Configuring Flow Aggregation on MX, M and T Series Routers and NFX250 to Use Version 5 or Version 8 cflowd
To enable the collection of cflowd version 5 or version 8 flow formats, include the flow-server statement:
flow-server hostname {
    aggregation {
        autonomous-system;
        destination-prefix;
        protocol-port;
        source-destination-prefix {
            caida-compliant;
        }
        source-prefix;
    }
    autonomous-system-type (origin | peer);
    (local-dump | no-local-dump);
    port port-number;
    version format;
}
You can include this statement at the following hierarchy levels:
[edit forwarding-options sampling family (inet | inet6 | mpls) output]
[edit forwarding-options sampling instance instance-name output]
[edit forwarding-options accounting name output cflowd hostname]
You must configure the family inet statement on logical interface unit 0 on the monitoring interface, as in the following example:
[edit interfaces]
sp-3/0/0 {
    unit 0 {
        family inet {
            ...
        }
    }
}
Boot images for monitoring services interfaces are specified at the [edit chassis images pic] hierarchy level. You must enable the NTP client to make the cflowd feature operable, by including the following configuration:
[edit system]
ntp {
    boot-server ntp.example.com;
    server 172.17.28.5;
}
processes {
    ntp enable;
}
You can also configure cflowd version 5 for flow-monitoring applications by including the cflowd statement at the [edit forwarding-options monitoring name family inet output] hierarchy level:
cflowd hostname {
    port port-number;
}
The following restrictions apply to cflowd flow formats:
You can configure up to one version 5 and one version 8 flow format at the [edit forwarding-options accounting name output] hierarchy level.
You can configure up to eight version 5 or one version 8 flow format at the [edit forwarding-options sampling family (inet | inet6 | mpls) output] hierarchy level for Routing Engine-based sampling by including the flow-server statement. In contrast, PIC-based sampling allows you to specify one cflowd version 5 server and one version 8 server simultaneously. However, the two cflowd servers must have different IP addresses.
You can configure up to eight version 5 flow formats at the [edit forwarding-options monitoring name output] hierarchy level. Version 8 flow formats and aggregation are not supported for flow-monitoring applications.
Outbound Routing Engine traffic is not sampled. A firewall filter is applied as output on the egress interface, which samples packets and exports the data. For transit traffic, egress sampling works correctly. For internal traffic, the next hop is installed in the Packet Forwarding Engine but sampled packets are not exported.
Flows are created on the monitoring PIC only after the route record resynchronization operation is complete, which is 60 seconds after the PIC comes up. Any packets sent to the PIC are dropped until the synchronization process is complete.
The configuration includes a proprietary v5 extension template for supporting 4-byte AS information in flow records. Its template version is set to 500, indicating it to be proprietary. All other fields remain the same; the source AS and destination AS are each 4 bytes long, rather than 2 bytes as in the traditional v5 template. This option is available at the [edit forwarding-options sampling family inet output flow-server server-name version] hierarchy level.
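The following is an added example, not Juniper code: a collector-side parser that picks the record layout from the export header version, so that version 500 records with 4-byte AS fields are not decoded as standard 48-byte version 5 records. The version 500 layout used here (version 5 field order with both AS fields widened in place) is an assumption based on the description above, and build_sample with all its values is constructed test input.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")  # 24-byte export header
# Record layout per header version. 5 is the standard 48-byte record.
# 500 is ASSUMED to keep the v5 field order with src_as/dst_as widened in
# place to 4 bytes (52 bytes); confirm against a capture from your router.
RECORD = {5: struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH"),
          500: struct.Struct("!4s4s4sHHIIIIHHBBBBIIBBH")}
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets",
          "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_export(datagram):
    """Return (header, flows); raise ValueError on a malformed datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than export header")
    (version, count, _uptime, secs, _nsecs, seq,
     _etype, engine_id, _sampling) = HEADER.unpack_from(datagram)
    rec = RECORD.get(version)
    if rec is None:
        raise ValueError(f"unsupported export version {version}")
    # A count that disagrees with the payload size means the wrong layout
    # was chosen or the datagram is truncated or forged.
    if count < 1 or len(datagram) != HEADER.size + count * rec.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        values = rec.unpack_from(datagram, HEADER.size + i * rec.size)
        flow = dict(zip(FIELDS, values))
        for key in ("src", "dst", "nexthop"):
            flow[key] = socket.inet_ntoa(flow[key])
        flows.append(flow)
    header = {"version": version, "count": count, "unix_secs": secs,
              "sequence": seq, "engine_id": engine_id}
    return header, flows


def build_sample(version, src_as, dst_as):
    """Constructed one-flow datagram (hypothetical values, for testing)."""
    hdr = HEADER.pack(version, 1, 1000, 1700000000, 0, 1, 0, 4, 0)
    rec = RECORD[version].pack(
        socket.inet_aton("203.0.113.126"), socket.inet_aton("203.0.113.165"),
        socket.inet_aton("0.0.0.0"), 1, 2, 10, 840, 100, 900,
        49152, 443, 0, 0x18, 6, 0, src_as, dst_as, 24, 24, 0)
    return hdr + rec
```

A version 500 datagram whose header is relabelled as version 5 fails the length check instead of yielding shifted AS and mask values.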
In the cflowd statement, specify the name or identifier of the host that collects the flow aggregates. You must also include the User Datagram Protocol (UDP) port number on the host and the version, which gives the format of the exported cflowd aggregates. To collect cflowd records in a log file before exporting, include the local-dump statement.
You can specify both host (cflowd) sampling and port mirroring in the same configuration; however, only one action takes effect at any one time. Port mirroring takes precedence. For more information, see Configuring Port Mirroring on M, T MX, ACX, and PTX Series Routers.
For cflowd version 8 only, you can specify aggregation of specific types of traffic by including the aggregation statement. This conserves memory and bandwidth by enabling cflowd to export targeted flows rather than all aggregated traffic. To specify a flow type, include the aggregation statement:
aggregation {
    autonomous-system;
    destination-prefix;
    protocol-port;
    source-destination-prefix {
        caida-compliant;
    }
    source-prefix;
}
You can include this statement at the following hierarchy levels:
[edit forwarding-options sampling family (inet | inet6 | mpls) output flow-server hostname]
[edit forwarding-options accounting name output cflowd hostname]
The autonomous-system statement configures aggregation by the AS number; this statement might require setting the separate cflowd autonomous-system-type statement to include either origin or peer AS numbers. The origin option specifies to use the origin AS of the packet source address in the Source Autonomous System cflowd field. The peer option specifies to use the peer AS through which the packet passed in the Source Autonomous System cflowd field. By default, cflowd exports the origin AS number.
The destination-prefix statement configures aggregation by the destination prefix only.
The protocol-port statement configures aggregation by the protocol and port number; requires setting the separate cflowd port statement.
The source-destination-prefix statement configures aggregation by the source and destination prefix. Version 2.1b1 of CAIDA’s cflowd application does not record source and destination mask length values in compliance with CAIDA’s cflowd Configuration Guide, dated August 30, 1999. If you configure the caida-compliant statement, the Junos OS complies with Version 2.1b1 of cflowd. If you do not include the caida-compliant statement in the configuration, the Junos OS records source and destination mask length values in compliance with the cflowd Configuration Guide.
The source-prefix statement configures aggregation by the source prefix only.
Collection of sampled packets in a local ASCII file is not affected by the cflowd statement.
The following commands enable Routing Engine- and PIC-based sampling at the set forwarding-options sampling hierarchy level:
set input rate rate
set input run-length length
set family inet output flow-server flowcollector port udp port
set family inet output flow-server flowcollector no-local-dump
set family inet output flow-server flowcollector version <5/8>
The following commands enable Routing Engine- and PIC-based sampling at the set interfaces hierarchy level:
interface to be sampled unit unit family inet filter input/output filtername
The following commands enable Routing Engine- and PIC-based sampling at the set firewall family hierarchy level:
set inet filter filtername term 1 then count filternameing
set inet filter filtername term 1 then sample
set inet filter filtername term 1 then accept
The following command enables PIC-based sampling at the set forwarding-options sampling hierarchy level:
set family inet output interface sp-*/*/* source-address source-address
The following example shows a PIC-based flow aggregation configuration using version 5:
family inet {
    output {
        flow-inactive-timeout 15;
        flow-active-timeout 60;
        flow-server 203.0.113.165 {
            port 9996;
            version 5;
        }
        interface sp-2/2/0 {
            engine-id 4;
            source-address 203.0.113.126;
        }
    }
}
The following example shows a Routing Engine-based flow aggregation configuration using version 5:
family inet {
    output {
        flow-inactive-timeout 15;
        flow-active-timeout 60;
        flow-server 203.0.113.165 {
            port 9996;
            source-address 203.0.113.126;
            version 5;
        }
    }
}