[MX] Example - Configuring forwarding-options to send IPFIX to remote flow server inside routing-instance

Article ID: KB28958 | KB Last Updated: 12 Jun 2020 | Version: 2.0
Summary:

J-Flow version of the Internet Protocol Flow Information Export (IPFIX) configuration is supported under virtual routing and forwarding (VRF). The flow collector should be reachable through the default routing table (inet.0 or inet6.0). If the flow collector is reachable via a non-default VPN routing and forwarding table (VRF), flow records and templates can be exported.

This article provides a workaround for sending IPFIX to a flow server inside a routing instance.

Symptoms:

The following setup samples traffic in the routing instance and sends flows to the flow server via the same routing instance.

Routing-instance = INTERNET 
Solution:

Topology

SERVER ---<ge-1/2/1> VR <ge-1/1/9>---<ge-1/1/11> INTERNET 

<---------------configuration ------------------>

Chassis

set chassis tfeb slot 0 sampling-instance snake

Interfaces

set interfaces ge-1/1/9 unit 0 family inet address 100.101.1.1/30   --> VR interface
set interfaces ge-1/1/11 unit 0 family inet filter input v4-sample
set interfaces ge-1/1/11 unit 0 family inet address 100.101.1.2/30  ---> INTERNET interface
set interfaces ge-1/2/1 unit 0 family inet address 159.10.10.1/30  --> connected to FLOW SERVER in VR instance 
set interfaces lo0 unit 1 family inet address 199.1.1.1/32  ---> INTERNET interface

set firewall family inet filter v4-sample term 1 then count sample-count
set firewall family inet filter v4-sample term 1 then sample
set firewall family inet filter v4-sample term 1 then accept

set services flow-monitoring version-ipfix template ipv4 flow-active-timeout 60
set services flow-monitoring version-ipfix template ipv4 flow-inactive-timeout 60
set services flow-monitoring version-ipfix template ipv4 template-refresh-rate packets 1000
set services flow-monitoring version-ipfix template ipv4 template-refresh-rate seconds 10
set services flow-monitoring version-ipfix template ipv4 option-refresh-rate packets 1000
set services flow-monitoring version-ipfix template ipv4 option-refresh-rate seconds 10
set services flow-monitoring version-ipfix template ipv4 ipv4-template

set forwarding-options sampling instance snake input rate 1
set forwarding-options sampling instance snake family inet output flow-server 159.10.10.2 port 2055  <<<<<<<< server address 
set forwarding-options sampling instance snake family inet output flow-server 159.10.10.2 no-local-dump
set forwarding-options sampling instance snake family inet output flow-server 159.10.10.2 version-ipfix template ipv4
set forwarding-options sampling instance snake family inet output inline-jflow source-address 100.101.1.2 

lab@MX-80# show routing-instances 
INTERNET {
    instance-type vrf;
    interface ge-1/1/11.0;
    interface lo0.1;
    route-distinguisher 100:100;
    vrf-target target:100:100;
    protocols {
        ospf {
            rib-group VRF-to-G;  <--  exported into Global via rib-groups *** 
            area 0.0.0.0 {
                interface all;
            }
        }
    }
}
VR {
    instance-type virtual-router;
    interface ge-1/1/9.0;
    interface ge-1/2/1.0;  <-- towards flow server 
    protocols {
        ospf {
            area 0.0.0.0 {
                interface all;
            }
        }
    }
}

=================================================
lab# show routing-options
rib-groups {
    VRF-to-G {
        import-rib [ INTERNET.inet.0 inet.0 ];
    }
}
=================================================
lab@MX-80# show routing-instances INTERNET protocols ospf   
rib-group VRF-to-G;
area 0.0.0.0 {
    interface all;
}
=================================================

Note: You can also use a static route for flow server pointing towards routing-instance instead of rib-groups.

Example: set routing-options static route 159.10.10.2/32 next-table INTERNET.inet.0

<----------------- configuration ------------------>

<------------ verification & testing -------------->

lab@MX-80> show route table INTERNET.inet.0 

INTERNET.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

100.101.1.0/30     *[Direct/0] 00:31:53
                    > via ge-1/1/11.0
100.101.1.2/32     *[Local/0] 00:31:53
                      Local via ge-1/1/11.0
159.10.10.0/30     *[OSPF/10] 00:04:48, metric 2
                    > to 100.101.1.1 via ge-1/1/11.0
199.1.1.1/32       *[Direct/0] 00:31:53
                    > via lo0.1
224.0.0.5/32       *[OSPF/10] 00:31:54, metric 1
                      MultiRecv

lab@MX-80> show route table VR.inet.0          

VR.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

100.101.1.0/30     *[Direct/0] 00:31:56
                    > via ge-1/1/9.0
100.101.1.1/32     *[Local/0] 00:31:56
                      Local via ge-1/1/9.0
159.10.10.0/30     *[Direct/0] 00:04:52
                    > via ge-1/2/1.0
159.10.10.1/32     *[Local/0] 00:30:36
                      Local via ge-1/2/1.0
199.1.1.1/32       *[OSPF/10] 00:31:06, metric 1
                    > to 100.101.1.2 via ge-1/1/9.0
224.0.0.5/32       *[OSPF/10] 00:31:57, metric 1
                      MultiRecv

lab@MX-80> show route table inet.0 

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:37:31
                    > to 10.141.227.100 via fxp0.0
10.141.227.0/24    *[Direct/0] 00:37:31
                    > via fxp0.0
10.141.227.80/32   *[Local/0] 22:11:01
                      Local via fxp0.0
159.10.10.0/30     *[OSPF/10] 00:04:58, metric 2  <-- Flow server route should be present in Global Instance
                    > to 100.101.1.1 via ge-1/1/11.0

lab@MX-80> ping 199.1.1.1 routing-instance VR rapid count 100
PING 199.1.1.1 (199.1.1.1): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 199.1.1.1 ping statistics ---

lab@MX-80> show firewall 

Filter: __default_bpdu_filter__                                

Filter: v4-sample                                             
Counters:
Name                                                Bytes              Packets
sample-count                                        92492                 1202

<----------- verification & testing -------------->
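
A check for the verification step above, as an added example that is not part of the original article: it parses `show route table inet.0` output and reports whether the flow server has a usable route in the default table. The sample text is constructed from the output shown above, and treating a default-route or fxp0-only match as unusable is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the "show route table inet.0" output above.
SAMPLE_INET0 = """\
0.0.0.0/0          *[Static/5] 00:37:31
                    > to 10.141.227.100 via fxp0.0
10.141.227.0/24    *[Direct/0] 00:37:31
                    > via fxp0.0
159.10.10.0/30     *[OSPF/10] 00:04:58, metric 2
                    > to 100.101.1.1 via ge-1/1/11.0
"""

ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*\[(\w+)/\d+\]")
VIA_RE = re.compile(r"\bvia (\S+)")


def parse_routes(text):
    """Return [(network, protocol, egress interface)] for active IPv4 routes."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append([ipaddress.ip_network(m.group(1)), m.group(2), None])
        elif routes and routes[-1][2] is None:
            via = VIA_RE.search(line)
            if via:
                routes[-1][2] = via.group(1)
    return [tuple(r) for r in routes]


def collector_path(text, collector):
    """Longest-prefix match for the collector; reject default/fxp0-only paths."""
    addr = ipaddress.ip_address(collector)
    matches = [r for r in parse_routes(text) if addr in r[0]]
    if not matches:
        return ("missing", None)
    net, proto, ifname = max(matches, key=lambda r: r[0].prefixlen)
    # Assumption of this example: a default route or management (fxp0) next hop
    # is not treated as a usable export path.
    if net.prefixlen == 0 or (ifname or "").startswith("fxp"):
        return ("management-or-default-only", ifname)
    return ("ok", ifname)


if __name__ == "__main__":
    print(collector_path(SAMPLE_INET0, "159.10.10.2"))
```

A plain "is there any matching route" test would pass on the default route alone, which is why the check uses the longest-prefix match and inspects the egress interface.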


In newer versions, you can configure the routing-instance name instead of using rib-groups. This works only in a VRF. The syntax is as follows:

set forwarding-options sampling instance JTAC family inet output flow-server 1.1.1.1 routing-instance <VRF name>

In case you reach the collector over a VR instance, you can configure a VRF Import/Export Dummy policy to configure the VRF:

labroot@test-re0# show policy-options policy-statement Dummy | display set
set policy-options policy-statement Dummy term 1 then reject

[edit]
labroot@test-re0# show routing-instances VRF | display set
set routing-instances VRF instance-type vrf
set routing-instances VRF vrf-import Dummy
set routing-instances VRF vrf-export Dummy
set routing-instances VRF route-distinguisher 1:1

Since IPFIX/Version 9 will not support a virtual-router instance for exporting the flows, the same configuration can be used for version 5.

set forwarding-options sampling family inet output flow-server 1.1.1.1 routing-instance

Note that this only works in VRF instance.

Modification History:
2020-06-12: Added to the end of the solution, steps on configuring the routing instance name in VRF.
