
[MX] Example: How to send sampling traffic from multiple VRFs to a destination VRF with the flow server


Article ID: KB36344 | KB Last Updated: 11 Dec 2020 | Version: 1.0
Summary:

This article demonstrates how to send sampled traffic from multiple VRFs to a destination VRF where the flow server is located.

Solution:

This example was created based on a customer's scenario.

Physical Connections

  • Two physical links connect each pair of adjacent routers, as given below:

    • R1 ge-0/0/0 ------- ge-0/0/0 R2

    • R1 ge-0/0/1 ------- ge-0/0/1 R2 

    • R2 ge-0/0/2 ------- ge-0/0/0 R3 

    • R2 ge-0/0/3 ------- ge-0/0/1 R3 

  • One link between R2 and the flow server

    • R2 ge-0/1/0 (100.1.1.1) ------- (100.1.1.2) flow server

Logical Topology and Lab Details


R1 ----- (ae0) ----- R2 ----- (ae1) ----- R3
                     |
                     |
               Flow Server(link to R2)
  • R1 with port irb.111 and irb.333

  • R3 with port irb.222 and irb.444

  • R2 with three VRFs: vrfa (irb.111 & irb.222), vrfb (irb.333 & irb.444), and vrfc (ge-0/1/0)

  • Ping test from R1 irb.111 to R3 irb.222, which passes through vrfa on R2

  • Ping test from R1 irb.333 to R3 irb.444, which passes through vrfb on R2

The two ping test flows above will be sampled and sent to the flow server in vrfc.

Configuration on R2

Jflow Template

set chassis afeb slot 0 sampling-instance test
set services flow-monitoring version-ipfix template ipfixtest flow-active-timeout 60
set services flow-monitoring version-ipfix template ipfixtest flow-inactive-timeout 30
set services flow-monitoring version-ipfix template ipfixtest template-refresh-rate seconds 10
set services flow-monitoring version-ipfix template ipfixtest option-refresh-rate seconds 10
set services flow-monitoring version-ipfix template ipfixtest ipv4-template
set services flow-monitoring version-ipfix template ipfixtest flow-key flow-direction

Sampling Instance

set forwarding-options sampling instance test input rate 1
set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 port 2055
set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 routing-instance vrfc
set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 version-ipfix template ipfixtest
set forwarding-options sampling instance test family inet output inline-jflow source-address 100.1.1.1

Note: You need to point the flow-server routing-instance to vrfc, where the server is located.

Firewall Filter

set firewall family inet filter test term 1 then count test
set firewall family inet filter test term 1 then log
set firewall family inet filter test term 1 then sample
set firewall family inet filter test term 1 then accept

Bind the filter to irb.111 (in vrfa) on R2:

set interfaces irb unit 111 family inet filter input test
set interfaces irb unit 111 family inet filter output test

Bind the filter to irb.333 (in vrfb) on R2:

set interfaces irb unit 333 family inet filter input test
set interfaces irb unit 333 family inet filter output test

After you start the ping test, you will see the flow packets in Wireshark.

Conclusion

Irrespective of where the sampled interface (source) is located, traffic is sampled on the FPC only and sent to the flow server directly.

So you need to first check whether the flow server is located in a VRF. If it is, add the following command:

set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 routing-instance vrfc
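The check described in the Conclusion can be automated against a `set`-format configuration. The following Python script is an added example, not part of the original article or Juniper tooling; `check_flow_servers` is a hypothetical name, and the script assumes the flow server sits on a directly connected subnet, as in this lab.

```python
import ipaddress
import re

# Constructed sample: the R2 lines from this article that the check needs.
SAMPLE_R2 = """\
set interfaces ge-0/1/0 unit 0 family inet address 100.1.1.1/24
set interfaces irb unit 111 family inet address 11.1.1.1/24
set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 port 2055
set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 routing-instance vrfc
set routing-instances vrfa interface irb.111
set routing-instances vrfc interface ge-0/1/0.0
"""

ADDR = re.compile(r"set interfaces (\S+) unit (\d+) family inet address (\S+)")
RI_IF = re.compile(r"set routing-instances (\S+) interface (\S+)")
FS = re.compile(r"set forwarding-options sampling instance (\S+) family inet "
                r"output flow-server (\S+)(?: routing-instance (\S+))?")

def check_flow_servers(config):
    """Return (instance, server, problem) for each mismatched flow server."""
    nets, ri_of, servers = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ADDR.match(line):
            nets[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3]).network
        elif m := RI_IF.match(line):
            ri_of[m[2]] = m[1]
        elif m := FS.match(line):
            key = (m[1], m[2])
            servers[key] = m[3] or servers.get(key)
    findings = []
    for (inst, server), configured in servers.items():
        addr = ipaddress.ip_address(server)
        # Logical interface whose connected subnet contains the flow server.
        ifl = next((i for i, n in nets.items() if addr in n), None)
        if ifl is None:
            continue  # not directly connected; this check cannot decide
        expected = ri_of.get(ifl)  # None means the default instance
        if configured != expected:
            findings.append((inst, server,
                f"server is reached via {ifl} in {expected or 'default'}, "
                f"but flow-server routing-instance is {configured or 'unset'}"))
    return findings
```

An empty list means every directly connected flow server is exported through the routing instance that owns its interface.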

Full configuration from R1, R2 and R3:

R1

set chassis aggregated-devices ethernet device-count 10
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ae0 flexible-vlan-tagging
set interfaces ae0 encapsulation flexible-ethernet-services
set interfaces ae0 unit 0 family bridge interface-mode trunk
set interfaces ae0 unit 0 family bridge vlan-id-list 111
set interfaces ae0 unit 0 family bridge vlan-id-list 333
set interfaces irb unit 111 family inet address 11.1.1.2/24
set interfaces irb unit 333 family inet address 33.1.1.2/24
set routing-options static route 22.1.1.0/24 next-hop 11.1.1.1
set routing-options static route 44.1.1.0/24 next-hop 33.1.1.1
set bridge-domains vlan111 domain-type bridge
set bridge-domains vlan111 vlan-id 111
set bridge-domains vlan111 routing-interface irb.111
set bridge-domains vlan333 domain-type bridge
set bridge-domains vlan333 vlan-id 333
set bridge-domains vlan333 routing-interface irb.333

R2

set chassis afeb slot 0 sampling-instance test
set services flow-monitoring version-ipfix template ipfixtest flow-active-timeout 60
set services flow-monitoring version-ipfix template ipfixtest flow-inactive-timeout 30
set services flow-monitoring version-ipfix template ipfixtest template-refresh-rate seconds 10
set services flow-monitoring version-ipfix template ipfixtest option-refresh-rate seconds 10
set services flow-monitoring version-ipfix template ipfixtest ipv4-template
set services flow-monitoring version-ipfix template ipfixtest flow-key flow-direction
set interfaces ge-0/0/0 gigether-options 802.3ad ae0
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/2 gigether-options 802.3ad ae1
set interfaces ge-0/0/3 gigether-options 802.3ad ae1
set interfaces ge-0/1/0 unit 0 family inet address 100.1.1.1/24
set interfaces ae0 flexible-vlan-tagging
set interfaces ae0 encapsulation flexible-ethernet-services
set interfaces ae0 unit 0 family bridge interface-mode trunk
set interfaces ae0 unit 0 family bridge vlan-id-list 111
set interfaces ae0 unit 0 family bridge vlan-id-list 333
set interfaces ae1 flexible-vlan-tagging
set interfaces ae1 encapsulation flexible-ethernet-services
set interfaces ae1 unit 0 family bridge interface-mode trunk
set interfaces ae1 unit 0 family bridge vlan-id-list 222
set interfaces ae1 unit 0 family bridge vlan-id-list 444
set interfaces irb unit 111 family inet filter input test
set interfaces irb unit 111 family inet filter output test
set interfaces irb unit 111 family inet address 11.1.1.1/24
set interfaces irb unit 222 family inet address 22.1.1.1/24
set interfaces irb unit 333 family inet filter input test
set interfaces irb unit 333 family inet filter output test
set interfaces irb unit 333 family inet address 33.1.1.1/24
set interfaces irb unit 444 family inet address 44.1.1.1/24
set forwarding-options sampling instance test input rate 1
set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 port 2055
set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 routing-instance vrfc
set forwarding-options sampling instance test family inet output flow-server 100.1.1.2 version-ipfix template ipfixtest
set forwarding-options sampling instance test family inet output inline-jflow source-address 100.1.1.1
set firewall family inet filter test term 1 then count test
set firewall family inet filter test term 1 then log
set firewall family inet filter test term 1 then sample
set firewall family inet filter test term 1 then accept
set routing-instances vrfa instance-type vrf
set routing-instances vrfa interface irb.111
set routing-instances vrfa interface irb.222
set routing-instances vrfa route-distinguisher 100:1
set routing-instances vrfa vrf-target target:100:1
set routing-instances vrfa vrf-table-label
set routing-instances vrfb instance-type vrf
set routing-instances vrfb interface irb.333
set routing-instances vrfb interface irb.444
set routing-instances vrfb route-distinguisher 200:1
set routing-instances vrfb vrf-target target:200:1
set routing-instances vrfb vrf-table-label
set routing-instances vrfc instance-type vrf
set routing-instances vrfc interface ge-0/1/0.0
set routing-instances vrfc route-distinguisher 300:1
set routing-instances vrfc vrf-target target:300:1
set routing-instances vrfc vrf-table-label
set bridge-domains vlan111 domain-type bridge
set bridge-domains vlan111 vlan-id 111
set bridge-domains vlan111 routing-interface irb.111
set bridge-domains vlan222 domain-type bridge
set bridge-domains vlan222 vlan-id 222
set bridge-domains vlan222 routing-interface irb.222
set bridge-domains vlan333 domain-type bridge
set bridge-domains vlan333 vlan-id 333
set bridge-domains vlan333 routing-interface irb.333
set bridge-domains vlan444 domain-type bridge
set bridge-domains vlan444 vlan-id 444
set bridge-domains vlan444 routing-interface irb.444

R3

set chassis aggregated-devices ethernet device-count 10
set interfaces ge-0/0/0 gigether-options 802.3ad ae1
set interfaces ge-0/0/1 gigether-options 802.3ad ae1
set interfaces ae1 flexible-vlan-tagging
set interfaces ae1 encapsulation flexible-ethernet-services
set interfaces ae1 unit 0 family bridge interface-mode trunk
set interfaces ae1 unit 0 family bridge vlan-id-list 222
set interfaces ae1 unit 0 family bridge vlan-id-list 444
set interfaces irb unit 222 family inet address 22.1.1.2/24
set interfaces irb unit 444 family inet address 44.1.1.2/24
set routing-options static route 11.1.1.0/24 next-hop 22.1.1.1
set routing-options static route 33.1.1.0/24 next-hop 44.1.1.1
set bridge-domains vlan222 domain-type bridge
set bridge-domains vlan222 vlan-id 222
set bridge-domains vlan222 routing-interface irb.222
set bridge-domains vlan444 domain-type bridge
set bridge-domains vlan444 vlan-id 444
set bridge-domains vlan444 routing-interface irb.444

 
