

Overview

The Juniper Networks J-Flow feature provides a method by which you can collect IP traffic flow statistics on your routing devices. J-Flow does not require any special protocol for connection setup. It also does not require any external changes to networked traffic, packets, or any other devices in the network. In other words, J-Flow is transparent to the existing network, including end stations and application software and network devices such as LAN switches.

The Juniper Networks implementation of J-Flow allows you to export data to the UDP port of a remote workstation for data collection and further processing. In addition, the ability to enable J-Flow on an individual virtual router, interface, or subinterface allows you to collect network statistics for specific locations within your network.

Interface Sampling

For any given IP interface, enabling J-Flow causes packets from the input stream to be sampled at a globally configured rate. For each packet sampled, the main flow cache is examined to see if there is an existing entry. If no entry exists, J-Flow creates a new entry and records attributes of the flow. If the packet matches an existing entry, J-Flow updates the existing flow.

In general, the system samples packets that it can forward. In other words, the system does not sample packets that it discards. As sampling occurs, the system records flow characteristics as they would appear for a packet that the virtual router transmits. This means, for example, that if a packet uses the address of an output interface or next-hop value altered by a policy setting, the system records the altered value in the flow record.

Flow Collection

The Juniper Networks J-Flow functionality allows statistics collection at the VR/VRF level. This means that each virtual router (VR) - VPN routing and forwarding table (VRF) has its own main cache for statistics gathering.

Although you can export flow statistics only at the VR level, VRF data is rolled up for each VR. The reason for supporting export flow at the VR level is that existing export formats cannot discriminate between VRs and VRFs. However, even though export formats do not allow for segregation, the JUNOSe CLI commands do. Segregating each collection by VR removes any ambiguity and aliasing that may occur with overlapping address spaces (as may occur in virtual private network [VPN] configurations).

Main Flow Cache Contents

A 7-tuple distinguishes an entry in the flow cache for a VR:

Cache Flow Export

Using UDP as the transport method, the E-series router can export the content of the flow cache as the system removes the entries. For this release, you can specify one export destination for each VR.

Each export packet contains a header and some number of flow records. The version 5 header contains the following fields:

If, for any reason, the virtual router is unable to export records to the collector, the unsent records are discarded. However, the virtual router continues to increment the sequence number as if it sent the records. Discrepancies between the sequence number and sent records can assist in recognizing discontinuities at the collector end.
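A collector-side check for the discontinuities described above, as an added example (not Juniper code). It assumes the standard 24-byte NetFlow version 5 header layout and that the sequence number counts flow records, so each header's value should equal the previous value plus the previous record count; `SequenceTracker`, `parse_v5_header`, and the sample datagrams are constructed for illustration.

```python
import struct

# Assumed: the standard 24-byte NetFlow v5 header, network byte order:
# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval; each flow record is 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48
WRAP = 2 ** 32  # flow_sequence is a 32-bit counter


def parse_v5_header(datagram):
    """Validate a v5 export datagram and return (count, flow_sequence)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported export version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("datagram length does not match record count")
    return count, seq


class SequenceTracker:
    """Per-exporter tracker that reports flow records the collector never got."""

    def __init__(self):
        self.expected = {}  # exporter key -> next expected flow_sequence

    def observe(self, exporter, datagram):
        """Return records missing before this datagram, or None if it is late."""
        count, seq = parse_v5_header(datagram)
        expected = self.expected.get(exporter)
        missing = 0 if expected is None else (seq - expected) % WRAP
        if missing >= WRAP // 2:
            return None  # older than expected: reordered or duplicate datagram
        self.expected[exporter] = (seq + count) % WRAP
        return missing


def build_v5(seq, count):
    """Constructed sample: a valid header followed by zero-filled records."""
    return V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + bytes(count * V5_RECORD_LEN)


def demo():
    """Feed three constructed datagrams; the third follows 30 discarded records."""
    tracker = SequenceTracker()
    exporter = ("192.0.2.1", 0)  # constructed key: source address, engine_id
    stream = [build_v5(1000, 30), build_v5(1030, 30), build_v5(1090, 10)]
    return [tracker.observe(exporter, d) for d in stream]
```

Because one export destination is configured per VR, keying the tracker by exporter keeps each VR's sequence space separate. A sustained non-zero result is worth alerting on, since it means flow telemetry for that VR has holes.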

Aging Flows

Once the virtual router creates a flow in the cache, the flow is removed at the expiration of either the active or the inactive timer.

In sampled environments, methods for detecting the end of a flow can be unreliable. The active timer places a hard limit on how long a flow may last before the virtual router closes it and gathers the necessary statistics. If the flow was still active when the active timer expires, the virtual router creates a new flow entry to replace the closed flow.

The inactive timer removes flows if they do not contain any data traffic for a specified period of time.

Operation with NAT

When functioning with Network Address Translation (NAT), J-Flow sampling occurs before NAT applies any translation.

Operation with High Availability

When high availability is enabled, the following occurs in the event of a switchover:

Once the standby SRP becomes active, and all other applications indicate that they have recovered, sampling and flow collection resume.

