output” to Egress. Per common convention, monitoring all Ingress interfaces covers all traversing packets exactly once.

user@host# set interfaces ge-0/0/14 unit 0 family inet sampling input
user@host# set interfaces ge-0/0/14 unit 0 family inet address 2.2.2.1/24

At this point, your Juniper device should be exporting J-Flow datagrams to your flow collector. J-Flow v9 is a template-based format (like NetFlow 9) and it may take 5-15 minutes for the first flows to appear. If traffic fails to arrive at your collector, there are a few things to check:

First, make sure that your J-Flow collector is listening on the correct port (UDP 2055 above) and that any firewalls in between (particularly on the host running the collector) allow the J-Flow packets to pass.

Second, verify the flow of session records using a packet capture utility such as Wireshark or tcpdump. (J-Flow datagrams will appear as CFLOW in Wireshark.) Verify the destination IP address and port. If they are correct, log back into your Juniper device and verify that the correct interfaces are being monitored.
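An added example (not from the original article or from FlowTraq): a small Python check for captured v9 export datagrams that shows why data received before the first template cannot be decoded. The datagram bytes, template ID 256 and field selection are constructed for illustration and follow the RFC 3954 packet layout.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")     # flowset_id, length (length includes these 4 bytes)

def inspect_v9(datagram, templates):
    """Summarise one datagram; `templates` (template_id -> record length) is kept per exporter."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the v9 header")
    version, _, _, _, sequence, source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not a v9 export packet (version={version})")
    out = {"source_id": source_id, "sequence": sequence,
           "new_templates": [], "decodable": 0, "undecodable": []}
    off = HEADER.size
    while off + FLOWSET.size <= len(datagram):
        fs_id, fs_len = FLOWSET.unpack_from(datagram, off)
        if fs_len < FLOWSET.size or off + fs_len > len(datagram):
            raise ValueError("FlowSet length runs past the datagram")
        body = datagram[off + FLOWSET.size:off + fs_len]
        if fs_id == 0:                       # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if tid < 256 or pos + 4 * nfields > len(body):
                    break                    # padding or truncated record
                templates[tid] = sum(struct.unpack_from("!HH", body, pos + 4 * i)[1]
                                     for i in range(nfields))
                out["new_templates"].append(tid)
                pos += 4 * nfields
        elif fs_id >= 256:                   # data FlowSet: its id is the template id
            if templates.get(fs_id):
                out["decodable"] += len(body) // templates[fs_id]
            else:
                out["undecodable"].append(fs_id)
        off += fs_len
    return out

# Constructed sample datagrams (not captured traffic); template 256 carries
# IPV4_SRC_ADDR(8), IPV4_DST_ADDR(12), IN_PKTS(2), IN_BYTES(1), 4 bytes each.
def _pkt(seq, flowset):
    return HEADER.pack(9, 1, 1000, 1404950400, seq, 0) + flowset
TEMPLATE_PKT = _pkt(1, FLOWSET.pack(0, 24) + struct.pack("!10H", 256, 4, 8, 4, 12, 4, 2, 4, 1, 4))
DATA_PKT = _pkt(2, FLOWSET.pack(256, 20) + bytes([10, 0, 0, 10, 10, 0, 0, 100]) + struct.pack("!II", 3, 180))

if __name__ == "__main__":
    cache = {}
    for pkt in (DATA_PKT, TEMPLATE_PKT, DATA_PKT):
        print(inspect_v9(pkt, cache))
```

Data FlowSets reported as undecodable shortly after export is enabled mean the collector is receiving datagrams but has not yet seen the template they reference.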

If none of the above troubleshooting steps reveals an obvious error and J-Flow datagrams are not being sent, contact your vendor’s support. If they are being sent but not received, contact FlowTraq technical support.

