Types of Flow Sources

JSA Flow Processor can process flows from multiple sources, which are categorized as either internal or external sources.

Internal Flow Sources

Sources that include packet data by connecting to a SPAN port or a network TAP are considered internal sources. These sources provide raw packet data to a monitoring port on the Flow Processor, which converts the packet details into flow records.

JSA does not keep the entire packet payload. Instead, it captures a snapshot of the flow, referred to as the payload or content capture, which includes packets from the beginning of the communication.

Flow collection from internal sources normally requires a dedicated Flow Processor.

External Flow Sources

JSA also supports external flow sources, such as routers that send NetFlow, sFlow, J-Flow, and Packeteer data.

External sources require less CPU utilization to process than internal sources, so you can send them directly to a Flow Processor. In this configuration, you might have a dedicated Flow Processor that receives and creates flow data.

NetFlow

NetFlow is a proprietary accounting technology that is developed by Cisco Systems. NetFlow monitors traffic flows through a switch or router, and interprets the client, server, protocol, and port that are used. It also counts the number of bytes and packets, and sends that data to a NetFlow collector.

The process of sending data from NetFlow is often referred to as a NetFlow Data Export (NDE).

JSA accepts NetFlow Data Exports (NDE) so that it functions as a NetFlow collector. JSA supports NetFlow versions 1, 5, 7, and 9.

Although NetFlow expands the amount of the network that is monitored, it uses a connection-less protocol (UDP) to deliver NDEs. After an NDE is sent from a switch or router, the NetFlow record is purged. Because UDP doesn't guarantee the delivery of data, a NetFlow flow source might present inaccurate traffic volumes and bidirectional flows, and might have reduced alerting capabilities.

For more information about NetFlow, see the Cisco web site.
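Because a lost NDE cannot be re-sent, a collector can only notice the loss from the sequence numbers in the export headers. The following is an added example, not JSA or Juniper code: it tracks the NetFlow v5 `flow_sequence` field (which counts flows) and the v9 sequence field (which counts export packets) per exporter. The class name, helper names, and exporter address are assumptions made for the illustration.

```python
import struct

class LossTracker:
    """Count exports lost in transit from NetFlow v5/v9 header sequence numbers."""

    def __init__(self):
        self.expected = {}  # (exporter, version, engine or source ID) -> next sequence

    def observe(self, exporter, datagram):
        """Return flows (v5) or export packets (v9) missed before this datagram."""
        version, count = struct.unpack_from("!HH", datagram, 0)
        if version == 5:      # flow_sequence counts flows; engine type/ID follow it
            seq, src = struct.unpack_from("!IH", datagram, 16)
            step = count
        elif version == 9:    # sequence counts export packets; source ID follows it
            seq, src = struct.unpack_from("!II", datagram, 12)
            step = 1
        else:
            raise ValueError("no sequence handling for version %d" % version)
        key = (exporter, version, src)
        gap = (seq - self.expected.get(key, seq)) & 0xFFFFFFFF
        if gap >= 1 << 31:    # sequence went backwards: treat as exporter restart
            gap = 0
        self.expected[key] = (seq + step) & 0xFFFFFFFF
        return gap

def v5_header(seq, count):
    """Constructed 24-byte NetFlow v5 header (flow records omitted)."""
    return struct.pack("!HHIIIIBBH", 5, count, 0, 0, 0, seq, 0, 0, 0)

def v9_header(seq):
    """Constructed 20-byte NetFlow v9 header (flowsets omitted)."""
    return struct.pack("!HHIIII", 9, 1, 0, 0, seq, 0)

def run_sample():
    """Feed constructed headers from one exporter; 30 flows then 2 packets go missing."""
    t = LossTracker()
    v5 = [t.observe("192.0.2.1", v5_header(s, c)) for s, c in [(0, 30), (30, 30), (90, 10)]]
    v9 = [t.observe("192.0.2.1", v9_header(s)) for s in (7, 8, 11)]
    return v5, v9
```

A non-zero return value is a lower bound on what the flow source never saw, which is useful context when traffic volumes or bidirectional flows look wrong.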

NetFlow flow source configuration

When you configure an external flow source for NetFlow, you must do the following tasks:

  • Make sure that the appropriate firewall rules are configured.

    If you change your External Flow Source Monitoring Port parameter in the Flow Processor configuration, you must also update your firewall access configuration.

  • Make sure that the appropriate ports are configured for your flow processor.

NetFlow flow source template

Juniper suggests that, at minimum, the following fields are included in the NetFlow flow source template:

  • FIRST_SWITCHED

  • LAST_SWITCHED

  • PROTOCOL

  • IPV4_SRC_ADDR

  • IPV4_DST_ADDR

  • L4_SRC_PORT

  • L4_DST_PORT

  • IN_BYTES or OUT_BYTES

  • IN_PKTS or OUT_PKTS

  • TCP_FLAGS (TCP flows only)

Supported VLAN fields

The following VLAN fields are supported for NetFlow version 9.

  • vlanId

  • postVlanId

  • dot1qVlanId

  • dot1qPriority

  • dot1qCustomerVlanId

  • dot1qCustomerPriority

  • postDot1qVlanId

  • postDot1qCustomerVlanId

  • dot1qDEI

  • dot1qCustomerDEI

Supported MAC address fields

The following MAC address fields are supported for NetFlow version 9:

  • sourceMacAddress (56)

  • postDestinationMacAddress (57)

  • destinationMacAddress (80)

  • postSourceMacAddress (81)

Supported Network Address Translation (NAT) fields

The following fields are supported for Network Address Translation (NAT) and Network Address Port Translation (NAPT).

  • postNATSourceIPv4Address

  • postNATDestinationIPv4Address

  • postNAPTSourceTransportPort

  • postNAPTDestinationTransportPort

IPFIX

Internet Protocol Flow Information Export (IPFIX) is an accounting technology. IPFIX monitors traffic flows through a switch or router, and interprets the client, server, protocol, and port that are used. It also counts the number of bytes and packets, and sends that data to an IPFIX collector.

The process of sending IPFIX data is often referred to as a NetFlow Data Export (NDE). JSA accepts NDEs so that it functions as an IPFIX collector.

IPFIX provides more flow information and deeper insight than NetFlow v9. IPFIX uses User Datagram Protocol (UDP) to deliver NDEs. After an NDE is sent from the IPFIX forwarding device, the IPFIX record might be purged.

IPFIX flow source configuration

When you configure an external flow source for IPFIX, you must do the following tasks:

  • Add a NetFlow flow source. The NetFlow flow source processes IPFIX flows by using the same process.

    Your JSA might include a default NetFlow flow source. If it does, you might not need to configure another one.

    To confirm that your system includes a default NetFlow flow source, on the Admin tab, select Flow Sources. If default_Netflow is listed in the flow source list, IPFIX is already configured.

  • Ensure that the appropriate firewall rules are configured.

    If you change your External Flow Source Monitoring Port parameter in the Flow Collector configuration, you must also update your firewall access configuration.

  • Ensure that the appropriate ports are configured for your Flow Collector.

IPFIX flow source template

Ensure that the IPFIX template from the IPFIX source includes the following IANA-listed Information Elements:

  • protocolIdentifier (4)

  • sourceIPv4Address (8)

  • destinationIPv4Address (12)

  • sourceTransportPort (7)

  • destinationTransportPort (11)

  • octetDeltaCount (1) or postOctetDeltaCount (23)

  • packetDeltaCount (2) or postPacketDeltaCount (24)

  • tcpControlBits (6) (TCP flows only)

  • flowStartSeconds (150) or flowStartMilliseconds (152) or flowStartDeltaMicroseconds (158)

  • flowEndSeconds (151) or flowEndMilliseconds (153) or flowEndDeltaMicroseconds (159)
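To check an exporter against this list before pointing it at the collector, you can parse the Template Set from a captured IPFIX message and compare its element IDs with the ones above. The following is an added example, not JSA or Juniper code: it follows the RFC 7011 message layout, skips enterprise-specific fields, and runs on a constructed message. The function names and the group labels such as "flow end" are assumptions made for the illustration.

```python
import struct

# Element IDs from the list above; each tuple holds acceptable alternatives.
REQUIRED = {"protocolIdentifier": (4,), "sourceIPv4Address": (8,),
            "destinationIPv4Address": (12,), "sourceTransportPort": (7,),
            "destinationTransportPort": (11,), "octet count": (1, 23),
            "packet count": (2, 24), "flow start": (150, 152, 158),
            "flow end": (151, 153, 159)}

def parse_templates(msg):
    """Map template ID -> set of IANA element IDs in one IPFIX message (RFC 7011)."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or not 16 <= length <= len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, off = {}, 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length runs past the message")
        pos, end = off + 4, off + set_len
        while set_id == 2 and pos + 4 <= end:      # set ID 2 = Template Set
            tid, count = struct.unpack_from("!HH", msg, pos)
            if tid < 256:                          # trailing padding, not a template
                break
            pos, ids = pos + 4, set()
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("truncated field specifier")
                ie, _ = struct.unpack_from("!HH", msg, pos)
                pos += 8 if ie & 0x8000 else 4     # enterprise fields carry a 4-byte PEN
                if not ie & 0x8000:
                    ids.add(ie)
            templates[tid] = ids
        off += set_len
    return templates

def missing_elements(ids, tcp=False):
    """Names of required elements (or alternative groups) absent from a template."""
    groups = dict(REQUIRED, **({"tcpControlBits": (6,)} if tcp else {}))
    return [name for name, alts in groups.items() if not ids & set(alts)]

def build_sample():
    """Constructed message: template 256 has no flowEnd* element."""
    fields = [(4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (1, 8), (2, 8), (152, 8)]
    body = b"".join(struct.pack("!HH", i, n) for i, n in fields)
    body += struct.pack("!HHI", 0x8000 | 1, 4, 99999)   # constructed enterprise field
    tset = struct.pack("!HHHH", 2, 8 + len(body), 256, len(fields) + 1) + body
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 1) + tset
```

Pass `tcp=True` to `missing_elements` for templates that describe TCP flows, so that tcpControlBits (6) is also required.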

Supported VLAN fields

The following VLAN fields are supported for IPFIX.

  • vlanId

  • postVlanId

  • dot1qVlanId

  • dot1qPriority

  • dot1qCustomerVlanId

  • dot1qCustomerPriority

  • postDot1qVlanId

  • postDot1qCustomerVlanId

  • dot1qDEI

  • dot1qCustomerDEI

Supported MAC address fields

The following MAC address fields are supported for IPFIX:

  • sourceMacAddress (56)

  • postDestinationMacAddress (57)

  • destinationMacAddress (80)

  • postSourceMacAddress (81)

Supported MPLS fields

The following MPLS fields are supported for IPFIX.

  • mplsTopLabelType

  • mplsTopLabelIPv4Address

  • mplsTopLabelStackSection

  • mplsLabelStackSection2

  • mplsLabelStackSection3

  • mplsLabelStackSection4

  • mplsLabelStackSection5

  • mplsLabelStackSection6

  • mplsLabelStackSection7

  • mplsLabelStackSection8

  • mplsLabelStackSection9

  • mplsLabelStackSection10

  • mplsVpnRouteDistinguisher

  • mplsTopLabelPrefixLength

  • mplsTopLabelIPv6Address

  • mplsPayloadLength

  • mplsTopLabelTTL

  • mplsLabelStackLength

  • mplsLabelStackDepth

  • mplsTopLabelExp

  • postMplsTopLabelExp

  • pseudoWireType

  • pseudoWireControlWord

  • mplsLabelStackSection

  • mplsPayloadPacketSection

  • sectionOffset

  • sectionExportedOctets

sFlow

sFlow is a multi-vendor and user standard for sampling technology that provides continuous monitoring of application level traffic flows on all interfaces simultaneously.

sFlow combines interface counters and flow samples into sFlow datagrams that are sent across the network to an sFlow collector. sFlow traffic is based on sampled data and, therefore, might not represent all network traffic.

JSA supports flow sources for sFlow versions 2, 4, and 5.

sFlow uses a connection-less protocol (UDP). When data is sent from a switch or router, the sFlow record is purged. UDP doesn't guarantee delivery of the data. As such, inaccurate presentations of both traffic volumes and bidirectional flows, and reduced alerting capabilities, might result when using an sFlow flow source.

For more information, see the sFlow website (www.sflow.org).

sFlow flow source configuration

When you configure an external flow source for sFlow, you must do the following tasks:

  • Ensure that the appropriate firewall rules are configured.

J-Flow

J-Flow is a proprietary accounting technology used by Juniper Networks that allows you to collect IP traffic flow statistics.

J-Flow enables you to export data to a UDP port on a J-Flow collector. Using J-Flow, you can also enable J-Flow on a router or interface to collect network statistics for specific locations on your network.

J-Flow uses a connection-less protocol (UDP). When data is sent from a switch or router, the J-Flow record is purged. UDP doesn't guarantee delivery of the data. As such, inaccurate presentations of both traffic volumes and bidirectional flows, and reduced alerting capabilities, might result when using a J-Flow flow source. J-Flow traffic is based on sampled data and, therefore, might not represent all network traffic.

For more information on J-Flow, see the Juniper Networks website.

J-Flow flow source configuration

When you configure an external flow source for J-Flow, you must do the following tasks:

  • Ensure that the appropriate firewall rules are configured.

  • Ensure that the appropriate ports are configured for your JSA Flow Processor.

Supported VLAN fields

The following VLAN fields are supported for J-Flow.

  • vlanId

  • postVlanId

  • dot1qVlanId

  • dot1qPriority

  • dot1qCustomerVlanId

  • dot1qCustomerPriority

  • dot1qDEI

  • dot1qCustomerDEI

  • postDot1qVlanId

  • postDot1qCustomerVlanId

Packeteer

Packeteer devices collect, aggregate, and store network performance data.

After you configure an external flow source for Packeteer, you can send flow information from a Packeteer device to JSA.

Packeteer uses a connection-less protocol (UDP). When data is sent from a switch or router, the Packeteer record is purged. Because UDP doesn't guarantee delivery of the data, inaccurate presentations of both traffic volumes and bidirectional flows, and reduced alerting capabilities, might result when using a Packeteer flow source.

Packeteer flow source configuration

To configure Packeteer as an external flow source, you must do the following tasks:

  • Ensure that the appropriate firewall rules are configured.

  • Ensure that you configure Packeteer devices to export flow detail records and configure the JSA Flow Processor as the destination for the data export.

  • Ensure that the appropriate ports are configured for your JSA flow processor.

  • Ensure that the class IDs from the Packeteer devices can automatically be detected by the JSA flow processor.

  • For more information, see Mapping Packeteer Applications into JSA.

Flowlog File

A Flowlog file is generated from the JSA flow logs.