- Introduction
- Get Started
- play_arrow Apstra GUI
- play_arrow Blueprints and Dashboard
- play_arrow Analytics (Blueprints)
- Analytics Introduction
- play_arrow Dashboards
- play_arrow Anomalies
- play_arrow Widgets
- play_arrow Probes
- play_arrow Predefined Reports (Tech Preview)
- play_arrow Root Causes
- play_arrow Staged (Datacenter Blueprints)
- Blueprint-Wide Search
- play_arrow Physical
- play_arrow Build
- play_arrow Selection
- play_arrow Topology
- play_arrow Nodes
- Nodes (Datacenter)
- Unassign Device (Datacenter)
- Update Deploy Mode (Datacenter)
- Generic Systems vs. External Generic Systems
- Create Generic System
- Create External Generic System
- Create Access Switch
- Update Node Tag (Datacenter)
- Update Port Channel ID Range
- Update Hostname (Datacenter)
- Edit Generic System Name
- Edit Device Properties (Datacenter)
- View Node's Static Routes
- Delete Node
- play_arrow Links
- Links (Datacenter)
- Add Links to Leaf
- Add Links to Spine
- Add Links to Generic System
- Add Links to External Generic System
- Add Leaf Peer Links
- Add Link per Superspine (5-Stage)
- Form LAG
- Create Link in LAG
- Break LAG
- Update LAG Mode
- Update Link Tag (Datacenter)
- Update Link Speed
- Update Link Speed per Superspine (5-Stage)
- Mixed Link Speeds between Leaf and Spine
- Update Link Properties
- Delete Link (Datacenter)
- Export Cabling Map (Datacenter)
- Import Cabling Map (Datacenter)
- Edit Cabling Map (Datacenter)
- Fetch LLDP Data (Datacenter)
- play_arrow Interfaces
- play_arrow Racks
- play_arrow Pods
- play_arrow Planes
-
- play_arrow Virtual
- play_arrow Virtual Networks
- play_arrow Routing Zones
- Static Routes (Virtual)
- Protocol Sessions (Virtual)
- play_arrow Virtual Infrastructure
- play_arrow Statistics
-
- play_arrow Policies
- play_arrow Endpoints
- Security Policies
- Interface Policies
- Routing Policies
- Routing Zone (VRF) Constraints
- play_arrow Routing Zone Policy (4.2.0)
-
- play_arrow Data Center Interconnect (DCI)
- play_arrow Catalog
- play_arrow Logical Devices
- play_arrow Interface Maps
- play_arrow Property Sets
- play_arrow Configlets
- play_arrow AAA Servers
- play_arrow Tags
-
- play_arrow Tasks
- play_arrow Connectivity Templates
- Connectivity Templates Introduction
- play_arrow Primitives
- Primitive: Virtual Network (Single)
- Primitive: Virtual Network (Multiple)
- Primitive: IP Link
- Primitive: Static Route
- Primitive: Custom Static Route
- Primitive: BGP Peering (IP Endpoint)
- Primitive: BGP Peering (Generic System)
- Primitive: Dynamic BGP Peering
- Primitive: Routing Policy
- Primitive: Routing Zone Constraint
- User-defined
- Pre-defined
- Create Connectivity Template for Multiple VNs on Same Interface (Example)
- Create Connectivity Template for Layer 2 Connected External Router (Example)
- Update Connectivity Template Assignments
- Edit Connectivity Template
- Delete Connectivity Template
- play_arrow Fabric Settings (4.2.1)
- play_arrow Fabric Policy (4.2.1)
- play_arrow Severity Preferences (4.2.1)
-
- play_arrow Fabric Settings (4.2.0)
- play_arrow Fabric Policy (4.2.0)
- play_arrow Virtual Network Policy (4.2.0)
- play_arrow Anti-Affinity Policy (4.2.0)
- play_arrow Validation Policy (4.2.0)
-
- BGP Route Tagging
- play_arrow Staged (Freeform Blueprints)
- Freeform Introduction
- play_arrow Blueprints
- play_arrow Physical
- play_arrow Selection
- play_arrow Topology
- play_arrow Systems
