Turning on IPFIX (IP Flow Information Export) on Juniper MX is a good idea if you want to know what’s going on. Not only can it provide you with a tremendous insight into the traffic traversing your network, you can also use the information provided by IPFIX to automatically divert traffic or thwart a DDOS.
IPFIX is an IETF documented standard that describes how to format IP flow information. The information inside a flow contains the source and destination IP/port, the protocol, ToS and ingress interface.
After configuring all the Internet connected interfaces for IPFIX, the networking device starts to collect flows. These flows can be send to your flow collector. The information inside these flows will reveal a lot of what is going on. You can look at this information (near) real-time or you can make the collector generate periodic reports based on any the information gathered by IPFIX.
The basic IPFIX configuration on an MX router is very easy. You do have to go through 4 different configuration stanza’s to get things going. I’ll demonstrate the configuration using the following setup:
set services flow-monitoring version-ipfix template ipv4 ipv4-template set services flow-monitoring version-ipfix template ipv6 ipv6-template set forwarding-options sampling instance inline input rate 50 set forwarding-options sampling instance inline family inet output flow-server 10.0.0.1 port 2055 set forwarding-options sampling instance inline family inet output flow-server 10.0.0.1 version-ipfix template ipv4 set forwarding-options sampling instance inline family inet output inline-jflow source-address 1.1.1.1 set forwarding-options sampling instance inline family inet6 output flow-server 10.0.0.1 port 2055 set forwarding-options sampling instance inline family inet6 output flow-server 10.0.0.1 version-ipfix template ipv6 set forwarding-options sampling instance inline family inet6 output inline-jflow source-address 1.1.1.1 set chassis fpc 3 sampling-instance inline set chassis fpc 3 inline-services flow-table-size ipv4-flow-table-size 5 set chassis fpc 3 inline-services flow-table-size ipv6-flow-table-size 5 set interfaces xe-3/2/0 unit 0 family inet sampling input set interfaces xe-3/2/0 unit 0 family inet6 sampling input set interfaces xe-3/2/1 unit 0 family inet sampling input set interfaces xe-3/2/1 unit 0 family inet6 sampling input
To see if the MX is gathering and exporting flows, you can issue the following command:
play@MX480> show services accounting flow inline-jflow fpc-slot 3
Flow information
FPC Slot: 3
Flow Packets: 672557996, Flow Bytes: 395793951925
Active Flows: 1763, Total Flows: 239316095
Flows Exported: 224677847, Flow Packets Exported: 94025957
Flows Inactive Timed Out: 209386360, Flows Active Timed Out: 29927972
IPv4 Flows:
IPv4 Flow Packets: 672273557, IPv4 Flow Bytes: 395740955664
IPv4 Active Flows: 1761, IPv4 Total Flows: 239042164
IPv4 Flows Exported: 224405780, IPv4 Flow Packets exported: 93754406
IPv4 Flows Inactive Timed Out: 209114350, IPv4 Flows Active Timed Out: 29926053
IPv6 Flows:
IPv6 Flow Packets: 284439, IPv6 Flow Bytes: 52996261
IPv6 Active Flows: 2, IPv6 Total Flows: 273931
IPv6 Flows Exported: 272067, IPv6 Flow Packets Exported: 271551
IPv6 Flows Inactive Timed Out: 272010, IPv6 Flows Active Timed Out: 1919
FYIs:
• tested on MPC2, 12.3R8.7 ( MPC2 can export about 200K flows/second, MPC3 400k)
• will not kill your RE
• will reboot your FPC or TFEB when you configure or alter the flow-table size
• will not work on DPCE line-cards
• MX80 and MX104 configuration is slightly different, you have to reference the tfeb in the chassis stanza