Monday, January 24, 2011

Netflow on Juniper Router

On Juniper routers, if you want to sample all traffic on an interface you don't need a firewall filter at all; the following simple form is enough:

    ge-0/0/0 {
        unit 0 {
            family inet {
                sampling {
                    input;
                }
            }
        }
    }
Packet sampling can also be restricted to specific traffic: define a firewall filter whose terms accept and sample the traffic you care about, apply that filter to the interface, and then configure where the samples go under forwarding-options, like this:
    forwarding-options {
        sampling {
            input {
                family inet {
                    rate 100;   /* sample 1 in 100 packets */
                }
            }
            output {
                cflowd <flow collector IP address> {
                    port 9991;  /* collector's UDP port */
                    source-address <source IP>;
                    version 5;  /* NetFlow version */
                }
                flow-active-timeout 60;  /* your collector may want a different value */
            }
        }
    }

These settings are applied per interface. As in the first example, the sampling statement belongs under family inet of the interface's logical unit:
    interfaces {
        <interface> {
            family inet {
                sampling {
                    input;
                }
                ...
            }
            ...
        }
        ...
    }
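To see what the collector at <flow collector IP address>:9991 actually receives from the configuration above, here is a NetFlow v5 datagram parser. This is an added example written for this page, not code from the original post or from Juniper; the field layout is the standard NetFlow v5 header and record format, and the sample datagram, addresses, interface numbers and sequence number are constructed inline rather than captured. The parser also reads the header's sampling-interval field and scales the sampled counters by it, falling back to the configured rate if the exporter leaves that field at zero.

```python
"""NetFlow v5 datagram parser: what a cflowd collector sees on its UDP port.
Added example, not Juniper code; layout is the standard v5 header (24 bytes) and
record (48 bytes). The sample datagram below is constructed, not captured."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
V5_MAX_RECORDS = 30                                    # v5 limit per datagram

@dataclass
class FlowRecord:
    src: str
    dst: str
    packets: int      # sampled count, not real traffic
    octets: int       # sampled count, not real traffic
    src_port: int
    dst_port: int
    tcp_flags: int
    proto: int

@dataclass
class V5Export:
    sys_uptime_ms: int
    unix_secs: int
    flow_sequence: int      # gaps here mean lost export datagrams
    sampling_mode: int      # top 2 bits of the sampling field
    sampling_interval: int  # low 14 bits; 0 means the exporter left it blank
    records: List[FlowRecord]

def parse_v5(datagram: bytes) -> V5Export:
    """Decode one NetFlow v5 datagram, rejecting anything malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, _nsecs, seq,
     _eng_type, _eng_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != {expected} for {count} records")
    records = []
    for i in range(count):
        (src, dst, _nhop, _in_if, _out_if, pkts, octets, _first, _last, sport,
         dport, _pad1, flags, proto, _tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst), pkts,
                                  octets, sport, dport, flags, proto))
    return V5Export(uptime, secs, seq, sampling >> 14, sampling & 0x3FFF, records)

def is_valid_v5(datagram: bytes) -> bool:
    """True if parse_v5 accepts the datagram; a collector should drop the rest."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False

def estimated_totals(export: V5Export, configured_rate: int) -> List[Tuple[str, str, int, int]]:
    """Scale sampled counters by the header interval, or by the configured rate if it is 0."""
    factor = export.sampling_interval or configured_rate
    return [(r.src, r.dst, r.packets * factor, r.octets * factor) for r in export.records]

def build_v5(flows: List[tuple], sampling_interval: int, flow_seq: int = 0) -> bytes:
    """Encode (src, dst, proto, sport, dport, pkts, octets) tuples; used only to build sample input."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1295856000, 0, flow_seq, 0, 0,
                            (1 << 14) | sampling_interval)  # mode bits 1, interval in low 14 bits
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("192.0.2.1"), 5, 7, pkts, octets, 1000, 2000,
                       sport, dport, 0, 0x18, proto, 0, 64512, 64513, 24, 24, 0)
        for (src, dst, proto, sport, dport, pkts, octets) in flows)
    return header + body

# Constructed sample input: two flows sampled at 1:100, export sequence 17.
SAMPLE_DATAGRAM = build_v5(
    [("198.51.100.10", "203.0.113.25", 6, 44321, 443, 3, 4200),
     ("198.51.100.11", "203.0.113.53", 17, 51000, 53, 1, 78)],
    sampling_interval=100, flow_seq=17)

if __name__ == "__main__":
    export = parse_v5(SAMPLE_DATAGRAM)
    print(f"seq={export.flow_sequence} sampling=1:{export.sampling_interval}")
    for src, dst, pkts, octets in estimated_totals(export, configured_rate=100):
        print(f"{src} -> {dst}: ~{pkts} packets, ~{octets} bytes")
```

Run as a script it decodes the two constructed flows and prints their scaled totals. Two things worth carrying into a real collector: watch flow_sequence for gaps, which mean export datagrams were dropped somewhere between the PIC and the collector, and remember that cflowd v5 export is plain UDP with no authentication, so accept datagrams only from the router's configured source-address and keep the collector on a network where that address cannot be trivially spoofed.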
Note: to use Jflow on M Series routers you need specialised hardware: an AS or MS PIC, or an M7i, which comes with an embedded AS PIC.

Jflow can also be run on the Routing Engine, but I don't recommend it: the sampling load on the RE can crowd out routing updates and other control-plane work. Hardware-wise you are probably best off with one of the new MultiService PICs (a PE-MS-100-1 would fit). More information about the MS PICs can be found here: http://www.juniper.net/us/en/local/pdf/datasheets/1000199-en.pdf

With regard to licensing, you will need an S-ACCT licence to use Jflow on the AS or MS PICs.