- Systems Introduction (Freeform)
- Create Internal System (Freeform)
- Create External System (Freeform)
- Update Config Template Assignment (Freeform)
- Update System Name (Freeform)
- Update Hostname (Freeform)
- Update Device Profile Assignment (Freeform)
- Update System ID Assignment (Freeform)
- Update Deploy Mode (Freeform)
- Update System Tag Assignment (Freeform)
- Delete System (Freeform)
- Device Context (Freeform)
- play_arrow Links
-
- play_arrow Resource Management
- Resource Management Introduction (Freeform)
- play_arrow Blueprint Resources
- play_arrow Allocation Groups
- play_arrow Local Pools
- play_arrow Catalog
- play_arrow Config Templates
- play_arrow Device Profiles
- play_arrow Property Sets
- play_arrow Tags
-
- play_arrow Tasks
- play_arrow Uncommitted (Blueprints)
- play_arrow Active (Datacenter Blueprints)
- play_arrow Time Voyager (Blueprints)
- play_arrow Devices
- Device Configuration Lifecycle
- play_arrow Managed Devices
- play_arrow System Agents
- play_arrow Pristine Config
- play_arrow Telemetry
- play_arrow Apstra ZTP
- Apstra ZTP Introduction
- Create User Profile for Communicating with ZTP Server
- Download and Deploy Apstra ZTP Server VM
- Configure Static Management IP Address for Apstra ZTP Server
- Replace SSL Certificate for Apstra ZTP Server GUI
- Configure Credentials for Apstra ZTP Server GUI
- Create Vendor-specific Custom Configuration
- Configure Apstra Server Connection Details
- Configure DHCP Server for Apstra ZTP
- ztp.json Keys
- Configure ztp.json with Configurator
- Configure ztp.json with CLI
- Onboard Devices with Apstra ZTP
- Check ZTP Status of Devices and Services
- Reset Apstra ZTP GUI Admin Password
- play_arrow Device Profiles
- play_arrow Design
- play_arrow Logical Devices
- play_arrow Interface Maps
- play_arrow Rack Types
- play_arrow Templates
- play_arrow Config Templates
- play_arrow Configlets (Datacenter)
- play_arrow Property Sets (Datacenter)
- play_arrow TCP/UDP Ports
- play_arrow Tags
-
- play_arrow Resources
- play_arrow External Systems (RBAC Providers)
- play_arrow Providers
- play_arrow Provider Role Mapping
-
- play_arrow Platform
- play_arrow User / Role Management
- play_arrow Security
- Syslog Configuration (Platform)
- Receivers (Platform)
- Global Statistics (Platform)
- Event Log (Audit Log)
- play_arrow Apstra VM Clusters
- play_arrow Developers
- play_arrow Technical Support
- Check Apstra Versions and Patent Numbers
-
- Favorites & User
- play_arrow Apstra Server Management
- Apstra Server Introduction
- Monitor Apstra Server via CLI
- Restart Apstra Server
- Reset Apstra Server VM Password
- Reinstall Apstra Server
- Apstra Database Overview
- Back up Apstra Database
- Restore Apstra Database
- Reset Apstra Database
- Migrate Apstra Database
- Replace SSL Certificate on Apstra Server with Signed One
- Replace SSL Certificate on Apstra Server with Self-Signed One
- Change Apstra Server Hostname
- Apstra CLI Utility
- play_arrow Guides
- play_arrow References
- play_arrow Feature Matrix
- play_arrow Devices
- play_arrow Analytics
- play_arrow Predefined Dashboards (Analytics)
- play_arrow Predefined Probes (Analytics)
- Probe: BGP Monitoring
- Probe: Bandwidth Utilization
- Probe: Critical Services: Utilization, Trending, Alerting
- Probe: Device Environmental Checks
- Probe: Device System Health
- Probe: Device Telemetry Health
- Probe: Device Traffic
