Overview
The JunosE J-Flow feature provides a method by which you can collect IP traffic flow statistics on your routing devices. J-Flow does not require any special protocol for connection setup. It also does not require any external changes to networked traffic, packets, or any other devices in the network. In other words, J-Flow is transparent to the existing network, including end stations and application software and network devices such as LAN switches.
The JunosE implementation of J-Flow allows you to export data to the UDP port of a remote workstation for data collection and further processing. In addition, the ability to enable J-Flow on an individual virtual router, interface, or subinterface allows you to collect network statistics for specific locations within your network.
Interface Sampling
For any given IP interface, enabling J-Flow causes packets from the input stream to be sampled at a globally configured rate. For each packet sampled, the main flow cache is examined to see if there is an existing entry. If no entry exists, J-Flow creates a new entry and records attributes of the flow. If the packet matches an existing entry, J-Flow updates the existing flow.
In general, the system samples packets that it can forward. In other words, the system does not sample packets that it discards. As sampling occurs, the system records flow characteristics as they would appear for a packet that the virtual router transmits. This means, for example, that if a packet uses the address of an output interface or next-hop value altered by a policy setting, the system records the altered value in the flow record.
Aggregation Caches
Data from flow cache entries is summarized to build aggregated views or aggregation caches. Aggregation caches are created and maintained along with the main cache. Aggregation caches have their own history area where the aging aggregation cache records are collected. Aggregation caches have a set of configuration parameters: number of entries, active and inactive timeouts, and export destination.
Types of aggregation caches include:
- AS: Aggregates flow data based on source and destination AS, and ingress and egress interface values.
- Destination Prefix: Aggregates flow data based on the destination address, mask, destination AS, and egress interface.
- Prefix: Aggregates flow data based on source prefix, destination prefix, source mask, destination mask, source AS, destination AS, ingress interface, and egress interface.
- Protocol Port: Aggregates flow data based on protocol, source port, and destination port.
- Source Prefix: Aggregates flow data based on source address, source mask, source AS, and ingress interface.
Aggregation caches contain a subset of the fields collected in the raw flow data. For example, TCP flags, Next Hop Address, and ToS values are not maintained in any of the aggregation caches. Unlike the main cache, aggregation caches are not enabled by default.
Flow Collection
The JunosE J-Flow functionality allows statistics collection at the VR/VRF level. This means that each virtual router (VR)/VPN routing and forwarding (VRF) table has its own main cache for statistics gathering.
Although you can export flow statistics only at the VR level, VRF data is rolled up for each VR. The reason for supporting export flow at the VR level is that existing export formats cannot discriminate between VRs and VRFs. However, even though export formats do not allow for segregation, the JunosE CLI commands do. Segregating each collection by VR removes any ambiguity and aliasing that may occur with overlapping address spaces (as may occur in virtual private network [VPN] configurations).
Main Flow Cache Contents
The following 7-tuple distinguishes an entry in the flow cache for a VR:
- Source IP address (SA)
- Destination IP address (DA)
- Source port number (SP)
- Destination port number (DP)
- Layer 3 protocol type
- Type of service (ToS byte) or Differentiated Services code point (DSCP)
- Input interface
Cache Flow Export
Using UDP as the transport method, the ERX router can export the content of the flow cache as the system removes the entries. You can specify one export destination for each VR.
Each export packet contains a header and flow records. The version 5 header contains the following fields:
- Version: Format version
- Count: Number of records in this packet
- SysUpTime: System up time value when this packet was built
- Unix Timestamp: Number of seconds and nanoseconds since 0000 UTC 1970 (Coordinated Universal Time)
- Sequence Number: Number of total records sent on this export stream
- Engine type: Type of switching engine (line module or route processor)
  Note: The J-Flow setting for Engine type is always RP=0.
- Engine ID: SRP slot number
If, for any reason, the virtual router is unable to export records to the collector, the unsent records are discarded. However, the virtual router continues to increase the sequence number by one as if it sent the records. Discrepancies between the sequence number and sent records can assist in recognizing discontinuities at the collector end.
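A collector-side check for the discontinuities described above, as an added example that is not part of the JunosE documentation. It assumes the export uses the standard 24-byte big-endian NetFlow version 5 header layout (whose last 2-byte field is not in the list above) and that the sequence number of each packet equals the previous sequence number plus the previous record count; the sample packets are constructed.

```python
import struct
from typing import NamedTuple

# Assumed wire layout: standard 24-byte NetFlow v5 header, network byte order.
# The trailing 2-byte field is not in the page's field list and is ignored here.
V5_HEADER = struct.Struct("!HHIIIIBBH")

class V5Header(NamedTuple):
    version: int
    count: int          # records in this packet
    sys_uptime: int
    unix_secs: int
    unix_nsecs: int
    sequence: int       # total records sent before this packet
    engine_type: int    # J-Flow always reports RP=0
    engine_id: int      # SRP slot number

def parse_header(datagram: bytes) -> V5Header:
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    fields = V5_HEADER.unpack_from(datagram)
    if fields[0] != 5:
        raise ValueError(f"unexpected export version {fields[0]}")
    return V5Header(*fields[:8])

def find_gaps(datagrams):
    """Return (expected_seq, seen_seq, missing_records) per discontinuity."""
    gaps, expected = [], None
    for datagram in datagrams:
        h = parse_header(datagram)
        if expected is not None and h.sequence != expected:
            # Modulo arithmetic keeps the count correct across 32-bit wraparound.
            gaps.append((expected, h.sequence, (h.sequence - expected) % 2**32))
        expected = (h.sequence + h.count) % 2**32
    return gaps

def build(seq: int, count: int) -> bytes:
    # Constructed sample datagram: header only, flow records omitted.
    return V5_HEADER.pack(5, count, 1000, 1700000000, 0, seq, 0, 3, 0)

# Constructed stream: 30 records between sequence 60 and 90 never arrived.
SAMPLE = [build(0, 30), build(30, 30), build(90, 10), build(100, 5)]

if __name__ == "__main__":
    for expected, seen, missing in find_gaps(SAMPLE):
        print(f"gap: expected {expected}, saw {seen}, {missing} records missing")
```

Because the transport is UDP, a reordered datagram also shows up as a gap, so a production collector would tolerate a small reordering window before counting records as lost.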
Aging Flows
After the virtual router creates a flow in the cache, the flow is removed at the expiration of either the active or the inactive timer.
In sampled environments, methods for detecting the end of a flow can be unreliable. The active timer places a hard limit on how long a flow may last before the virtual router closes it and gathers the necessary statistics. If the flow is still active when the active timer expires, the virtual router creates a new flow entry to replace the closed flow.
The inactive timer removes flows if they do not contain any data traffic for a specified period of time.
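A small model of the main flow cache and its two timers, added here as an illustration and not taken from JunosE. It keys entries on the 7-tuple listed under Main Flow Cache Contents; the 15-second and 60-second timer values, the addresses, and the simplification that timers are checked only when a packet is sampled are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    first: float       # time of first sampled packet
    last: float        # time of most recent sampled packet
    packets: int = 0
    octets: int = 0

class FlowCache:
    def __init__(self, active_timeout, inactive_timeout):
        self.active, self.inactive = active_timeout, inactive_timeout
        self.flows = {}      # 7-tuple -> Flow
        self.exported = []   # (key, Flow, reason) in removal order

    def expire(self, now):
        for key, flow in list(self.flows.items()):
            if now - flow.last >= self.inactive:
                reason = "inactive"      # no traffic for the inactive period
            elif now - flow.first >= self.active:
                reason = "active"        # hard limit on flow lifetime
            else:
                continue
            self.exported.append((key, self.flows.pop(key), reason))

    def sample(self, now, key, length):
        self.expire(now)
        # No matching entry: create one. Matching entry: update it.
        flow = self.flows.setdefault(key, Flow(first=now, last=now))
        flow.last = now
        flow.packets += 1
        flow.octets += length

def run_demo():
    # Constructed traffic; timer values are hypothetical, not JunosE defaults.
    cache = FlowCache(active_timeout=60, inactive_timeout=15)
    # Key order: SA, DA, SP, DP, protocol, ToS byte, input interface index.
    a = ("10.0.0.1", "192.0.2.9", 40000, 443, 6, 0x00, 7)
    b = a[:5] + (0xB8,) + a[6:]          # same endpoints, different ToS byte
    cache.sample(0, a, 1500)
    cache.sample(5, b, 40)
    for t in range(10, 100, 10):         # flow a keeps sending every 10 s
        cache.sample(t, a, 1500)
    cache.expire(200)
    return [(reason, key[5], f.packets) for key, f, reason in cache.exported]

if __name__ == "__main__":
    print(run_demo())
```

The single long conversation is exported as two records (one closed by the active timer, one by the inactive timer), and the packet that differs only in ToS becomes its own entry, which matters when correlating exported records back to one session.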
Operation with NAT
When functioning with Network Address Translation (NAT), J-Flow sampling occurs before NAT applies any translation.
Operation with High Availability
When high availability is enabled, the following occurs in the event of a switchover:
- Any flows that are collected but not exported off of the router are lost.
- Flow history is lost.
- Counters are reset to zero.
After the standby SRP becomes active, and all other applications indicate that they have recovered, sampling and flow-collecting resume.