Inband Flow Analyzer (IFA) 2.0 Probe for Real-Time Flow Monitoring

Inband Flow Analyzer 2.0 Overview

Inband Flow Analyzer 2.0 (IFA 2.0) is a feature that you can use to monitor and analyze packets as they enter and exit the network. As the network administrator, you can use this feature to collect data related to the paths the packets take through the network and how long the packets spend at each hop. This data provides an indication of excessive latency and possible congestion. This feature helps you to get insights about complex networks by collecting per-hop flow data on the data plane.

IFA uses probe packets to collect network-wide flow data. IFA samples the flow of interest and generates probe packets. These packets are representative of the original flow, possessing the same characteristics as the original flow. This means that IFA packets traverse the same path in the network and the same queues in the networking element as the original packet would. As a result, IFA probe packets traverse the same network path as the original flow, experiencing similar latency and congestion.

You can use Inband Flow Analyzer 2.0 (IFA 2.0) to collect flow data information such as:

• Residence time (latency)
• Per-hop latency
• Per-hop ingress port number
• Per-hop egress port number
• Received packet timestamp value
• Queue ID
• Congestion notification
• Egress port speed

IFA 2.0 is defined in the IETF draft titled Inband Flow Analyzer, draft-kumar-ippm-ifa-02.

Benefits

• IFA probe packets traverse the same network path as the original flow, helping you to monitor the network for faults and performance issues.
• Monitors live traffic and thus helps to perform packet-level latency analysis and queue-congestion monitoring to optimize the network performance.

Inband Flow Analyzer Process

IFA uses the following processing nodes (as shown in Figure 1) to monitor and analyze flows:

• IFA initiator node (also known as ingress node)
• IFA transit node
• IFA terminating node (also known as egress node)

IFA 2.0 supports processing both Layer 3 (L3) and VXLAN flows, but you can't configure IFA for both L3 and VXLAN flows on the same device. The flow-type options are mutually exclusive. You use the flow-type configuration statement to set the flow type of interest —either L3 or VXLAN. You configure the flow-type statement only for the IFA initiator and IFA terminating nodes (generally leaf nodes). For an IFA transit node (generally a spine node), you don't need to configure the flow-type statement.

Figure 1: IFA Processing

Table 1 summarizes the different functions that the IFA processing nodes perform:

IFA Probe Packet Headers

An IFA 2.0 probe packet contains the following:

• IFA Header
• IFA Metadata Header
• IFA Metadata Stack

Figure 2 shows the L3 IFA 2.0 packet format at the IFA initiator node:

Figure 2: Layer 3 IFA 2.0 Packet Format at the IFA Initiator Node

Figure 3 shows the VXLAN IFA 2.0 packet format at the IFA initiator node.

Figure 3: VXLAN IFA 2.0 Packet Format at the IFA Initiator Node

IFA Header

IFA 2.0 defines an upper layer header (ULH), similar to how TCP, UDP, Generic Routing Encapsulation (GRE), and Spanning Tree Protocol (STP) define a ULH. The IFA ULH is always the first header after the IP header, even if there are some other IPv4 extension headers. The NextHdr field (that is, the Protocol Type field in the IFA header) carries the original IP header protocol field value. Figure 4 shows the IFA header format.

Figure 4: IFA Header

IFA Metadata Header

IFA 2.0 defines a compact 4-byte metadata header as shown in Figure 5. The IFA initiator node adds this header to the probe packet.

Figure 5: IFA Metadata Header Format

IFA Metadata Stack

Each IFA hop inserts hop-specific metadata into an IFA metadata stack as shown in Figure 6. The IFA initiator node adds the metadata header after the L4 header.

The QFX5220 as a transit node can not insert metadata into the metadata stack of the IFA probe packet header. Instead, the QFX5220 adds a tailstamp to the end of the IFA probe packet that includes timestamps and other metadata. For more information about these tailstamps, see Tailstamps for IFA Probe Packets (QFX5220 only).

Figure 6: IFA Metadata Stack Header

Tailstamps for IFA Probe Packets (QFX5220 only)

The QFX5220 as a transit node can not insert metadata into the metadata stack of the IFA probe packet header. Instead, the QFX5220 adds a tailstamp to the end of the IFA probe packet that includes timestamps and other metadata. The QFX5220 adds a total of 28 bytes of metadata as a tailstamp. Upon receiving the IFA probe packet, the IFA termination node uses the TTL value in the metadata to identify the number of tailstamps (that is, the number of QFX5220 hops on the path between two QFX5120 or QFX5130 devices). Then the tailstamps are converted into the correct metadata format and inserted into the correct place in the metadata stack, so that the metadata appears in the order that the transit nodes added them. Once complete, the IFA termination node exports the data in IPFIX format to the configured external collector.