- Probe: Drain Traffic Anomaly
- Probe: ECMP Imbalance (External Interfaces)
- Probe: ECMP Imbalance (Fabric Interfaces)
- Probe: ECMP Imbalance (Spine to Superspine Interfaces)
- Probe: ESI Imbalance
- Probe: EVPN Host Flapping
- Probe: EVPN VXLAN Type-3 Route Validation
- Probe: EVPN VXLAN Type-5 Route Validation
- Probe: External Routes
- Probe: Hot/Cold Interface Counters (Fabric Interfaces)
- Probe: Hot/Cold Interface Counters (Specific Interfaces)
- Probe: Hot/Cold Interface Counters (Spine to Superspine Interfaces)
- Probe: Hypervisor and Fabric LAG Config Mismatch Probe (Virtual Infra)
- Hypervisor and Fabric VLAN Config Mismatch Probe (Virtual Infra)
- Probe: Hypervisor MTU Mismatch Probe (Virtual Infra - NSX-T Only)
- Probe: Hypervisor MTU Threshold Check Probe (Virtual Infra)
- Probe: Hypervisor Missing LLDP Config Probe (Virtual Infra)
- Probe: Hypervisor Redundancy Checks Probe (Virtual Infra)
- Probe: Interface Flapping (Fabric Interfaces)
- Probe: Interface Flapping (Specific Interfaces)
- Probe: Interface Flapping (Specific Interfaces)
- Probe: Interface Policy 802.1x
- Probe: LAG Imbalance
- Probe: Leafs Hosting Critical Services: Utilization, Trending, Alerting
- Probe: Link Fault Tolerance in Leaf and Access LAGs
- Probe: MLAG Imbalance
- Probe: Multiagent Detector
- Probe: Optical Transceivers
- Probe: Packet Discard Percentage
- Probe: Spine Fault Tolerance
- Probe: Total East/West Traffic
- Probe: VMs without Fabric Configured VLANs Probe (Virtual Infra)
- Probe: VXLAN Flood List Validation
- play_arrow Probe Processors (Analytics)
- Processor: Accumulate
- Processor: Average
- Processor: Comparison
- Processor: EVPN Type 3
- Processor: EVPN Type 5
- Processor: Extensible Service Data Collector
- Processor: Generic Graph Collector
- Processor: Generic Service Data Collector
- Processor: Interface Counters
- Processor: Logical Operator
- Processor: Match Count
- Processor: Match Percentage
- Processor: Match String
- Processor: Max
- Processor: Min
- Processor: Periodic Average
- Processor: Range
- Processor: Ratio
- Processor: Service Data Collector
- Processor: Set Comparison
- Processor: Set Count
- Processor: Standard Deviation
- Processor: State
- Processor: Subtract
- Processor: Sum
- Processor: System Utilization
- Processor: Time in State
- Processor: Traffic Monitor
- Processor: Union
- Processor: VXLAN Floodlist
- Configlet Examples (Design)
- play_arrow Apstra CLI Commands
- Apstra EVPN Support Addendum
- Apstra Server Configuration File
- Graph
- Juniper Apstra Technology Preview
-
Network Flows
This
Configure the UDP Input
Question: Can the Apstra Flow collector’s port be changed?
Answer: The collector receives packets containing flow records using UDP. Table 1 lists the three configurable parameters:
UDP Parameters | Description |
---|---|
EF_FLOW_SERVER_UDP_PORT | The UDP port the Apstra Flow collector listens to for NetFlow/IPFIX/sFlow packets. |
EF_FLOW_SERVER_UDP_IP | The IP addresses the UDP socket is bound to on the Apstra Flow collector. |
EF_FLOW_SERVER_UDP_READ_BUFFER_MAX_SIZE | The UDP receive buffer for the system. If this value exceeds the
maximum allowed buffer size ( net.core.rmem_max ) on
Linux, the maximum allowed size is used. |
Flow Records Not Received
Problem
Flow exporters are configured to output IPFIX, sFlow, or NetFlow, but one or more flow exporters’ data does not appear in the Apstra Flow dashboards.
