This document focuses on configuring Juniper J Series and SRX Series devices for J-Flow v9, which is based on the RFC3954 (IPFIX) flow export standard (via UDP) and as such is consumable by any IPFIX-capable flow collector, including FlowTraq. J-Flow v9 exporting requires Junos OS 10.4 or later; this document is based on Junos 12.1. The following procedure provides an example of the J-Flow configuration for version 9:
The following commands correspond to nested templates, so that
is equivalent to defining the structure,
The first step in configuring the J-Flow v9 export is to set the template:
The next step is to configure sampling. The sampling rate is the number of packets (X:1) to sample. Junos also lets you select additional packets to follow each sampled packet; this count is the run-length. So, if rate is 10 and run-length is 3, the flow output is based on 4-packet sequences and the overall sampling rate is 10:4: out of every 10 packets, 4 are selected, and those 4 are sequential. For full-fidelity recording, set rate to 1 and run-length to 0.
NOTE: J-Flow v9 is based on a sampled-packet system. Flows are built using only a portion of the observed network traffic, according to sampling rules. When sampling is enabled, J-Flow should not be treated as a full-fidelity flow stream — individual flows may be missing from the record, or have incorrect packet and byte counts and session lengths. This enables a Juniper device to monitor more traffic without impacting performance, but once information is lost due to sampling selection it cannot be recovered. Nevertheless, this analysis comes at a computational cost which must be considered when
Next, configure the external flow collector (here, 10.0.0.100) and its UDP port (the default NetFlow port is used here, as a convenience), and attach the previously defined flow template.
Note that this is equivalent to defining, in two commands, the structure:
(For a full description of the flow-server command, see Juniper’s documentation.)
Configure the inline-jflow, so that the sampling and the J-Flow service thread are implemented in the forwarding engine. The source address determines the address to use for generating monitored packets, and will appear as the Exporter IP address.
Configure the sampling filter on an interface (or interfaces) in the direction to be monitored. “input” corresponds to Ingress traffic on other devices, and “output” to Egress. Per common convention, monitoring all Ingress interfaces covers all traversing packets exactly once.
At this point, your Juniper device should be exporting J-Flow datagrams to your flow collector. J-Flow v9 is a template-based format (like NetFlow 9) and it may take 5-15 minutes for the first flows to appear. If traffic fails to arrive at your collector, there are a few things to check:
First, make sure that your J-Flow collector is listening on the correct port (UDP 2055 above) and that any firewalls in between (particularly on the host running the collector) allow the J-Flow packets to pass.
Second, verify the flow of session records using a packet capture utility such as Wireshark or tcpdump. (J-Flow datagrams will appear as CFLOW in Wireshark.) Verify the destination IP address and port. If they are correct, log back into your Juniper device and verify that the correct interfaces are being monitored.
If none of the above troubleshooting methods yields an obvious error and J-Flows are not being sent, contact your vendor’s support. If they are being sent but not received, contact FlowTraq technical support.
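Because J-Flow v9 is template-based, a collector can receive datagrams and still show no flows until the matching template has arrived. The sketch below is an added example, not part of the original procedure or any FlowTraq or Juniper code. It assumes the RFC 3954 packet layout and uses a hypothetical helper `inspect_v9` to report which FlowSets in a captured UDP payload are templates and which data FlowSets can already be decoded.

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def inspect_v9(datagram, known_templates):
    """Summarise one v9 export datagram (RFC 3954 layout).

    known_templates maps (source_id, template_id) -> record length in bytes
    and is updated in place, like a collector's per-exporter template cache.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 20-byte v9 header")
    version, _count, _uptime, _secs, sequence, source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not a v9 export packet (version={version})")
    summary = {"source_id": source_id, "sequence": sequence,
               "new_templates": [], "decodable": [], "undecodable": []}
    offset = HEADER.size
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            raise ValueError("FlowSet length runs past the datagram")
        body = datagram[offset + 4:offset + length]
        pos = 0
        while flowset_id == 0 and pos + 4 <= len(body):   # template FlowSet
            template_id, nfields = struct.unpack_from("!HH", body, pos)
            spec = body[pos + 4:pos + 4 + 4 * nfields]
            if len(spec) != 4 * nfields:
                raise ValueError("truncated template record")
            rec_len = sum(flen for _ftype, flen in struct.iter_unpack("!HH", spec))
            known_templates[(source_id, template_id)] = rec_len
            summary["new_templates"].append(template_id)
            pos += 4 + 4 * nfields
        if flowset_id > 255:                               # data FlowSet
            rec_len = known_templates.get((source_id, flowset_id))
            if rec_len:
                summary["decodable"].append((flowset_id, len(body) // rec_len))
            else:                                          # template not seen yet
                summary["undecodable"].append(flowset_id)
        offset += length
    return summary

# Constructed sample datagrams (not captured traffic), both from source_id 1.
TEMPLATE_PKT = (HEADER.pack(9, 1, 1000, 1700000000, 1, 1)
                + struct.pack("!HHHH", 0, 20, 256, 3)      # template FlowSet, id 256, 3 fields
                + struct.pack("!HHHHHH", 8, 4, 12, 4, 1, 4))  # src addr, dst addr, bytes
DATA_PKT = (HEADER.pack(9, 1, 2000, 1700000001, 2, 1)
            + struct.pack("!HH", 256, 16)                  # data FlowSet for template 256
            + bytes([10, 0, 0, 1, 10, 0, 0, 100]) + struct.pack("!I", 1500))
```

Feed it the UDP payloads from a capture on the collector host: a steady stream of `undecodable` entries with no `new_templates` means the exporter is sending, but the collector has not yet seen a template for that source.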