This article will show a sample configuration and give some cavets of inline jflow monitoring using the ipfix format.
From the Junos 10.2 release notes:
Inline flow monitoring support (MX240, MX480, and MX960 only)—Adds the capability to support flow monitoring and sampling services inline in the data path, without the need for a services PIC, on MX Series Modular Port Concentrators (MPCs).
To configure inline flow monitoring, include the inline-jflow statement at the [edit forwarding-options sampling instance instance-name family inet output] hierarchy level. Inline sampling exclusively supports a new format called version-ipfix that uses UDP as the transport protocol. When you configure inline sampling, you must include the version-ipfix statement at the [edit forwarding-options sampling instance instance-name family inet output flow-server address] hierarchy level and also at the [edit services flow-monitoring] hierarchy level. The following operational commands include new inline fpc keywords to display inline configuration information: show services accounting errors, show services accounting flow, and show services accounting status.
Topology:
Smashing---3/0/0-xe-3/1/0---Mand---3/2/0-xe-3/3/0---(switch)---Vegas & Flow Collector
Configuration:
Smashing> show configuration
interfaces {
xe-3/0/0 {
unit 0 {
family inet {
address 1.0.0.1/30;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 1.0.0.2;
}
}
Mand> show configuration
chassis {
fpc 3 {
sampling-instance sample-ins1;
}
}
interfaces {
xe-3/1/0 {
unit 0 {
family inet {
sampling {
input;
}
address 1.0.0.2/30;
}
}
}
xe-3/2/0 {
vlan-tagging;
unit 2 {
vlan-id 2;
family inet {
address 42.0.0.1/30;
}
}
unit 11 {
vlan-id 11;
family inet {
address 11.0.0.1/30;
}
}
}
lo0 {
unit 0 {
family inet {
address 47.255.255.206/32;
}
}
}
}
forwarding-options {
sampling {
instance {
sample-ins1 {
input {
rate 1;
}
family inet {
output {
flow-server 42.0.0.2 {
port 2055;
version-ipfix {
template {
ipv4;
}
}
}
inline-jflow {
source-address 47.255.255.206;
flow-export-rate 400;
}
}
}
}
}
}
}
services {
flow-monitoring {
version-ipfix {
template ipv4 {
flow-active-timeout 60;
flow-inactive-timeout 60;
template-refresh-rate {
packets 1000;
seconds 10;
}
option-refresh-rate {
packets 1000;
seconds 10;
}
ipv4-template;
}
}
}
}
Vegas> show configuration
interfaces {
xe-0/3/0 {
vlan-tagging;
unit 11 {
vlan-id 11;
family inet {
address 11.0.0.2/30;
}
}
}
}
routing-options {
static {
route 1.0.0.1/32 next-hop 11.0.0.1;
}
}
Flow Collector is configured as 42.0.0.2/30 for VLAN 2.
Notice that FPC3 is a MPC and has the sampling instance configured. Traffic must be transiting the router to be accounted as a flow.
For more documentation on inline flow monitoring please see the juniper techpub link below.
http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/configuration/inline-flow-monitoring.html
Outputs:
In the above setup, the flow is from Smashing to Vegas:
Smashing> traceroute 11.0.0.2 traceroute to 11.0.0.2 (11.0.0.2), 30 hops max, 40 byte packets 1 1.0.0.2 (1.0.0.2) 21.103 ms 0.313 ms 0.315 ms 2 11.0.0.2 (11.0.0.2) 0.295 ms 0.421 ms 0.295 ms This is seen as a flow: Mand> show services accounting flow inline-jflow fpc-slot 3 Flow information FPC Slot: 3 Flow packets: 6, Flow bytes: 240 Active flows: 6, Total flows: 6 Flows exported: 0, Flows packets exported: 0 Flows inactive timed out: 0, Flows active timed out: 0
Packets leave the interface toward the collector, which is being simulated for testing purposes:
Mand> monitor traffic interface xe-3/3/0.2 no-resolve size 9999 detail 13:34:42.458318 In IP (tos 0x0, ttl 255, id 58049, offset 0, flags [none], proto: UDP (17), length: 128) 47.255.255.206.33018 > 42.0.0.2.2055: UDP, length 100 13:34:42.458319 In IP (tos 0x0, ttl 255, id 58050, offset 0, flags [none], proto: UDP (17), length: 128) 47.255.255.206.33018 > 42.0.0.2.2055: UDP, length 100 13:34:42.458320 In IP (tos 0x0, ttl 255, id 58051, offset 0, flags [none], proto: UDP (17), length: 76) 47.255.255.206.4102 > 42.0.0.2.2055: UDP, length 48 13:34:42.458437 In IP (tos 0x0, ttl 255, id 58052, offset 0, flags [none], proto: UDP (17), length: 68) 47.255.255.206.4102 > 42.0.0.2.2055: UDP, length 40 13:34:42.458438 In IP (tos 0x0, ttl 255, id 58053, offset 0, flags [none], proto: UDP (17), length: 76) 47.255.255.206.4102 > 42.0.0.2.2055: UDP, length 48 13:34:42.458440 In IP (tos 0x0, ttl 255, id 58054, offset 0, flags [none], proto: UDP (17), length: 68) 47.255.255.206.4102 > 42.0.0.2.2055: UDP, length 40 13:34:42.458441 In IP (tos 0x0, ttl 255, id 58055, offset 0, flags [none], proto: UDP (17), length: 76) 47.255.255.206.4102 > 42.0.0.2.2055: UDP, length 48 13:34:42.458443 In IP (tos 0x0, ttl 255, id 58056, offset 0, flags [none], proto: UDP (17), length: 68) 47.255.255.206.4102 > 42.0.0.2.2055: UDP, length 40 13:34:42.458444 In IP (tos 0x0, ttl 255, id 58057, offset 0, flags [none], proto: UDP (17), length: 76) 47.255.255.206.4102 > 42.0.0.2.2055: UDP, length 48 13:34:42.458445 In IP (tos 0x0, ttl 255, id 58058, offset 0, flags [none], proto: UDP (17), length: 68) 47.255.255.206.4102 > 42.0.0.2.2055: UDP, length 40
Caveats:
From lab testing on 10.4R2, this feature is not supported in a virtual-router routing-instance. In addition, it is only supported in a VRF routing-instance if the collector-facing interface is in main instance.