There can be several reasons for this:
- The packets carrying the expected flow records are not arriving at the system running the flow collector.
- The packets carrying the expected flow records are not arriving on a UDP port on which the collector is not listening.
- The Linux firewall is blocking the packets from reaching the collector.
Solution
Verify the packets are arriving.
Use tcpdump
to verify that the packets carrying the expected flow
records are arriving at the interface where the collector is listening. For example,
if the collector is listening on UDP port 2055
(EF_FLOW_SERVER_UDP_PORT
) the following tcpdump
command shows the incoming
packets to this port:
sudo tcpdump "udp port 2055
To see packets from a specific exporter, you can also specify the exporter's IP
address. For example, if packets are expected from 192.0.2.11
, use
the following command:
sudo tcpdump "src 192.0.2.11 and udp port 2055"
You might need to specify the interface on which tcpdump
observes the incoming packet. You can do this by specifying the
-i
option in the tcpdump
command. For
example:
sudo tcpdump -i eth0 "src 192.0.2.11 and udp port 2055"
If you do not receive any packets, this can mean that:
- The device is not sending the packets.
- The packets are being sent to the wrong place.
- The packets are being blocked along the way, e.g. by a firewall
You will need to troubleshoot and fix this issue before proceeding.
Verify the collector is receiving the packets.
Verify that the collector is receiving the packets from the operating system, by
running the collector with debug
(EF_LOGGER_LEVEL
) set to debug
. A message should appear indicating
when the packets were received and from which IP addresses the packets were
sent.
If you have verified that the packets are arriving at the system, but you do not see any messages in the collector's logs, the packets are likely being blocked by the Linux firewall. You can temporarily disable the Linux firewall to confirm this. If after doing this the logs indicate that packets are received, you will need to reconfigure the Linux firewall to allow the traffic to reach the collector.
Unsupported sFlow Structure
The log indicates that the Apstra Flow collector cannot process an sFlow record because it has enterprise-specific information that is not supported. For example:
{"level":"error","ts":"2023-06-09T02:50:20.427Z","logger":"flow_processor","caller":"flowprocessor/flow.go:75","msg":"failed to process record","code":"processor/process-record-error","reason":"sFlow v5: could not decode samples: flow struct not supported - enterprise: 25506, format: 1003","stacktrace":"g
Problem: The collector received an sFlow structure it does not recognize. This is usually due to a vendor sending its own enterprise-specific structure.
Solution: To add support for a specific sFlow Structure, contact Juniper support. You will need to supply a PCAP of the records that contain the structure and documentation from the vendor about the contents of the structure.
Netflow v9/IPFIX Template Not Received
Problem: The Apstra Flow collector’s log displays the error: Could not
decode flowsets: template not yet received
. This error applies to both
NetFlow v9 and IPFIX templates.
The Apstra Flow collector indicates a message similar to the following:
error netflow9/netflow9.go:59 netflow v9: could not decode flowsets: template not yet received from 10.1.1.1 for session: 27856, observation domain: 33312, template ID 260
Solution:
In most cases, waiting allows the issue to resolve itself. You'll usually see these messages when starting the collector, however these messages should stop after the needed templates are received. Devices usually send templates every few minutes, although some may take 15-30 minutes. This interval is usually configurable, but may vary by vendor and model.
If waiting does not solve the problem, contact your Juniper sales representative. To investigate your issues, we'll need a PCAP of the incoming records from the device in question. The PCAP will need to be long enough to include templates.
In the following example, tcpdump
is configured to capture incoming
packets to port 2055
from 192.0.2.11
and write
them to a file named netflow.pcap
.
sudo tcpdump "src 192.0.2.11 and udp port 2055" -w netflow.pcap -vvv
Bidirectional Flow Support
Question: How does Apstra Flow handle a flow exporter that supports bidirectional flow records (RFC 5103), where two directions of traffic are expressed in a single record?
Answer: The collector produces two unidirectional records, one for each direction. This allows the bidirectional flow records to be processed and analyzed in the same manner as unidirectional flows.