Configuring Inline Active Flow Monitoring to Use IPFIX Flow Templates on MX, vMX and T Series Routers, EX Series Switches, NFX Series Devices, and SRX Series Firewalls
IPFIX lets you define a flow record template suitable for IPv4 traffic or IPv6 traffic. Templates are transmitted to the collector periodically, and the collector does not affect the router configuration. You can define the template refresh rate, the flow active timeout, and the flow inactive timeout.
If flow records are being sent for multiple protocol families (for example, for IPv4 and IPv6), each protocol family flow has a unique Observation Domain ID. The following sections contain additional information:
Starting with Junos OS Release 17.3R1, IPFIX flow templates are supported on QFX10002 switches.
Starting with Junos OS Release 17.4R1, IPFIX flow templates are supported on QFX10008 and QFX10016 switches.
Starting with Junos OS Release 19.4R1, IPFIX flow templates are supported on SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, vSRX Virtual Firewall, and vSRX3.0 devices.
Starting with Junos OS Release 20.1R1, IPFIX flow templates are supported on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.
Starting with Junos OS Release 20.4R1, IPFIX flow templates are supported on NFX150, NFX250 NextGen, and NFX350 devices.
Configuring the IPFIX Template Properties
To define the IPFIX templates, include the following statements at the [edit services flow-monitoring version-ipfix] hierarchy level:
[edit services flow-monitoring version-ipfix]
template template-name {
    options-template-id
    template-id
    observation-domain-id
    flow-active-timeout seconds;
    flow-inactive-timeout seconds;
    option-refresh-rate packets packets seconds seconds;
    template-refresh-rate packets packets seconds seconds;
    (ipv4-template | ipv6-template);
}
The following details apply to the configuration statements:
- You assign each template a unique name by including the template template-name statement.
- You then specify each template for the appropriate type of traffic by including the ipv4-template or ipv6-template statement.
- Within the template definition, you can optionally include values for the flow-active-timeout and flow-inactive-timeout statements. These statements have specific default and range values when they are used in template definitions; the default is 60 seconds and the range is from 10 through 600 seconds.
- You can also include settings for the option-refresh-rate and template-refresh-rate statements within a template definition. For both of these properties, you can include a timer value (in seconds) or a packet count (in number of packets). For the seconds option, the default value is 600 and the range is from 10 through 600. For the packets option, the default value is 4800 and the range is from 1 through 480,000.
- To filter IPv6 traffic on a media interface, the following configuration is supported:
    interfaces interface-name {
        unit 0 {
            family inet6 {
                sampling {
                    input;
                    output;
                }
            }
        }
    }
Restrictions
The following restrictions apply to IPFIX templates:
- Outbound Routing Engine traffic is not sampled. A firewall filter is applied as output on the egress interface, which samples packets and exports the data. For transit traffic, egress sampling works correctly. For internal traffic, the next hop is installed in the Packet Forwarding Engine but sampled packets are not exported.
- Flows are created only after the route record resynchronization operation is complete, which takes 120 seconds.
- The VLAN ID field is updated when a new flow record is created, so any change in VLAN ID after the record has been created might not be updated in the record.
Customizing Template ID, Observation Domain ID, and Source ID for IPFIX Flow Templates
Starting in Junos OS Release 14.1, you can define an IPFIX flow record template suitable for IPv4 traffic, IPv6 traffic, MPLS traffic, a combination of IPv4 and MPLS traffic, or peer AS billing traffic. Templates and the fields included in the template are transmitted to the collector periodically, and the collector need not be aware of the router configuration. You can specify the unique identifier for the version 9 and IPFIX templates. The identifier of a template is locally unique within a combination of a transport session and an observation domain. Template IDs 0 through 255 are reserved for template sets, options template sets, and other sets for future use. Template IDs of data sets are numbered from 256 through 65535. Typically, this information element or field in the template is used to define the characteristics or properties of other information elements in a template. After a restart of the export process of templates is performed, you can reassign template IDs.
This functionality to configure template ID, options template ID, observation domain ID, and source ID is supported on all routers with MPCs.
The corresponding data sets and option data sets contain the value of the template IDs and options template IDs respectively in the set ID field. This method enables the collector to match a data record with a template record.
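The matching rule described above, shown from the collector side as an added example (not Juniper code): templates are cached per observation domain ID and template ID, and a data set is decoded only when its set ID matches a cached template from the same domain. The function names are hypothetical, the header layout and set ID 2 follow RFC 7011, and only fixed-length IANA fields are handled (options template sets are skipped).

```python
import struct

TEMPLATE_SET, MIN_DATA_SET = 2, 256  # set ID 2 = template set, 256+ = data sets

def learn_templates(body, domain, cache):
    """Store each template under (observation domain ID, template ID)."""
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        if tid < MIN_DATA_SET:
            raise ValueError("template ID %d is in the reserved range" % tid)
        fields = []
        for i in range(count):
            ie, size = struct.unpack_from("!HH", body, pos + 4 + 4 * i)
            if ie & 0x8000 or size in (0, 0xFFFF):
                raise ValueError("enterprise or variable-length field not handled")
            fields.append((ie, size))
        cache[(domain, tid)] = fields
        pos += 4 + 4 * count

def parse_ipfix(msg, cache):
    """Return (decoded records, set IDs that had no template) for one message."""
    if len(msg) < 16:
        raise ValueError("shorter than the IPFIX message header")
    version, length, _time, _seq, domain = struct.unpack_from("!HHIII", msg)
    if version != 10 or length != len(msg):
        raise ValueError("bad version or length field")
    records, unmatched, off = [], [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length out of bounds")
        body = msg[off + 4:off + set_len]
        fields = cache.get((domain, set_id))
        if set_id == TEMPLATE_SET:
            learn_templates(body, domain, cache)
        elif set_id >= MIN_DATA_SET and not fields:
            unmatched.append(set_id)  # template not seen in this domain yet
        elif set_id >= MIN_DATA_SET:
            ids = [ie for ie, _ in fields]
            fmt = "!" + "".join("%ds" % size for _, size in fields)
            rec_len = struct.calcsize(fmt)
            for pos in range(0, len(body) - rec_len + 1, rec_len):
                records.append(dict(zip(ids, struct.unpack_from(fmt, body, pos))))
        off += set_len
    return records, unmatched

def build(domain, set_id, body):  # constructed sample: message header + one set
    head = struct.pack("!HHIII", 10, 20 + len(body), 0, 0, domain)
    return head + struct.pack("!HH", set_id, 4 + len(body)) + body
```

Because the cache key includes the observation domain ID, a template learned for the IPv4 domain is never applied to data sets from the IPv6 domain, even when both use template ID 256.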
For more information about specifying the source ID, observation domain ID, template ID, and options template ID for version 9 and IPFIX flows, see Configuring Observation Domain ID and Source ID for Version 9 and IPFIX Flows and Configuring Template ID and Options Template ID for Version 9 and IPFIX Flows.
IPFIX Templates
For information about the definitions of the fields included in IPFIX IPv4 and IPv6 templates, see IPFIX and Version 9 Templates.
Verification
The following show commands are supported for IPFIX:
- show services accounting flow inline-jflow fpc-slot fpc-slot
- show services accounting errors inline-jflow fpc-slot fpc-slot
- show services accounting status inline-jflow fpc-slot fpc-slot
Example: Configuring IPFIX Flow Templates and Flow Sampling
The following example shows an IPFIX template configuration:
services {
    flow-monitoring {
        version-ipfix {
            template ipv4 {
                flow-active-timeout 60;
                flow-inactive-timeout 70;
                template-refresh-rate seconds 30;
                option-refresh-rate seconds 30;
                ipv4-template;
            }
        }
    }
}
chassis {
    fpc 0 {
        sampling-instance s1;
    }
}
The following example applies the IPFIX template to enable sampling of traffic for billing:
forwarding-options {
    sampling {
        instance {
            s1 {
                input {
                    rate 10;
                }
                family inet {
                    output {
                        flow-server 192.0.2.2 {
                            port 2055;
                            version-ipfix {
                                template {
                                    ipv4;
                                }
                            }
                        }
                        inline-jflow {
                            source-address 198.51.100.1;
                        }
                    }
                }
            }
        }
    }
}
Example: Configuring Inline Active Flow Monitoring Version 9 Flow Templates and Flow Sampling
The following example shows inline Active Flow Monitoring version 9 IPv4 template configuration:
services {
    flow-monitoring {
        version9 {
            template ipv4-v9 {
                flow-active-timeout 60;
                flow-inactive-timeout 15;
                template-refresh-rate {
                    packets 1000;
                }
                option-refresh-rate {
                    seconds 100;
                }
                ipv4-template;
            }
        }
    }
}
The following example shows inline Active Flow Monitoring version 9 IPv6 template configuration:
services {
    flow-monitoring {
        version9 {
            template ipv6-v9 {
                flow-active-timeout 60;
                flow-inactive-timeout 15;
                template-refresh-rate {
                    packets 1000;
                }
                option-refresh-rate {
                    seconds 100;
                }
                ipv6-template;
            }
        }
    }
}
The following example shows inline Active Flow Monitoring version 9 IPv4 sampling traffic and export configuration:
forwarding-options {
    sampling {
        traceoptions {
            file testsample size 1g world-readable;
            flag all;
        }
        instance {
            sample-ins1 {
                input {
                    rate 1;
                    run-length 0;
                }
                family inet {
                    output {
                        flow-server 10.207.18.113 {
                            port 2055;
                            version9 {
                                template {
                                    ipv4-v9;
                                }
                            }
                        }
                        inline-jflow {
                            source-address 10.207.18.232;
                            flow-export-rate 2;
                        }
                    }
                }
            }
        }
    }
}
The following example shows inline Active Flow Monitoring version 9 IPv6 sampling traffic and export configuration:
forwarding-options {
    sampling {
        traceoptions {
            file testsample size 1g world-readable;
            flag all;
        }
        instance {
            sample-ins1 {
                input {
                    rate 1;
                    run-length 0;
                }
                family inet6 {
                    output {
                        flow-server 2001::2 {
                            port 4739;
                            version9 {
                                template {
                                    ipv6-v9;
                                }
                            }
                        }
                        inline-jflow {
                            source-address 2001::1;
                            flow-export-rate 2;
                        }
                    }
                }
            }
        }
    }
}
The following example shows inline Active Flow Monitoring version 9 sampling interface binding (using interface):
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {    /* use inet6 for IPv6 */
                sampling {
                    input;
                    output;
                }
            }
        }
    }
}
The following example shows inline Active Flow Monitoring version 9 sampling interface binding with firewall filter (using filters):
firewall {
    family inet {    /* use inet6 for IPv6 */
        filter ipv4_sample {
            term default {
                then {
                    accept;
                    sample;
                }
            }
        }
    }
}
Example: Configuring IPFIX Flow Templates and Flow Sampling
The following example shows IPFIX IPv4 template configuration:
flow-monitoring {
    version-ipfix {
        template ipv4-ipfix {
            flow-active-timeout 60;
            flow-inactive-timeout 60;
            template-refresh-rate {
                packets 1000;
                seconds 30;
            }
            option-refresh-rate {
                packets 500;
                seconds 60;
            }
            ipv4-template;
        }
    }
}
The following example shows IPFIX IPv6 template configuration:
flow-monitoring {
    version-ipfix {
        template ipv6-ipfix {
            flow-active-timeout 60;
            flow-inactive-timeout 60;
            template-refresh-rate {
                packets 1000;
                seconds 30;
            }
            option-refresh-rate {
                packets 500;
                seconds 60;
            }
            ipv6-template;
        }
    }
}
The following example shows IPFIX IPv4 sampling traffic and export configuration:
forwarding-options {
    sampling {
        traceoptions {
            file testsample size 1g world-readable;
            flag all;
        }
        instance {
            sample-ins1 {
                input {
                    rate 1;
                    run-length 0;
                }
                family inet {
                    output {
                        flow-server 10.207.18.113 {
                            port 4739;
                            version-ipfix {
                                template {
                                    ipv4-ipfix;
                                }
                            }
                        }
                        inline-jflow {
                            source-address 10.207.18.232;
                            flow-export-rate 2;
                        }
                    }
                }
            }
        }
    }
}
The following example shows IPFIX IPv6 sampling traffic and export configuration:
forwarding-options {
    sampling {
        traceoptions {
            file testsample size 1g world-readable;
            flag all;
        }
        instance {
            sample-ins1 {
                input {
                    rate 1;
                    run-length 0;
                }
                family inet6 {
                    output {
                        flow-server 2001::2 {
                            port 4739;
                            version-ipfix {
                                template {
                                    ipv6-ipfix;
                                }
                            }
                        }
                        inline-jflow {
                            source-address 2001::1;
                            flow-export-rate 2;
                        }
                    }
                }
            }
        }
    }
}
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.