Due to this inability to insert metadata into the stack, the IFA metadata stack fields IP TTL , Egress Port Speed and Congestion for the QFX5220 are received with the value of 0 at the collector. You must configure the collector to ignore these unsupported fields from the QFX5220.

The tailstamp includes 14 bytes of ingress (Rx) tailstamp and 14 bytes of egress (Tx) tailstamp. Figure 7 and Figure 8 provide details about the format of these timestamps.

Figure 7: Ingress (Rx) Tailstamp Format

Figure 8: Egress (Tx) Tailstamp Format

Supported Features on IFA Nodes

Table 5 lists the features supported by IFA nodes.

Supported IFA 2.0 IPFIX Format (Terminating Node)

The terminating node formats the IFA 2.0 packets in IPFIX format, updates the egress port information, and sends the packet to the configured collector. The IFA 2.0 IPFIX template is the same for L3 traffic and VXLAN traffic. Figure 9 shows the IPFIX template in which the terminating node formats the IFA 2.0 data and sends it to a collector.

Figure 9: IFA 2.0 IPFIX Template

Figure 10 shows a sample VXLAN IFA 2.0 packet received by the configured collector in IPFIX format.

Figure 10: VXLAN IFA 2.0 IPFIX Sample Packet

Limitations of IFA 2.0 Configuration

Before you configure IFA 2.0 on a device running Junos OS, you must be aware of the following limitations:

• Protocol Number—IFA 2.0 uses the experimental protocol number 253. If the switch receives any traffic with protocol number 253, those packets will hit the IFA transit filter. In this case the QFX5220 adds a 28-byte tailstamp to those packets. For the QFX5130 and QFX5700 switches, even though the packets hit the filter, IFA metadata is not added to the packets. However, the IFA transit statistics do increment.

• Filter Resource Allocation—If filter hardware resources are already exhausted in the system, the IFA feature does not work because it needs filter resources. You can monitor the system log (syslog) for filter space exhaustion errors.

• Layer 2 and BUM Traffic—IFA 2.0 is not supported on Layer 2 switched traffic and broadcast, unknown unicast, and multicast (BUM) traffic.

• IFA Layer 3 and VXLAN Flows

  • IFA 2.0 supports processing both L3 and VXLAN flows, but you can't configure IFA for both L3 and VXLAN flows on the same device. The flow-type options are mutually exclusive. You use the flow-type configuration statement to set the flow type of interest —either L3 or VXLAN. This restriction is only applicable for IFA initiator and terminating nodes (generally leaf nodes). For IFA transit nodes (generally spine nodes), it is not required to configure the flow type.
  • For VXLAN IFA flow, the egress port-related metadata for the terminating node (including egress port number, speed, queue ID, and congestion) are incorrect. It is recommended that you ignore the termination node egress-port-related metadata for VXLAN flows.
  • An IFA flow-type (L3 or VXLAN) change requires IFA filter removal and reconfiguration. In case of a flow-type mismatch (for example, flow-type configured as VXLAN, whereas the incoming traffic is L3 or vice versa), we can't guarantee IFA behavior (IFA probe packets could be initiated with invalid fields).

• IFA Initiator Node

  • L4 header (UDP/TCP) is mandatory for IFA initiation.
  • IFA initiation for VXLAN flow does not work if the egress port is configured to function as a link aggregation group (LAG) (links connecting leaf to spine).
  • You cannot configure different sample rates for different flows on a port for an IFA initiator. All flows within a port should have the same sample rate.

• IFA Transit Nodes—Devices running Junos OS and Junos OS Evolved do not support the maximum length check for the metadata stack. Configure the hop-limit option to limit the insertion of metadata on transit nodes. The QFX5220 cannot perform the hop-limit check to insert the tailstamp. The QFX5220 also cannot insert metadata into the metadata stack in the IFA probe packet header; instead, the QFX 5220 appends a tailstamp to the end of the IFA probe packet.

  QFX5220 supports only 18 bits for the Rx Seconds Timestamp value. The QFX5130 and QFX5700 support a 20-bit Rx Seconds Timestamp value.

  The Residence Time Nano Seconds field is updated as the actual value on the QFX5220, QFX5130, and QFX5700 transit nodes, but on the QFX5120 transit node, 1 second (1000000000 ns) is added along with the actual residence time. ​

• IFA Terminating Node

  • You can configure only a single IPv4 collector at the terminating node.
  • The terminating node metadata has the queue ID 47. This queue ID is reserved for IFA packet export.
  • The terminating node does not perform a hop-limit check. Even if the incoming IFA packet has hop-limit set to 0, the terminating node inserts the metadata and reduces the hop limit by 1, which resets the hop-limit value to 255.

Usage Considerations

Following are the IFA 2.0 related usage considerations:

• Sampled IFA packets have an additional 40 bytes (4-byte IFA header + 4-byte IFA metadata header + 32-byte metadata) when it egresses on the initiator node. On subsequent IFA nodes, 32-byte IFA metadata is inserted at every hop. Due to insertion of per-hop metadata into IFA packets, the packet size grows after every hop. You must configure the interface's maximum transmission unit (MTU) accordingly along the network path. In case of an IFA zone with a large number of transit nodes, you must take care of the MTU. Alternatively, you can configure the hop-limit option at the initiator node to ensure that the size of the IFA packets never exceeds the specified MTU value.
• To select the flow of interest, you can use any combination of source IP address, destination IP address, source port, destination port, and protocol match qualifiers. IFA 2.0 doesn't support any other match qualifiers.
• You must configure a unique device ID for each hop within an IFA zone. If you've configured the auto option for the device ID, then the device ID is generated from the last 20 bits of the router ID or management IP address.
• If you've configured the sampling rate as aggressive, the egress ports might experience congestion due to more IFA copies. This port congestion could create congestion on terminating nodes when IFA copies are sent to the chip processor for IPFIX export. We recommend that you select the sampling rate accordingly.
• When you configure an IFA 2.0 initiator, an internal mirror session is created for the loopback port. As a result, the number of user-configurable mirror sessions reduces from 4 to 3.
• The terminating node accepts an IFA packet size up to 9000 bytes (including IFA headers). On the terminating node, multiple IFA received packets are combined into a single IPFIX export packet. You can combine a maximum of 10 IFA records in a single IPFIX export packet. By default, a maximum of 256 bytes of the original flow packet are exported as part of the IPFIX export, along with IFA headers. The maximum size of a single IPFIX packet is 9000 bytes. You must configure the MTU properly on the collector port. Because the maximum size of a single IPFIX packet is 9000 bytes, the maximum clip length for the IPFIX packet is equal to or less than: 9000 bytes - (IFA header length + IFA metadata header length + IFA metadata stack length).
• We recommend that you use only IFA-aware (supported) devices within the IFA zone. We cannot guarantee proper IFA behavior with IFA-unaware devices.

Requirements

This example uses the following hardware and software components:

• One QFX5120-32C switch as a spine node
• Two QFX5120-48Y switches as the leaf nodes
• Junos OS Release 21.4R1

Pre-Requisites

This example assumes that you already have an EVPN-VXLAN based network and want to enable traffic monitoring on QFX switches.

Before you Begin

• Make sure you understand how EVPN and VXLAN works. See Example: Configuring IRB Interfaces in an EVPN-VXLAN Environment to Provide Layer 3 Connectivity for Hosts in a Data Center and Bridged Overlay Design and Implementation to understand EVPN-VXLAN in detail.
• For IFA terminating node configurations to take effect you need to have a valid Advanced Telemetry Feature (ATF) license in place.

Overview

In this example, you'll configure one of the QFX5120-48Y switches (Leaf 1) as an initiator node, the QFX5120-32C switch as a transit node, and the second QFX5120-48Y switch (Leaf 2) as a terminating node. The VXLAN traffic flows from Host 1 to Host 2. Configuring IFA on the ingress and egress nodes allows you to monitor network operation and identify the performance issues.

The QFX5120-32C functions as a spine to connect the QFX5120-48Y leaf nodes. At the terminating node, you collect the sampled traffic in IPFIX format using an IPv4 collector application.

Configuration

In this example, you'll configure the following functionality on the switches:

1. Configure Leaf 1 as an initiator node and configure initiator related attributes, like global device identifier and the sampling rate. Configure an IFA profile and firewall filter with the action as inband-flow-telemetry-init, and bind the IFA firewall filter to the interfaces.
2. Configure the QFX5120-32C spine switch as a transit node with a global device identifier. When you configure a global device identifier, the spine device adds the IFA metadata and forwards the IFA probe packets.
3. Configure Leaf 2 as a terminating node. Configure the IFA profile with the collector information and firewall filter with the action as inband-flow-telemetry-terminate, and bind the IFA firewall filter to the interfaces.

CLI Quick Configuration

To quickly configure this example on your QFX series devices, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configuration on QFX5120-48Y Switch (Leaf 1 — IFA Initiator Node)

Configuration on QFX5120-32C Switch (IFA Transit Node)

Configuration on QFX5120-48Y Switch (Leaf 2 — IFA Terminating Node)

Step-by-Step Procedure

Configure the global device identifier for the transit node, QFX5120-32C switch.

Results

Verification